2 Replies Latest reply on Apr 13, 2018 2:35 AM by Marco Rossi

    Elytron security realm with jdb and sha-256

    Marco Rossi Newbie

      I was able to secure my webapplication in wildfly using the following commands by jboss-cli:

       

          /subsystem=elytron/jdbc-realm=flowmanager-security-realm:add(principal-query=[{sql="SELECT PASSWORD FROM utenti WHERE nome = ?", data-source="PostgresDS", clear-password-mapper={password-index=1}},{sql="SELECT RUOLO FROM RUOLI WHERE NOME = ?", data-source="PostgresDS", attribute-mapping=[{index=1, to=roles}]}])

         

          /subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=roles)

         

          /subsystem=elytron/security-domain=flowmanager-security-sd:add(default-realm=flowmanager-security-realm, realms=[{realm=flowmanager-security-realm, role-decoder=from-roles-attribute}], permission-mapper=default-permission-mapper)

          /subsystem=elytron/http-authentication-factory=flowmanager-security-http-auth:add(http-server-mechanism-factory=global,security-domain=flowmanager-security-sd,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=RealmUsersRoles}]}])

       

          /subsystem=undertow/application-security-domain=flowmanager-security-sd:add(http-authentication-factory=flowmanager-security-http-auth)

       

      as you can see, nothing fancy, just secure with clear-passowrd-mapper.

       

      So I'ld like to start with sha-256 for passowrd on database side:

       

      /subsystem=elytron/jdbc-realm=flowmanager-security-realm:add(principal-query=[{sql="SELECT PASSWORD FROM utenti WHERE nome = ?", data-source="PostgresDS", simple-digest-mapper={algorithm=simple-digest-sha-256,password-index=1}},{sql="SELECT RUOLO,'Roles' FROM RUOLI WHERE NOME = ?", data-source="PostgresDS", attribute-mapping=[{index=1, to=roles}]}])

       

      After reloading wildfly configuration, I just repeat the access to secured service but I was not able to access:

       

      2018-04-11 11:30:45,936 TRACE [org.wildfly.security] (default task-8) Created HttpServerAuthenticationMechanism [org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1@46551a9a] for mechanism [BASIC]

      2018-04-11 11:30:45,936 TRACE [org.wildfly.security] (default task-8) Handling MechanismInformationCallback type='HTTP' name='BASIC' host-name='localhost' protocol='http'

      2018-04-11 11:30:45,936 TRACE [org.wildfly.security] (default task-8) Handling AvailableRealmsCallback: realms = [RealmUsersRoles]

      2018-04-11 11:30:45,936 DEBUG [org.wildfly.security] (default task-8) Using UsernamePasswordAuthenticationMechanism for username authentication. Realm: [RealmUsersRoles], Username: [rest].

      2018-04-11 11:30:45,936 TRACE [org.wildfly.security] (default task-8) Handling RealmCallback: selected = [RealmUsersRoles]

      2018-04-11 11:30:45,937 TRACE [org.wildfly.security] (default task-8) Handling NameCallback: authenticationName = rest

      2018-04-11 11:30:45,937 TRACE [org.wildfly.security] (default task-8) Principal assigning: [rest], pre-realm rewritten: [rest], realm name: [flowmanager-security-realm], post-realm rewritten: [rest], realm rewritten: [rest]

      2018-04-11 11:30:45,937 TRACE [org.wildfly.security] (default task-8) Executing principalQuery SELECT PASSWORD FROM utenti WHERE nome = ? with value rest

      2018-04-11 11:30:45,947 TRACE [org.wildfly.security] (default task-8) Executing principalQuery SELECT RUOLO,'Roles' FROM RUOLI WHERE NOME = ? with value rest

      2018-04-11 11:30:45,950 TRACE [org.wildfly.security] (default task-8) Executing principalQuery SELECT PASSWORD FROM utenti WHERE nome = ? with value rest

      2018-04-11 11:30:45,952 DEBUG [org.wildfly.security] (default task-8) User rest authentication failed.

       

      I'm not sure if:

       

      1) my configuration is correct

      2) I have to store passowrd on database with sha-256

      3) what about encoding? client should sent password encoded on base64 ?

       

      Thanks in advance,