Regarding : How to migrate a X509 Jaas LoginModule to Elytron custom Realm
245 views
Skip to first unread message
Akash gupta
Jan 4, 2022, 12:44:05 PM1/4/22
to WildFly
Hi,
Hope u are doing good.
current in our application
we have a configured a X509 Jaas Authentication.
so our current authentication workflow happen as mention below
1. Client -> 2. Undertow (custom auth) -> 3. legacy security sub system custom login modules 4. authenitciated.
details:
1. client
client present its certificate through browser
2. Undertow we have a written a custom authentication mechanism. io.undrtow.security.spi.AuthenticationMechanism
this is responsible for account verification by taking out the client certificates and marking the exchange as authenticated. and set principal for further workflow as part of undetow account .
3. uising legacy security ahving a loginmodule which which
<security-domain name="ABSecurityDomain" cache-type="default">
<jsse client-auth="true" protocols="${ab.web.server.tls.protocols:TLSv1.2}" cipher-suites="${ab.web.server.tls.ciphers:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256}" keystore-url="${jboss.server.config.dir}/t.keystore" keystore-password="KS_PASSWORD" truststore-url="${jboss.server.config.dir}/t.truststore" truststore-password="TS_PASSWORD" keystore-type="pkcs12" truststore-type="pkcs12"/>
<authentication>
<login-module code="com.abc.X509LoginModule" module="com.abc.common" flag="requisite">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="securityDomain" value="ABSecurityDomain"/>
</login-module>
</authentication>
</security-domain>
<jsse client-auth="true" protocols="${ab.web.server.tls.protocols:TLSv1.2}" cipher-suites="${ab.web.server.tls.ciphers:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256}" keystore-url="${jboss.server.config.dir}/t.keystore" keystore-password="KS_PASSWORD" truststore-url="${jboss.server.config.dir}/t.truststore" truststore-password="TS_PASSWORD" keystore-type="pkcs12" truststore-type="pkcs12"/>
<authentication>
<login-module code="com.abc.X509LoginModule" module="com.abc.common" flag="requisite">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="securityDomain" value="ABSecurityDomain"/>
</login-module>
</authentication>
</security-domain>
can u please give guidence on above steps to migrate the above configuraiton for wildlfy 26 probably using a custom realm based configuration. for above mention steps on how what we can do for each steps.
Thanks for anitcipation,
Akash Gupta
Akash gupta
Jan 4, 2022, 1:13:07 PM1/4/22
to WildFly
can u give some guidance for the above steps on how to back this by a custom realm. for the above mentions steps.
also needs some idea how elytron will wired client certificates as Evidence to custom realm i can see something org.wildfly.security.evidence.X509PeerCertificateChainEvidence is present.
- how this client certificate will available as evidence to custom realm while auth flow will call verifyEvidence.
- need a way to define a custom principal decoder extending EvidenceDecoder so we can get our principal based on our requirement. how to get pricipal for a certificate.
Diana Krepinska
Jan 5, 2022, 8:44:27 AM1/5/22
to WildFly
Hello, I'll post my thoughts here as well.
To use client certificates for authentication to the realm you could use CLIENT_CERT HTTP authentication mechanism. Take a look at this blog post https://developer.jboss.org/people/fjuma/blog/2019/06/14/using-elytron-certificate-based-authentication-with-authorization to see how it can be configured. There is also example of principal decoder that uses regular expression to decode the principal from client's certificate attribute.
To use client certificates for authentication to the realm you could use CLIENT_CERT HTTP authentication mechanism. Take a look at this blog post https://developer.jboss.org/people/fjuma/blog/2019/06/14/using-elytron-certificate-based-authentication-with-authorization to see how it can be configured. There is also example of principal decoder that uses regular expression to decode the principal from client's certificate attribute.
Reply all
Reply to author
Forward
0 new messages