Hi,
Can someone explain post-realm-principal-transformer in the security domain? We cannot get it to work on a WildFly 25 installation.
We have multiple realms with prefixed usernames and want the resulting principal to have the prefix removed. Choosing the appropriate realm works with mapped-regex-realm-mapper, but normalizing the principal with post-realm-principal-transformer does not:
Here is the trace:
2:37:40,302 TRACE [org.wildfly.security] (default task-1) Handling AvailableRealmsCallback: realms = [ApplicationRealm]
22:37:40,302 TRACE [org.wildfly.security] (default task-1) Creating SaslServer [org.wildfly.security.sasl.digest.DigestSaslServer@1312955c] for mechanism [DIGEST-MD5] and protocol [remote]
22:37:40,302 TRACE [org.wildfly.security] (default task-1) Created SaslServer [org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1@59fd53d4->org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer@4f289714->org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1@5e4ddc8d->org.wildfly.security.sasl.digest.DigestSaslServer@1312955c] for mechanism [DIGEST-MD5]
22:37:40,304 TRACE [org.wildfly.security] (default task-1) Handling RealmCallback: selected = [ApplicationRealm]
22:37:40,304 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = test-username
22:37:40,304 TRACE [org.wildfly.security] (default task-1) Principal assigning: [test-username], pre-realm rewritten: [test-username], realm name: [TestRealm], post-realm rewritten: [username], realm rewritten: [username]
22:37:40,304 TRACE [org.wildfly.security] (default task-1) Executing principalQuery --removed query-- with value username
22:37:40,306 TRACE [org.wildfly.security] (default task-1) Key Mapper: Password credential created using algorithm column value [clear]
22:37:40,306 TRACE [org.wildfly.security] (default task-1) Handling CredentialCallback: failed to obtain credential
22:37:40,306 TRACE [org.wildfly.security] (default task-1) Handling RealmCallback: selected = [ApplicationRealm]
22:37:40,307 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = test-username
22:37:40,307 TRACE [org.wildfly.security] (default task-1) Handling CredentialCallback: obtained credential: org.wildfly.security.credential.PasswordCredential@c7f9380d
22:37:40,307 TRACE [org.wildfly.security] (default task-1) Role mapping: principal [test-username] -> decoded roles [] -> domain decoded roles [] -> realm mapped roles [] -> domain mapped roles []
22:37:40,307 TRACE [org.wildfly.security] (default task-1) Authorizing principal test-username.
22:37:40,307 TRACE [org.wildfly.security] (default task-1) Authorizing against the following attributes: [identity] => [username]
22:37:40,307 TRACE [org.wildfly.security] (default task-1) Authorizing against the following runtime attributes: [Source-Address] => [127.0.0.1]
22:37:40,307 TRACE [org.wildfly.security] (default task-1) Permission mapping: identity [test-username] with roles [] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
22:37:40,307 TRACE [org.wildfly.security] (default task-1) Authorization succeed
22:37:40,307 TRACE [org.wildfly.security] (default task-1) RunAs authorization succeed - the same identity
22:37:40,308 TRACE [org.wildfly.security] (default task-1) Handling AuthorizeCallback: authenticationID = test-username authorizationID = test-username authorized = true
22:37:40,308 TRACE [org.wildfly.security.sasl.digest] (default task-1) SASL Negotiation Completed
22:37:40,308 TRACE [org.wildfly.security] (default task-1) Handling AuthenticationCompleteCallback: succeed
22:37:40,308 TRACE [org.wildfly.security] (default task-1) Handling SecurityIdentityCallback: identity = SecurityIdentity{principal=test-username, securityDomain=org.wildfly.security.auth.server.SecurityDomain@406fb7af, authorizationIdentity=EMPTY, realmInfo=RealmInfo{name='TestRealm', securityRealm=org.wildfly.security.auth.realm.jdbc.JdbcSecurityRealm@70258cb3}, creationTime=2023-10-04T20:37:40.307637141Z}