- Bug
- Resolution: Won't Do
- Major
- None
- 7.1.0.ER2
- None

As discussed here, a new convert attribute has been added for x500-attribute-principal-decoder/x500-attribute-principal-transformer. This attribute may try to convert the given principal to an X500Principal. In the case of CLIENT-CERT authentication, when no other transformer is used and the principal is given in the correct type, there is no need for such a conversion. However, conversion is necessary in cases where the principal is provided in a different type.

I tried to exploit this x500-attribute-principal-transformer for Basic authentication just to check how it works, but I failed.

I configured EAP (see steps to reproduce), but authentication always failed when I tried to use a username which I expected to be extracted by x500-attribute-principal-transformer - 'client' or 'Duke' (see the application-users.properties file). When I set the 'convert' attribute of x500-principal-transformer to 'false', authentication works just fine with the usernames 'cn=client' and 'CN=Duke,OU=JavaSoft,O=SunMicrosystems,C=US'.

This seems to be broken from my point of view. If I simply misunderstood the purpose or exact meaning of the 'convert' attribute of x500-attribute-principal-transformer, please elaborate and clarify with some practical example.

- is related to: JBEAP-11084 Undertow CLIENT_CERT via Elytron and HTTP/2 does not work (Closed)
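
An added illustration, not taken from this issue or from Elytron's code, of what converting a plain name string to an X500Principal and then reading its CN yields for the usernames quoted in the report. It uses only JDK classes; the class name `ConvertDemo` and helper `cnAfterConvert` are hypothetical, and Elytron's own decoder may behave differently.

```java
import java.util.Optional;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

public class ConvertDemo {

    // Hypothetical helper: parse a name as an X.500 DN and return its CN value.
    // Returns empty when the name is not a DN or carries no CN attribute.
    static Optional<String> cnAfterConvert(String name) {
        final X500Principal principal;
        try {
            // The JDK rejects strings that are not distinguished names.
            principal = new X500Principal(name);
        } catch (IllegalArgumentException notADn) {
            return Optional.empty();
        }
        try {
            LdapName dn = new LdapName(principal.getName(X500Principal.RFC2253));
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return Optional.of(String.valueOf(rdn.getValue()));
                }
            }
        } catch (InvalidNameException e) {
            // Fall through: treat an unparsable DN like a missing attribute.
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Usernames quoted in the report above.
        String[] names = {
            "client",
            "cn=client",
            "CN=Duke,OU=JavaSoft,O=SunMicrosystems,C=US"
        };
        for (String name : names) {
            String shown = cnAfterConvert(name).orElse("<no CN: not a DN or no CN attribute>");
            System.out.println(name + " -> " + shown);
        }
    }
}
```

When debugging a configuration like the one described, comparing the name each stage produces against the keys in the user properties file shows which form of the username the realm lookup has to match.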