7 Replies Latest reply on Nov 20, 2018 7:04 AM by sergiu_pienar

    Migrate WildFly 13 custom login module using Elytron

    sergiu_pienar

      I'm using WildFly 13 and Elytron. This setup was migrated from WF9 with the old security implementation from WF.

      The "original" implementation had a custom login module, in which I had a class that extended org.jboss.security.auth.spi.DatabaseServerLoginModule.

       

      In this class I would do additional actions depending on whether the login was successful or not.

       

      I'm trying to achieve the same thing using Elytron. Any hints?

        • 1. Re: Migrate WildFly 13 custom login module using Elytron
          mchoma

          What are these additional features you need? Are you sure the Elytron jdbc-realm does not provide them out of the box? If not, then probably the only way is to implement a custom component. How to implement a custom security realm is described here [1].

           

          [1] Creating custom security realm for WildFly Elytron · Honza

          • 2. Re: Migrate WildFly 13 custom login module using Elytron
            sergiu_pienar

            Hi Martin,

            Basically, what my custom class from my login module was doing was to check if the user provided a wrong password more than 3 times. If so, we would "lock him out" of his account.


            The Elytron jdbc-realm is working fine now; I'm using it for both Undertow and EJB as of now, but I would need to somehow extend it (or at least get a hook to some callback methods) so that I can implement this extra logic.

            • 3. Re: Migrate WildFly 13 custom login module using Elytron
              sergiu_pienar

              @Martin


              I got the Elytron sources from GitHub and tried to create my own SecurityRealm that extends org.wildfly.security.auth.realm.jdbc.JdbcSecurityRealm.

              I was able to create the module for the custom realm and add it to the standalone.xml file, but I don't see a way to add the principal query. Currently my jdbc-realm looks like this:

               

              <jdbc-realm name="acmeRealm">
                <principal-query sql="SELECT u.password FROM Usr u, Client c, UserRole ur WHERE u.logname = ? AND (u.status = 'active' OR u.status = 'system') AND u.clientid = c.clientid AND (c.status = 'active' OR c.status = 'system') AND (u.passwordExpireDate is null OR u.passwordExpireDate > now()) AND u.userId = ur.userId AND u.lockedStatus != 1 AND ur.roleId=20" data-source="acmeDSXA">
                  <simple-digest-mapper algorithm="simple-digest-sha-1" password-index="1"/>
                </principal-query>
                <principal-query sql="SELECT p.label, 'Roles' FROM Usr u, Role r, Privilege p, RolePrivilege rp, UserRole ur WHERE u.logname = ? AND u.userId = ur.userId AND u.clientId = ur.clientId AND ur.roleId = r.roleId AND r.roleId = rp.roleId AND rp.privilegeId = p.privilegeId" data-source="acmeDSXA">
                  <attribute-mapping>
                    <attribute to="roles" index="1"/>
                  </attribute-mapping>
                </principal-query>
              </jdbc-realm>

               

              i.e. it has 2 principal queries. When I tried copying those into the <custom-realm> tag I got an exception stating that the custom realm cannot have 2 principal queries. When I try adding only one of the principal queries I get an exception saying that principal-query is only allowed inside a jdbc-realm.

               

              Am I on the right track, or is this a bad approach for me to follow?

              • 4. Re: Migrate WildFly 13 custom login module using Elytron
                mchoma

                A custom security realm does not have any static parameters anymore. I would expect you have to configure everything through the configuration parameter:

                 

                /subsystem=elytron/custom-realm=myRealm:add(module=my.package.myrealm, class-name=my.package.MyRealm, configuration={myAttribute="myValue", otherAttribute="test"})

                 

                "configuration" => {
                    "type" => OBJECT,
                    "description" => "The optional key/value configuration for the custom realm.",
                    "expressions-allowed" => true,
                    "required" => false,
                    "nillable" => true,
                    "value-type" => STRING,
                    "access-type" => "read-write",
                    "storage" => "configuration",
                    "restart-required" => "all-services"
                },

                 

                [1] Creating custom security realm for WildFly Elytron · Honza

                • 5. Re: Migrate WildFly 13 custom login module using Elytron
                  sergiu_pienar

                  Martin,

                   

                  Is there any class in which I can intercept the login process for the jdbc-realm?

                  I would essentially need to check whether the user currently trying to log in has provided valid credentials and, depending on the result, increment some fields in a DB table.

                   

                  Before Elytron I was able to do this by extending org.jboss.security.auth.spi.DatabaseServerLoginModule and overriding the login() method.

                  Is there something similar in Elytron ?

                   

                  Thanks

                  • 6. Re: Migrate WildFly 13 custom login module using Elytron
                    fjuma

                    The Elytron SecurityRealm#handleRealmEvent method can be used to handle various realm events. In your custom SecurityRealm that extends org.wildfly.security.auth.realm.jdbc.JdbcSecurityRealm, you could implement the handleRealmEvent method in order to handle the RealmFailedAuthenticationEvent which indicates a failed authentication attempt.

                    • 7. Re: Migrate WildFly 13 custom login module using Elytron
                      sergiu_pienar

                      Thank you Farah.

                      I was able to override the handleRealmEvent and do the necessary coding in there.
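
Here is what the approach from replies 6 and 7 can look like, as an added example that is neither the poster's code nor WildFly's own: a realm that wraps the working jdbc-realm and does the lockout bookkeeping in handleRealmEvent. It assumes the WildFly Elytron 1.x API (org.wildfly.security.auth.server.SecurityRealm and the event classes in org.wildfly.security.auth.server.event that fjuma names), a column Usr.failedLogins that the poster's schema does not show (logname and lockedStatus are taken from the poster's principal query), and that whoever constructs the instance hands it the jdbc-realm and a DataSource; the custom-realm no-arg construction and configuration-map wiring is left out. Package and class names are hypothetical.

```java
package com.acme.security; // hypothetical package, not from the thread

import java.security.Principal;
import java.security.spec.AlgorithmParameterSpec;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.sql.DataSource;

import org.wildfly.security.auth.SupportLevel;
import org.wildfly.security.auth.server.RealmIdentity;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SecurityRealm;
import org.wildfly.security.auth.server.event.RealmAuthenticationEvent;
import org.wildfly.security.auth.server.event.RealmEvent;
import org.wildfly.security.auth.server.event.RealmFailedAuthenticationEvent;
import org.wildfly.security.auth.server.event.RealmSuccessfulAuthenticationEvent;
import org.wildfly.security.credential.Credential;
import org.wildfly.security.evidence.Evidence;

// Counts failed logins per logname; after MAX_FAILURES the row gets lockedStatus = 1.
// The poster's password query already filters "AND u.lockedStatus != 1", so from then
// on the wrapped jdbc-realm finds no password for the user and every attempt fails.
public final class LockoutRealm implements SecurityRealm {

    private static final Logger LOG = Logger.getLogger(LockoutRealm.class.getName());
    private static final int MAX_FAILURES = 3;

    // Usr.failedLogins is an assumed column; one UPDATE keeps count and lock atomic.
    private static final String RECORD_FAILURE =
        "UPDATE Usr SET failedLogins = failedLogins + 1, "
      + "lockedStatus = CASE WHEN failedLogins + 1 >= ? THEN 1 ELSE lockedStatus END "
      + "WHERE logname = ?";
    private static final String RESET_FAILURES =
        "UPDATE Usr SET failedLogins = 0 WHERE logname = ?";

    private final SecurityRealm delegate;   // the jdbc-realm that verifies the password
    private final DataSource dataSource;    // same database as the principal queries

    public LockoutRealm(SecurityRealm delegate, DataSource dataSource) {
        this.delegate = delegate;
        this.dataSource = dataSource;
    }

    // Pass-through: the wrapped jdbc-realm does the real work.
    @Override
    public RealmIdentity getRealmIdentity(Principal principal) throws RealmUnavailableException {
        return delegate.getRealmIdentity(principal);
    }

    @Override
    public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType,
            String algorithmName, AlgorithmParameterSpec parameterSpec) throws RealmUnavailableException {
        return delegate.getCredentialAcquireSupport(credentialType, algorithmName, parameterSpec);
    }

    @Override
    public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> evidenceType,
            String algorithmName) throws RealmUnavailableException {
        return delegate.getEvidenceVerifySupport(evidenceType, algorithmName);
    }

    // The hook the thread asks for: Elytron calls this after each verification attempt.
    @Override
    public void handleRealmEvent(RealmEvent event) {
        if (event instanceof RealmFailedAuthenticationEvent) {
            update(RECORD_FAILURE, (RealmAuthenticationEvent) event, true);
        } else if (event instanceof RealmSuccessfulAuthenticationEvent) {
            update(RESET_FAILURES, (RealmAuthenticationEvent) event, false);
        }
        delegate.handleRealmEvent(event); // let the jdbc-realm see the event as well
    }

    private void update(String sql, RealmAuthenticationEvent event, boolean withThreshold) {
        String logname = lognameOf(event);
        if (logname == null) {
            return; // unknown or already locked user: nothing to count
        }
        // Bookkeeping errors are logged, never turned into an auth result of their own.
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            int i = 1;
            if (withThreshold) {
                ps.setInt(i++, MAX_FAILURES);
            }
            ps.setString(i, logname);
            ps.executeUpdate();
        } catch (SQLException e) {
            LOG.log(Level.WARNING, "lockout bookkeeping failed for " + logname, e);
        }
    }

    private static String lognameOf(RealmAuthenticationEvent event) {
        try {
            RealmIdentity identity = event.getRealmIdentity();
            if (!identity.exists()) {
                return null;
            }
            Principal p = identity.getRealmIdentityPrincipal();
            return p == null ? null : p.getName();
        } catch (RealmUnavailableException e) {
            return null;
        }
    }
}
```

Two things worth checking before deploying something like this: the lock takes effect only because the poster's own password query excludes lockedStatus = 1, so if that predicate is ever dropped from the query the counter keeps counting but nothing is enforced; and a plain threshold lets anyone who knows a logname lock that account with three wrong passwords, so pair it with a time-based or administrative unlock and an alert rather than a permanent lock.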