Custom Principal in Elytron (wildfly-elytron 1.15.3)

Skip to first unread message

Gunnar Hilling

Jan 7, 2022, 10:11:00 AMJan 7
to WildFly
I'm migrating a "legacy" LoginModule relying on Picketbox to Elytron. As we're using a custom Principal implementation in our application I created a Principal Transformer to create this "CustomPrincipal" from the default "NamePrincipal".
But if I activate my PrincipalTransformer the authentication fails...

I assume that the problem is in the LdapSecurityRealm in line 180 where it checks for the principal to be of type "NamePrincipal" ...

The following configuration of the domain allow to authenticate successfully:
        "default-realm" => "app-ldap-realm",
        "evidence-decoder" => undefined,
        "outflow-anonymous" => false,
        "outflow-security-domains" => undefined,
        "permission-mapper" => "default-permission-mapper",
        "post-realm-principal-transformer" => undefined,
        "pre-realm-principal-transformer" => undefined,
        "principal-decoder" => "app-principal-decoder",
        "realm-mapper" => "app-realm-mapper",
        "realms" => [{
            "realm" => "app-ldap-realm",
            "role-mapper" => "app-constant-role-mapper"
        "role-decoder" => undefined,
        "role-mapper" => undefined,
        "security-event-listener" => undefined,
        "trusted-security-domains" => undefined
After defining the following code as "post-realm-principal-transformer" authentication fails:

private static final PrincipalTransformer DELEGATE = PrincipalTransformer.from(principal -> new UserPrincipal(1, principal.getName()));

I set logging to trace and when failing the following output shows:

12:53:10,953 TRACE [] (default task-1) Principal assigning: [CLEAR_TEXT_USER%3Ag.hilling%3A], pre-realm rewritten: [g.hilling], realm name: [app-ldap-realm], post-realm rewritten: [g.hilling(id: 1, no costcenter)], realm rewritten: [g.hilling(id: 1, no costcenter)]
12:53:10,953 DEBUG [] (default task-1) User CLEAR_TEXT_USER%3Ag.hilling%3A authentication failed.
12:53:10,953 TRACE [] (default task-1) Handling AuthenticationCompleteCallback: fail

During successful authentication the instead of "authentication failed" I get:
12:51:27,205 DEBUG [] (default task-1) Obtaining lock for identity [g.hilling]...
12:51:27,205 DEBUG [] (default task-1) Obtained lock for identity [g.hilling].

Diana Krepinska

Jan 12, 2022, 9:48:05 AMJan 12
to WildFly
Hello, LDAP realm expects NamePrincipal for authentication. You probably don't need a custom principal implementation for authentication process?

Gunnar Hilling

Jan 12, 2022, 12:24:14 PMJan 12
to WildFly
Hi Diana,
yes, thanks. That‘s correct, but:
1) Where would I need to define the transformer after authentication?
2) How can I „remember“ details from the „original“ name and additional infos like userId?
Maybe I missed something in the docs …
Kind regards,

Diana Krepinska

Jan 13, 2022, 6:19:22 AMJan 13
to WildFly
To associate more details like userId you can define attributes of the identity. You can look at attribute mapping in ldap-realm. Here is a migration documentation for LDAP if it helps .
Reply all
Reply to author
0 new messages