How to configure the security for using JDBC realms
anindyam1969 May 9, 2019 6:59 AM
We are trying to use the Elytron v 1.7.0 security with WildFly 15.0.1 Final version. We can configure the JDBC realm with Oracle XE 11g and as such there are no issues if everything is in clear text.
Our main purpose is to secure our EJBs so that only the principals with approved roles and identities can access them.
However, we need the following:
1. The client must not send out the password as clear text.
2. We are going to use simple-digest-md5 mechanism to store the password in the Oracle tables.
Now the question is: with clear text passwords in the database and at the client, we can run the client program and it authenticates the principals correctly.
The issue is we cannot configure the same scenario using "simple-digest-md5". We have gone through the bcrypt examples given in the documentation here:
wildfly/JDBC_Security_Realm.adoc at master · wildfly/wildfly · GitHub
We haven't found any example anywhere that tells us how to get things working when we have the passwords as "simple-digest-md5".
The configurations that we have currently are as follows:
We tried with the SASL authentication factory mechanism set to "DIGEST-SHA-256" since we could not find a "simple-digest" equivalent of those.
<!-- EJB SubSystem -->
<application-security-domains>
<application-security-domain name="other" security-domain="ApplicationDomain"/>
</application-security-domains>
<!-- Elytron Subsystem -->
<jdbc-realm name="DatabaseRealm">
<principal-query sql="SELECT password from sa_user where username=?" data-source="OraclePool">
<clear-password-mapper password-index="1"/>
</principal-query>
<principal-query sql="SELECT name from sa_roles where username=?" data-source="OraclePool">
<attribute-mapping>
<attribute to="groups" index="1"/>
</attribute-mapping>
</principal-query>
</jdbc-realm>
<sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="ApplicationDomain">
<mechanism-configuration>
<mechanism mechanism-name="DIGEST-SHA-256">
<mechanism-realm realm-name="DatabaseRealm"/>
</mechanism>
</mechanism-configuration>
</sasl-authentication-factory>
<!-- Remoting SubSystem -->
<subsystem xmlns="urn:jboss:domain:remoting:4.0">
<http-connector name="http-remoting-connector" connector-ref="default" sasl-authentication-factory="application-sasl-authentication"/>
</subsystem>
<!-- DataSource SubSystem -->
<datasource jndi-name="java:jboss/OracleDS" pool-name="OraclePool">
<connection-url>jdbc:oracle:thin:@localhost:1521:XE</connection-url>
<driver>oracle</driver>
<security>
<user-name>sa_user</user-name>
<password>password</password>
</security>
</datasource>
<drivers>
<driver name="oracle" module="com.oracle">
<driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
</driver>
</drivers>
We are simply executing the client code as given in the project quickstart/ejb-security and it fails with the following errors:
10:16:57,086 TRACE [org.jboss.remoting.remote.server] (default I/O-5) Added mechanism DIGEST-SHA-256
10:16:57,087 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) Sent 72 bytes
10:16:57,087 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) Flushed channel
10:16:57,173 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) No buffers in queue for message header
10:16:57,173 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) Allocated fresh buffers
10:16:57,173 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) Received 20 bytes
10:16:57,174 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) Received message java.nio.HeapByteBuffer[pos=0 lim=16 cap=8192]
10:16:57,174 TRACE [org.jboss.remoting.remote.server] (default I/O-5) Received java.nio.HeapByteBuffer[pos=0 lim=16 cap=8192]
10:16:57,175 TRACE [org.jboss.remoting.remote.server] (default I/O-5) Server received authentication request
10:16:57,187 TRACE [org.wildfly.security] (default I/O-5) Handling MechanismInformationCallback type='SASL' name='DIGEST-SHA-256' host-name='localhost' protocol='remote'
10:16:57,189 TRACE [org.wildfly.security] (default I/O-5) Handling MechanismInformationCallback type='SASL' name='DIGEST-SHA-256' host-name='localhost' protocol='remote'
10:16:57,190 TRACE [org.wildfly.security] (default I/O-5) Handling AvailableRealmsCallback: realms = [DatabaseRealm]
10:16:57,197 TRACE [org.wildfly.security] (default I/O-5) Creating SaslServer [org.wildfly.security.sasl.digest.DigestSaslServer@3ab3b98b] for mechanism [DIGEST-SHA-256] and protocol [remote]
10:16:57,199 TRACE [org.wildfly.security] (default I/O-5) Created SaslServer [org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1@3392d2ed->org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer@792540da->org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1@1c34c20e->org.wildfly.security.sasl.digest.DigestSaslServer@3ab3b98b] for mechanism [DIGEST-SHA-256]
10:16:57,201 TRACE [org.jboss.remoting.endpoint] (default I/O-5) Allocated tick to 8 of endpoint "akashr-macbookpro" <49d155b9> (opened org.jboss.remoting3.EndpointImpl$TrackingExecutor@61d21805)
10:16:57,214 TRACE [org.jboss.remoting.remote.server] (default task-1) Server sending authentication challenge
10:16:57,216 TRACE [org.jboss.remoting.remote] (default task-1) Setting read listener to org.jboss.remoting3.remote.ServerConnectionOpenListener$Authentication@7bf652c7
10:16:57,218 TRACE [org.jboss.remoting.endpoint] (default task-1) Resource closed count 00000007 of endpoint "akashr-macbookpro" <49d155b9> (closed org.jboss.remoting3.EndpointImpl$TrackingExecutor@61d21805)
10:16:57,220 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) Sent 116 bytes
10:16:57,221 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) Flushed channel
10:16:57,240 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) No buffers in queue for message header
10:16:57,241 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) Allocated fresh buffers
10:16:57,242 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) Received 310 bytes
10:16:57,243 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) Received message java.nio.HeapByteBuffer[pos=0 lim=306 cap=8192]
10:16:57,243 TRACE [org.jboss.remoting.remote.server] (default I/O-5) Received java.nio.HeapByteBuffer[pos=0 lim=306 cap=8192]
10:16:57,243 TRACE [org.jboss.remoting.remote.server] (default I/O-5) Server received authentication response
10:16:57,244 TRACE [org.jboss.remoting.endpoint] (default I/O-5) Allocated tick to 8 of endpoint "akashr-macbookpro" <49d155b9> (opened org.jboss.remoting3.EndpointImpl$TrackingExecutor@61d21805)
10:16:57,247 TRACE [org.wildfly.security] (default task-1) Handling RealmCallback: selected = [DatabaseRealm]
10:16:57,247 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = user2
10:16:57,248 TRACE [org.wildfly.security] (default task-1) Principal assigning: [user2], pre-realm rewritten: [user2], realm name: [DatabaseRealm], post-realm rewritten: [user2], realm rewritten: [user2]
10:16:57,252 TRACE [org.wildfly.security] (default task-1) Executing principalQuery SELECT password from sa_user where username=? with value user2
10:16:57,562 TRACE [org.wildfly.security] (default task-1) Key Mapper: Password credential created using algorithm column value [clear]
10:16:57,564 TRACE [org.wildfly.security] (default task-1) Executing principalQuery SELECT name from sa_roles where username=? with value user2
10:16:57,567 TRACE [org.wildfly.security] (default task-1) Handling CredentialCallback: failed to obtain credential
10:16:57,567 TRACE [org.wildfly.security] (default task-1) Handling RealmCallback: selected = [DatabaseRealm]
10:16:57,568 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = user2
10:16:57,568 TRACE [org.wildfly.security] (default task-1) Handling CredentialCallback: obtained credential: org.wildfly.security.credential.PasswordCredential@5d12f690
10:16:57,572 TRACE [org.jboss.remoting.remote.server] (default task-1) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05055: Authentication rejected (invalid proof)
at org.wildfly.security.sasl.digest.DigestSaslServer.validateDigestResponse(DigestSaslServer.java:274)
at org.wildfly.security.sasl.digest.DigestSaslServer.evaluateMessage(DigestSaslServer.java:363)
at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:199)
at org.wildfly.security.sasl.digest.DigestSaslServer.evaluateResponse(DigestSaslServer.java:336)
at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:59)
at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:486)
at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:949)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
at java.lang.Thread.run(Thread.java:748)
10:16:57,575 TRACE [org.wildfly.security] (default task-1) Handling AuthenticationCompleteCallback: fail
10:16:57,575 TRACE [org.jboss.remoting.remote.server] (default task-1) No more authentication attempts allowed, closing the connection
We need to move a legacy application from JBoss 5.1.0 to WildFly 15.0.1.
Any help would be immensely appreciated. We do realize that somewhere the exact configurations needed for this to work on both the client and the server are not matching and hence these errors, but due to the lack of suitable examples and clear documentation we are not able to proceed.
TIA,
Anindya
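The following is an added example, not code from the post above nor from WildFly or Elytron. It models the DIGEST-* SASL challenge-response (RFC 2831 structure, with the hash function parameterised, which is the same shape Elytron's DIGEST-MD5 and DIGEST-SHA-256 mechanisms follow) to show which server-side secret form can verify the client's proof. The client never sends the password; it proves possession of H(username:realm:password) mixed with the server nonce and its own cnonce. The server can therefore only recompute the expected proof if it holds either the clear password or that exact pre-digested value. An unsalted hash of the password alone (the "simple-digest-*" form) is a different value, cannot be turned into H(username:realm:password), and will always produce the "invalid proof" rejection seen in the trace. Likewise, a clear-password-mapper takes whatever is in the column literally as the password, so a hashed value stored there fails the same way. The usernames, realm, nonces, digest-uri and password below are all constructed; byte-for-byte agreement with Elytron's on-the-wire encoding is not claimed, only the structure of the computation.

```python
import hashlib
import secrets

# Added example, not part of the original post or of WildFly/Elytron.
# Simplified RFC 2831-style DIGEST exchange with the hash parameterised.
# All identities, nonces and the password below are constructed values.
HASH_NAME = "sha256"


def hash_bytes(data: bytes) -> bytes:
    return hashlib.new(HASH_NAME, data).digest()


def simple_digest_hex(password: str) -> str:
    """'simple-digest' style storage: unsalted hash of the password alone."""
    return hash_bytes(password.encode("utf-8")).hex()


def digest_ha1_hex(username: str, realm: str, password: str) -> str:
    """'digest' style storage: H(username:realm:password), the A1 prefix
    that a DIGEST-* server needs when it does not hold the clear password."""
    return hash_bytes(f"{username}:{realm}:{password}".encode("utf-8")).hex()


def digest_response(ha1: bytes, nonce: str, cnonce: str, nc: str,
                    digest_uri: str, qop: str = "auth") -> str:
    """Proof computed from the A1 prefix only; the clear password is not needed.
    A1 = H(user:realm:pass):nonce:cnonce, A2 = AUTHENTICATE:digest-uri,
    response = H(HEX(H(A1)):nonce:nc:cnonce:qop:HEX(H(A2)))."""
    a1 = ha1 + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    kd = f"{hash_bytes(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{hash_bytes(a2).hex()}"
    return hash_bytes(kd.encode("utf-8")).hex()


def client_proof(username: str, realm: str, password: str,
                 nonce: str, cnonce: str, nc: str, digest_uri: str) -> str:
    """Client side: it has the clear password, so it derives the A1 prefix itself."""
    ha1 = bytes.fromhex(digest_ha1_hex(username, realm, password))
    return digest_response(ha1, nonce, cnonce, nc, digest_uri)


def server_verify(stored_hex: str, nonce: str, cnonce: str, nc: str,
                  digest_uri: str, proof: str) -> bool:
    """Server side: recompute the proof from the hex value found in the DB
    column and compare in constant time. This only succeeds when that value
    really is H(username:realm:password)."""
    expected = digest_response(bytes.fromhex(stored_hex), nonce, cnonce, nc, digest_uri)
    return secrets.compare_digest(expected, proof)


def demo() -> tuple:
    """Returns (verified with digest storage, verified with simple-digest storage)."""
    user, realm, password = "user2", "DatabaseRealm", "correct horse battery staple"
    nonce, cnonce, nc, uri = "c0ffee", "deadbeef", "00000001", "remote/localhost"
    proof = client_proof(user, realm, password, nonce, cnonce, nc, uri)
    ok_with_digest = server_verify(digest_ha1_hex(user, realm, password),
                                   nonce, cnonce, nc, uri, proof)
    ok_with_simple = server_verify(simple_digest_hex(password),
                                   nonce, cnonce, nc, uri, proof)
    return ok_with_digest, ok_with_simple


if __name__ == "__main__":
    print(demo())
```

The practical consequence for the setup above: keeping the password off the wire (DIGEST-*) and keeping only a plain hash of the password in the table (simple-digest-*) are not compatible with each other, because the server-side verifier needs a value derived from username, realm and password together. Storing H(username:realm:password) instead ties the stored secret to the realm name, so the realm-name in the mechanism-realm element and the one used when the rows were generated must match exactly.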