
AggregateRealm is failing in authentication with token-realm


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • 1.10.8.Final, 1.13.0.Final

      Configuration Snap:

      <security-domain name="aggregate-domain" default-realm="aggregate-test-realm" permission-mapper="default-permission-mapper">
          <realm name="aggregate-test-realm" role-decoder="from-roles-attribute"/>
      </security-domain>

      <aggregate-realm name="aggregate-test-realm" authentication-realm="jwt-realm" authorization-realm="ldap-realm"/>

      <ldap-realm name="ldap-realm" dir-context="ldap-context" direct-verification="true">
          <identity-mapping rdn-identifier="sAMAccountName" use-recursive-search="true" search-base-dn="CN=USERS,DC=TEST,DC=COM">
              <attribute-mapping>
                  <attribute from="cn" to="Roles" filter="(& (objectClass=group)(member={1}))" filter-base-dn="CN=USERS,DC=TEST,DC=COM" role-recursion="5"/>
              </attribute-mapping>
          </identity-mapping>
      </ldap-realm>

      <token-realm name="jwt-realm" principal-claim="preferred_username">
          <jwt issuer="http://localhost:8080/auth/realms/ldap-test" audience="RestEasy" key-store="jwt-key" certificate="jwt"/>
      </token-realm>

      Authentication fails when a token-realm is configured as the authentication-realm of an aggregate-realm and an ldap-realm is configured as its authorization-realm.

      It is found that AggregateSecurityRealm#getRealmIdentity is attempting to get the realm identity to be used for authentication using the JWT realm and it attempts to get the realm identity to be used for authorization using the LDAP realm. In both cases, the BearerTokenEvidence is being used to try to obtain the realm identity. The problem with this is that the LdapSecurityRealm won't be able to obtain the principal from the BearerTokenEvidence so the authorizationIdentity will just be the RealmIdentity.NON_EXISTENT identity, resulting in the "User does not exist" error.

      2020-06-11 08:51:06,767 TRACE [org.wildfly.security] (default task-1) Handling MechanismInformationCallback type='HTTP' name='BEARER_TOKEN' host-name='localhost' protocol='http'
      2020-06-11 08:51:06,769 TRACE [org.wildfly.security] (default task-1) Evidence verification: evidence = org.wildfly.security.evidence.BearerTokenEvidence@2587e47f evidencePrincipal = null
      2020-06-11 08:51:06,782 DEBUG [org.wildfly.security] (default task-1) Token is using algorithm [RS256]
      2020-06-11 08:51:06,789 DEBUG [org.wildfly.security] (default task-1) Token is using algorithm [RS256]
      2020-06-11 08:51:06,792 TRACE [org.wildfly.security] (default task-1) BEARER_TOKEN: org.wildfly.security.http.HttpAuthenticationException: ELY05053: Callback handler failed for unknown reason
      at org.wildfly.security.mechanism._private.MechanismUtil.handleCallbacks(MechanismUtil.java:161)
      ... 41 more
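      The root cause described above, as a simplified model added here for illustration (hypothetical types and method names, not Elytron's own API or its fix): handing the same BearerTokenEvidence to a realm that can only resolve identities by name yields the non-existent identity, whereas deriving the principal from the authenticated identity and using that for the authorization lookup resolves the user.

```java
import java.util.Map;

// Constructed model of the aggregate-realm flow; names are hypothetical, not Elytron's API.
public class AggregateRealmDemo {
    interface Evidence {}
    record BearerTokenEvidence(String token) implements Evidence {}
    record Identity(String name, boolean exists) {
        static final Identity NON_EXISTENT = new Identity(null, false);
    }
    interface Realm {
        Identity byEvidence(Evidence e);    // authentication path (evidence in)
        Identity byPrincipal(String name);  // authorization path (principal in)
    }
    /** Token realm: the only realm that can read a principal out of a bearer token. */
    static class TokenRealm implements Realm {
        public Identity byEvidence(Evidence e) {
            // Constructed stand-in for JWT verification plus the principal-claim lookup.
            if (e instanceof BearerTokenEvidence b && b.token().startsWith("user:"))
                return new Identity(b.token().substring(5), true);
            return Identity.NON_EXISTENT;
        }
        public Identity byPrincipal(String name) { return new Identity(name, true); }
    }
    /** LDAP realm: resolves users by name only; a bearer token carries no usable principal for it. */
    static class LdapRealm implements Realm {
        private final Map<String, String> roles = Map.of("alice", "admin"); // constructed directory
        public Identity byEvidence(Evidence e) { return Identity.NON_EXISTENT; }
        public Identity byPrincipal(String name) {
            return roles.containsKey(name) ? new Identity(name, true) : Identity.NON_EXISTENT;
        }
    }
    /** Behaviour reported in the issue: the same evidence is passed to both realms. */
    static Identity authorizeBuggy(Realm authn, Realm authz, Evidence e) {
        Identity authnId = authn.byEvidence(e);
        Identity authzId = authz.byEvidence(e); // LDAP cannot interpret the token: NON_EXISTENT
        return (authnId.exists() && authzId.exists()) ? authzId : Identity.NON_EXISTENT;
    }
    /** Corrected flow: authenticate with the evidence, authorize with the resulting principal. */
    static Identity authorizeFixed(Realm authn, Realm authz, Evidence e) {
        Identity authnId = authn.byEvidence(e);
        if (!authnId.exists()) return Identity.NON_EXISTENT;
        return authz.byPrincipal(authnId.name());
    }
    public static void main(String[] args) {
        Evidence token = new BearerTokenEvidence("user:alice"); // constructed sample token
        System.out.println("buggy exists=" + authorizeBuggy(new TokenRealm(), new LdapRealm(), token).exists());
        System.out.println("fixed exists=" + authorizeFixed(new TokenRealm(), new LdapRealm(), token).exists());
    }
}
```

      Requires Java 16 or later (records and pattern-matching instanceof).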


            fjuma1@redhat.com Farah Juma