Elytron migration with a custom realm for authentication

1,080 views

frank.l...@outlook.de

Sep 20, 2021, 1:39:08 PM
to WildFly
We currently use the legacy security subsystem with this security-domain:
 <security-domain name="mbisso" cache-type="default">
     <authentication>
         <login-module code="biz.mbisoftware.common.sso.MbiSingleSignOnLoginModule" flag="optional">
             <module-option name="password-stacking" value="useFirstPass"/>
         </login-module>
         <login-module code="DatabaseUsers" flag="required">
             <module-option name="password-stacking" value="useFirstPass"/>
             <module-option name="dsJndiName" value="java:jboss/datasources/DefaultDS"/>
             <module-option name="principalsQuery" value="SELECT password FROM mbi_juser WHERE username=? AND is_activ=1"/>
             <module-option name="rolesQuery" value="SELECT role, role_group FROM mbi_jrole WHERE username=?"/>
             <module-option name="hashAlgorithm" value="MD5"/>
             <module-option name="hashEncoding" value="base64"/>
         </login-module>
     </authentication>
 </security-domain>
The first custom login module is used for authentication only, and can only succeed if our web application was called from our desktop application.
In this case, parameters are added to the URL containing the username and client information. The login module then tries to connect to the desktop client with this given information. In case of success the user is logged in.
In this case, the second database login module only does the authorization, retrieving the roles assigned to this user. The password check is not done anymore.
In case of opening the web app standalone, the first login module does not succeed, and authentication and authorization are handled by the database login module.

How to do the same with Elytron now?
The database login module is migrated successfully.
The authentication seems to work, but the database-based login module is not called for authorization.
From standalone-full.xml / elytron subsystem:
<security-domain name="mbisso" default-realm="mbisso-proc" permission-mapper="default-permission-mapper">
    <realm name="mbisso-proc" role-decoder="from-roles-attribute"/>
    <realm name="mbisso-jdbc" role-decoder="from-roles-attribute"/>
</security-domain>

<custom-realm name="mbisso-proc" module="biz.mbisoftware.common.sso.custom-realm" class-name="biz.mbisoftware.common.sso.MbiSingleSignOnRealm3"/>

<jdbc-realm name="mbisso-jdbc">
    <principal-query sql="SELECT password FROM mbi_juser WHERE username = ? AND is_activ = 1" data-source="DefaultDS">
        <simple-digest-mapper password-index="1"/>
    </principal-query>
    <principal-query sql="SELECT role FROM mbi_jrole WHERE username = ?" data-source="DefaultDS">
        <attribute-mapping>
            <attribute to="roles" index="1"/>
        </attribute-mapping>
    </principal-query>
</jdbc-realm>

I also tried 
<aggregate-realm name="mbisso" authentication-realm="mbisso-proc" authorization-realm="mbisso-jdbc"/>
but without success.

dvilkola

Sep 29, 2021, 6:17:58 AM
to WildFly
An aggregate realm should be used when there is a different realm for authentication and a different one for authorization. Did you configure the aggregate-realm mbisso to be the default-realm for the security domain?

John Burgess

Oct 4, 2021, 11:30:05 AM
to WildFly
I have a similar problem. In our application there is often a chain of several login modules marked as required, and it is expected that if the first fails it will try to authenticate via the second and so on.
For example, one customer has added 5 (!) ldapExt login modules since they have several LDAP servers but tend to have one or two down for maintenance or similar quite often.
By having a chain of 5 they achieve pretty much 100% availability of some LDAP server to service logins.

I can't seem to achieve this with Elytron.  The aggregate realm doesn't move on to the second realm if the first fails, it just uses the second to get more roles.

Help!

dvilkola

Oct 6, 2021, 7:55:39 AM
to WildFly
I would look into the failover security realm and the distributed security realm. A distributed security realm is used when identities are located across multiple stores. But for the case you mention the failover realm seems useful, as it will fail over to an alternative realm if one is unavailable. This blog post might help: http://www.mastertheboss.com/jbossas/jboss-security/managing-failover-and-distributed-realms-in-elytron/
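Putting the two answers together, as an added example that is not any poster's own configuration: the aggregate realm becomes the security domain's default realm so the JDBC realm is actually consulted for roles, and a failover realm covers the LDAP chain from the later post. Realm and mapper names mbisso-proc, mbisso-jdbc and from-roles-attribute come from the thread; mbisso-agg, ldap-primary, ldap-secondary and ldap-failover are assumed names.

```xml
<!-- Added example for the elytron subsystem of standalone-full.xml; the fragments
     below go into the existing <security-domains>, <security-realms> and <mappers>
     sections. Only names from the thread plus the assumed ones listed above are used. -->
<security-domains>
    <!-- Listing several <realm> entries in a domain does not chain them: without a
         realm-mapper only default-realm is used. So default-realm must be the
         aggregate realm, not the custom realm alone. -->
    <security-domain name="mbisso" default-realm="mbisso-agg"
                     permission-mapper="default-permission-mapper">
        <realm name="mbisso-agg" role-decoder="from-roles-attribute"/>
    </security-domain>
</security-domains>

<security-realms>
    <custom-realm name="mbisso-proc" module="biz.mbisoftware.common.sso.custom-realm"
                  class-name="biz.mbisoftware.common.sso.MbiSingleSignOnRealm3"/>
    <jdbc-realm name="mbisso-jdbc">
        <principal-query sql="SELECT password FROM mbi_juser WHERE username = ? AND is_activ = 1"
                         data-source="DefaultDS">
            <simple-digest-mapper password-index="1"/>
        </principal-query>
        <principal-query sql="SELECT role FROM mbi_jrole WHERE username = ?" data-source="DefaultDS">
            <attribute-mapping>
                <attribute to="roles" index="1"/>
            </attribute-mapping>
        </principal-query>
    </jdbc-realm>
    <!-- Credential check is decided by mbisso-proc; the "roles" attribute that the
         role decoder reads is taken from mbisso-jdbc. -->
    <aggregate-realm name="mbisso-agg" authentication-realm="mbisso-proc"
                     authorization-realm="mbisso-jdbc"/>

    <!-- LDAP chain from the later post: the failover realm switches to failover-realm
         only when delegate-realm is unavailable (e.g. the server is down), not when a
         user simply fails authentication. Longer chains are built by nesting: point
         failover-realm at another failover-realm. ldap-primary/ldap-secondary are
         assumed ldap-realm definitions, not shown here. -->
    <failover-realm name="ldap-failover" delegate-realm="ldap-primary"
                    failover-realm="ldap-secondary"/>
</security-realms>

<mappers>
    <!-- Turns the "roles" attribute loaded by the JDBC realm into Elytron roles. -->
    <simple-role-decoder name="from-roles-attribute" attribute="roles"/>
</mappers>
```

The legacy "SSO first, otherwise full database login" behaviour is not reproduced by the aggregate realm alone: if mbisso-proc rejects the user, no password check against mbisso-jdbc happens, so that fallback needs to be expressed in the custom realm or with a failover realm whose delegate signals unavailability rather than a failed login.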