1 Reply Latest reply on Sep 21, 2018 9:41 AM by Slava Shelestyuk

    WF14 Elytron security Roles mapping

    Slava Shelestyuk Newbie

      Hi

       

      Having troubles migrating to WF14 from WF10 due to the new security.

       

      So security was set up as follows:

      /subsystem=elytron/jdbc-realm=EcrmRealm:add(principal-query=[{sql="SELECT password, 'Default' role FROM account WHERE login=?",data-source=H2DS,clear-password-mapper={password-index=1},attribute-mapping=[{index=2,to=Roles}]}])

      /subsystem=elytron/security-domain=ecrmSD:add(realms=[{realm=EcrmRealm,role-decoder=groups-to-roles}],default-realm=EcrmRealm,permission-mapper=default-permission-mapper)

      /subsystem=elytron/http-authentication-factory=ecrm-db-http-auth:add(http-server-mechanism-factory=global,security-domain=ecrmSD,mechanism-configurations=[{mechanism-name=FORM}])

      /subsystem=undertow/application-security-domain=ecrm:add(http-authentication-factory=ecrm-db-http-auth)

      /subsystem=ejb3/application-security-domain=ecrm:add(security-domain=ecrmSD)

       

      Authentication works fine but then authorization fails. I enabled additional logging for security and it here it is:

      09:01:31,442 DEBUG [org.wildfly.security.http.password] (default task-1) Username authentication. Realm: [null], Username: [admin].

      09:01:31,456 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = admin

      09:01:31,458 TRACE [org.wildfly.security] (default task-1) Principal assigning: [admin], pre-realm rewritten: [admin], realm name: [EcrmRealm], post-realm rewritten: [admin], realm rewritten: [admin]

      09:01:31,459 TRACE [org.wildfly.security] (default task-1) Executing principalQuery SELECT password, 'Default' role FROM account WHERE login=? with value admin

      09:01:31,464 TRACE [org.wildfly.security] (default task-1) Key Mapper: Password credential created using algorithm column value [clear]

      09:01:31,469 TRACE [org.wildfly.security.http.form] (default task-1) Authorizing username: [admin], Request URI: [http://localhost:2525/ecrm/j_security_check], Context path: [/ecrm]

      09:01:31,470 TRACE [org.wildfly.security] (default task-1) Role mapping: principal [admin] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []

      09:01:31,471 TRACE [org.wildfly.security] (default task-1) Authorizing principal admin.

      09:01:31,471 TRACE [org.wildfly.security] (default task-1) Authorizing against the following attributes: [Roles] => [Default]

      09:01:31,473 TRACE [org.wildfly.security] (default task-1) Permission mapping: identity [admin] with roles [] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true

      09:01:31,473 TRACE [org.wildfly.security] (default task-1) Authorization succeed

      09:01:31,474 TRACE [org.wildfly.security] (default task-1) Handling CachedIdentityAuthorizeCallback: principal = admin  authorizedIdentity = SecurityIdentity{principal=admin, securityDomain=org.wildfly.security.auth.server.SecurityDomain@2917b485, authorizationIdentity=EMPTY, realmInfo=RealmInfo{name='EcrmRealm', securityRealm=org.wildfly.security.auth.realm.jdbc.JdbcSecurityRealm@156a848a}, creationTime=2018-09-21T07:01:31.470Z}

      09:01:31,474 DEBUG [org.wildfly.security.http.form] (default task-1) User [admin] authenticated successfully

      09:01:31,474 TRACE [org.wildfly.security] (default task-1) Handling AuthenticationCompleteCallback: succeed

      09:01:31,475 TRACE [org.wildfly.security] (default task-1) Handling SecurityIdentityCallback: identity = SecurityIdentity{principal=admin, securityDomain=org.wildfly.security.auth.server.SecurityDomain@2917b485, authorizationIdentity=EMPTY, realmInfo=RealmInfo{name='EcrmRealm', securityRealm=org.wildfly.security.auth.realm.jdbc.JdbcSecurityRealm@156a848a}, creationTime=2018-09-21T07:01:31.470Z}

      09:01:31,475 TRACE [org.wildfly.security.http.form] (default task-1) User redirected to original path [http://localhost:2525/ecrm/accountInfo.jsf]

      09:01:31,475 TRACE [org.wildfly.security] (default task-1) Role mapping: principal [admin] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []

       

      On one hand I can see that:

      09:01:31,471 TRACE [org.wildfly.security] (default task-1) Authorizing against the following attributes: [Roles] => [Default]

      On the other:

      09:01:31,475 TRACE [org.wildfly.security] (default task-1) Role mapping: principal [admin] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []

       

      When I try to log "getRequest().getRemoteUser()" and "getRequest().isUserInRole( "Default" )" it gives "admin" and "false", so as result:

      09:01:31,491 ERROR [org.jboss.as.ejb3.invocation] (default task-1) WFLYEJB0034: EJB Invocation failed on component AccountManagerBean for method public shel.ecrm.domain.Account shel.ecrm.process.AccountManagerBean.getAccount(java.lang.String) throws shel.ecrm.process.ObjectNotFoundException: javax.ejb.EJBAccessException: WFLYEJB0364: Invocation on method: public shel.ecrm.domain.Account shel.ecrm.process.AccountManagerBean.getAccount(java.lang.String) throws shel.ecrm.process.ObjectNotFoundException of bean: AccountManagerBean is not allowed

       

      Looks like the 'Default' Role ain't mapped according to query, struggling to figure out why...

      It was first an SQL with real Roles but since it was failing I hardcoded the 'Default' role which is defined in the bean class:

      @RolesAllowed( { "System", "Default" } )

      public class AccountManagerBean implements AccountManager

       

      Both jboss-ejb3.xml and jboss-web.xml have security domains defined:

      <s:security-domain>ecrm</s:security-domain>

      and

      <security-domain>ecrm</security-domain>

       

      Cheers

      Slava