Question about 'sasl-authentication-factory' and mechanisms


Aljaž Koželj
Nov 14, 2022, 9:25:06 AM
to WildFly
Hello,

I'm upgrading from WF10.1.0 to WF26.1.2 and I have a question about configuring "sasl-authentication-factory".

The default configuration uses it for setting up http-remoting and that's what I also plan to use it for. But the default configuration confuses me a bit, especially after I tested it a bit.

I have my own security domain:

<security-domain name="MySecurityDomain" default-realm="my-jdbc-realm" permission-mapper="default-permission-mapper">
                    <realm name="my-jdbc-realm" role-decoder="from-roles-attribute"/>
                    <realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
</security-domain>

And I configured it in the sasl-authentication-factory :

<sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="MySecurityDomain">
   <mechanism-configuration>
     <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
     <mechanism mechanism-name="DIGEST-MD5">
       <mechanism-realm realm-name="ApplicationRealm"/>
     </mechanism>
   </mechanism-configuration>
</sasl-authentication-factory>

But now I'm confused by the mechanism part. What exactly does this configuration do? Does it allow the DIGEST-MD5 mechanism to be used with the ApplicationRealm? Why is a realm defined here to begin with; will it only work with this realm?

Mind you, I did some testing and this doesn't work for me at least. It did after I added a simple

<mechanism mechanism-name="PLAIN"/>

With this it seems to use full security domain authentication, but I'm not sure.

Can someone point me to some documentation that could explain this? Google doesn't help here, nor do the official docs.

Cameron Rodriguez
Nov 14, 2022, 11:38:40 AM
to Aljaž Koželj, WildFly
Hi Aljaž,

On Mon, Nov 14, 2022 at 9:25 AM Aljaž Koželj <kozel...@gmail.com> wrote:
> Hello,
>
> I'm upgrading from WF10.1.0 to WF26.1.2 and I have a question about configuring "sasl-authentication-factory".
>
> The default configuration uses it for setting up http-remoting and that's what I also plan to use it for. But the default configuration confuses me a bit, especially after I tested it a bit.
>
> I have my own security domain:
>
> <security-domain name="MySecurityDomain" default-realm="my-jdbc-realm" permission-mapper="default-permission-mapper">
>     <realm name="my-jdbc-realm" role-decoder="from-roles-attribute"/>
>     <realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
> </security-domain>
>
> And I configured it in the sasl-authentication-factory :
>
> <sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="MySecurityDomain">
>    <mechanism-configuration>
>      <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
>      <mechanism mechanism-name="DIGEST-MD5">
>        <mechanism-realm realm-name="ApplicationRealm"/>
>      </mechanism>
>    </mechanism-configuration>
> </sasl-authentication-factory>
>
> But now I'm confused by the mechanism part. What exactly does this configuration do? Does it allow the DIGEST-MD5 mechanism to be used with the ApplicationRealm? Why is a realm defined here to begin with; will it only work with this realm?


The ApplicationRealm represents a set of identities (usernames and hashed/salted passwords, likely saved in ManagementRealm-users.properties). The mechanism configuration specifies which mechanism should be used to access identities in that realm. In this case, the ApplicationRealm stores passwords protected by an MD5 digest, and you've added the realm to MySecurityDomain. The WildFly Elytron Security docs go into more detail, specifically this intro to security domains and this explanation of the default configuration.

You can use the mechanism with other realms, but each realm only uses one type of identity and authentication mechanism.

> Mind you, I did some testing and this doesn't work for me at least. It did after I added a simple
>
> <mechanism mechanism-name="PLAIN"/>
>
> With this it seems to use full security domain authentication, but I'm not sure.
>
> Can someone point me to some documentation that could explain this? Google doesn't help here, nor do the official docs.


The default configuration adds ApplicationRealm to an ApplicationDomain, so you would need to either modify that domain or remove it and create your own. Adding that PLAIN mechanism would not be mapped to a security domain, so it may not perform properly.


--
Cameron Rodriguez (he/him)
Software Engineering Intern
WildFly Elytron

Cameron Rodriguez
Nov 14, 2022, 11:40:26 AM
to Aljaž Koželj, WildFly
Hi Aljaž,

Slight correction, the identities would be saved in ApplicationRealm-users.properties, within the server configuration directory.

Best,

Farah Juma
Nov 14, 2022, 3:29:24 PM
to WildFly
On Monday, November 14, 2022 at 9:25:06 AM UTC-5 kozel...@gmail.com wrote:
> Hello,
>
> I'm upgrading from WF10.1.0 to WF26.1.2 and I have a question about configuring "sasl-authentication-factory".
>
> The default configuration uses it for setting up http-remoting and that's what I also plan to use it for. But the default configuration confuses me a bit, especially after I tested it a bit.
>
> I have my own security domain:
>
> <security-domain name="MySecurityDomain" default-realm="my-jdbc-realm" permission-mapper="default-permission-mapper">
>     <realm name="my-jdbc-realm" role-decoder="from-roles-attribute"/>
>     <realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
> </security-domain>
>
> And I configured it in the sasl-authentication-factory :
>
> <sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="MySecurityDomain">
>    <mechanism-configuration>
>      <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
>      <mechanism mechanism-name="DIGEST-MD5">
>        <mechanism-realm realm-name="ApplicationRealm"/>
>      </mechanism>
>    </mechanism-configuration>
> </sasl-authentication-factory>
>
> But now I'm confused by the mechanism part. What exactly does this configuration do? Does it allow the DIGEST-MD5 mechanism to be used with the ApplicationRealm? Why is a realm defined here to begin with; will it only work with this realm?

The realm-name attribute in the mechanism-realm configuration above is something that is actually specific to the DIGEST-MD5 SASL authentication mechanism.

In particular, the DIGEST-MD5 authentication mechanism requires access to either the clear text password or to the password pre-hashed using the 'digest-md5' implementation, where the hashed value comes from the username, password, and realm name.

Looks like your configuration is making use of a JDBC realm? In case it helps, there's some information about migrating to an Elytron JDBC realm here:


Feel free to let us know if you have more questions about this.
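To make Farah's point concrete, here is an added illustration that is not code from this thread or from WildFly: the pre-hashed value add-user writes into ApplicationRealm-users.properties is HEX(MD5("username:realm:password")), so the realm name is an input to the stored credential and a mechanism-realm naming any other realm can never verify it, even with the right password. The properties file content is constructed, the user alice and password s3cret are made up, and the helper names (digest_md5_hash, realm_name_from_properties, parse_users_properties, verify_digest) are my own.

```python
import hashlib
import hmac
import re
from typing import Dict, Optional

# add-user writes this comment at the top of the properties file so the realm
# the hashes were computed for can be recovered when the file is loaded.
REALM_HEADER = re.compile(r"^#\$REALM_NAME=(?P<realm>[^$]+)\$")


def digest_md5_hash(username: str, realm: str, password: str) -> str:
    """Pre-hashed password in the form add-user stores it:
    HEX(MD5("username:realm:password")). Because the realm name is part of the
    input, DIGEST-MD5 has to know which realm a stored hash belongs to."""
    data = f"{username}:{realm}:{password}".encode("utf-8")
    return hashlib.md5(data).hexdigest()


def realm_name_from_properties(text: str) -> Optional[str]:
    """Return the realm named in the '#$REALM_NAME=...$' header, or None."""
    for line in text.splitlines():
        m = REALM_HEADER.match(line.strip())
        if m:
            return m.group("realm")
    return None


def parse_users_properties(text: str) -> Dict[str, str]:
    """Return {username: stored_hash} from 'user=hash' lines; comments and blanks skipped."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            users[name.strip()] = value.strip()
    return users


def verify_digest(users: Dict[str, str], username: str, realm: str, password: str) -> bool:
    """Recompute the hash for the realm the mechanism was configured with and
    compare in constant time. A wrong realm fails even with the correct password."""
    stored = users.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, digest_md5_hash(username, realm, password))


# Constructed sample (hypothetical user and password): the shape of
# ApplicationRealm-users.properties after 'add-user.sh -a -u alice -p s3cret'.
SAMPLE_USERS_PROPERTIES = (
    "#$REALM_NAME=ApplicationRealm$\n"
    "#\n"
    f"alice={digest_md5_hash('alice', 'ApplicationRealm', 's3cret')}\n"
)


if __name__ == "__main__":
    users = parse_users_properties(SAMPLE_USERS_PROPERTIES)
    realm = realm_name_from_properties(SAMPLE_USERS_PROPERTIES)
    print("realm recorded in file :", realm)
    print("verify with that realm :", verify_digest(users, "alice", realm, "s3cret"))
    print("verify with other realm:", verify_digest(users, "alice", "my-jdbc-realm", "s3cret"))
```

The second verify call fails even though the password is correct, which is exactly the situation a mechanism-realm pointing at the wrong realm produces. It also shows why a realm that only holds pre-hashed DIGEST-MD5 credentials cannot serve a mechanism that needs the clear text password: the hash cannot be reversed, and a realm built for a different realm name would need its credentials re-created.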

Aljaž Koželj
Nov 16, 2022, 9:43:15 AM
to WildFly
Hey, thanks for the answer. "realm-name" being specific to DIGEST-MD5 makes it so much clearer, wow. I'm using "PLAIN" without any attributes now and it seems to work.

Cheers

Aljaž Koželj
Nov 16, 2022, 9:45:10 AM
to WildFly
Hey, thanks for the answer.

That part was something I was aware of, but thanks. My main confusion was with the realm-name attribute in the mechanism-realm field. But Farah cleared it up.

Cheers