JBoss Enterprise Application Platform
JBEAP-8229

Elytron security realms cannot be used only for authorization


    • Type: Bug
    • Resolution: Done
    • Priority: Blocker
    • 7.1.0.DR11
    • 7.1.0.DR10
    • Security

      Steps to Reproduce:

      1) Configure Elytron Filesystem Realm for authentication and add users user and admin

      /subsystem=elytron/filesystem-realm=authnRealm:add(path=/tmp/fsRealm)
      /subsystem=elytron/filesystem-realm=authnRealm/identity=user:add()
      /subsystem=elytron/filesystem-realm=authnRealm/identity=user:set-password(clear={password=password})
      /subsystem=elytron/filesystem-realm=authnRealm/identity=admin:add()
      /subsystem=elytron/filesystem-realm=authnRealm/identity=admin:set-password(clear={password=password})
      

      2) Configure Elytron Properties Realm for authorization (and add the user user to the users properties file)
      Create /tmp/users.properties with the following content:

      #$REALM_NAME=authzRealm$
      #user=whateverHere
      user=f3ef5b78a64bafdcae8d47ffbfecb8fc
      

      Create /tmp/roles.properties with the following content:

      user=JBossAdmin
      admin=JBossAdmin
      

      Add Properties Realm:

      /subsystem=elytron/properties-realm=authzRealm:add(users-properties={path=/tmp/users.properties},groups-properties={path=/tmp/roles.properties})
      

      3) Configure Aggregate Realm

      /subsystem=elytron/aggregate-realm=aggregateRealm:add(authentication-realm=authnRealm,authorization-realm=authzRealm)
      

      4) Configure the rest of the needed Elytron resources

      /subsystem=elytron/security-domain=appSecurityDomain:add(default-realm=aggregateRealm,permission-mapper=default-permission-mapper,realms=[{realm=aggregateRealm,role-decoder=groups-to-roles}])
      /subsystem=elytron/http-authentication-factory=authFactory:add(http-server-mechanism-factory=global,security-domain=appSecurityDomain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="aggregateRealm"}]}])
      /subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=authFactory)
      

      5) Deploy app for printing roles (see attachments)

      6) Try to authenticate to the application
      Access http://127.0.0.1:8080/print-roles/protected/printRoles?role=JBossAdmin and try the following users:

      • user/password - authentication passes (because the user user is included in /tmp/users.properties and the role JBossAdmin is assigned to them)
      • admin/password - authentication passes but authorization fails (HTTP status 403 is returned)

      In correct behavior, authentication should pass for both users and the role JBossAdmin should be assigned to both of them.


      Scenario: I am trying to configure the application server for a scenario in which different identity stores are used for authentication and authorization (e.g. usernames/passwords are stored in LDAP and roles are assigned from a database).

      When authentication and authorization are handled by different security realms in Elytron (i.e. an aggregate realm is used), authorization works only when the identity store of the realm used for authorization also includes the username used for authentication. See Steps to Reproduce for more details.
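To make the reported behaviour concrete, the following is a small Python model written for this page; it is not Elytron code and not part of the report. It re-creates the two properties files from the reproduction steps, models the filesystem realm as a plain username/password map, and shows how an authorization realm that only recognises identities listed in users.properties leaves admin with an empty role set, so the request ends in 403 even though the password was accepted. The realm classes, the `request` helper and the `roles_require_user_entry` switch are assumptions of the model, chosen so that the observed and the expected behaviour can be compared side by side.

```python
"""
Constructed model of the aggregate-realm behaviour described in JBEAP-8229.
Illustrative simulation only: realm classes, method names and the
`roles_require_user_entry` switch are assumptions, not Elytron's API.
"""

# Constructed copies of the two properties files from the reproduction steps.
USERS_PROPERTIES = """\
#$REALM_NAME=authzRealm$
#user=whateverHere
user=f3ef5b78a64bafdcae8d47ffbfecb8fc
"""

ROLES_PROPERTIES = """\
user=JBossAdmin
admin=JBossAdmin
"""


def parse_properties(text):
    """Parse a users/roles properties file into (realm_name, entries).

    The realm name comes from the special `#$REALM_NAME=...$` comment;
    every other `#` line is ignored.
    """
    realm_name = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#$REALM_NAME=") and line.endswith("$"):
            realm_name = line[len("#$REALM_NAME="):-1]
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        entries[key.strip()] = value.strip()
    return realm_name, entries


class FilesystemRealm:
    """Authentication realm (assumed): username -> clear password, no groups."""

    def __init__(self, passwords):
        self._passwords = passwords

    def verify(self, username, password):
        return self._passwords.get(username) == password


class PropertiesRealm:
    """Authorization realm backed by users.properties + roles.properties.

    roles_require_user_entry=True reproduces the reported behaviour: an
    identity with no line in users.properties does not exist for this realm,
    so its roles.properties line is never consulted. False looks roles up
    directly, which is what the reporter expects.
    """

    def __init__(self, users_text, roles_text, roles_require_user_entry=True):
        self.realm_name, self._users = parse_properties(users_text)
        _, groups = parse_properties(roles_text)
        self._groups = {u: {g.strip() for g in v.split(",") if g.strip()}
                        for u, v in groups.items()}
        self._roles_require_user_entry = roles_require_user_entry

    def identity_exists(self, username):
        return username in self._users

    def roles(self, username):
        if self._roles_require_user_entry and not self.identity_exists(username):
            return set()
        return set(self._groups.get(username, set()))


class AggregateRealm:
    """Credentials come from the authentication realm, roles from the other."""

    def __init__(self, authentication_realm, authorization_realm):
        self._authn = authentication_realm
        self._authz = authorization_realm

    def request(self, username, password, required_role):
        """Return the HTTP status the print-roles servlet would answer with."""
        if not self._authn.verify(username, password):
            return 401  # authentication failed
        if required_role not in self._authz.roles(username):
            return 403  # authenticated, but the required role is missing
        return 200


AUTHN = FilesystemRealm({"user": "password", "admin": "password"})

# Behaviour seen in the report: admin authenticates but receives no roles.
OBSERVED = AggregateRealm(AUTHN, PropertiesRealm(USERS_PROPERTIES, ROLES_PROPERTIES))
# Behaviour the reporter expects: the roles.properties line alone is enough.
EXPECTED = AggregateRealm(AUTHN, PropertiesRealm(USERS_PROPERTIES, ROLES_PROPERTIES,
                                                 roles_require_user_entry=False))

if __name__ == "__main__":
    for label, realm in ("observed", OBSERVED), ("expected", EXPECTED):
        for user in ("user", "admin"):
            status = realm.request(user, "password", "JBossAdmin")
            print(f"{label}: {user}/password -> {status}")
```

Note that the observed behaviour fails closed: an identity unknown to the authorization realm ends up with an empty role set rather than with somebody else's roles, which is why the symptom is a 403 and not an over-grant. Whichever way the real aggregate realm is changed, the admin/password case is the one worth keeping as a regression check: a wrong password must still be rejected, and the identity must carry exactly the roles listed for it.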

      We request blocker priority since using different identity stores for authentication and authorization is a common scenario which should be supported by Elytron. Even our documentation explicitly mentions this scenario [1]:
      Consider the case where users are managed in a central LDAP server and application-specific roles are stored in the application's relational database.

      I tried this scenario with Properties and Filesystem Realms for authentication and Properties and LDAP Realms for authorization.

      [1] https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/security-architecture/

      jkalina@redhat.com Jan Kalina (Inactive)
      olukas Ondrej Lukas (Inactive)