Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-9407

Roles are not assigned if access=identity uses Elytron security domain based on legacy security domain

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Won't Do
    • Icon: Critical Critical
    • None
    • 7.1.0.DR13
    • Security
    • Hide

      1) create property files for legacy security /tmp/users.properties and /tmp/roles.properties
      /tmp/users.properties:

      admin=admin

      /roles.properties:

      admin=JBossAdmin

      2) create property files for elytron /tmp/users-elytron.properties and /tmp/roles-elytron.properties
      /tmp/users.properties:

      admin=password

      /roles.properties:

      admin=Admin

      3) add legacy configuration to application server

      <security-domain name="legacyDomain" cache-type="default">
    <authentication>
        <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties" value="/tmp/users.properties"/>
            <module-option name="rolesProperties" value="/tmp/roles.properties"/>
        </login-module>
    </authentication>
    <mapping>
        <mapping-module code="SimpleRoles" type="role">
            <module-option name="admin" value="User"/>
        </mapping-module>
    </mapping>
</security-domain>
...
<elytron-integration>
    <security-realms>
        <elytron-realm name="exportedDomain" legacy-jaas-config="legacyDomain"/>
    </security-realms>
</elytron-integration>

      4) setup Elytron part:

      <security-domain name="legacyDomain" default-realm="exportedDomain" permission-mapper="default-permission-mapper" trusted-security-domains="ElytronDomain">
    <realm name="exportedDomain" role-decoder="groups-to-roles"/>
</security-domain>
<security-domain name="ElytronDomain" default-realm="ElytronRealm" permission-mapper="default-permission-mapper" security-event-listener="local-audit">
    <realm name="ElytronRealm" role-decoder="groups-to-roles"/>
</security-domain>
...
<properties-realm name="ElytronRealm">
    <users-properties path="/tmp/users-elytron.properties" digest-realm-name="ElytronRealm" plain-text="true"/>
    <groups-properties path="/tmp/roles-elytron.properties"/>
</properties-realm>
...
<sasl-authentication-factory name="elytronSaslAuthnFactory" sasl-server-factory="elytronConfigurableSasl" security-domain="ElytronDomain">
    <mechanism-configuration>
        <mechanism mechanism-name="PLAIN"/>
    </mechanism-configuration>
</sasl-authentication-factory>
<configurable-sasl-server-factory name="elytronConfigurableSasl" sasl-server-factory="global">
    <filters>
        <filter>
            <pattern-filter value="PLAIN"/>
        </filter>
    </filters>
</configurable-sasl-server-factory>

      5) setup security for management interfaces:

      <identity security-domain="legacyDomain"/>
...
<http-interface http-authentication-factory="management-http-authentication">
    <http-upgrade enabled="true" sasl-authentication-factory="elytronSaslAuthnFactory"/>
    <socket-binding http="management-http"/>
</http-interface>

      6) start server and run CLI:

      ./jboss-cli.sh -c -u=admin -p=password ':whoami(verbose=true)'
{
    "outcome" => "success",
    "result" => {
        "identity" => {"username" => "admin"},
        "mapped-roles" => ["SuperUser"]
    }
}

      No roles from from legacy security domain occurs in identity.

      Show
      1) create property files for legacy security /tmp/users.properties and /tmp/roles.properties /tmp/users.properties: admin=admin /roles.properties: admin=JBossAdmin 2) create property files for elytron /tmp/users-elytron.properties and /tmp/roles-elytron.properties /tmp/users.properties: admin=password /roles.properties: admin=Admin 3) add legacy configuration to application server <security-domain name= "legacyDomain" cache-type= " default " > <authentication> <login-module code= "UsersRoles" flag= "required" > <module-option name= "usersProperties" value= "/tmp/users.properties" /> <module-option name= "rolesProperties" value= "/tmp/roles.properties" /> </login-module> </authentication> <mapping> <mapping-module code= "SimpleRoles" type= "role" > <module-option name= "admin" value= "User" /> </mapping-module> </mapping> </security-domain> ... <elytron-integration> <security-realms> <elytron-realm name= "exportedDomain" legacy-jaas-config= "legacyDomain" /> </security-realms> </elytron-integration> 4) setup Elytron part: <security-domain name= "legacyDomain" default -realm= "exportedDomain" permission-mapper= " default -permission-mapper" trusted-security-domains= "ElytronDomain" > <realm name= "exportedDomain" role-decoder= "groups-to-roles" /> </security-domain> <security-domain name= "ElytronDomain" default -realm= "ElytronRealm" permission-mapper= " default -permission-mapper" security-event-listener= "local-audit" > <realm name= "ElytronRealm" role-decoder= "groups-to-roles" /> </security-domain> ... <properties-realm name= "ElytronRealm" > <users-properties path= "/tmp/users-elytron.properties" digest-realm-name= "ElytronRealm" plain-text= " true " /> <groups-properties path= "/tmp/roles-elytron.properties" /> </properties-realm> ... <sasl-authentication-factory name= "elytronSaslAuthnFactory" sasl-server-factory= "elytronConfigurableSasl" security-domain= "ElytronDomain" > <mechanism-configuration> <mechanism mechanism-name= "PLAIN" /> </mechanism-configuration> </sasl-authentication-factory> <configurable-sasl-server-factory name= "elytronConfigurableSasl" sasl-server-factory= "global" > <filters> <filter> <pattern-filter value= "PLAIN" /> </filter> </filters> </configurable-sasl-server-factory> 5) setup security for management interfaces: <identity security-domain= "legacyDomain" /> ... <http- interface http-authentication-factory= "management-http-authentication" > <http-upgrade enabled= " true " sasl-authentication-factory= "elytronSaslAuthnFactory" /> <socket-binding http= "management-http" /> </http- interface > 6) start server and run CLI: ./jboss-cli.sh -c -u=admin -p=password ':whoami(verbose= true )' { "outcome" => "success" , "result" => { "identity" => { "username" => "admin" }, "mapped-roles" => [ "SuperUser" ] } } No roles from from legacy security domain occurs in identity.

      In case when Elytron security domain, which uses legacy security domain (provided through elytron-integration in legacy security subsystem), is used for identity inflow in access=identity, and authentication is provided by security domain which uses some Elytron security realm, then no roles/groups from legacy security domain are assigned to the secured identity. See reproducer for more details.

              Unassigned Unassigned
              olukas Ondrej Lukas (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: