WF14 Elytron security Roles mapping
shel Sep 21, 2018 4:02 AM
Hi
Having trouble migrating to WF14 from WF10 due to the new security.
So security was set up as follows:
/subsystem=elytron/jdbc-realm=EcrmRealm:add(principal-query=[{sql="SELECT password, 'Default' role FROM account WHERE login=?",data-source=H2DS,clear-password-mapper={password-index=1},attribute-mapping=[{index=2,to=Roles}]}])
/subsystem=elytron/security-domain=ecrmSD:add(realms=[{realm=EcrmRealm,role-decoder=groups-to-roles}],default-realm=EcrmRealm,permission-mapper=default-permission-mapper)
/subsystem=elytron/http-authentication-factory=ecrm-db-http-auth:add(http-server-mechanism-factory=global,security-domain=ecrmSD,mechanism-configurations=[{mechanism-name=FORM}])
/subsystem=undertow/application-security-domain=ecrm:add(http-authentication-factory=ecrm-db-http-auth)
/subsystem=ejb3/application-security-domain=ecrm:add(security-domain=ecrmSD)
Authentication works fine but then authorization fails. I enabled additional logging for security and here it is:
09:01:31,442 DEBUG [org.wildfly.security.http.password] (default task-1) Username authentication. Realm: [null], Username: [admin].
09:01:31,456 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = admin
09:01:31,458 TRACE [org.wildfly.security] (default task-1) Principal assigning: [admin], pre-realm rewritten: [admin], realm name: [EcrmRealm], post-realm rewritten: [admin], realm rewritten: [admin]
09:01:31,459 TRACE [org.wildfly.security] (default task-1) Executing principalQuery SELECT password, 'Default' role FROM account WHERE login=? with value admin
09:01:31,464 TRACE [org.wildfly.security] (default task-1) Key Mapper: Password credential created using algorithm column value [clear]
09:01:31,469 TRACE [org.wildfly.security.http.form] (default task-1) Authorizing username: [admin], Request URI: [http://localhost:2525/ecrm/j_security_check], Context path: [/ecrm]
09:01:31,470 TRACE [org.wildfly.security] (default task-1) Role mapping: principal [admin] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []
09:01:31,471 TRACE [org.wildfly.security] (default task-1) Authorizing principal admin.
09:01:31,471 TRACE [org.wildfly.security] (default task-1) Authorizing against the following attributes: [Roles] => [Default]
09:01:31,473 TRACE [org.wildfly.security] (default task-1) Permission mapping: identity [admin] with roles [] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
09:01:31,473 TRACE [org.wildfly.security] (default task-1) Authorization succeed
09:01:31,474 TRACE [org.wildfly.security] (default task-1) Handling CachedIdentityAuthorizeCallback: principal = admin authorizedIdentity = SecurityIdentity{principal=admin, securityDomain=org.wildfly.security.auth.server.SecurityDomain@2917b485, authorizationIdentity=EMPTY, realmInfo=RealmInfo{name='EcrmRealm', securityRealm=org.wildfly.security.auth.realm.jdbc.JdbcSecurityRealm@156a848a}, creationTime=2018-09-21T07:01:31.470Z}
09:01:31,474 DEBUG [org.wildfly.security.http.form] (default task-1) User [admin] authenticated successfully
09:01:31,474 TRACE [org.wildfly.security] (default task-1) Handling AuthenticationCompleteCallback: succeed
09:01:31,475 TRACE [org.wildfly.security] (default task-1) Handling SecurityIdentityCallback: identity = SecurityIdentity{principal=admin, securityDomain=org.wildfly.security.auth.server.SecurityDomain@2917b485, authorizationIdentity=EMPTY, realmInfo=RealmInfo{name='EcrmRealm', securityRealm=org.wildfly.security.auth.realm.jdbc.JdbcSecurityRealm@156a848a}, creationTime=2018-09-21T07:01:31.470Z}
09:01:31,475 TRACE [org.wildfly.security.http.form] (default task-1) User redirected to original path [http://localhost:2525/ecrm/accountInfo.jsf]
09:01:31,475 TRACE [org.wildfly.security] (default task-1) Role mapping: principal [admin] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []
On one hand I can see that:
09:01:31,471 TRACE [org.wildfly.security] (default task-1) Authorizing against the following attributes: [Roles] => [Default]
On the other:
09:01:31,475 TRACE [org.wildfly.security] (default task-1) Role mapping: principal [admin] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []
When I try to log "getRequest().getRemoteUser()" and "getRequest().isUserInRole( "Default" )" it gives "admin" and "false", so as a result:
09:01:31,491 ERROR [org.jboss.as.ejb3.invocation] (default task-1) WFLYEJB0034: EJB Invocation failed on component AccountManagerBean for method public shel.ecrm.domain.Account shel.ecrm.process.AccountManagerBean.getAccount(java.lang.String) throws shel.ecrm.process.ObjectNotFoundException: javax.ejb.EJBAccessException: WFLYEJB0364: Invocation on method: public shel.ecrm.domain.Account shel.ecrm.process.AccountManagerBean.getAccount(java.lang.String) throws shel.ecrm.process.ObjectNotFoundException of bean: AccountManagerBean is not allowed
Looks like the 'Default' role ain't mapped according to the query; struggling to figure out why...
It was first an SQL query with real roles, but since it was failing I hardcoded the 'Default' role, which is defined in the bean class:
@RolesAllowed( { "System", "Default" } )
public class AccountManagerBean implements AccountManager
Both jboss-ejb3.xml and jboss-web.xml have security domains defined:
<s:security-domain>ecrm</s:security-domain>
and
<security-domain>ecrm</security-domain>
Cheers
Slava
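An added example (not part of the post or of WildFly's own code) that models the role-decoding step the trace shows: a simple-role-decoder such as the default `groups-to-roles` reads only the one attribute it is configured with (`groups` in WildFly's default standalone.xml), so an attribute named `Roles` is loaded by the realm but never turned into roles. The decoder name `from-roles-attribute` and the sample query row are assumptions made for the example.

```python
# Added example: minimal model of jdbc-realm attribute-mapping followed by a
# simple-role-decoder, as the Elytron trace lines "Authorizing against the
# following attributes: [Roles] => [Default]" and "decoded roles []" show.
from typing import Dict, List, Tuple

# Decoder name -> attribute it reads. "groups-to-roles" mirrors the default
# <simple-role-decoder name="groups-to-roles" attribute="groups"/>;
# "from-roles-attribute" is an assumed, additionally defined decoder.
ROLE_DECODERS: Dict[str, str] = {
    "groups-to-roles": "groups",
    "from-roles-attribute": "Roles",
}


def load_attributes(mapping_to: str, query_row: Tuple[str, str]) -> Dict[str, List[str]]:
    """Model attribute-mapping=[{index=2,to=<mapping_to>}] applied to one
    principal-query row (index 1 = password column, index 2 = role column)."""
    return {mapping_to: [query_row[1]]}


def simple_role_decode(attributes: Dict[str, List[str]], attribute_name: str) -> List[str]:
    """simple-role-decoder: roles are the values of exactly one attribute;
    if that attribute is absent the identity gets no roles at all."""
    return list(attributes.get(attribute_name, []))


def decoded_roles(mapping_to: str, decoder: str = "groups-to-roles") -> List[str]:
    """End to end: query row -> realm attributes -> role decoder -> roles."""
    row = ("secret", "Default")  # constructed row: password, hardcoded role column
    attrs = load_attributes(mapping_to, row)
    return simple_role_decode(attrs, ROLE_DECODERS[decoder])


def is_user_in_role(mapping_to: str, role: str, decoder: str = "groups-to-roles") -> bool:
    """What isUserInRole() sees once the decoded roles reach the web container."""
    return role in decoded_roles(mapping_to, decoder)


if __name__ == "__main__":
    # As configured in the post: the decoder looks for "groups", finds nothing.
    print(decoded_roles("Roles"))                          # []
    # Two ways the attribute and the decoder can be made to agree:
    print(decoded_roles("groups"))                         # ['Default']
    print(decoded_roles("Roles", "from-roles-attribute"))  # ['Default']
```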