Loading...

Type: Bug
Resolution: Done
Priority: Blocker
Fix Version/s: 1.1.0.Beta20
Affects Version/s: 1.1.0.Beta18
Component/s: Realms
Labels:
None

Steps to Reproduce:
Hide

1) Configure Elytron Filesystem Realm for authentication and add users user and admin

/subsystem=elytron/filesystem-realm=authnRealm:add(path=/tmp/fsRealm) /subsystem=elytron/filesystem-realm=authnRealm/identity=user:add() /subsystem=elytron/filesystem-realm=authnRealm/identity=user:set-password(clear={password=password}) /subsystem=elytron/filesystem-realm=authnRealm/identity=admin:add() /subsystem=elytron/filesystem-realm=authnRealm/identity=admin:set-password(clear={password=password})

2) Configure Elytron Properties Realm for authorization (and add user user to user properties file)
Create /tmp/users.properties with following content:

#$REALM_NAME=authzRealm$ #user=whateverHere user=f3ef5b78a64bafdcae8d47ffbfecb8fc

Create /tmp/roles.properties with following content:

user=JBossAdmin admin=JBossAdmin

Add Properties Realm:

/subsystem=elytron/properties-realm=authzRealm:add(users-properties={path=/tmp/users.properties},groups-properties={path=/tmp/roles.properties})

3) Configure Aggregate Realm

/subsystem=elytron/aggregate-realm=aggregateRealm:add(authentication-realm=authnRealm,authorization-realm=authzRealm)

4) Configure rest of needed Elytron resources

/subsystem=elytron/security-domain=appSecurityDomain:add(default-realm=aggregateRealm,permission-mapper=default-permission-mapper,realms=[{realm=aggregateRealm,role-decoder=groups-to-roles}]) /subsystem=elytron/http-authentication-factory=authFactory:add(http-server-mechanism-factory=global,security-domain=appSecurityDomain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="aggregateRealm"}]}]) /subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=authFactory)

5) Deploy app for printing roles (see attachments)

6) Try to authenticate to application
Access http://127.0.0.1:8080/print-roles/protected/printRoles?role=JBossAdmin and try to use following users:

user/password - authentication pass (because user user is included in /tmp/users.properties and role JBossAdmin is assigned to them

admin/password - authentication pass but authorization fail (HTTP status 403 is returned)

In correct behavior authentication should pass for both users and role JBossAdmin should be assigned to them.
Show
1) Configure Elytron Filesystem Realm for authentication and add users user and admin /subsystem=elytron/filesystem-realm=authnRealm:add(path=/tmp/fsRealm) /subsystem=elytron/filesystem-realm=authnRealm/identity=user:add() /subsystem=elytron/filesystem-realm=authnRealm/identity=user:set-password(clear={password=password}) /subsystem=elytron/filesystem-realm=authnRealm/identity=admin:add() /subsystem=elytron/filesystem-realm=authnRealm/identity=admin:set-password(clear={password=password}) 2) Configure Elytron Properties Realm for authorization (and add user user to user properties file) Create /tmp/users.properties with following content: #$REALM_NAME=authzRealm$ #user=whateverHere user=f3ef5b78a64bafdcae8d47ffbfecb8fc Create /tmp/roles.properties with following content: user=JBossAdmin admin=JBossAdmin Add Properties Realm: /subsystem=elytron/properties-realm=authzRealm:add(users-properties={path=/tmp/users.properties},groups-properties={path=/tmp/roles.properties}) 3) Configure Aggregate Realm /subsystem=elytron/aggregate-realm=aggregateRealm:add(authentication-realm=authnRealm,authorization-realm=authzRealm) 4) Configure rest of needed Elytron resources /subsystem=elytron/security-domain=appSecurityDomain:add( default -realm=aggregateRealm,permission-mapper= default -permission-mapper,realms=[{realm=aggregateRealm,role-decoder=groups-to-roles}]) /subsystem=elytron/http-authentication-factory=authFactory:add(http-server-mechanism-factory=global,security-domain=appSecurityDomain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name= "aggregateRealm" }]}]) /subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=authFactory) 5) Deploy app for printing roles (see attachments) 6) Try to authenticate to application Access http://127.0.0.1:8080/print-roles/protected/printRoles?role=JBossAdmin and try to use following users: user/password - authentication pass (because user user is included in /tmp/users.properties and role JBossAdmin is assigned to them admin/password - authentication pass but authorization fail (HTTP status 403 is returned) In correct behavior authentication should pass for both users and role JBossAdmin should be assigned to them.
Git Pull Request:
https://github.com/wildfly-security/wildfly-elytron/pull/621, https://github.com/wildfly-security/wildfly-elytron/pull/629

Scenario: I try to configure application server for scenario when different identity stores are used for authentication and authorization (e.g. username/password are stored in LDAP and roles are assigned from Database).

In case when authentication and authorization is handled by different security realms in Elytron (i.e. aggregate realm is used) then authorization works only in case, when identity store for realm used for authorization includes the username also for authentication. See Steps to Reproduce for more details.

We request blocker since using different identity stores for authentication and authorization is common scenario which should be provided by Elytron. Even out documentation explicitly mentioned that scenarios [1]:
Consider the case where users are managed in a central LDAP server and application-specific roles are stored in the application’s relational database.

I tried this scenario with Properties and Filesystem Realms for authentication and Properties and Ldap Realms for authorization.

[1] https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/security-architecture/

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

print-roles.war
2017/01/12 4:11 AM
5 kB
Ondrej Lukas

clones

JBEAP-8229 Elytron security realms cannot be used only for authorization

Closed

relates to

ELY-760 Elytron Ldap Realm searches roles before validating password

Resolved

Details

Description

Attachments

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates