Wildfly 10.1 SPNEGO and Groups from LDAP
be.boerngen-schmidt Feb 26, 2018 3:49 PM
Hello everyone,
first of all, I'd love to use Wildfly 11, but I cannot, since the application is not yet ported. But it should be possible to build the same in Wildfly 10.1.
So what I want to achieve is the following:
- User opens the browser and hits the application's URL
- Application sends 401 ... user authentication using Windows Integrated Authentication (SPNEGO)
- After the user is authenticated, fetch his roles from LDAP
- Map a specific role to another role so that it matches the web.xml <role-name> tag
I hope you guys can understand what I'm trying to do and I hope I'm on the right track.
What I have managed to achieve already:
- Integrated Windows Authentication (IWA) is working
- Roles are fetched from LDAP
  - but only via LDAP Simple Bind
  - cannot use Kerberos (would be nicer, since I already have an authenticated user from IWA)
- I have no clue how to map a RoleA to RoleB
And the web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
  <display-name>App-IWA</display-name>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <description>App-IWA security test site</description>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <description>User role is needed to login</description>
    <role-name>Users</role-name>
  </security-role>
  <login-config>
    <auth-method>SPNEGO</auth-method>
    <realm-name>SPNEGO</realm-name>
  </login-config>
</web-app>
Until now I have read quite a lot of blog posts, the Red Hat JBoss manual, the Wildfly manual etc., where a lot of partial information is posted, mainly on how to get the ManagementRealm to use LDAP, which I do not really care about, BUT at the same time I cannot distinguish whether the information is also valid for securing applications.
Things I just want to note down for anyone who finds this post later are:
- The login modules of a security domain are iterated through in order
- The flags correspond to Configuration (Java Platform SE 8)
- Password-Stacking (Authentication Modules - WildFly 10 - Project Documentation Editor), when set, makes it so that the first module does authentication and the following ones do authorization (role fetching only)
But after introducing my problem, I'd like to ask some questions:
Q1: When I try to use the Kerberos "host" configuration for the AdvancedLdap login module, I always get the error that I do not have a bind to the LDAP.
The configuration I tried to use for this looks like:
/subsystem=security/security-domain=SPNEGO/authentication=classic/:write-attribute( name=login-modules, value=[{ code="SPNEGOUsers", flag="requisite", module="org.jboss.security.negotiation", module-options={ password-stacking="useFirstPass", serverSecurityDomain="host", removeRealmFromPrincipal=true } },{ code="org.jboss.security.negotiation.AdvancedADLoginModule", flag="required", module="org.jboss.security.negotiation", module-options={ password-stacking="useFirstPass", java.naming.provider.url="ldap://kdc.domain.dev:389", bindAuthentication="GSSAPI", jaasSecurityDomain="host", baseCtxDN="CN=Users,DC=domain,DC=dev", baseFilter="(sAMAccountName={0})", rolesCtxDN="CN=Users,DC=domain,DC=dev", roleFilter="(member={1})", roleAttributeID="cn" } }] ) {allow-resource-service-restart=true}
What confuses me is that I must already have had a binding in SPNEGOUsers, right? The login always fails on org/jboss/security/negotiation/AdvancedLdapLoginModule.java:536 in the findUser function. It seems that when I reuse the credentials from SPNEGO, the filter attribute will be set to "Administrator", which would be fine, since it will match sAMAccountName.
The error usually looked like:
2018-02-26 10:50:37,155 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) Login failed: javax.security.auth.login.LoginException: Unable to find user DN
    at org.jboss.security.negotiation.AdvancedLdapLoginModule.findUserDN(AdvancedLdapLoginModule.java:581)
    at org.jboss.security.negotiation.AdvancedLdapLoginModule.innerLogin(AdvancedLdapLoginModule.java:385)
    at org.jboss.security.negotiation.AdvancedLdapLoginModule$AuthorizeAction.run(AdvancedLdapLoginModule.java:971)
    ...
Caused by: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580 ]; ramining name 'CN=Users,DC=domain,DC=dev'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3194)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1846)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1786)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:418)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:396)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:378)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
    at org.jboss.security.negotiation.AdvancedLdapLoginModule.findUserDN(AdvancedLdapLoginModule.java:536)
    ....
Q2: Map LDAP roles to an application role
Since the roles in LDAP will look a lot different from the "generic" "Users" role in the web.xml, is there a way to add the Users role to the User/Principal (I do not get the difference) based on a specific LDAP group?
So, for example, Administrator is part of the following LDAP groups:
- Domain Users
- Remote Desktop Users
- ApplicationUsers
- ZeWebApplicationWhichICoded
My idea was that after I have fetched the roles from LDAP and the user is part of "ZeWebApplicationWhichICoded", I also add him to the role "Users". But is this even possible with the given tools of Wildfly, or do I need to code something on my own?
Q3: Can I make Elytron work with Wildfly 10.1?
I read quite a lot about Elytron, and it seems to have more of the stuff I want than the current WFLY10.1 security subsystem. Is there a nice and easy way to get the latest Elytron version and enable it in Wildfly 10.1?
Anyway, thanks for reading so far, and I hope someone might be able to push me in the right direction.
Benjamin
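One way to handle Q2 with the legacy security subsystem, as an added example that is not from the original post: a SimpleRoles mapping module on the same SPNEGO security domain, which adds the application role "Users" to any principal whose LDAP-derived roles include the group "ZeWebApplicationWhichICoded". It assumes the security domain keeps the name "SPNEGO" from the post's CLI command and that the role names the mapping keys are compared against are the cn values the AdvancedLdap module returns (case-sensitive, so the key must match the group's cn exactly).

```xml
<!-- standalone.xml fragment, legacy security subsystem (added example, not from the post) -->
<subsystem xmlns="urn:jboss:domain:security:2.0">
  <security-domains>
    <security-domain name="SPNEGO" cache-type="default">
      <authentication>
        <!-- The two login modules from the post's CLI command (SPNEGOUsers with
             password-stacking=useFirstPass, then the AdvancedADLoginModule that
             fetches the groups via roleAttributeID="cn") go here unchanged. -->
      </authentication>
      <!-- Role mapping runs after authentication has built the role set.
           Each module-option key is a role name exactly as the LDAP module
           produced it (the group's cn); the value is a comma-separated list
           of roles to add for a principal that holds that role.
           Users who are not in the group keep only their LDAP groups. -->
      <mapping>
        <mapping-module code="SimpleRoles" type="role">
          <module-option name="ZeWebApplicationWhichICoded" value="Users"/>
        </mapping-module>
      </mapping>
    </security-domain>
  </security-domains>
</subsystem>
```

Note that with the post's web.xml, `<role-name>*</role-name>` in the auth-constraint admits only the roles declared in `<security-role>`, i.e. "Users", so a user who authenticates via SPNEGO but is not in the mapped group still gets 403; the mapping is what actually grants access. The same mapping should be applicable from the CLI as /subsystem=security/security-domain=SPNEGO/mapping=classic:add(mapping-modules=[{code=SimpleRoles, type=role, module-options={ZeWebApplicationWhichICoded=Users}}]) (assumed equivalent of the XML above).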