Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-9376

Mapping roles in legacy security domain is ignored when this domain is used as Elytron realm

    XMLWordPrintable

Details

    • Hide

      1) create property files /tmp/users.properties and /tmp/roles.properties
      /tmp/users.properties:

      admin=admin

      /roles.properties:

      admin=JBossAdmin

      2) add legacy configuration to application server

      <security-domain name="legacyDomain" cache-type="default">
    <authentication>
        <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties" value="/tmp/users.properties"/>
            <module-option name="rolesProperties" value="/tmp/roles.properties"/>
        </login-module>
    </authentication>
    <mapping>
        <mapping-module code="SimpleRoles" type="role">
            <module-option name="admin" value="User"/>
        </mapping-module>
    </mapping>
</security-domain>
...
<elytron-integration>
    <security-realms>
        <elytron-realm name="exportedDomain" legacy-jaas-config="legacyDomain"/>
    </security-realms>
</elytron-integration>

      3) setup Elytron part:

      /subsystem=elytron/simple-role-decoder=roles-decoder:add(attribute=Roles)
/subsystem=elytron/security-domain=elytronDomain:add(default-realm=exportedDomain,permission-mapper=default-permission-mapper,realms=[{realm=exportedDomain,role-decoder=roles-decoder}])
/subsystem=elytron/http-authentication-factory=elytron-http-auth:add(http-server-mechanism-factory=global,security-domain=elytronDomain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="Exported Realm"}]}])
/subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=elytron-http-auth)

      4) Deploy application for printing roles (see attachments)

      5) Access http://127.0.0.1:8080/print-roles/protected/printRoles?role=User&role=JBossAdmin and login with admin/admin - only role JBossAdmin is assigned

      6) Optional: in deployment, change security-domain in jboss-web.xml to legacyDomain (to use legacy security domain directly) and access application again - both roles JBossAdmin and User are assigned

      Show
      1) create property files /tmp/users.properties and /tmp/roles.properties /tmp/users.properties: admin=admin /roles.properties: admin=JBossAdmin 2) add legacy configuration to application server <security-domain name= "legacyDomain" cache-type= " default " > <authentication> <login-module code= "UsersRoles" flag= "required" > <module-option name= "usersProperties" value= "/tmp/users.properties" /> <module-option name= "rolesProperties" value= "/tmp/roles.properties" /> </login-module> </authentication> <mapping> <mapping-module code= "SimpleRoles" type= "role" > <module-option name= "admin" value= "User" /> </mapping-module> </mapping> </security-domain> ... <elytron-integration> <security-realms> <elytron-realm name= "exportedDomain" legacy-jaas-config= "legacyDomain" /> </security-realms> </elytron-integration> 3) setup Elytron part: /subsystem=elytron/simple-role-decoder=roles-decoder:add(attribute=Roles) /subsystem=elytron/security-domain=elytronDomain:add( default -realm=exportedDomain,permission-mapper= default -permission-mapper,realms=[{realm=exportedDomain,role-decoder=roles-decoder}]) /subsystem=elytron/http-authentication-factory=elytron-http-auth:add(http-server-mechanism-factory=global,security-domain=elytronDomain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name= "Exported Realm" }]}]) /subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=elytron-http-auth) 4) Deploy application for printing roles (see attachments) 5) Access http://127.0.0.1:8080/print-roles/protected/printRoles?role=User&role=JBossAdmin and login with admin/admin - only role JBossAdmin is assigned 6) Optional: in deployment, change security-domain in jboss-web.xml to legacyDomain (to use legacy security domain directly) and access application again - both roles JBossAdmin and User are assigned

    Description

      In case when legacy security domain is used as Elytron realm then roles assigned in mapping are unavailable in Elytron security realm.

      e.g. when UsersRoles login module, which assigns role JBossAdmin to user admin is used and then role User is assigned for user admin in SimpleRoles mapping module through:

      <mapping>
    <mapping-module code="SimpleRoles" type="role">
        <module-option name="admin" value="User"/>
    </mapping-module>
</mapping>

      then only role JBossAdmin is available for Elytron. Following appears in server log:

      Authorizing against the following attributes: [Roles, CallerPrincipal] => [JBossAdmin, admin]

      In case when this legacy security domain is used directly as PicketBox security domain, then both roles, JBossAdmin and User, are assigned to user admin.

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. WFLY-8316 Mapping roles in legacy security domain is ignored when this domain is used as Elytron realm

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Activity

            People

              sguilhen Stefan Guilhen
              olukas Ondrej Lukas (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: