WildFly / WFLY-18310

IIOP: Elytron security configuration

Details

    • Type: Task
    • Resolution: Unresolved
    • Priority: Major
    • Component: IIOP

    Description

      1) javax.rmi.PortableRemoteObject was removed in JDK 11; we still have this in EAP but not in the jboss-client.jar, and we probably need to pull in some jar so that clients on JDK 11+ can still compile and run.

      2) com.sun.jndi.cosnaming.CNCtxFactory was removed from the JDK as well, which standalone Java apps would have used to call an EJB over IIOP. We have this org.wildfly.iiop.openjdk.naming.jndi.CNCtxFactory in EAP, though it is not in the jboss-client.jar, and I have not been able to make it work yet due to different errors.

      import java.util.Hashtable;
      import javax.naming.Context;
      import javax.naming.InitialContext;

      // JNDI environment pointing the CosNaming context factory at the server's IIOP naming root
      Hashtable<String, String> env = new Hashtable<String, String>();
      env.put(Context.INITIAL_CONTEXT_FACTORY, "org.wildfly.iiop.openjdk.naming.jndi.CNCtxFactory");
      env.put(Context.PROVIDER_URL, "corbaloc::localhost:3528/JBoss/Naming/root");
      Context ctx = new InitialContext(env);

      3) I am not sure this is supposed to work; when I tried I did not see it working, unless there is a bug. And I am not sure how you would try to do a LoginContext login with Elytron.

      import org.wildfly.security.auth.client.AuthenticationConfiguration;
      import org.wildfly.security.auth.client.AuthenticationContext;
      import org.wildfly.security.auth.client.MatchRule;
      import org.wildfly.security.sasl.SaslMechanismSelector;

      // Elytron client configuration: DIGEST-MD5 only, with the given user name and password
      AuthenticationConfiguration common = AuthenticationConfiguration.empty()
              .setSaslMechanismSelector(SaslMechanismSelector.NONE.addMechanism("DIGEST-MD5"));
      AuthenticationConfiguration authConf = common.useName(username).usePassword(password);
      // Apply that configuration to every outbound connection made inside the callable
      final AuthenticationContext authCtx = AuthenticationContext.empty().with(MatchRule.ALL, authConf);
      authCtx.runCallable(...)

      Trace logging on the server when I try to use the elytron auth context looks like it sees the principal as ejbuser correctly, but then it seems to go anonymous:

      2023-06-05 19:37:53,291 TRACE [org.jboss.as.ejb3] (p: default-threadpool; w: Idle) EJBObject invocation: create
      2023-06-05 19:37:53,309 TRACE [org.wildfly.security] (p: default-threadpool; w: Idle) Principal assigning: [ejbuser], pre-realm rewritten: [ejbuser], realm name: [ApplicationRealm], post-realm rewritten: [ejbuser], realm rewritten: [ejbuser]
      2023-06-05 19:37:53,320 TRACE [org.wildfly.security] (p: default-threadpool; w: Idle) Permission mapping: identity [anonymous] with roles [] implies ("org.wildfly.security.auth.permission.RunAsPrincipalPermission" "ejbuser") = false
      2023-06-05 19:37:53,320 TRACE [org.wildfly.security] (p: default-threadpool; w: Idle) Authorization failed - source identity does not have RunAsPrincipalPermission
      2023-06-05 19:37:53,320 TRACE [org.jboss.as.ejb3] (p: default-threadpool; w: Idle) Exception in EJBObject invocation: org.wildfly.security.authz.AuthorizationFailureException: ELY01088: Attempting to run as "ejbuser" authorization operation failed
      at org.wildfly.security.auth.server.SecurityIdentity.createRunAsIdentity(SecurityIdentity.java:750)
      at org.wildfly.security.auth.server.SecurityIdentity.createRunAsIdentity(SecurityIdentity.java:725)
      at org.jboss.as.ejb3.iiop.EjbCorbaServant._invoke(EjbCorbaServant.java:323)
      at com.sun.corba.se.impl.protocol.CorbaServerRequestDispatcherImpl.dispatchToServant(CorbaServerRequestDispatcherImpl.java:654)
      at com.sun.corba.se.impl.protocol.CorbaServerRequestDispatcherImpl.dispatch(CorbaServerRequestDispatcherImpl.java:205)
      at com.sun.corba.se.impl.protocol.CorbaMessageMediatorImpl.handleRequestRequest(CorbaMessageMediatorImpl.java:1700)
      at com.sun.corba.se.impl.protocol.CorbaMessageMediatorImpl.handleRequest(CorbaMessageMediatorImpl.java:1558)
      at com.sun.corba.se.impl.protocol.CorbaMessageMediatorImpl.handleInput(CorbaMessageMediatorImpl.java:940)
      at com.sun.corba.se.impl.protocol.giopmsgheaders.RequestMessage_1_2.callback(RequestMessage_1_2.java:198)
      at com.sun.corba.se.impl.protocol.CorbaMessageMediatorImpl.handleRequest(CorbaMessageMediatorImpl.java:712)
      at com.sun.corba.se.impl.transport.SocketOrChannelConnectionImpl.dispatch(SocketOrChannelConnectionImpl.java:474)
      at com.sun.corba.se.impl.transport.SocketOrChannelConnectionImpl.doWork(SocketOrChannelConnectionImpl.java:1237)
      at com.sun.corba.se.impl.orbutil.threadpool.ThreadPoolImpl$WorkerThread.performWork(ThreadPoolImpl.java:490)
      at com.sun.corba.se.impl.orbutil.threadpool.ThreadPoolImpl$WorkerThread.run(ThreadPoolImpl.java:519) 

      4) The iiop subsystem seems to have client & server config options, but I did not see how you might specify the server-side Elytron config to use.

      <subsystem xmlns="urn:jboss:domain:iiop-openjdk:2.1">
          <orb socket-binding="iiop"/>
          <initializers security="elytron" transactions="spec"/>
          <security server-requires-ssl="false" client-requires-ssl="false" client-requires="ClientAuth" server-supports="ClientAuth" server-requires="ClientAuth"/>
          <sas-context caller-propagation="supported"/>
      </subsystem>

      authentication-context - The name of the authentication context used when the security initializer is set to 'elytron'.
      • Is this used for server side? The elytron definition looks like it is for client side config.

      security-domain - The name of the security domain that holds the key and trust stores that will be used to establish SSL connections / alternatives: server-ssl-context, client-ssl-context
      • This is Picketbox security?

      server-ssl-context - The name of the SSL context used to create server side SSL sockets. / alternatives=security-domain
      • This is Elytron for SSL?

      realm - The authentication service (AS) realm name.
      • I am not sure if this is Picketbox, Elytron or other.
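      The trace excerpt in item 3 shows the realm assigning the principal ejbuser and, a few milliseconds later on the same worker thread, the RunAsPrincipalPermission check being evaluated against the anonymous identity. As an added triage aid (this is example code written for this page, not part of the issue, of WildFly or of Elytron), the following Python script parses server TRACE lines in the layout shown above, correlates each "Permission mapping" decision with the most recent "Principal assigning" line on the same thread, and flags that exact pattern so it can be told apart from an ordinary run-as denial. The sample log is the issue's own lines plus one constructed success case on a second thread; the thread tag "Idle-2", the user svc-gateway and the role "gateway" are made up, and the regular expressions assume the log format exactly as quoted in the issue.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the TRACE lines quoted in the issue, one stack-trace frame
# (to show that continuation lines are skipped) and a constructed success case
# on a second worker thread so the triage has a negative example to compare with.
SAMPLE_LOG = """\
2023-06-05 19:37:53,291 TRACE [org.jboss.as.ejb3] (p: default-threadpool; w: Idle) EJBObject invocation: create
2023-06-05 19:37:53,309 TRACE [org.wildfly.security] (p: default-threadpool; w: Idle) Principal assigning: [ejbuser], pre-realm rewritten: [ejbuser], realm name: [ApplicationRealm], post-realm rewritten: [ejbuser], realm rewritten: [ejbuser]
2023-06-05 19:37:53,320 TRACE [org.wildfly.security] (p: default-threadpool; w: Idle) Permission mapping: identity [anonymous] with roles [] implies ("org.wildfly.security.auth.permission.RunAsPrincipalPermission" "ejbuser") = false
2023-06-05 19:37:53,320 TRACE [org.wildfly.security] (p: default-threadpool; w: Idle) Authorization failed - source identity does not have RunAsPrincipalPermission
2023-06-05 19:37:53,320 TRACE [org.jboss.as.ejb3] (p: default-threadpool; w: Idle) Exception in EJBObject invocation: org.wildfly.security.authz.AuthorizationFailureException: ELY01088: Attempting to run as "ejbuser" authorization operation failed
at org.wildfly.security.auth.server.SecurityIdentity.createRunAsIdentity(SecurityIdentity.java:750)
2023-06-05 19:38:10,002 TRACE [org.wildfly.security] (p: default-threadpool; w: Idle-2) Principal assigning: [svc-gateway], pre-realm rewritten: [svc-gateway], realm name: [ApplicationRealm], post-realm rewritten: [svc-gateway], realm rewritten: [svc-gateway]
2023-06-05 19:38:10,009 TRACE [org.wildfly.security] (p: default-threadpool; w: Idle-2) Permission mapping: identity [svc-gateway] with roles [gateway] implies ("org.wildfly.security.auth.permission.RunAsPrincipalPermission" "ejbuser") = true
"""

# Assumed log layout: "<date> <time> <LEVEL> [<logger>] (<thread tag>) <message>", as quoted in the issue.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>\w+) \[(?P<logger>[^\]]+)\] \((?P<thread>[^)]*)\) (?P<msg>.*)$")
PRINCIPAL_RE = re.compile(r"Principal assigning: \[(?P<principal>[^\]]*)\].*?realm name: \[(?P<realm>[^\]]*)\]")
RUNAS_RE = re.compile(
    r'Permission mapping: identity \[(?P<identity>[^\]]*)\] with roles \[(?P<roles>[^\]]*)\] '
    r'implies \("org\.wildfly\.security\.auth\.permission\.RunAsPrincipalPermission" '
    r'"(?P<target>[^"]*)"\) = (?P<result>true|false)'
)


@dataclass
class RunAsEvent:
    timestamp: str
    thread: str
    assigned_principal: Optional[str]  # from the last "Principal assigning" line on the same thread
    realm: Optional[str]
    source_identity: str               # identity the permission mapper actually evaluated
    target: str                        # principal the servant attempted to run as
    roles: list
    granted: bool

    def diagnosis(self) -> str:
        """Classify the RunAsPrincipalPermission decision for triage."""
        if self.granted:
            return "ok"
        if self.source_identity == "anonymous" and self.assigned_principal == self.target:
            # The realm mapped the caller's credentials to the very principal the
            # servant tries to run as, yet the check was made as anonymous: the
            # authenticated identity was not carried into the run-as step.
            return "identity-lost"
        if self.source_identity == "anonymous":
            return "unauthenticated-run-as"
        return "run-as-denied"


def triage(log_text: str) -> list:
    """Pair each run-as decision with the preceding principal assignment on its thread."""
    last_principal = {}  # thread tag -> (principal, realm) of the most recent assignment
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # stack-trace frames and other continuation lines
        thread, msg = m.group("thread"), m.group("msg")
        p = PRINCIPAL_RE.search(msg)
        if p:
            last_principal[thread] = (p.group("principal"), p.group("realm"))
            continue
        r = RUNAS_RE.search(msg)
        if r:
            principal, realm = last_principal.get(thread, (None, None))
            roles = [x.strip() for x in r.group("roles").split(",") if x.strip()]
            events.append(RunAsEvent(m.group("ts"), thread, principal, realm,
                                     r.group("identity"), r.group("target"),
                                     roles, r.group("result") == "true"))
    return events


def report(log_text: str) -> list:
    """One human-readable line per RunAsPrincipalPermission decision."""
    return [f"{e.timestamp} [{e.thread}] {e.diagnosis()}: identity={e.source_identity} "
            f"roles={e.roles} run-as={e.target} assigned={e.assigned_principal}@{e.realm}"
            for e in triage(log_text)]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

      Run against the issue's lines, the first decision is reported as identity-lost (assigned principal ejbuser in ApplicationRealm, check evaluated as anonymous with no roles), while the constructed second thread is reported as ok. The same thread-keyed correlation works on a full server.log at TRACE level, where many unrelated decisions interleave.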

      People

        Assignee: Tomasz Adamski (tadamski@redhat.com)
        Reporter: Tomasz Adamski (tadamski@redhat.com)