5 Replies Latest reply on Feb 22, 2018 12:16 PM by johnnuy

    EAP 7.1.0 and Elytron migration help...

    johnnuy
    johnnuy Feb 16, 2018 3:52 PM

      Hi,

       

      I am migrating our login and authentication mechanisms from the picketbox jaas modules to an elytron realm, and everything is going well.

       

      However I can't find a way to return custom login failure error messages.

       

      For example:

      - Invalid Username or Password

      - User has been locked due to invalid password attempts

      - User has been inactivated

      - etc.

       

      My integration points currently are a CustomSecurityRealm and a PrincipalTransformer used to append additional information to the principal before the getRealmIdentity() calls is made.  What is the proper way to send this information back to either a remote ejb client, or an http client?

       

      Additionally, I can't find a way to retrieve the current Principal from within our application code.  I have a hibernate interceptors which uses the PolicyContext.getContext("javax.security.auth.Subject.container") to retieve the current principal when running with the legacy security enabled.  What is the proper way to retrieve the current Principal using the Elytron framework?

        • 1. Re: EAP 7.1.0 and Elytron migration help...
          mchoma
          mchoma Feb 20, 2018 4:06 AM (in response to johnnuy)

          To get java.security.Principal this should help SecurityDomain.getCurrent().getCurrentSecurityIdentity().getPrincipal().

           

          What happens when you throw custom error message from CustomSecurityRealm?

            • Actions
          • 2. Re: EAP 7.1.0 and Elytron migration help...
            johnnuy
            johnnuy Feb 20, 2018 10:50 AM (in response to mchoma)

            Hi Martin,

             

            Thanks for the quick response.   Using the SecurityDomain.getCurrent().getCurrentSecurityIdentity().getPrincipal() is a good starting point for me; However this is returning a NamePrincipal.  within the Security Domain I have configured a PrincipalTransformer which is used to transform the NamePrincipal into a custom Principal which contains additional information such as the internal user identifier, and the type of user (external, internal, system, etc), when the user exists.

             

            The getRealmIdentity method of my security realm is being passed my custom Principal so I know the transformer is being invoked.  How would I ensure that the transformed Principal is the one that is set on CurrentSecurityIdentity?

             

            the elytron subsystem is configured as follows:

             

            <security-domains>

                 <security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper">

                      <realm name="ApplicationRealm" principal-transformer="MyPrincipalTransformer" role-decoder="groups-to-roles"/>

                 </security-domain>

                 <!--default properties based management realm -->

            </security-domains>

             

            <security-realms>

                 <custom-realm name="ApplicationRealm" module="my.module.elytron-extensions:2.0.0" class-name="my.SecurityRealm"/>

                 <!-- management realm based on properties config -->

            </security-realms>

             

            <mappers>

                 <!-- default simple permission mapper -->

                 <custom-principal-transformer name="MyPrincipalTransformer" module="my.module.elytron-extensions:2.0.0" class-name="my.PrincipalTransformer"/>

                 <!--role mappers, etc -->

            </mappers>

             

             

            If I throw a custom exception from within the SecurityRealms verifyEvidence() method I get a server error which is returned via undertow as a stack trace to the browser... I will get the stack trace and append it shortly.

              • Actions
            • 3. Re: EAP 7.1.0 and Elytron migration help...
              johnnuy
              johnnuy Feb 20, 2018 11:04 AM (in response to johnnuy)

              For some reason I can't paste the contents into this text area... so i've attached the stack trace as a file

                • Actions
              • 4. Re: EAP 7.1.0 and Elytron migration help...
                mchoma
                mchoma Feb 21, 2018 2:09 AM (in response to johnnuy)

                Please look at Darran's WildFly Blog: WildFly Elytron - Principal Transformers, Realm Mappings, and Principal Decoders  it will help you understand lifecycle of transformers and can help you to find solution in your specific use case.

                1 of 1 people found this helpful
                  • Actions
                • 5. Re: EAP 7.1.0 and Elytron migration help...
                  johnnuy
                  johnnuy Feb 22, 2018 12:16 PM (in response to mchoma)

                  For anyone else with similar issues, switching the transformer over to a "pre-realm-principal-transformer" on the security-domain, rather than on the security realm itself has solved the issue of having my custom principal attached to the currentSecurityIdentity.

                   

                  Still working on the custom login failure messages... but so far I'm liking Elytron vs the legacy JAAS implementations in previous EAP releases

                    • Actions