Elytron security realm with JDBC and SHA-256
vokail Apr 11, 2018 6:46 AM
I was able to secure my web application in WildFly using the following commands via jboss-cli:
/subsystem=elytron/jdbc-realm=flowmanager-security-realm:add(principal-query=[{sql="SELECT PASSWORD FROM utenti WHERE nome = ?", data-source="PostgresDS", clear-password-mapper={password-index=1}},{sql="SELECT RUOLO FROM RUOLI WHERE NOME = ?", data-source="PostgresDS", attribute-mapping=[{index=1, to=roles}]}])
/subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=roles)
/subsystem=elytron/security-domain=flowmanager-security-sd:add(default-realm=flowmanager-security-realm, realms=[{realm=flowmanager-security-realm, role-decoder=from-roles-attribute}], permission-mapper=default-permission-mapper)
/subsystem=elytron/http-authentication-factory=flowmanager-security-http-auth:add(http-server-mechanism-factory=global,security-domain=flowmanager-security-sd,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=RealmUsersRoles}]}])
/subsystem=undertow/application-security-domain=flowmanager-security-sd:add(http-authentication-factory=flowmanager-security-http-auth)
As you can see, nothing fancy, just secured with clear-password-mapper.
So I'd like to start with SHA-256 for the password on the database side:
/subsystem=elytron/jdbc-realm=flowmanager-security-realm:add(principal-query=[{sql="SELECT PASSWORD FROM utenti WHERE nome = ?", data-source="PostgresDS", simple-digest-mapper={algorithm=simple-digest-sha-256,password-index=1}},{sql="SELECT RUOLO,'Roles' FROM RUOLI WHERE NOME = ?", data-source="PostgresDS", attribute-mapping=[{index=1, to=roles}]}])
After reloading the WildFly configuration, I repeated the access to the secured service but was not able to get in:
2018-04-11 11:30:45,936 TRACE [org.wildfly.security] (default task-8) Created HttpServerAuthenticationMechanism [org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1@46551a9a] for mechanism [BASIC]
2018-04-11 11:30:45,936 TRACE [org.wildfly.security] (default task-8) Handling MechanismInformationCallback type='HTTP' name='BASIC' host-name='localhost' protocol='http'
2018-04-11 11:30:45,936 TRACE [org.wildfly.security] (default task-8) Handling AvailableRealmsCallback: realms = [RealmUsersRoles]
2018-04-11 11:30:45,936 DEBUG [org.wildfly.security] (default task-8) Using UsernamePasswordAuthenticationMechanism for username authentication. Realm: [RealmUsersRoles], Username: [rest].
2018-04-11 11:30:45,936 TRACE [org.wildfly.security] (default task-8) Handling RealmCallback: selected = [RealmUsersRoles]
2018-04-11 11:30:45,937 TRACE [org.wildfly.security] (default task-8) Handling NameCallback: authenticationName = rest
2018-04-11 11:30:45,937 TRACE [org.wildfly.security] (default task-8) Principal assigning: [rest], pre-realm rewritten: [rest], realm name: [flowmanager-security-realm], post-realm rewritten: [rest], realm rewritten: [rest]
2018-04-11 11:30:45,937 TRACE [org.wildfly.security] (default task-8) Executing principalQuery SELECT PASSWORD FROM utenti WHERE nome = ? with value rest
2018-04-11 11:30:45,947 TRACE [org.wildfly.security] (default task-8) Executing principalQuery SELECT RUOLO,'Roles' FROM RUOLI WHERE NOME = ? with value rest
2018-04-11 11:30:45,950 TRACE [org.wildfly.security] (default task-8) Executing principalQuery SELECT PASSWORD FROM utenti WHERE nome = ? with value rest
2018-04-11 11:30:45,952 DEBUG [org.wildfly.security] (default task-8) User rest authentication failed.
I'm not sure if:
1) my configuration is correct
2) I have to store the password in the database as SHA-256
3) what about encoding? Should the client send the password base64-encoded?
Thanks in advance,
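Worked example added by the editor, not part of vokail's post and not Elytron's own code. It assumes, based on Elytron's SimpleDigestPassword implementation, that simple-digest-sha-256 is an unsalted SHA-256 over the UTF-8 bytes of the password, stored in the PASSWORD column base64-encoded by default (or hex-encoded when the mapper's hash-encoding attribute is set to hex), and that the BASIC mechanism base64-encodes only the transport of "user:password": the server decodes the header, hashes the clear password and compares it with the stored digest, so a row that still holds the clear-text password will fail to verify. The user table, the password and the helper names are constructed for the example.

```python
import base64
import hashlib
import hmac

# Assumption (Elytron SimpleDigestPassword): the stored value for the
# simple-digest-sha-256 algorithm is SHA-256(UTF-8 bytes of the password),
# with no salt, encoded either as base64 (the mapper's default) or hex.
VALID_ENCODINGS = ("base64", "hex")


def simple_digest_sha256(password: str, hash_encoding: str = "base64") -> str:
    """Value to store in the PASSWORD column for a simple-digest-mapper."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    if hash_encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    if hash_encoding == "hex":
        return digest.hex()
    raise ValueError(f"hash-encoding must be one of {VALID_ENCODINGS}")


def decode_stored(value: str, hash_encoding: str = "base64") -> bytes:
    """Raw digest bytes from a stored column value (for inspection/tests)."""
    if hash_encoding == "base64":
        return base64.b64decode(value)
    if hash_encoding == "hex":
        return bytes.fromhex(value)
    raise ValueError(f"hash-encoding must be one of {VALID_ENCODINGS}")


def basic_authorization_header(username: str, password: str) -> str:
    """What the client sends: base64 is transport encoding only, not hashing."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def verify_basic(header: str, stored_by_user: dict, hash_encoding: str = "base64") -> bool:
    """What the realm does: decode the header, hash the clear password,
    compare it in constant time with the digest the principal query returned."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        return False
    try:
        credentials = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    username, sep, password = credentials.partition(":")
    if not sep:
        return False
    stored = stored_by_user.get(username)
    if stored is None:
        return False
    candidate = simple_digest_sha256(password, hash_encoding)
    return hmac.compare_digest(candidate.encode("ascii"), stored.encode("ascii"))


# Constructed stand-in for "SELECT PASSWORD FROM utenti WHERE nome = ?":
# the user "rest" with the (constructed) password "abc", stored as a digest.
USERS = {"rest": simple_digest_sha256("abc")}


def update_statement(username: str, password: str, hash_encoding: str = "base64") -> str:
    """SQL to migrate one row from clear text to the digest the mapper expects.
    Placeholders are shown for a prepared statement; values are returned beside it."""
    digest = simple_digest_sha256(password, hash_encoding)
    return f"UPDATE utenti SET PASSWORD = '{digest}' WHERE nome = '{username}'"


if __name__ == "__main__":
    print("stored (base64):", USERS["rest"])
    print("stored (hex):   ", simple_digest_sha256("abc", "hex"))
    print(update_statement("rest", "abc"))
    header = basic_authorization_header("rest", "abc")
    print("client sends:   ", header)
    print("verify correct: ", verify_basic(header, USERS))
    print("verify wrong:   ", verify_basic(basic_authorization_header("rest", "abd"), USERS))
    # A row that still holds the clear text cannot match the hashed candidate:
    print("clear-text row: ", verify_basic(header, {"rest": "abc"}))
```

The last line of the demo is the situation in the log above: a digest mapper compared against a column that still holds the clear password never verifies. Note also that an unsalted SHA-256 is only a small step up from clear text (it is fast to brute-force and identical passwords hash identically); Elytron's jdbc-realm also offers salted-simple-digest-mapper and bcrypt-mapper, and bcrypt is the better choice for a new deployment.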