Custom Principal in Elytron (wildfly-elytron 1.15.3)


Gunnar Hilling

Jan 7, 2022, 10:11:00 AM
to WildFly
I'm migrating a "legacy" LoginModule relying on Picketbox to Elytron. As we're using a custom Principal implementation in our application I created a Principal Transformer to create this "CustomPrincipal" from the default "NamePrincipal".
But if I activate my PrincipalTransformer the authentication fails...

I assume that the problem is in the LdapSecurityRealm in line 180 where it checks for the principal to be of type "NamePrincipal" ...

The following configuration of the domain allows authenticating successfully:
        "default-realm" => "app-ldap-realm",
        "evidence-decoder" => undefined,
        "outflow-anonymous" => false,
        "outflow-security-domains" => undefined,
        "permission-mapper" => "default-permission-mapper",
        "post-realm-principal-transformer" => undefined,
        "pre-realm-principal-transformer" => undefined,
        "principal-decoder" => "app-principal-decoder",
        "realm-mapper" => "app-realm-mapper",
        "realms" => [{
            "realm" => "app-ldap-realm",
            "role-mapper" => "app-constant-role-mapper"
        }],
        "role-decoder" => undefined,
        "role-mapper" => undefined,
        "security-event-listener" => undefined,
        "trusted-security-domains" => undefined
After defining the following code as "post-realm-principal-transformer" authentication fails:

===
private static final PrincipalTransformer DELEGATE = PrincipalTransformer.from(principal -> new UserPrincipal(1, principal.getName()));
===

I set logging to trace and when failing the following output shows:

12:53:10,953 TRACE [org.wildfly.security] (default task-1) Principal assigning: [CLEAR_TEXT_USER%3Ag.hilling%3A], pre-realm rewritten: [g.hilling], realm name: [app-ldap-realm], post-realm rewritten: [g.hilling(id: 1, no costcenter)], realm rewritten: [g.hilling(id: 1, no costcenter)]
12:53:10,953 DEBUG [org.wildfly.security.http.basic] (default task-1) User CLEAR_TEXT_USER%3Ag.hilling%3A authentication failed.
12:53:10,953 TRACE [org.wildfly.security] (default task-1) Handling AuthenticationCompleteCallback: fail

During successful authentication, instead of "authentication failed" I get:
12:51:27,205 DEBUG [org.wildfly.security] (default task-1) Obtaining lock for identity [g.hilling]...
12:51:27,205 DEBUG [org.wildfly.security] (default task-1) Obtained lock for identity [g.hilling].

Diana Krepinska

Jan 12, 2022, 9:48:05 AM
to WildFly
Hello, LDAP realm expects NamePrincipal for authentication. You probably don't need a custom principal implementation for authentication process?

Gunnar Hilling

Jan 12, 2022, 12:24:14 PM
to WildFly
Hi Diana,
yes, thanks. That's correct, but:
1) Where would I need to define the transformer after authentication?
2) How can I "remember" details from the "original" name and additional infos like userId?
Maybe I missed something in the docs …
Kind regards,
Gunnar

Diana Krepinska

Jan 13, 2022, 6:19:22 AM
to WildFly
To associate more details like userId you can define attributes of the identity. You can look at attribute mapping in ldap-realm. Here is a migration documentation for LDAP if it helps https://docs.jboss.org/author/display/WFLY/LDAP%20Based%20Authentication%20Migration.html .
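As an added illustration of the approach described above (not code from the thread or from WildFly): authentication keeps Elytron's NamePrincipal so the ldap-realm accepts it, and the application builds its own principal afterwards from the authenticated identity's attributes. It assumes an attribute key "userId" filled by the realm's attribute-mapping, and the class/method names are hypothetical.

```java
import java.security.Principal;
import java.util.Objects;

import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.authz.Attributes;

// Hypothetical application-side resolver. Authentication itself keeps Elytron's
// NamePrincipal (the ldap-realm requires it); the custom principal is only built
// afterwards, from identity attributes the realm's attribute-mapping filled in.
public final class UserPrincipalResolver {

    // Assumed attribute key, e.g. ldap-realm attribute-mapping [{from=uidNumber, to=userId}].
    static final String USER_ID_ATTRIBUTE = "userId";

    public static UserPrincipal resolve(SecurityIdentity identity) {
        String name = identity.getPrincipal().getName();
        Attributes attrs = identity.getAttributes();
        // Fail closed: a missing or malformed attribute must not yield a guessed id.
        if (!attrs.containsKey(USER_ID_ATTRIBUTE)) {
            throw new IllegalStateException("identity '" + name + "' carries no " + USER_ID_ATTRIBUTE);
        }
        int id;
        try {
            id = Integer.parseInt(attrs.getFirst(USER_ID_ATTRIBUTE).trim());
        } catch (NumberFormatException e) {
            throw new IllegalStateException("non-numeric " + USER_ID_ATTRIBUTE + " for '" + name + "'", e);
        }
        return new UserPrincipal(id, name);
    }

    // For code running inside a request that Elytron has already authenticated.
    public static UserPrincipal current() {
        return resolve(SecurityDomain.getCurrent().getCurrentSecurityIdentity());
    }

    // Stand-in for the thread's custom principal (constructed with an id and a name).
    public static final class UserPrincipal implements Principal {
        private final int id;
        private final String name;
        public UserPrincipal(int id, String name) {
            this.id = id;
            this.name = Objects.requireNonNull(name, "name");
        }
        public int getId() { return id; }
        @Override public String getName() { return name; }
    }
}
```

The id comes from the realm-populated attribute rather than from a principal transformer, so the realm still sees a NamePrincipal and the application still gets its custom principal.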