JBoss Enterprise Application Platform: JBEAP-8651

Incorrect username is passed to principal when principal-transformers are enabled


    • Type: Bug
    • Resolution: Won't Do
    • Priority: Critical
    • Affects Version: 7.1.0.DR11
    • Component: Security
Steps to Reproduce:

      1) Add user user123 to the application realm through the add-user.sh script
      2) Add principal transformers:

      <regex-principal-transformer name="add1" pattern="$" replacement="1"/>
      <regex-principal-transformer name="add2" pattern="$" replacement="2"/>
      <regex-principal-transformer name="add3" pattern="$" replacement="3"/>
      

      3) Modify Elytron ApplicationDomain to:

      <security-domain name="ApplicationDomain" pre-realm-principal-transformer="add1" default-realm="ApplicationRealm" post-realm-principal-transformer="add2" permission-mapper="default-permission-mapper">
          <realm name="ApplicationRealm" principal-transformer="add3" role-decoder="groups-to-roles"/>
      </security-domain>
      

      4) Enable trace logging for org.wildfly.security
      5) Try to authenticate as user user (it will be transformed to user123) and see the log


      In the case when some principal-transformers are used for transforming the principal in a security domain, the final username which is used for authentication and later for authorization is: input_username transformed by the pre-realm-principal-transformer, the post-realm-principal-transformer and the realm principal-transformer. However, the Principal assigned to the SecurityIdentity uses only the name input_username transformed by the pre-realm-principal-transformer.

      It seems it is caused by passing preRealmPrincipal as the fourth parameter in https://github.com/wildfly-security/wildfly-elytron/blob/7b5c89c437d27fec60ec441986b5f830bb111283/src/main/java/org/wildfly/security/auth/server/ServerAuthenticationContext.java#L1011

      Value of SecurityIdentity.getPrincipal() can be seen when trace log is enabled due to https://github.com/wildfly-security/wildfly-elytron/blob/7b5c89c437d27fec60ec441986b5f830bb111283/src/main/java/org/wildfly/security/auth/server/SecurityDomain.java#L451

      Since it seems there is currently no documentation related to this topic, I cannot say whether it is a real bug. dlofthouse, could you please provide some clarification?

      Log (see Steps to Reproduce for more details about configuration):

      TRACE [org.wildfly.security] (default task-3) Principal assigning: [user], pre-realm rewritten: [user1], realm name: [ApplicationRealm], post realm rewritten: [user12], realm rewritten: [user123]
      TRACE [org.wildfly.security] (default task-3) Attempting to authenticate account user123 using LegacyPropertiesSecurityRealm.
      ...
      TRACE [org.wildfly.security] (default task-3) Role mapping: principal [user1] -> decoded roles [JBossAdmin] -> realm mapped roles [JBossAdmin] -> domain mapped roles [JBossAdmin]
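      The following Python script is an added illustration and is not code from the issue or from WildFly Elytron. It models the three-stage rewrite the TRACE line above reports (pre-realm, then post-realm, then the realm's own transformer) with the same `$` patterns as the reproduction steps, and then scans constructed copies of the quoted TRACE lines to check whether the principal used for role mapping equals the fully rewritten name that was authenticated. The function names, the regexes that parse the log lines, and the sample log text are assumptions made here for the example; a mismatch in the result corresponds to the behaviour the report describes.

```python
import re

# Constructed sample: copies of the TRACE lines quoted in this issue,
# not output captured from a live server.
SAMPLE_LOG = """\
TRACE [org.wildfly.security] (default task-3) Principal assigning: [user], pre-realm rewritten: [user1], realm name: [ApplicationRealm], post realm rewritten: [user12], realm rewritten: [user123]
TRACE [org.wildfly.security] (default task-3) Attempting to authenticate account user123 using LegacyPropertiesSecurityRealm.
TRACE [org.wildfly.security] (default task-3) Role mapping: principal [user1] -> decoded roles [JBossAdmin] -> realm mapped roles [JBossAdmin] -> domain mapped roles [JBossAdmin]
"""


def regex_transform(name, pattern, replacement):
    """Model of a regex-principal-transformer: every match of pattern
    in the principal name is replaced. With pattern "$" the replacement
    is appended, which is what the reproduction steps rely on."""
    return re.sub(pattern, replacement, name)


def transform_chain(input_name, pre_realm, post_realm, realm):
    """Apply the transformers in the order the TRACE line reports
    (pre-realm, post-realm, realm) and return every intermediate name.
    Each transformer argument is a (pattern, replacement) tuple."""
    pre = regex_transform(input_name, *pre_realm)
    post = regex_transform(pre, *post_realm)
    final = regex_transform(post, *realm)
    return {"input": input_name, "pre_realm": pre, "post_realm": post, "realm": final}


# Parsers for the three TRACE messages quoted in the issue (assumed formats,
# written against the exact lines shown above).
PRINCIPAL_ASSIGNING = re.compile(
    r"Principal assigning: \[(?P<input>[^\]]*)\], pre-realm rewritten: \[(?P<pre>[^\]]*)\], "
    r"realm name: \[(?P<realm_name>[^\]]*)\], post realm rewritten: \[(?P<post>[^\]]*)\], "
    r"realm rewritten: \[(?P<final>[^\]]*)\]"
)
AUTH_ACCOUNT = re.compile(r"Attempting to authenticate account (?P<account>\S+) using")
ROLE_MAPPING = re.compile(r"Role mapping: principal \[(?P<principal>[^\]]*)\]")


def check_trace(log_text):
    """Scan TRACE output for one authentication and report whether the
    account that was authenticated and the principal used for role
    mapping both equal the fully rewritten name."""
    names = {}
    for line in log_text.splitlines():
        m = PRINCIPAL_ASSIGNING.search(line)
        if m:
            names.update(m.groupdict())
            continue
        m = AUTH_ACCOUNT.search(line)
        if m:
            names["auth_account"] = m.group("account")
            continue
        m = ROLE_MAPPING.search(line)
        if m:
            names["role_principal"] = m.group("principal")
    final = names.get("final")
    consistent = (
        final is not None
        and names.get("auth_account") == final
        and names.get("role_principal") == final
    )
    return {"names": names, "consistent": consistent}


if __name__ == "__main__":
    # Same transformers as the reproduction steps: add1, add2, add3.
    chain = transform_chain("user", ("$", "1"), ("$", "2"), ("$", "3"))
    print("rewrite chain:", chain)
    result = check_trace(SAMPLE_LOG)
    print("names seen in log:", result["names"])
    print("identity principal consistent with authenticated account:", result["consistent"])
```

      Running the script on the quoted log yields the chain user -> user1 -> user12 -> user123 and reports the inconsistency: the account authenticated is user123 while role mapping runs against user1. The same check can be run over a server's own trace output to confirm which name the SecurityIdentity carries once a fix or configuration change has been applied.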
      

              Assignee: Unassigned
              Reporter: Ondrej Lukas (olukas)
              Darran Lofthouse