Elytron security explained


Christian Hille

Mar 26, 2021, 12:04:11 PM
to WildFly

I'm using WildFly 15 and trying to understand Elytron security. Can someone tell me where I can dig deeper to understand the behavior of authentication?

My problem is that I have an application that has to use SPNEGO and BASIC authentication. The web front end should be authenticated by SPNEGO. There are some REST services exposed, which are accessed by other services using BASIC authentication.

I configured an http-authentication-factory having realm definitions for every mechanism. SPNEGO is working fine. I have trouble with BASIC authentication, because the factory is using the default realm of the connected security domain and not the realm assigned for the BASIC mechanism. Can someone help to get this working or give hints where I can find more information about that?

I attached my configuration and a log excerpt. My problem is between lines 6 and 15, where I do not understand what happens. It seems that ApplicationRealm is used, but I think that authentication is done by kerberosRealm (default realm of the security domain).
basic_auth.log
standalone-full - Kopie.xml

dvilkola

Mar 29, 2021, 5:17:25 AM
to WildFly
Maybe the issue is that you do not have the BASIC method and security domain defined in web.xml with your REST service. See the documentation here: https://docs.wildfly.org/22/WildFly_Elytron_Security.html#default-application-authentication-configuration

Wolfgang Mayer

Mar 31, 2021, 7:19:28 AM
to WildFly
It looks like there is no password mapping configured (user-password-mapper) for the kerberosRealm.

Christian Hille

Mar 31, 2021, 10:19:59 PM
to WildFly, Wolfgang Mayer
Hi Wolfgang,
that's true. The Kerberos realm has to get the identities for SPNEGO-authenticated users from Active Directory. The BASIC-authenticated users are stored with passwords in the application realm. I think that, even though I configured the application realm for the BASIC mechanism, it uses the Kerberos realm (default realm of the security domain) for password verification.
Am I right? Christian

------------------------
Sent while on the go

On 31.03.2021 at 13:19, Wolfgang Mayer <wolf...@angela-web.de> wrote:

It looks like there is no password mapping configured (user-password-mapper) for the kerberosRealm.