For SASL and HTTP mechanisms it is possible to define a realm-mapper as part of a *-authentication-factory. This cannot be used for the EXTERNAL/CLIENT_CERT mechanisms, because in that case the ServerAuthenticationContext is not constructed by the mechanism but by the SecurityDomainTrustManager during the TLS handshake, with no relation to any *-authentication-factory.
It can be misleading for the user that the EXTERNAL mechanism is present in a sasl-authentication-factory, but if a realm-mapper is defined there it is ignored, because the SSL client-certificate authentication finishes before any SASL exchange is initiated:
    <sasl-authentication-factory name="client-cert-digest" sasl-server-factory="configured" security-domain="client-cert-domain">
        <mechanism-configuration>
            <mechanism mechanism-name="EXTERNAL" realm-mapper="key-store-realm"/>
        </mechanism-configuration>
    </sasl-authentication-factory>
A way to pass a realm-mapper into the SSL authentication should be considered, for example adding a realm-mapper attribute to the server-ssl-context definition, since that is the component that actually establishes the identity from the client certificate.
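The following is an added illustration, not configuration from the original issue. It places the ineffective setting next to the proposed one: the realm-mapper on the EXTERNAL mechanism (ignored, as described above) and the same realm-mapper on the server-ssl-context, which is where the client-certificate identity is established. The realm and domain names (key-store-realm, client-cert-domain) come from the issue; the server-ssl-context name, key-manager and trust-manager names are assumed, and the realm-mapper attribute on server-ssl-context is the one this issue proposes (see the linked issues below).

```xml
<!-- Added illustration, not part of the original issue. All names except
     key-store-realm and client-cert-domain (taken from the issue) are assumed. -->

<!-- Ineffective: realm-mapper on the EXTERNAL mechanism is ignored, because
     SecurityDomainTrustManager already built the ServerAuthenticationContext
     during the TLS handshake, before the SASL factory is consulted. -->
<sasl-authentication-factory name="client-cert-digest"
                             sasl-server-factory="configured"
                             security-domain="client-cert-domain">
    <mechanism-configuration>
        <mechanism mechanism-name="EXTERNAL" realm-mapper="key-store-realm"/>
    </mechanism-configuration>
</sasl-authentication-factory>

<!-- Proposed: attach the realm-mapper to the server-ssl-context that performs
     the client-certificate authentication, so it is applied at the point where
     the TLS handshake establishes the identity. need-client-auth forces the
     client to present a certificate instead of silently falling back. -->
<server-ssl-context name="client-cert-ssl"
                    key-manager="server-key-manager"
                    trust-manager="server-trust-manager"
                    security-domain="client-cert-domain"
                    realm-mapper="key-store-realm"
                    need-client-auth="true"/>
```

When verifying such a setup, test with both a SASL client and an HTTP client: the related issue JBEAP-11684 listed below reports that the realm-mapper on server-ssl-context was initially honoured only for one of the two paths.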
- is cloned by:
  - ELY-1217 Unable to define realm-mapping for TrustManager based auth (Resolved)
  - WFCORE-2898 Unable to define realm-mapping for TrustManager based auth (Resolved)
- is incorporated by:
  - JBEAP-11305 Upgrade WildFly Elytron to 1.1.0.Beta51 (Closed)
- is related to:
  - JBEAP-11684 Elytron realm-mapper on server-ssl-context is ignored for HTTP based authn (Closed)