Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-869

Elytron security realms cannot be used only for authorization

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Blocker
    • 1.1.0.Beta20
    • 1.1.0.Beta18
    • Realms
    • None
    • Hide

      1) Configure Elytron Filesystem Realm for authentication and add users user and admin

      /subsystem=elytron/filesystem-realm=authnRealm:add(path=/tmp/fsRealm)
/subsystem=elytron/filesystem-realm=authnRealm/identity=user:add()
/subsystem=elytron/filesystem-realm=authnRealm/identity=user:set-password(clear={password=password})
/subsystem=elytron/filesystem-realm=authnRealm/identity=admin:add()
/subsystem=elytron/filesystem-realm=authnRealm/identity=admin:set-password(clear={password=password})

      2) Configure Elytron Properties Realm for authorization (and add user user to user properties file)
      Create /tmp/users.properties with following content:

      #$REALM_NAME=authzRealm$
#user=whateverHere
user=f3ef5b78a64bafdcae8d47ffbfecb8fc

      Create /tmp/roles.properties with following content:

      user=JBossAdmin
admin=JBossAdmin

      Add Properties Realm:

      /subsystem=elytron/properties-realm=authzRealm:add(users-properties={path=/tmp/users.properties},groups-properties={path=/tmp/roles.properties})

      3) Configure Aggregate Realm

      /subsystem=elytron/aggregate-realm=aggregateRealm:add(authentication-realm=authnRealm,authorization-realm=authzRealm)

      4) Configure rest of needed Elytron resources

      /subsystem=elytron/security-domain=appSecurityDomain:add(default-realm=aggregateRealm,permission-mapper=default-permission-mapper,realms=[{realm=aggregateRealm,role-decoder=groups-to-roles}])
/subsystem=elytron/http-authentication-factory=authFactory:add(http-server-mechanism-factory=global,security-domain=appSecurityDomain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="aggregateRealm"}]}])
/subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=authFactory)

      5) Deploy app for printing roles (see attachments)

      6) Try to authenticate to application
      Access http://127.0.0.1:8080/print-roles/protected/printRoles?role=JBossAdmin and try to use following users:

      • user/password - authentication pass (because user user is included in /tmp/users.properties and role JBossAdmin is assigned to them
      • admin/password - authentication pass but authorization fail (HTTP status 403 is returned)

      In correct behavior authentication should pass for both users and role JBossAdmin should be assigned to them.

      Show
      1) Configure Elytron Filesystem Realm for authentication and add users user and admin /subsystem=elytron/filesystem-realm=authnRealm:add(path=/tmp/fsRealm) /subsystem=elytron/filesystem-realm=authnRealm/identity=user:add() /subsystem=elytron/filesystem-realm=authnRealm/identity=user:set-password(clear={password=password}) /subsystem=elytron/filesystem-realm=authnRealm/identity=admin:add() /subsystem=elytron/filesystem-realm=authnRealm/identity=admin:set-password(clear={password=password}) 2) Configure Elytron Properties Realm for authorization (and add user user to user properties file) Create /tmp/users.properties with following content: #$REALM_NAME=authzRealm$ #user=whateverHere user=f3ef5b78a64bafdcae8d47ffbfecb8fc Create /tmp/roles.properties with following content: user=JBossAdmin admin=JBossAdmin Add Properties Realm: /subsystem=elytron/properties-realm=authzRealm:add(users-properties={path=/tmp/users.properties},groups-properties={path=/tmp/roles.properties}) 3) Configure Aggregate Realm /subsystem=elytron/aggregate-realm=aggregateRealm:add(authentication-realm=authnRealm,authorization-realm=authzRealm) 4) Configure rest of needed Elytron resources /subsystem=elytron/security-domain=appSecurityDomain:add( default -realm=aggregateRealm,permission-mapper= default -permission-mapper,realms=[{realm=aggregateRealm,role-decoder=groups-to-roles}]) /subsystem=elytron/http-authentication-factory=authFactory:add(http-server-mechanism-factory=global,security-domain=appSecurityDomain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name= "aggregateRealm" }]}]) /subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=authFactory) 5) Deploy app for printing roles (see attachments) 6) Try to authenticate to application Access http://127.0.0.1:8080/print-roles/protected/printRoles?role=JBossAdmin and try to use following users: user/password - authentication pass (because user user is included in /tmp/users.properties and role JBossAdmin is assigned to them admin/password - authentication pass but authorization fail (HTTP status 403 is returned) In correct behavior authentication should pass for both users and role JBossAdmin should be assigned to them.

    Description

      Scenario: I try to configure application server for scenario when different identity stores are used for authentication and authorization (e.g. username/password are stored in LDAP and roles are assigned from Database).

      In case when authentication and authorization is handled by different security realms in Elytron (i.e. aggregate realm is used) then authorization works only in case, when identity store for realm used for authorization includes the username also for authentication. See Steps to Reproduce for more details.

      We request blocker since using different identity stores for authentication and authorization is common scenario which should be provided by Elytron. Even out documentation explicitly mentioned that scenarios [1]:
      Consider the case where users are managed in a central LDAP server and application-specific roles are stored in the application’s relational database.

      I tried this scenario with Properties and Filesystem Realms for authentication and Properties and Ldap Realms for authorization.

      [1] https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/security-architecture/

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-8229 Elytron security realms cannot be used only for authorization

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified
          relates to

          Bug - A problem that impairs or prevents the functions of the product. ELY-760 Elytron Ldap Realm searches roles before validating password

          • Critical - To be worked on immediately following BLOCKER issues.
          • Resolved

          Activity

            People

              jkalina@redhat.com Jan Kalina (Inactive)
              olukas Ondrej Lukas (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: