WildFly / WFLY-8316

Mapping roles in legacy security domain is ignored when this domain is used as Elytron realm

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Critical
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 11.0.0.Beta1
    • Component/s: Security
    • Labels:
      None
    • Steps to Reproduce:

      1) create property files /tmp/users.properties and /tmp/roles.properties
      /tmp/users.properties:

      admin=admin
      

      /tmp/roles.properties:

      admin=JBossAdmin
      

      2) add legacy configuration to application server

      <security-domain name="legacyDomain" cache-type="default">
          <authentication>
              <login-module code="UsersRoles" flag="required">
                  <module-option name="usersProperties" value="/tmp/users.properties"/>
                  <module-option name="rolesProperties" value="/tmp/roles.properties"/>
              </login-module>
          </authentication>
          <mapping>
              <mapping-module code="SimpleRoles" type="role">
                  <module-option name="admin" value="User"/>
              </mapping-module>
          </mapping>
      </security-domain>
      ...
      <elytron-integration>
          <security-realms>
              <elytron-realm name="exportedDomain" legacy-jaas-config="legacyDomain"/>
          </security-realms>
      </elytron-integration>
      

      3) setup Elytron part:

      /subsystem=elytron/simple-role-decoder=roles-decoder:add(attribute=Roles)
      /subsystem=elytron/security-domain=elytronDomain:add(default-realm=exportedDomain,permission-mapper=default-permission-mapper,realms=[{realm=exportedDomain,role-decoder=roles-decoder}])
      /subsystem=elytron/http-authentication-factory=elytron-http-auth:add(http-server-mechanism-factory=global,security-domain=elytronDomain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="Exported Realm"}]}])
      /subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=elytron-http-auth)
      

      4) Deploy application for printing roles (see attachments)

      5) Access http://127.0.0.1:8080/print-roles/protected/printRoles?role=User&role=JBossAdmin and login with admin/admin - only role JBossAdmin is assigned

      6) Optional: in deployment, change security-domain in jboss-web.xml to legacyDomain (to use legacy security domain directly) and access application again - both roles JBossAdmin and User are assigned


      Description

      When a legacy security domain is used as an Elytron realm, the roles assigned by its mapping modules are not visible in the Elytron security realm.

      For example, the UsersRoles login module assigns role JBossAdmin to user admin, and the SimpleRoles mapping module then additionally assigns role User to user admin through:

      <mapping>
          <mapping-module code="SimpleRoles" type="role">
              <module-option name="admin" value="User"/>
          </mapping-module>
      </mapping>
      

      In this setup only role JBossAdmin is available to Elytron. The following appears in the server log:

      Authorizing against the following attributes: [Roles, CallerPrincipal] => [JBossAdmin, admin]
      

      When the same legacy security domain is used directly as a PicketBox security domain, both roles, JBossAdmin and User, are assigned to user admin.
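      The "application for printing roles" deployed in step 4 is an attachment that is not part of this page. The servlet below is an added example of the kind of deployment used to verify this report; it is not the reporter's attachment and not WildFly code. It assumes the Servlet 3.1 API (javax.servlet) available in WildFly 10/11, a hypothetical package name, BASIC authentication configured in the deployment's web.xml, and that jboss-web.xml binds the deployment to the security domain under test (print-roles for the Elytron path from step 3, legacyDomain for the direct PicketBox path from step 6). For each role passed as a ?role= query parameter it prints whether the authenticated caller holds it, so the two paths can be compared with identical requests.

```java
// Added example: a servlet that reports, for each "role" query parameter,
// whether the authenticated caller holds that role. Hypothetical package name.
package org.example.printroles;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Path matches the URL used in step 5 of the reproducer.
@WebServlet("/protected/printRoles")
// "**" is the Servlet 3.1 special role name meaning "any authenticated user":
// authentication is forced, but no particular role is required, so the
// servlet can report on whichever roles the container actually assigned.
@ServletSecurity(@HttpConstraint(rolesAllowed = {"**"}))
public class PrintRolesServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // The caller principal as the container sees it after authentication.
        Principal caller = req.getUserPrincipal();
        out.println("caller=" + (caller == null ? "<anonymous>" : caller.getName()));

        // One line per requested role, e.g. ?role=User&role=JBossAdmin.
        String[] roles = req.getParameterValues("role");
        if (roles == null || roles.length == 0) {
            out.println("no ?role= parameters given");
            return;
        }
        for (String role : roles) {
            // isUserInRole consults the roles the security domain mapped to the caller.
            out.println(role + "=" + req.isUserInRole(role));
        }
    }
}
```

      With the request from step 5 (login admin/admin, roles User and JBossAdmin requested), the behaviour described in this report shows up as JBossAdmin=true and User=false when jboss-web.xml points at print-roles (legacy domain exported as an Elytron realm), and as both true when it points at legacyDomain directly. The difference comes only from the mapping-module roles being dropped on the Elytron path; the servlet itself is identical in both runs.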


                People

                • Assignee: Stefan Guilhen (sguilhen)
                • Reporter: Ondrej Lukas (olukas)