WildFly Core: WFCORE-7201

Filesystem-realm identity created with jboss-cli is not found

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • Affects Version: 26.0.1.Final
    • Component: Security

      1) Create the two-way SSL keystore and truststores
      2) Configure the Elytron subsystem


      # Create a security realm and add the identity
      /subsystem=elytron/filesystem-realm=wsRealm:add(path=https/ids,relative-to=jboss.server.config.dir)
      /subsystem=elytron/filesystem-realm=wsRealm:add-identity(identity="CN=INT ITside-ETtest0x, OU=ALL, O=ALL, L=ALL, ST=itside, C=IT")
      /subsystem=elytron/filesystem-realm=wsRealm:add-identity-attribute(identity="CN=INT ITside-ETtest0x, OU=ALL, O=ALL, L=ALL, ST=itside, C=IT",name=Roles,value=[Int])
      
      # Configure an evidence decoder
      /subsystem=elytron/x500-subject-evidence-decoder=subjectDecoder:add()
      
      # Configure a security domain that references our security realm
      /subsystem=elytron/security-domain=clientCertDomain:add(realms=[{realm=wsRealm}], default-realm=wsRealm, permission-mapper=default-permission-mapper, evidence-decoder=subjectDecoder)
      
      # Configure two-way SSL
      /subsystem=elytron/key-store=serverTS:add(path=https/ts.p12,relative-to=jboss.server.config.dir,credential-reference={clear-text=tspass},type=PKCS12)
      security enable-ssl-http-server --key-store-path=https/sslks.p12 --key-store-path-relative-to=jboss.server.config.dir --key-store-password=kspass --trust-store-name=serverTS --override-ssl-context
      
      # Configure the CLIENT_CERT HTTP mechanism
      /subsystem=elytron/configurable-http-server-mechanism-factory=configuredCert:add(http-server-mechanism-factory=global, properties={org.wildfly.security.http.skip-certificate-verification=true})
      /subsystem=elytron/http-authentication-factory=clientCertAuth:add(http-server-mechanism-factory=configuredCert, security-domain=clientCertDomain, mechanism-configurations=[{mechanism-name=CLIENT_CERT}])
      /subsystem=undertow/application-security-domain=etClientCertSecuritydomain:add(http-authentication-factory=clientCertAuth,override-deployment-config=true)
      
      # Reload the server instance
      reload

      3) Deploy a web application that declares the CLIENT-CERT auth method in web.xml (together with the role declared for the added identity, e.g. Int) and the security domain in jboss-web.xml.

      4a) Look at the org.wildfly.security TRACE logs to verify that the identity file is not found

      2025-02-11 12:11:09,394 TRACE [org.wildfly.security] (default task-1) Principal assigning: [CN=INT ITside-ETtest0x, OU=ALL, O=ALL, L=ALL, ST=itside, C=IT], pre-realm rewritten: [CN=INT ITside-ETtest0x, OU=ALL, O=ALL, L=ALL, ST=itside, C=IT], realm name: [wsRealm], post-realm rewritten: [CN=INT ITside-ETtest0x, OU=ALL, O=ALL, L=ALL, ST=itside, C=IT], realm rewritten: [CN=INT ITside-ETtest0x, OU=ALL, O=ALL, L=ALL, ST=itside, C=IT]
      2025-02-11 12:12:21,539 TRACE [org.wildfly.security] (default task-1) Authorization failed - realm identity does not exists
      2025-02-11 12:12:21,540 TRACE [org.wildfly.security] (default task-1) Handling CachedIdentityAuthorizeCallback: principal = CN=INT ITside-ETtest0x, OU=ALL, O=ALL, L=ALL, ST=itside, C=IT  authorizedIdentity = null 

      4b) Debug the ServerAuthorizationContext.doAuthorization method to verify the path of the XML identity file that is being looked for:

      if (! realmIdentity.exists()) {
          ElytronMessages.log.trace("Authorization failed - realm identity does not exists");
          return null;
      }

    • Workaround Exists

      The workaround, if applicable, involves two steps:

      1. Set the "encoded" attribute to false in the filesystem-realm declaration
      2. After adding the identity with the jboss-cli, manually remove the blank spaces after the commas that separate the DN components in the identity filename

      An identity created with the jboss-cli is not found during authorization. The identity filename (suffixed with the Base32 encoding) created by jboss-cli is different from the one that is looked up during authorization.

      The scenario was reproduced starting from the Elytron example "client-cert-with-authorization-and-evidence-decoders".

      The script was modified to use only one principal decoder, which does not apply any transformation and therefore yields the whole DN as the principal name.

      This is the name of the identity file that was created by the jboss-cli:

      cn_int_itside_ettest0x__ou_all__o_all__l_all__st_itside__c_it-INHD2SKOKQQESVDTNFSGKLKFKR2GK43UGB4CYICPKU6UCTCMFQQE6PKBJRGCYICMHVAUYTBMEBJVIPLJORZWSZDFFQQEGPKJKQ.xml 

      This is the name of the identity file that is looked up during authorization:

      cn_int_itside_ettest0x_ou_all_o_all_l_all_st_itside_c_it-INHD2SKOKQQESVDTNFSGKLKFKR2GK43UGB4CYT2VHVAUYTBMJ46UCTCMFRGD2QKMJQWFGVB5NF2HG2LEMUWEGPKJKQ.xml 

      If the "encoded" attribute of the filesystem-realm is set to false, the issue still occurs. In this case, this is the filename of the identity file that was created by the jboss-cli:

      CN=INT ITside-ETtest0x, OU=ALL, O=ALL, L=ALL, ST=itside, C=IT.xml

      This is the name of the identity file that is looked up during authorization:

      CN=INT ITside-ETtest0x,OU=ALL,O=ALL,L=ALL,ST=itside,C=IT.xml
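      To make the mismatch concrete, the Python below is an added re-implementation of the file naming that the two quoted filenames imply; it is not Elytron's or WildFly's code. The assumed scheme is: NFKC-normalise and lower-case the name, map every character outside [a-z0-9] to an underscore, and, when encoded is true, append a hyphen plus the unpadded Base32 of the original name; with encoded false the raw name is used. CLI_NAME and DECODED_NAME are taken from this report, while compact_dn and lookup_matches are hypothetical helpers added for the demonstration.

```python
import base64
import re
import unicodedata

# Taken from the report: the name stored by the jboss-cli add-identity command
# and the name the x500-subject-evidence-decoder presents during authorization.
CLI_NAME = "CN=INT ITside-ETtest0x, OU=ALL, O=ALL, L=ALL, ST=itside, C=IT"
DECODED_NAME = "CN=INT ITside-ETtest0x,OU=ALL,O=ALL,L=ALL,ST=itside,C=IT"


def identity_file_name(name: str, encoded: bool = True) -> str:
    """Assumed re-implementation (not Elytron's code) of the filesystem realm's
    identity file naming, inferred from the filenames quoted in the report."""
    if not encoded:
        # encoded=false: the identity name is used verbatim as the file name.
        return name + ".xml"
    slug = unicodedata.normalize("NFKC", name).lower()
    slug = re.sub(r"[^a-z0-9]", "_", slug)          # ", " becomes "__"
    raw = base64.b32encode(name.encode("utf-8")).decode("ascii")
    return f"{slug}-{raw.rstrip('=')}.xml"           # Base32 of the ORIGINAL name


def compact_dn(name: str) -> str:
    """Hypothetical helper: drop the whitespace after RDN separators, which is
    the only difference between the stored and the looked-up name here."""
    return re.sub(r",\s+", ",", name)


def lookup_matches(stored: str, presented: str, encoded: bool = True) -> bool:
    """True when the file written for `stored` is the file looked up for `presented`."""
    return identity_file_name(stored, encoded) == identity_file_name(presented, encoded)


if __name__ == "__main__":
    for enc in (True, False):
        print(f"encoded={enc}")
        print("  created  :", identity_file_name(CLI_NAME, enc))
        print("  looked up:", identity_file_name(DECODED_NAME, enc))
        print("  match    :", lookup_matches(CLI_NAME, DECODED_NAME, enc))
    print("compact DN matches:", lookup_matches(compact_dn(CLI_NAME), DECODED_NAME))
```

Running it reproduces both pairs of filenames from the report and shows that only a name without the spaces after the commas resolves to the file the authorization step looks for.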

    • Assignee: Unassigned
    • Reporter: Luca Bueti (Inactive)
    • Votes: 0
    • Watchers: 5