JBEAP-9392 (JBoss Enterprise Application Platform)

Legacy security domain used as Elytron security realm does not work in authorization part of aggregate-realm


      1) create property files /tmp/users.properties and /tmp/roles.properties:

      echo admin=admin > /tmp/users.properties
      echo admin=JBossAdmin > /tmp/roles.properties
      

      2) Through add-user.sh add user admin with some password and role Admin for ApplicationRealm

      3) add legacy configuration to application server

      <security-domain name="legacyDomain" cache-type="default">
          <authentication>
              <login-module code="UsersRoles" flag="required">
                  <module-option name="usersProperties" value="/tmp/users.properties"/>
                  <module-option name="rolesProperties" value="/tmp/roles.properties"/>
              </login-module>
          </authentication>
          <mapping>
              <mapping-module code="SimpleRoles" type="role">
                  <module-option name="admin" value="User"/>
              </mapping-module>
          </mapping>
      </security-domain>
      ...
      <elytron-integration>
          <security-realms>
              <elytron-realm name="exportedDomain" legacy-jaas-config="legacyDomain"/>
          </security-realms>
      </elytron-integration>
      

      4) setup Elytron part:

      /subsystem=elytron/simple-role-decoder=roles-decoder:add(attribute=Roles)
      /subsystem=elytron/aggregate-realm=pbauthz:add(authentication-realm=ApplicationRealm,authorization-realm=exportedDomain)
      /subsystem=elytron/security-domain=elytronDomain:add(default-realm=pbauthz,permission-mapper=default-permission-mapper,realms=[{realm=pbauthz,role-decoder=roles-decoder}])
      /subsystem=elytron/http-authentication-factory=elytron-http-auth:add(http-server-mechanism-factory=global,security-domain=elytronDomain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="Exported Realm"}]}])
      /subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=elytron-http-auth)
      

      5) Deploy application for printing roles (see attachments)

      6) Access http://127.0.0.1:8080/print-roles/protected/printRoles?role=User&role=JBossAdmin&role=Admin and login with admin/admin - no roles are assigned (HTTP status code 403 is returned)
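The reproducer above as one shell script (an added example, not part of the original report or of the EAP project): it writes the two property files from step 1, turns steps 3 and 4 into a single jboss-cli batch, and probes the protected page from step 6 so the returned status can be compared with the expected 200. The JBOSS_HOME and APP_USER_PASSWORD variables, the output directory and the CLI form of the legacy security-domain commands (the report shows that part only as subsystem XML) are assumptions; the elytron and undertow commands are the report's own.

```shell
#!/bin/sh
# Added example for JBEAP-9392, not code from the report. Assumed: JBOSS_HOME
# points at the EAP install, APP_USER_PASSWORD is the add-user.sh password,
# and the legacy security subsystem accepts the CLI form used below.

# Step 1: property files read by the UsersRoles login module.
write_repro_files() {
  dir="$1"
  printf 'admin=admin\n' > "$dir/users.properties"
  printf 'admin=JBossAdmin\n' > "$dir/roles.properties"
}

# Steps 3 and 4 as a jboss-cli batch. The /subsystem=security lines are the
# assumed CLI equivalent of the report's XML; the rest is copied from step 4.
write_cli_batch() {
  dir="$1"
  cat > "$dir/repro.cli" <<EOF
batch
/subsystem=security/security-domain=legacyDomain:add(cache-type=default)
/subsystem=security/security-domain=legacyDomain/authentication=classic:add(login-modules=[{code=UsersRoles,flag=required,module-options={usersProperties=$dir/users.properties,rolesProperties=$dir/roles.properties}}])
/subsystem=security/security-domain=legacyDomain/mapping=classic:add(mapping-modules=[{code=SimpleRoles,type=role,module-options={admin=User}}])
/subsystem=security/elytron-integration/elytron-realm=exportedDomain:add(legacy-jaas-config=legacyDomain)
/subsystem=elytron/simple-role-decoder=roles-decoder:add(attribute=Roles)
/subsystem=elytron/aggregate-realm=pbauthz:add(authentication-realm=ApplicationRealm,authorization-realm=exportedDomain)
/subsystem=elytron/security-domain=elytronDomain:add(default-realm=pbauthz,permission-mapper=default-permission-mapper,realms=[{realm=pbauthz,role-decoder=roles-decoder}])
/subsystem=elytron/http-authentication-factory=elytron-http-auth:add(http-server-mechanism-factory=global,security-domain=elytronDomain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="Exported Realm"}]}])
/subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=elytron-http-auth)
run-batch
EOF
}

# Step 6 check: print the HTTP status the protected page returns for admin/admin.
# 200 means the aggregate-realm assigned roles; the report observes 403.
probe_roles() {
  curl -s -o /dev/null -w '%{http_code}' -u admin:admin \
    'http://127.0.0.1:8080/print-roles/protected/printRoles?role=User&role=JBossAdmin&role=Admin'
}

# Runs against a live server only when JBOSS_HOME is set (assumed variable).
if [ -n "$JBOSS_HOME" ]; then
  write_repro_files /tmp
  write_cli_batch /tmp
  # Step 2: admin user with role Admin in ApplicationRealm.
  "$JBOSS_HOME/bin/add-user.sh" -a -u admin \
    -p "${APP_USER_PASSWORD:?set the ApplicationRealm password}" -g Admin
  "$JBOSS_HOME/bin/jboss-cli.sh" --connect --file=/tmp/repro.cli
  echo "HTTP status for admin/admin: $(probe_roles)"
fi
```

The batch is applied atomically, so a rejected legacy-domain command leaves the server unchanged rather than half-configured; the probe is kept separate so it can be rerun after any change to the role decoder or mapping module.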


      When a legacy security domain is used as an Elytron security realm and added as the authorization realm of an aggregate-realm, no roles are assigned to the authenticated user.

      I tried to use following legacy security domain:

      <security-domain name="legacyDomain" cache-type="default">
          <authentication>
              <login-module code="UsersRoles" flag="required">
                  <module-option name="usersProperties" value="/tmp/users.properties"/>
                  <module-option name="rolesProperties" value="/tmp/roles.properties"/>
              </login-module>
          </authentication>
          <mapping>
              <mapping-module code="SimpleRoles" type="role">
                  <module-option name="admin" value="User"/>
              </mapping-module>
          </mapping>
      </security-domain>
      

      Roles should be assigned from the mapping. Since there seems to be no documentation on this topic, I am not sure whether roles should also be assigned from the rolesProperties of the UsersRoles login module; this needs to be clarified by the developers.

      Attachments:
        1. print-roles.war (5 kB, Ondrej Lukas)
        2. standalone-leg.xml (30 kB, Jan Kalina)

      Assignee: Unassigned
      Reporter: Ondrej Lukas (olukas)