Loading...

Details

Type: Bug
Resolution: Won't Do
Priority: Critical
Fix Version/s: None
Affects Version/s: 7.1.0.DR13
Component/s: Security
Labels:

Target Release:

7.1.0.GA
Steps to Reproduce:
Hide

1) create property files /tmp/users.properties and /tmp/roles.properties:

echo admin=admin > /tmp/users.properties echo admin=JBossAdmin > /tmp/roles.properties

2) Through add-user.sh add user admin with some password and role Admin for ApplicationRealm

3) add legacy configuration to application server

<security-domain name="legacyDomain" cache-type="default"> <authentication> <login-module code="UsersRoles" flag="required"> <module-option name="usersProperties" value="/tmp/users.properties"/> <module-option name="rolesProperties" value="/tmp/roles.properties"/> </login-module> </authentication> <mapping> <mapping-module code="SimpleRoles" type="role"> <module-option name="admin" value="User"/> </mapping-module> </mapping> </security-domain> ... <elytron-integration> <security-realms> <elytron-realm name="exportedDomain" legacy-jaas-config="legacyDomain"/> </security-realms> </elytron-integration>

4) setup Elytron part:

/subsystem=elytron/simple-role-decoder=roles-decoder:add(attribute=Roles) /subsystem=elytron/aggregate-realm=pbauthz:add(authentication-realm=ApplicationRealm,authorization-realm=exportedDomain) /subsystem=elytron/security-domain=elytronDomain:add(default-realm=pbauthz,permission-mapper=default-permission-mapper,realms=[{realm=pbauthz,role-decoder=roles-decoder}]) /subsystem=elytron/http-authentication-factory=elytron-http-auth:add(http-server-mechanism-factory=global,security-domain=elytronDomain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="Exported Realm"}]}]) /subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=elytron-http-auth)

5) Deploy application for printing roles (see attachments)

6) Access http://127.0.0.1:8080/print-roles/protected/printRoles?role=User&role=JBossAdmin&role=Admin and login with admin/admin - no roles are assigned (HTTP status cod 403 is returned)
Show
1) create property files /tmp/users.properties and /tmp/roles.properties: echo admin=admin > /tmp/users.properties echo admin=JBossAdmin > /tmp/roles.properties 2) Through add-user.sh add user admin with some password and role Admin for ApplicationRealm 3) add legacy configuration to application server <security-domain name= "legacyDomain" cache-type= " default " > <authentication> <login-module code= "UsersRoles" flag= "required" > <module-option name= "usersProperties" value= "/tmp/users.properties" /> <module-option name= "rolesProperties" value= "/tmp/roles.properties" /> </login-module> </authentication> <mapping> <mapping-module code= "SimpleRoles" type= "role" > <module-option name= "admin" value= "User" /> </mapping-module> </mapping> </security-domain> ... <elytron-integration> <security-realms> <elytron-realm name= "exportedDomain" legacy-jaas-config= "legacyDomain" /> </security-realms> </elytron-integration> 4) setup Elytron part: /subsystem=elytron/simple-role-decoder=roles-decoder:add(attribute=Roles) /subsystem=elytron/aggregate-realm=pbauthz:add(authentication-realm=ApplicationRealm,authorization-realm=exportedDomain) /subsystem=elytron/security-domain=elytronDomain:add( default -realm=pbauthz,permission-mapper= default -permission-mapper,realms=[{realm=pbauthz,role-decoder=roles-decoder}]) /subsystem=elytron/http-authentication-factory=elytron-http-auth:add(http-server-mechanism-factory=global,security-domain=elytronDomain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name= "Exported Realm" }]}]) /subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=elytron-http-auth) 5) Deploy application for printing roles (see attachments) 6) Access http://127.0.0.1:8080/print-roles/protected/printRoles?role=User&role=JBossAdmin&role=Admin and login with admin/admin - no roles are assigned (HTTP status cod 403 is returned)

SFDC Cases Counter:
SFDC Cases Links:

Description

In case when legacy security domain is used as Elytron security realm and is added as authorization realm to aggregate-realm then no roles are assigned to authenticated user.

I tried to use following legacy security domain:

<security-domain name="legacyDomain" cache-type="default">
    <authentication>
        <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties" value="/tmp/users.properties"/>
            <module-option name="rolesProperties" value="/tmp/roles.properties"/>
        </login-module>
    </authentication>
    <mapping>
        <mapping-module code="SimpleRoles" type="role">
            <module-option name="admin" value="User"/>
        </mapping-module>
    </mapping>
</security-domain>

Roles should be assigned from mapping. Since it seems that there is no documentation related to this topic I am not sure whether roles should be assigned also from rolesProperties of UsersRoles login module - it needs to be clarified by developers.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

print-roles.war
5 kB
2017/03/08 6:14 AM
standalone-leg.xml
30 kB
2017/05/29 11:57 AM

Issue Links

is cloned by

WFCORE-2503 Legacy security domain used as Elytron security realm does not work in authorization part of aggregate-realm

Closed

relates to

JBEAP-12009 Document legacy security domain cannot be used as Elytron security realm in authorization part of aggregate-realm

Closed

Legacy security domain used as Elytron security realm does not work in authorization part of aggregate-realm

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates