-
1. Re: Migrate WildFly 13 custom login module using Elytron
mchoma Nov 14, 2018 9:34 AM (in response to sergiu_pienar)
What are these additional features you need? Are you sure the Elytron jdbc realm does not provide them out of the box? If not, then probably the only way is to implement a custom component. How to implement a custom security realm is described here [1]
[1] Creating custom security realm for WildFly Elytron · Honza
-
2. Re: Migrate WildFly 13 custom login module using Elytron
sergiu_pienar Nov 14, 2018 9:42 AM (in response to mchoma)
Hi Martin,
Basically what my custom class from my login module was doing was to check if the user provided a wrong password more than 3 times. If so, we would "lock him out" of his account.
The Elytron jdbc-realm is working fine now, I'm using it for both undertow and ejb as of now, but I would need to somehow extend it (or at least get a hook to some callback methods) so that I can implement this extra logic.
-
3. Re: Migrate WildFly 13 custom login module using Elytron
sergiu_pienar Nov 15, 2018 8:14 AM (in response to sergiu_pienar)
@Martin
I got the Elytron sources from GitHub and tried to create my own SecurityRealm that extends org.wildfly.security.auth.realm.jdbc.JdbcSecurityRealm. I was able to create the module for the custom realm and add it to the standalone.xml file, but I don't see a way in which to add the principal query. Currently my jdbc-realm looks like this:
<jdbc-realm name="acmeRealm">
    <principal-query sql="SELECT u.password FROM Usr u, Client c, UserRole ur WHERE u.logname = ? AND (u.status = 'active' OR u.status = 'system') AND u.clientid = c.clientid AND (c.status = 'active' OR c.status = 'system') AND (u.passwordExpireDate is null OR u.passwordExpireDate > now()) AND u.userId = ur.userId AND u.lockedStatus != 1 AND ur.roleId=20" data-source="acmeDSXA">
        <simple-digest-mapper algorithm="simple-digest-sha-1" password-index="1"/>
    </principal-query>
    <principal-query sql="SELECT p.label, 'Roles' FROM Usr u, Role r, Privilege p, RolePrivilege rp, UserRole ur WHERE u.logname = ? AND u.userId = ur.userId AND u.clientId = ur.clientId AND ur.roleId = r.roleId AND r.roleId = rp.roleId AND rp.privilegeId = p.privilegeId" data-source="acmeDSXA">
        <attribute-mapping>
            <attribute to="roles" index="1"/>
        </attribute-mapping>
    </principal-query>
</jdbc-realm>
i.e. it has 2 principal queries. When I tried copying those into the <custom-realm> tag I got an exception stating that the custom realm cannot have 2 principal queries. When I try adding only one of the principal queries I get an exception saying that principal-query is only allowed inside a jdbc-realm.
Am I on the right track, or is this a bad approach for me to follow?
-
4. Re: Migrate WildFly 13 custom login module using Elytron
mchoma Nov 15, 2018 10:02 AM (in response to sergiu_pienar)
A custom security realm does not have any static parameters anymore. I would expect you have to configure everything through the configuration parameter:
/subsystem=elytron/custom-realm=myRealm:add(module=my.package.myrealm, class-name=my.package.MyRealm, configuration={myAttribute="myValue", otherAttribute="test"})
"configuration" => {
"type" => OBJECT,
"description" => "The optional key/value configuration for the custom realm.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"value-type" => STRING,
"access-type" => "read-write",
"storage" => "configuration",
"restart-required" => "all-services"
},
[1] Creating custom security realm for WildFly Elytron · Honza
-
5. Re: Migrate WildFly 13 custom login module using Elytron
sergiu_pienar Nov 19, 2018 3:33 AM (in response to mchoma)
Martin,
Is there any class in which I can intercept the login process for the jdbc-realm?
I would essentially need to check if the user currently trying to log in has provided valid credentials and, according to the result, increment some fields in a db table.
Before Elytron I was able to do this by extending org.jboss.security.auth.spi.DatabaseServerLoginModule and overriding the login() method.
Is there something similar in Elytron?
Thanks
-
6. Re: Migrate WildFly 13 custom login module using Elytron
fjuma Nov 19, 2018 4:16 PM (in response to sergiu_pienar)
The Elytron SecurityRealm#handleRealmEvent method can be used to handle various realm events. In your custom SecurityRealm that extends org.wildfly.security.auth.realm.jdbc.JdbcSecurityRealm, you could implement the handleRealmEvent method in order to handle the RealmFailedAuthenticationEvent which indicates a failed authentication attempt.
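As an added example (not code from this thread, from WildFly or from Elytron), here is what a custom realm built on the hook fjuma describes could look like. It wraps a JdbcSecurityRealm built from the two principal queries posted above rather than subclassing it, so it does not depend on JdbcSecurityRealm's constructors, and it uses handleRealmEvent to count failed logins and flip the same lockedStatus column that the password query already filters on. Everything not in the thread is an assumption: the package com.acme.security, a column Usr.failedLogins, the configuration keys datasource-jndi-name and max-failures, and the JNDI name java:jboss/datasources/acmeDSXA; the builder and mapper calls follow the Elytron 1.x API and should be checked against the version actually deployed.

```java
package com.acme.security;   // hypothetical package; deploy as a JBoss module of the same name

import java.security.Principal;
import java.security.spec.AlgorithmParameterSpec;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

import org.wildfly.security.auth.SupportLevel;
import org.wildfly.security.auth.realm.jdbc.JdbcSecurityRealm;
import org.wildfly.security.auth.realm.jdbc.mapper.AttributeMapper;
import org.wildfly.security.auth.realm.jdbc.mapper.PasswordKeyMapper;
import org.wildfly.security.auth.server.RealmIdentity;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SecurityRealm;
import org.wildfly.security.auth.server.event.RealmAuthenticationEvent;
import org.wildfly.security.auth.server.event.RealmEvent;
import org.wildfly.security.auth.server.event.RealmFailedAuthenticationEvent;
import org.wildfly.security.auth.server.event.RealmSuccessfulAuthenticationEvent;
import org.wildfly.security.credential.Credential;
import org.wildfly.security.evidence.Evidence;
import org.wildfly.security.password.interfaces.SimpleDigestPassword;

/** Custom Elytron realm: delegates identity lookup to a JdbcSecurityRealm and adds failed-login lockout. */
public class LockoutJdbcRealm implements SecurityRealm {

    private static final Logger LOG = Logger.getLogger(LockoutJdbcRealm.class.getName());

    // Queries copied from the jdbc-realm posted in the thread. The "u.lockedStatus != 1" clause is what
    // enforces the lock: a locked user resolves to no identity, so no password is ever compared.
    private static final String PASSWORD_QUERY = "SELECT u.password FROM Usr u, Client c, UserRole ur WHERE u.logname = ? AND (u.status = 'active' OR u.status = 'system') AND u.clientid = c.clientid AND (c.status = 'active' OR c.status = 'system') AND (u.passwordExpireDate is null OR u.passwordExpireDate > now()) AND u.userId = ur.userId AND u.lockedStatus != 1 AND ur.roleId=20";
    private static final String ROLES_QUERY = "SELECT p.label, 'Roles' FROM Usr u, Role r, Privilege p, RolePrivilege rp, UserRole ur WHERE u.logname = ? AND u.userId = ur.userId AND u.clientId = ur.clientId AND ur.roleId = r.roleId AND r.roleId = rp.roleId AND rp.privilegeId = p.privilegeId";

    // Assumed column Usr.failedLogins (not in the thread) holds consecutive failures. Counting and locking
    // happen in ONE statement so two concurrent failures cannot both read "2" and both skip the lock.
    // lockedStatus is assigned first on purpose: some databases (MySQL) evaluate SET clauses left to right.
    private static final String RECORD_FAILURE = "UPDATE Usr SET lockedStatus = CASE WHEN failedLogins + 1 >= ? THEN 1 ELSE lockedStatus END, failedLogins = failedLogins + 1 WHERE logname = ?";
    private static final String RESET_FAILURES = "UPDATE Usr SET failedLogins = 0 WHERE logname = ? AND failedLogins <> 0";

    private SecurityRealm delegate;
    private DataSource dataSource;
    private int maxFailures = 3;

    public LockoutJdbcRealm() {
        // the elytron subsystem instantiates custom components through a public no-arg constructor
    }

    /** Receives the custom-realm "configuration" map; the two keys used here are this example's own. */
    public void initialize(Map<String, String> configuration) {
        try {
            dataSource = (DataSource) new InitialContext().lookup(configuration.get("datasource-jndi-name"));
        } catch (NamingException e) {
            throw new IllegalStateException("cannot look up data source for lockout realm", e);
        }
        maxFailures = Integer.parseInt(configuration.getOrDefault("max-failures", "3"));
        PasswordKeyMapper passwordMapper = PasswordKeyMapper.builder()
                .setDefaultAlgorithm(SimpleDigestPassword.ALGORITHM_SIMPLE_DIGEST_SHA_1)  // simple-digest-sha-1 as in the thread
                .setHashColumn(1)
                .build();
        delegate = JdbcSecurityRealm.builder()
                .principalQuery(PASSWORD_QUERY).withMapper(passwordMapper).from(dataSource)
                .principalQuery(ROLES_QUERY).withMapper(new AttributeMapper(1, "roles")).from(dataSource)
                .build();
    }

    @Override
    public RealmIdentity getRealmIdentity(Principal principal) throws RealmUnavailableException {
        return delegate.getRealmIdentity(principal);
    }

    @Override
    public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType, String algorithmName,
            AlgorithmParameterSpec parameterSpec) throws RealmUnavailableException {
        return delegate.getCredentialAcquireSupport(credentialType, algorithmName, parameterSpec);
    }

    @Override
    public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> evidenceType, String algorithmName)
            throws RealmUnavailableException {
        return delegate.getEvidenceVerifySupport(evidenceType, algorithmName);
    }

    /** The hook discussed in the thread: a failed attempt bumps the counter, a success resets it. */
    @Override
    public void handleRealmEvent(RealmEvent event) {
        delegate.handleRealmEvent(event);
        if (event instanceof RealmFailedAuthenticationEvent) {
            String logname = lognameOf((RealmAuthenticationEvent) event);
            if (logname != null) runUpdate(RECORD_FAILURE, maxFailures, logname);
        } else if (event instanceof RealmSuccessfulAuthenticationEvent) {
            String logname = lognameOf((RealmAuthenticationEvent) event);
            if (logname != null) runUpdate(RESET_FAILURES, logname);
        }
    }

    private static String lognameOf(RealmAuthenticationEvent event) {
        Principal principal = event.getRealmIdentity().getRealmIdentityPrincipal();
        return principal == null ? null : principal.getName();   // null for an identity that does not exist
    }

    private void runUpdate(String sql, Object... params) {
        try (Connection c = dataSource.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
            for (int i = 0; i < params.length; i++) ps.setObject(i + 1, params[i]);
            ps.executeUpdate();
        } catch (SQLException e) {
            // Log rather than throw: handleRealmEvent is bookkeeping, not the verdict, and a counter that
            // silently stops working is itself a security finding, so make it visible in the server log.
            LOG.log(Level.SEVERE, "login-attempt bookkeeping failed", e);
        }
    }
}
```

Registering it follows the CLI form mchoma gave, with the assumed keys, e.g. /subsystem=elytron/custom-realm=acmeLockoutRealm:add(module=com.acme.security, class-name=com.acme.security.LockoutJdbcRealm, configuration={datasource-jndi-name="java:jboss/datasources/acmeDSXA", max-failures="3"}), and the JBoss module's module.xml needs a dependency on org.wildfly.security.elytron (plus javax.api for JNDI and JDBC). Two caveats worth keeping in mind: a permanent lock after three failures lets anyone who knows a username lock that user out, so a time-based unlock or an operator unlock path belongs next to this; and the UPDATE for an unknown logname is simply a no-op, so failures against non-existent users are neither counted nor distinguishable to the client, which is the behaviour you want.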
-
7. Re: Migrate WildFly 13 custom login module using Elytron
sergiu_pienar Nov 20, 2018 7:04 AM (in response to fjuma)
Thank you, Farah.
I was able to override the handleRealmEvent and do the necessary coding in there.