Elytron-enabled datasource login problem.


Dj Apal
Mar 22, 2021, 7:09:23 AM
to WildFly
Hello all.
We are running our application within a WildFly 10.1 server.

We have set up our login to our Postgres DB to be via LDAP.
This is working fine.

We tried to do the same with WildFly 22 and Elytron, but it seems that the password is not passed to the login process.
We have been stuck on this problem for many days.
Are we doing something wrong here?
Any help is appreciated.

                <dir-context name="idmDC" url="our_ldap_url" principal="principal_query">
                    <credential-reference clear-text="xxxxx"/>
                </dir-context>


                <ldap-realm name="idmLR" dir-context="idmDC" direct-verification="true">
                    <identity-mapping rdn-identifier="uid" search-base-dn="cn=users,cn=accounts,dc=internal,dc=net">
                        <attribute-mapping>
                            <attribute from="cn" to="Roles" filter="(member=uid={0},cn=users,cn=accounts,dc=internal,dc=net)" filter-base-dn="cn=groups,cn=accounts,dc=internal,dc=net"/>
                        </attribute-mapping>
                    </identity-mapping>
                </ldap-realm>



Roles are retrieved without problems.


                <datasource jndi-name="java:/devDS" pool-name="devDS">
                    <connection-url>jdbc:postgresql://localhost:5432/testDB</connection-url>
                    <driver>postgres</driver>
                    <pool>
                        <max-pool-size>100</max-pool-size>
                    </pool>
                    <security>
                        <elytron-enabled>true</elytron-enabled>
                        <authentication-context>test-authentication-context</authentication-context>
                    </security>
                    <validation>
                        <check-valid-connection-sql>select 1</check-valid-connection-sql>
                        <background-validation>false</background-validation>
                    </validation>
                    <timeout>
                        <idle-timeout-minutes>5</idle-timeout-minutes>
                    </timeout>
                </datasource>



            <authentication-client>
                <authentication-configuration name="test-authentication-configuration" realm="idmLR" forwarding-mode="authentication"/>
                <authentication-context name="test-authentication-context">
                    <match-rule authentication-configuration="test-authentication-configuration"/>
                </authentication-context>
            </authentication-client>

If I put realm="idmLR" here I get "No matching credentials in Subject".

If I put security-domain="testSD" I get "FATAL: invalid password packet size".


where testSD is:

                <security-domain name="testSD" default-realm="idmLR" permission-mapper="default-permission-mapper">
                    <realm name="idmLR" role-decoder="from-roles-attribute"/>
                </security-domain>


Can anyone help here? Have we set up something wrong?

BR

Apostolos

Dj Apal
Mar 22, 2021, 10:12:53 AM
to WildFly
If this is of any help, it seems that the password passed has had all of its characters replaced with zeroes.
I tried a similar scenario with a properties realm, and the private credentials held the correct password, not zeroes.

(attachment: CaptureWildfly.PNG)

Farah Juma
Mar 22, 2021, 4:22:10 PM
to WildFly
Do you want to use the current authentication context of the caller that is retrieving the connection? If so, only elytron-enabled needs to be set, no need to configure an authentication-context.
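For reference, here is an added configuration example (not part of the thread and not WildFly's own documentation) showing the two ways the Elytron-enabled datasource security block can be wired. Variant A is the caller-forwarding mode described in the reply above: only elytron-enabled is set, and the pool uses the identity of whoever calls getConnection(), so that caller must already be authenticated against the Elytron security domain (testSD, idmLR and devDS are the thread's own names). Variant B is the other common shape, fixed service credentials bound through an authentication-context; the names devFixedDS, db-fixed-config, db-fixed-context, dbuser and the clear-text placeholder are assumptions for illustration.

```xml
<!-- Added example, not from the thread. Both datasources go under the
     <datasources> element of the datasources subsystem. -->

<!-- Variant A: forward the caller's Elytron identity to PostgreSQL.
     No authentication-context; the credentials of the current
     SecurityIdentity (the user who logged in through j_security_check
     against security domain testSD) are used for the JDBC login. -->
<datasource jndi-name="java:/devDS" pool-name="devDS">
    <connection-url>jdbc:postgresql://localhost:5432/testDB</connection-url>
    <driver>postgres</driver>
    <security>
        <elytron-enabled>true</elytron-enabled>
    </security>
</datasource>

<!-- Variant B: fixed service account, independent of the caller.
     devFixedDS, db-fixed-context, db-fixed-config and dbuser are assumed names. -->
<datasource jndi-name="java:/devFixedDS" pool-name="devFixedDS">
    <connection-url>jdbc:postgresql://localhost:5432/testDB</connection-url>
    <driver>postgres</driver>
    <security>
        <elytron-enabled>true</elytron-enabled>
        <authentication-context>db-fixed-context</authentication-context>
    </security>
</datasource>

<!-- Goes in the elytron subsystem. The authentication-configuration carries
     the fixed user name and password; the context selects it for every
     connection the pool opens. -->
<authentication-client>
    <authentication-configuration name="db-fixed-config" authentication-name="dbuser">
        <!-- placeholder password; see the note below about credential stores -->
        <credential-reference clear-text="change-me"/>
    </authentication-configuration>
    <authentication-context name="db-fixed-context">
        <match-rule authentication-configuration="db-fixed-config"/>
    </authentication-context>
</authentication-client>
```

In variant A there is no static password anywhere in the configuration, which is the point of the forwarding scenario: the datasource only works from a request thread that already has an authenticated identity, and an unauthenticated caller gets a connection failure rather than a shared service account. In variant B, prefer pulling the password from a credential store (credential-reference with store and alias attributes) over clear-text, so the secret is not sitting in standalone.xml.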

Dj Apal
Mar 23, 2021, 3:12:14 AM
to WildFly
Hi Farah.
The scenario is this:

We have a login page (j_username, j_password, j_security_check),
and with this login we retrieve the groups of the user; then the username and password should be forwarded to the DB to acquire a connection.
If I remove the authentication-context, the Subject is null and I get

Caused by: org.postgresql.util.PSQLException: The server requested password-based authentication, but no password was provided.

It seems that the password characters are replaced with zeroes, because the same scenario with a properties realm works without problems.
I debugged the same line and saw the actual password of the user inside the privCredentials property.
So for some reason the password keeps its length, but all characters are replaced with zeroes.
Is this a bug?

Farah Juma
Apr 1, 2021, 10:13:08 AM
to WildFly
Just FYI, the fix for this bug will be included in WildFly 23.0.1.

Dj Apal
Apr 2, 2021, 9:20:28 AM
to WildFly
Hi Farah

This is great!
Awaiting the 23.0.1 release!

BR

Dj Apal
Apr 14, 2021, 4:38:37 AM
to WildFly
It seems, from the GitHub tagging, that this fix won't be included, since the Elytron 1.15.3 update is not in the list.
I'll have to manually replace the existing jar with the newer version. Can't wait for version 24.0.0.

Farah Juma
Apr 14, 2021, 1:10:57 PM
to WildFly
It's included in WildFly 23.0.1. The Elytron upgrade actually comes in through WildFly Core. The 15.0.1.Final version of WildFly Core contains Elytron 1.15.3.Final:

Dj Apal
Apr 15, 2021, 2:18:45 AM
to WildFly
Hi Farah.
Sorry for my misunderstanding.
I was expecting to see it as a bug fix, not as a component update, but I made a "shallow" search.
This is great news! Thank you very much.
I'll proceed with our server upgrade (10.1 --> 23.0.1) immediately.

BR
