Bug
Resolution: Done
Priority: Blocker
It is not possible to add integrity support to an existing filesystem realm:
[standalone@localhost:9990 /] /subsystem=elytron/filesystem-realm=exampleSecurityRealm:add(path=fs-realm-users,relative-to=jboss.server.config.dir)
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/filesystem-realm=exampleSecurityRealm:add-identity(identity=user1)
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/filesystem-realm=exampleSecurityRealm:set-password(identity=user1, clear={password="passwordUser1"})
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/filesystem-realm=exampleSecurityRealm:add-identity-attribute(identity=user1, name=Roles, value=["Admin","Guest"])
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/security-domain=exampleSecurityDomain:add(default-realm=exampleSecurityRealm,permission-mapper=default-permission-mapper,realms=[{realm=exampleSecurityRealm}])
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/security-domain=exampleSecurityDomain:read-identity(name=user1)
{
"outcome" => "success",
"result" => {
"name" => "user1",
"attributes" => {"Roles" => [
"Admin",
"Guest"
]},
"roles" => [
"Guest",
"Admin"
]
}
}
[standalone@localhost:9990 /] /subsystem=elytron/key-store=exampleKeystore:add(path=keystore, relative-to=jboss.server.config.dir, type=JKS, credential-reference={clear-text=secret})
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/key-store=exampleKeystore:generate-key-pair(alias=localhost,algorithm=RSA,key-size=1024,validity=365,distinguished-name="CN=localhost")
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/key-store=exampleKeystore:store()
{
"outcome" => "success",
"result" => undefined
}
[standalone@localhost:9990 /] batch
[standalone@localhost:9990 / #] /subsystem=elytron/filesystem-realm=exampleSecurityRealm:write-attribute(name=key-store,value=exampleKeystore)
[standalone@localhost:9990 / #] /subsystem=elytron/filesystem-realm=exampleSecurityRealm:write-attribute(name=key-store-alias,value=localhost)
[standalone@localhost:9990 / #] run-batch
The batch executed successfully
process-state: reload-required
[standalone@localhost:9990 /] reload
[standalone@localhost:9990 /] /subsystem=elytron/filesystem-realm=exampleSecurityRealm:update-key-pair()
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/security-domain=exampleSecurityDomain:read-identity(name=user1)
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0158: Operation handler failed: java.lang.RuntimeException: WFLYELY01005: Could not read identity [user1] from security domain [service org.wildfly.security.security-domain.exampleSecurityDomain].",
"rolled-back" => true
}
I suppose it's because of the missing <principal/> in the XML.
The realm with no integrity support:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<identity xmlns="urn:elytron:1.0">
    <credentials>
        <password algorithm="clear" format="base64">AXBhc3N3b3JkVXNlcjE=</password>
    </credentials>
    <attributes>
        <attribute name="Roles" value="Admin"/>
        <attribute name="Roles" value="Guest"/>
    </attributes>
</identity>
The realm after adding the key pair:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<identity xmlns="urn:elytron:1.0">
    <credentials>
        <password algorithm="clear" format="base64">AXBhc3N3b3JkVXNlcjE=</password>
    </credentials>
    <attributes>
        <attribute name="Roles" value="Admin"/>
        <attribute name="Roles" value="Guest"/>
    </attributes>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
            <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <Reference URI="">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <DigestValue>Vbi3IYFCvupI4/QjZV2es1K5eiF3jzIb+j2We/XOtPc=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>AxBR67h95IDtwGEMKFQBp2FwWhSrlLeIQ0cKHtrmbJcnLTjvEn9LSTiEKL9f5DgvGmqy1VYjDkzX M5qrml7DwvzioJ5vg2ZInIEKcwzSY1ENpgdrY1Lo3NuQWtw6BGeEYbHx5ZSpv2X+z0L8b1rxWR5r iDtSSZ0gl0CwxMrys+w=</SignatureValue>
        <KeyInfo>
            <KeyValue>
                <RSAKeyValue>
                    <Modulus>nqiJaKdlrkpVdobCyy0Xj7f3+hDTR9joednD7fkPtNGE/KmaaNMfC6vypr/9IonS1cE8EZcXSd7/ IA59XCQyVHo+Ul36NTITJwsOdBLMxwUmuw7p+lbbgo0E2JOkyZ1mN92E9+VTC+ZAxB51zOXzZpmd Afn8SF9QTWy0QNDDekM=</Modulus>
                    <Exponent>AQAB</Exponent>
                </RSAKeyValue>
            </KeyValue>
        </KeyInfo>
    </Signature>
</identity>
A realm created with the integrity support from the beginning:
<?xml version="1.0" encoding="UTF-8" standalone="no"?><identity xmlns="urn:elytron:identity:1.2">
<principal name="user1"/>
<credentials>
<password algorithm="clear" format="base64">AXBhc3N3b3JkVXNlcjE=</password>
</credentials>
<attributes>
<attribute name="Roles" value="Admin"/>
<attribute name="Roles" value="Guest"/>
</attributes>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
            <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
            <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <Reference URI="">
                <Transforms>
                    <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                </Transforms>
                <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <DigestValue>AyZ5vqr8Tyy94coxXjUtKTJbpElLY25YxQPx4PpkDnk=</DigestValue>
            </Reference>
        </SignedInfo>
        <SignatureValue>B+YIqMW5RWV/0Q20A6SBmrqFmE2+1UjULb4JSiEo68zEY/gsUK6XDVyEuNveVB6BEum1FX6FiREY
bW/zvsvgDNY59XYdUw3jfLH+qPlt/qQcjbjIwDpUa9TdTtpBCpgcINCXW5B7gtck7NVncbrAktXJ
kFj15pBHMD7oBop9unI=</SignatureValue>
        <KeyInfo>
            <KeyValue>
                <RSAKeyValue>
                    <Modulus>nqiJaKdlrkpVdobCyy0Xj7f3+hDTR9joednD7fkPtNGE/KmaaNMfC6vypr/9IonS1cE8EZcXSd7/
IA59XCQyVHo+Ul36NTITJwsOdBLMxwUmuw7p+lbbgo0E2JOkyZ1mN92E9+VTC+ZAxB51zOXzZpmd
Afn8SF9QTWy0QNDDekM=</Modulus>
                    <Exponent>AQAB</Exponent>
                </RSAKeyValue>
            </KeyValue>
        </KeyInfo>
    </Signature>
</identity>
causes: WFLY-17917 Unable to add integrity support to existing filesystem realm (Closed)
clones: JBEAP-24206 Unable to add integrity support to existing filesystem realm (Closed)
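The following is an added pre-flight audit script; it is not part of the issue report above and not code from WildFly or Elytron. It parses filesystem-realm identity files and flags the shape the report shows failing on read-identity: a file that update-key-pair has signed while it still uses the urn:elytron:1.0 namespace and has no <principal/> element, as opposed to the urn:elytron:identity:1.2 file written by a realm created with integrity enabled. The three sample identities embedded in the block are the files quoted in the report, byte-for-byte as extracted (the pretty-printed copies above are for reading only; re-indenting an enveloped XMLDSig document changes what the signature covers). Assumptions not taken from the report: that the realm directory holds one <name>.xml per identity, possibly nested in subdirectories, and that the file stem can stand in for the name when <principal/> is absent.

```python
"""Pre-flight audit of Elytron filesystem-realm identity files before enabling integrity.

Added example, not from the issue or from WildFly. Flags identities in the shape
that failed read-identity in the report (signed, urn:elytron:1.0, no <principal/>).
"""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, Optional

XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
INTEGRITY_NS = "urn:elytron:identity:1.2"  # namespace written by a realm created with integrity

# Constructed samples: the three identity files quoted in the report, verbatim.
LEGACY = '''<?xml version="1.0" encoding="UTF-8" standalone="no"?><identity xmlns="urn:elytron:1.0"> <credentials> <password algorithm="clear" format="base64">AXBhc3N3b3JkVXNlcjE=</password> </credentials> <attributes> <attribute name="Roles" value="Admin"/> <attribute name="Roles" value="Guest"/> </attributes> </identity>'''

SIGNED_LEGACY = '''<?xml version="1.0" encoding="UTF-8" standalone="no"?><identity xmlns="urn:elytron:1.0"> <credentials> <password algorithm="clear" format="base64">AXBhc3N3b3JkVXNlcjE=</password> </credentials> <attributes> <attribute name="Roles" value="Admin"/> <attribute name="Roles" value="Guest"/> </attributes> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>Vbi3IYFCvupI4/QjZV2es1K5eiF3jzIb+j2We/XOtPc=</DigestValue></Reference></SignedInfo><SignatureValue>AxBR67h95IDtwGEMKFQBp2FwWhSrlLeIQ0cKHtrmbJcnLTjvEn9LSTiEKL9f5DgvGmqy1VYjDkzX M5qrml7DwvzioJ5vg2ZInIEKcwzSY1ENpgdrY1Lo3NuQWtw6BGeEYbHx5ZSpv2X+z0L8b1rxWR5r iDtSSZ0gl0CwxMrys+w=</SignatureValue><KeyInfo><KeyValue><RSAKeyValue><Modulus>nqiJaKdlrkpVdobCyy0Xj7f3+hDTR9joednD7fkPtNGE/KmaaNMfC6vypr/9IonS1cE8EZcXSd7/ IA59XCQyVHo+Ul36NTITJwsOdBLMxwUmuw7p+lbbgo0E2JOkyZ1mN92E9+VTC+ZAxB51zOXzZpmd Afn8SF9QTWy0QNDDekM=</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue></KeyInfo></Signature></identity>'''

INTEGRITY = '''<?xml version="1.0" encoding="UTF-8" standalone="no"?><identity xmlns="urn:elytron:identity:1.2">
<principal name="user1"/>
<credentials>
<password algorithm="clear" format="base64">AXBhc3N3b3JkVXNlcjE=</password>
</credentials>
<attributes>
<attribute name="Roles" value="Admin"/>
<attribute name="Roles" value="Guest"/>
</attributes>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>AyZ5vqr8Tyy94coxXjUtKTJbpElLY25YxQPx4PpkDnk=</DigestValue></Reference></SignedInfo><SignatureValue>B+YIqMW5RWV/0Q20A6SBmrqFmE2+1UjULb4JSiEo68zEY/gsUK6XDVyEuNveVB6BEum1FX6FiREY
bW/zvsvgDNY59XYdUw3jfLH+qPlt/qQcjbjIwDpUa9TdTtpBCpgcINCXW5B7gtck7NVncbrAktXJ
kFj15pBHMD7oBop9unI=</SignatureValue><KeyInfo><KeyValue><RSAKeyValue><Modulus>nqiJaKdlrkpVdobCyy0Xj7f3+hDTR9joednD7fkPtNGE/KmaaNMfC6vypr/9IonS1cE8EZcXSd7/
IA59XCQyVHo+Ul36NTITJwsOdBLMxwUmuw7p+lbbgo0E2JOkyZ1mN92E9+VTC+ZAxB51zOXzZpmd
Afn8SF9QTWy0QNDDekM=</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue></KeyInfo></Signature></identity>'''


def _ns_of(tag: str) -> str:
    """Namespace URI of an ElementTree tag in Clark notation '{uri}local'."""
    return tag[1:].partition("}")[0] if tag.startswith("{") else ""


def audit_identity(xml_text: str, fallback_name: Optional[str] = None) -> dict:
    """Describe one identity file: namespace, <principal/>, enveloped XMLDSig."""
    root = ET.fromstring(xml_text)
    ns = _ns_of(root.tag)
    principal = root.find(f"{{{ns}}}principal" if ns else "principal")
    sig = root.find(f"{{{XMLDSIG_NS}}}Signature")
    method = None
    if sig is not None:
        method = sig.find(f"{{{XMLDSIG_NS}}}SignedInfo/{{{XMLDSIG_NS}}}SignatureMethod")
    return {
        # Assumption: when <principal/> is absent, the caller passes the file stem as the name.
        "name": principal.get("name") if principal is not None else fallback_name,
        "namespace": ns,
        "has_principal": principal is not None,
        "signed": sig is not None,
        "signature_method": method.get("Algorithm") if method is not None else None,
    }


def classify(info: dict) -> str:
    """'integrity': written by an integrity-enabled realm (1.2 namespace + <principal/>).
    'signed-legacy': the shape that failed read-identity in the report.
    'legacy': unsigned pre-integrity file; will become 'signed-legacy' after update-key-pair."""
    if info["has_principal"] and info["namespace"] == INTEGRITY_NS:
        return "integrity"
    if info["signed"]:
        return "signed-legacy"
    return "legacy"


def audit_texts(files: Dict[str, str]) -> Dict[str, str]:
    """Classify a mapping of identity name -> raw XML text."""
    return {name: classify(audit_identity(text, name)) for name, text in files.items()}


def audit_realm(realm_dir) -> Dict[str, str]:
    """Walk a realm directory on disk (assumed layout: <name>.xml, possibly nested)."""
    paths = sorted(Path(realm_dir).rglob("*.xml"))
    return audit_texts({p.stem: p.read_text(encoding="utf-8") for p in paths})


def main() -> None:
    # Demo realm written to a temporary directory; names and nesting are constructed.
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        (base / "u" / "s").mkdir(parents=True)
        (base / "u" / "s" / "user1.xml").write_text(SIGNED_LEGACY, encoding="utf-8")
        (base / "user2.xml").write_text(INTEGRITY, encoding="utf-8")
        (base / "user3.xml").write_text(LEGACY, encoding="utf-8")
        for name, verdict in audit_realm(base).items():
            print(f"{name}: {verdict}")


if __name__ == "__main__":
    main()
```

Run it against the realm's path (the directory named by the realm's path/relative-to attributes) before setting key-store and key-store-alias: any identity reported as legacy will be signed in place by update-key-pair without gaining a <principal/>, which is the state in which read-identity failed above.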