Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-2503

Legacy security domain used as Elytron security realm does not work in authorization part of aggregate-realm

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Won't Do
    • Icon: Critical Critical
    • None
    • None
    • Security
    • None
    • Hide

      1) create property files /tmp/users.properties and /tmp/roles.properties
      /tmp/users.properties:

      admin=admin

      /roles.properties:

      admin=JBossAdmin

      2) Through add-user.sh add user admin with some password and role Admin for ApplicationRealm

      3) add legacy configuration to application server

      <security-domain name="legacyDomain" cache-type="default">
    <authentication>
        <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties" value="/tmp/users.properties"/>
            <module-option name="rolesProperties" value="/tmp/roles.properties"/>
        </login-module>
    </authentication>
    <mapping>
        <mapping-module code="SimpleRoles" type="role">
            <module-option name="admin" value="User"/>
        </mapping-module>
    </mapping>
</security-domain>
...
<elytron-integration>
    <security-realms>
        <elytron-realm name="exportedDomain" legacy-jaas-config="legacyDomain"/>
    </security-realms>
</elytron-integration>

      4) setup Elytron part:

      /subsystem=elytron/simple-role-decoder=roles-decoder:add(attribute=Roles)
/subsystem=elytron/aggregate-realm=pbauthz:add(authentication-realm=ApplicationRealm,authorization-realm=exportedDomain)
/subsystem=elytron/security-domain=elytronDomain:add(default-realm=pbauthz,permission-mapper=default-permission-mapper,realms=[{realm=pbauthz,role-decoder=roles-decoder}])
/subsystem=elytron/http-authentication-factory=elytron-http-auth:add(http-server-mechanism-factory=global,security-domain=elytronDomain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="Exported Realm"}]}])
/subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=elytron-http-auth)

      5) Deploy application for printing roles (see attachments)

      6) Access http://127.0.0.1:8080/print-roles/protected/printRoles?role=User&role=JBossAdmin&role=Admin and login with admin/admin - no roles are assigned (HTTP status cod 403 is returned)

      Show
      1) create property files /tmp/users.properties and /tmp/roles.properties /tmp/users.properties: admin=admin /roles.properties: admin=JBossAdmin 2) Through add-user.sh add user admin with some password and role Admin for ApplicationRealm 3) add legacy configuration to application server <security-domain name= "legacyDomain" cache-type= " default " > <authentication> <login-module code= "UsersRoles" flag= "required" > <module-option name= "usersProperties" value= "/tmp/users.properties" /> <module-option name= "rolesProperties" value= "/tmp/roles.properties" /> </login-module> </authentication> <mapping> <mapping-module code= "SimpleRoles" type= "role" > <module-option name= "admin" value= "User" /> </mapping-module> </mapping> </security-domain> ... <elytron-integration> <security-realms> <elytron-realm name= "exportedDomain" legacy-jaas-config= "legacyDomain" /> </security-realms> </elytron-integration> 4) setup Elytron part: /subsystem=elytron/simple-role-decoder=roles-decoder:add(attribute=Roles) /subsystem=elytron/aggregate-realm=pbauthz:add(authentication-realm=ApplicationRealm,authorization-realm=exportedDomain) /subsystem=elytron/security-domain=elytronDomain:add( default -realm=pbauthz,permission-mapper= default -permission-mapper,realms=[{realm=pbauthz,role-decoder=roles-decoder}]) /subsystem=elytron/http-authentication-factory=elytron-http-auth:add(http-server-mechanism-factory=global,security-domain=elytronDomain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name= "Exported Realm" }]}]) /subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=elytron-http-auth) 5) Deploy application for printing roles (see attachments) 6) Access http://127.0.0.1:8080/print-roles/protected/printRoles?role=User&role=JBossAdmin&role=Admin and login with admin/admin - no roles are assigned (HTTP status cod 403 is returned)

      In case when legacy security domain is used as Elytron security realm and is added as authorization realm to aggregate-realm then no roles are assigned to authenticated user.

      I tried to use following legacy security domain:

      <security-domain name="legacyDomain" cache-type="default">
    <authentication>
        <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties" value="/tmp/users.properties"/>
            <module-option name="rolesProperties" value="/tmp/roles.properties"/>
        </login-module>
    </authentication>
    <mapping>
        <mapping-module code="SimpleRoles" type="role">
            <module-option name="admin" value="User"/>
        </mapping-module>
    </mapping>
</security-domain>

      Roles should be assigned from mapping. Since it seems that there is no documentation related to this topic I am not sure whether roles should be assigned also from rolesProperties of UsersRoles login module - it needs to be clarified by developers.

        1. print-roles.war
          5 kB

              darran.lofthouse@redhat.com Darran Lofthouse
              olukas Ondrej Lukas (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: