WildFly Elytron: ELY-691

Elytron properties-realm is not compatible with legacy user property files

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Done
    • Affects Version/s: 1.1.0.Beta11
    • Fix Version/s: 1.1.0.Beta12
    • Component/s: None
    • Labels: None
    • Steps to Reproduce:
      To try how it works in the legacy security solution:
      1) add the following to $SERVER_HOME/standalone/configuration/mgmt-users.properties:

      elytron:password
      !elytron=password
      elytronumlautöäü=password
      elytron用戶=password
      backslash\\=password
      backslash\\inthemiddle=password
      dn\=elytron,dc\=wildfly,dc\=org=password
      elytron1=pass=word
      elytron2=password\\
      elytron3=pass\\word
      elytron4=passwordWithumlautöäü
      elytron5=用戶
      

      2) configure ManagementRealm to use plain-text password:

      /core-service=management/security-realm=ManagementRealm/authentication=properties:write-attribute(name=plain-text,value=true)
      

      3) remove local authentication:

      /core-service=management/security-realm=ManagementRealm/authentication=local:remove()
      

      4) Try to log in to jboss-cli with the users mentioned in this JIRA description -> all pass (except !elytron/password, which correctly fails)

      To reproduce this issue in Elytron, use the related tests from org.wildfly.security.auth.realm.LegacyPropertiesSecurityRealmTest in the Elytron unit tests.

      Description

      When a users properties file (e.g. mgmt-users.properties) used by the legacy properties security realm is taken and used with the Elytron properties-realm (backed by org.wildfly.security.auth.realm.LegacyPropertiesSecurityRealm), there exist username/password combinations which do not work correctly.

      The following scenarios, which use the username/password entries listed below, work correctly for the properties file used by the legacy solution and do not work for Elytron:

      elytron:password                            // results in username elytron with password password
      elytronumlautöäü=password                   // results in username elytronumlautöäü with password password
      elytron用戶=password                        // results in username elytron用戶 with password password
      backslash\\=password                        // results in username backslash\ with password password
      backslash\\inthemiddle=password             // results in username backslash\inthemiddle with password password
      dn\=elytron,dc\=wildfly,dc\=org=password    // results in username dn=elytron,dc=wildfly,dc=org with password password
      elytron1=pass=word                          // results in username elytron1 with password pass=word - covered by JBEAP-6581
      elytron2=password\\                         // results in username elytron2 with password password\
      elytron3=pass\\word                         // results in username elytron3 with password pass\word
      elytron4=passwordWithumlautöäü              // results in username elytron4 with password passwordWithumlautöäü
      elytron5=用戶                               // results in username elytron5 with password 用戶
      

      Also, '!' can be used for comments. This means that !elytron=password should be considered not as user !elytron but as a comment.
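
The expected results listed above match the parsing rules of java.util.Properties (':' as a separator, '!' as a comment marker, backslash escapes). The following added example, which is not Elytron's code or one of the project's tests, loads the issue's entries with java.util.Properties as the reference and compares them with a hypothetical naive line splitter; the class name LegacyUsersFileCheck and the naiveParse helper are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;

public class LegacyUsersFileCheck {
    // Constructed sample: the entries from this issue, as they appear in the file.
    // Each backslash in the file is written as "\\" in a Java string literal.
    static final String FILE = String.join("\n",
        "elytron:password",
        "!elytron=password",
        "elytronumlautöäü=password",
        "elytron用戶=password",
        "backslash\\\\=password",
        "backslash\\\\inthemiddle=password",
        "dn\\=elytron,dc\\=wildfly,dc\\=org=password",
        "elytron1=pass=word",
        "elytron2=password\\\\",
        "elytron3=pass\\\\word",
        "elytron4=passwordWithumlautöäü",
        "elytron5=用戶");

    // Hypothetical naive parser: '#' comments only, split at the first '=', no unescaping.
    static Map<String, String> naiveParse(String content) {
        Map<String, String> users = new LinkedHashMap<>();
        for (String line : content.split("\n")) {
            int eq = line.indexOf('=');
            if (line.startsWith("#") || eq < 0) continue;
            users.put(line.substring(0, eq), line.substring(eq + 1));
        }
        return users;
    }

    public static void main(String[] args) throws IOException {
        Properties reference = new Properties();
        // A Reader is used so that non-ASCII names are not decoded as ISO-8859-1.
        reference.load(new StringReader(FILE));
        Map<String, String> naive = naiveParse(FILE);

        for (String user : reference.stringPropertyNames()) {
            String expected = reference.getProperty(user);
            String status = expected.equals(naive.get(user)) ? "same" : "DIFFERS";
            System.out.printf("%-32s -> %-24s naive parser: %s%n", user, expected, status);
        }
        // Entries only the naive parser produces, such as the '!' comment line.
        naive.keySet().removeIf(reference::containsKey);
        System.out.println("accepted only by naive parser: " + naive.keySet());
    }
}
```

Any entry reported as DIFFERS or listed as accepted only by the naive parser is a place where a migrated users file would either lock out an existing account or turn a commented-out line into a usable one.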

                People

                • Assignee: honza889 Jan Kalina
                • Reporter: olukas Ondrej Lukas