WildFly Core / WFCORE-6129

Unable to add integrity support to existing filesystem realm


      It is not possible to add integrity support to an existing filesystem realm:

      [standalone@localhost:9990 /] /subsystem=elytron/filesystem-realm=exampleSecurityRealm:add(path=fs-realm-users,relative-to=jboss.server.config.dir)
      {"outcome" => "success"}
      
      [standalone@localhost:9990 /] /subsystem=elytron/filesystem-realm=exampleSecurityRealm:add-identity(identity=user1)
      {"outcome" => "success"}
      
      [standalone@localhost:9990 /] /subsystem=elytron/filesystem-realm=exampleSecurityRealm:set-password(identity=user1, clear={password="passwordUser1"})
      {"outcome" => "success"}
      
      [standalone@localhost:9990 /] /subsystem=elytron/filesystem-realm=exampleSecurityRealm:add-identity-attribute(identity=user1, name=Roles, value=["Admin","Guest"])
      {"outcome" => "success"}
      
      [standalone@localhost:9990 /] /subsystem=elytron/security-domain=exampleSecurityDomain:add(default-realm=exampleSecurityRealm,permission-mapper=default-permission-mapper,realms=[{realm=exampleSecurityRealm}])
      {"outcome" => "success"}
      
      [standalone@localhost:9990 /] /subsystem=elytron/security-domain=exampleSecurityDomain:read-identity(name=user1)
      {
          "outcome" => "success",
          "result" => {
              "name" => "user1",
              "attributes" => {"Roles" => [
                  "Admin",
                  "Guest"
              ]},
              "roles" => [
                  "Guest",
                  "Admin"
              ]
          }
      }
      
      [standalone@localhost:9990 /] /subsystem=elytron/key-store=exampleKeystore:add(path=keystore, relative-to=jboss.server.config.dir, type=JKS, credential-reference={clear-text=secret})
      {"outcome" => "success"}
      
      [standalone@localhost:9990 /] /subsystem=elytron/key-store=exampleKeystore:generate-key-pair(alias=localhost,algorithm=RSA,key-size=1024,validity=365,distinguished-name="CN=localhost")
      {"outcome" => "success"}
      
      [standalone@localhost:9990 /] /subsystem=elytron/key-store=exampleKeystore:store()
      {
          "outcome" => "success",
          "result" => undefined
      }
      
      [standalone@localhost:9990 /] batch
      [standalone@localhost:9990 / #] /subsystem=elytron/filesystem-realm=exampleSecurityRealm:write-attribute(name=key-store,value=exampleKeystore)
      [standalone@localhost:9990 / #] /subsystem=elytron/filesystem-realm=exampleSecurityRealm:write-attribute(name=key-store-alias,value=localhost)
      [standalone@localhost:9990 / #] run-batch 
      The batch executed successfully
      process-state: reload-required 
      
      [standalone@localhost:9990 /] reload
      [standalone@localhost:9990 /] /subsystem=elytron/filesystem-realm=exampleSecurityRealm:update-key-pair()
      {"outcome" => "success"}
      
      [standalone@localhost:9990 /] /subsystem=elytron/security-domain=exampleSecurityDomain:read-identity(name=user1)
      {
          "outcome" => "failed",
          "failure-description" => "WFLYCTL0158: Operation handler failed: java.lang.RuntimeException: WFLYELY01005: Could not read identity [user1] from security domain [service org.wildfly.security.security-domain.exampleSecurityDomain].",
          "rolled-back" => true
      }
      

      I suppose it's because of the missing <principal/> in the XML.

      The realm with no integrity support:

      <?xml version="1.0" encoding="UTF-8" standalone="no"?><identity xmlns="urn:elytron:1.0">
          <credentials>
              <password algorithm="clear" format="base64">AXBhc3N3b3JkVXNlcjE=</password>
          </credentials>
          <attributes>
              <attribute name="Roles" value="Admin"/>
              <attribute name="Roles" value="Guest"/>
          </attributes>
      </identity>
      

      The realm after adding the key pair:

      <?xml version="1.0" encoding="UTF-8" standalone="no"?><identity xmlns="urn:elytron:1.0">
          <credentials>
              <password algorithm="clear" format="base64">AXBhc3N3b3JkVXNlcjE=</password>
          </credentials>
          <attributes>
              <attribute name="Roles" value="Admin"/>
              <attribute name="Roles" value="Guest"/>
          </attributes>

          <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>Vbi3IYFCvupI4/QjZV2es1K5eiF3jzIb+j2We/XOtPc=</DigestValue></Reference></SignedInfo><SignatureValue>AxBR67h95IDtwGEMKFQBp2FwWhSrlLeIQ0cKHtrmbJcnLTjvEn9LSTiEKL9f5DgvGmqy1VYjDkzX
      M5qrml7DwvzioJ5vg2ZInIEKcwzSY1ENpgdrY1Lo3NuQWtw6BGeEYbHx5ZSpv2X+z0L8b1rxWR5r
      iDtSSZ0gl0CwxMrys+w=</SignatureValue><KeyInfo><KeyValue><RSAKeyValue><Modulus>nqiJaKdlrkpVdobCyy0Xj7f3+hDTR9joednD7fkPtNGE/KmaaNMfC6vypr/9IonS1cE8EZcXSd7/
      IA59XCQyVHo+Ul36NTITJwsOdBLMxwUmuw7p+lbbgo0E2JOkyZ1mN92E9+VTC+ZAxB51zOXzZpmd
      Afn8SF9QTWy0QNDDekM=</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue></KeyInfo></Signature></identity>
      

      A realm created with the integrity support from the beginning:

      <?xml version="1.0" encoding="UTF-8" standalone="no"?><identity xmlns="urn:elytron:identity:1.2">
          <principal name="user1"/>
          <credentials>
              <password algorithm="clear" format="base64">AXBhc3N3b3JkVXNlcjE=</password>
          </credentials>
          <attributes>
              <attribute name="Roles" value="Admin"/>
              <attribute name="Roles" value="Guest"/>
          </attributes>
      
          <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>AyZ5vqr8Tyy94coxXjUtKTJbpElLY25YxQPx4PpkDnk=</DigestValue></Reference></SignedInfo><SignatureValue>B+YIqMW5RWV/0Q20A6SBmrqFmE2+1UjULb4JSiEo68zEY/gsUK6XDVyEuNveVB6BEum1FX6FiREY
      bW/zvsvgDNY59XYdUw3jfLH+qPlt/qQcjbjIwDpUa9TdTtpBCpgcINCXW5B7gtck7NVncbrAktXJ
      kFj15pBHMD7oBop9unI=</SignatureValue><KeyInfo><KeyValue><RSAKeyValue><Modulus>nqiJaKdlrkpVdobCyy0Xj7f3+hDTR9joednD7fkPtNGE/KmaaNMfC6vypr/9IonS1cE8EZcXSd7/
      IA59XCQyVHo+Ul36NTITJwsOdBLMxwUmuw7p+lbbgo0E2JOkyZ1mN92E9+VTC+ZAxB51zOXzZpmd
      Afn8SF9QTWy0QNDDekM=</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue></KeyInfo></Signature></identity>
      
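The three files above show the pattern behind the failure: the file written after update-key-pair carries a Signature but keeps the urn:elytron:1.0 layout with no principal element, whereas a realm created with integrity enabled uses urn:elytron:identity:1.2 and a principal. The following script is an added example, not part of this report or of WildFly, that audits identity files for that half-migrated combination so an operator can catch it before a reload turns it into the read-identity failure shown; the samples embedded in it are constructed with a stub signature value, and the one-<name>.xml-per-identity realm layout it walks is an assumption.

```python
"""Audit Elytron filesystem-realm identity files for the half-migrated state shown
above: an XMLDSig <Signature> is present, but the file still has the pre-integrity
layout (old namespace, no <principal name=.../>)."""
import xml.etree.ElementTree as ET
from pathlib import Path

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
LEGACY_NS = "urn:elytron:1.0"              # namespace of the unsigned files above
INTEGRITY_NS = "urn:elytron:identity:1.2"  # namespace of a realm created with integrity


def audit_identity(xml_doc, expected_name=None):
    """Return a list of findings for one identity document (str or bytes); [] means consistent."""
    root = ET.fromstring(xml_doc)
    # ElementTree spells a namespaced tag as "{ns}local"
    ns, _, local = root.tag[1:].partition("}") if root.tag.startswith("{") else ("", "", root.tag)
    if local != "identity":
        return [f"root element is <{local}>, expected <identity>"]
    signed = root.find(f"{{{DSIG_NS}}}Signature") is not None
    principal = root.find(f"{{{ns}}}principal")
    findings = []
    if signed and ns != INTEGRITY_NS:
        findings.append(f"signed but namespace is {ns!r}, expected {INTEGRITY_NS!r}")
    if signed and principal is None:
        findings.append("signed but <principal name=.../> is missing")
    if principal is not None and expected_name and principal.get("name") != expected_name:
        findings.append(f"principal {principal.get('name')!r} != file name {expected_name!r}")
    return findings


def audit_realm(realm_dir):
    """Audit every *.xml under the realm directory (assumed: one <name>.xml per identity)."""
    report = {}
    for path in sorted(Path(realm_dir).rglob("*.xml")):
        report[str(path)] = audit_identity(path.read_bytes(), path.stem)
    return report


# Constructed samples mirroring the three files in the report; the signature value is a stub.
STUB_SIG = (f'<Signature xmlns="{DSIG_NS}"><SignedInfo/>'
            '<SignatureValue>Y29uc3RydWN0ZWQ=</SignatureValue></Signature>')
LEGACY_UNSIGNED = f'<identity xmlns="{LEGACY_NS}"><credentials/></identity>'
LEGACY_SIGNED = f'<identity xmlns="{LEGACY_NS}"><credentials/>{STUB_SIG}</identity>'
INTEGRITY_OK = (f'<identity xmlns="{INTEGRITY_NS}"><principal name="user1"/>'
                f'<credentials/>{STUB_SIG}</identity>')

if __name__ == "__main__":
    for label, doc in (("legacy", LEGACY_UNSIGNED), ("half-migrated", LEGACY_SIGNED),
                       ("integrity", INTEGRITY_OK)):
        print(label, audit_identity(doc, "user1") or "ok")
```

Run it against the realm directory (fs-realm-users under jboss.server.config.dir in the report) with audit_realm; any non-empty finding list marks a file that the integrity-aware reader will reject.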

              rh-ee-jrodri Jessica Rodriguez
              fjuma1@redhat.com Farah Juma