PasswordCredential not propagating when using SASL Authentication with Elytron Security ldap-realm
srose Oct 11, 2018 10:35 AM
Hi, I am upgrading from Wildfly 10 to Wildfly 14.01.
I was able to log in from a standalone EJB client using SASL with the following security-realms with no issue:
1. jdbc-realm
2. properties-realm
I am, however, unable to log in from the standalone EJB client using ldap-realm with SASL.
I tested my configuration by logging in using the HttpRequest.login method via a servlet, and that works with no problem; see below:
2018-10-10 17:07:02,278 TRACE [org.wildfly.security] (default task-2) Principal assigning: [GAUSS], pre-realm rewritten: [GAUSS], realm name: [LdapRealm], post-realm rewritten: [GAUSS], realm rewritten: [GAUSS]
2018-10-10 17:07:02,278 DEBUG [org.wildfly.security] (default task-2) Obtaining lock for identity [GAUSS]...
2018-10-10 17:07:02,278 DEBUG [org.wildfly.security] (default task-2) Obtained lock for identity [GAUSS].
2018-10-10 17:07:02,298 DEBUG [org.wildfly.security] (default task-2) Creating [class javax.naming.directory.InitialDirContext] with environment:
2018-10-10 17:07:02,298 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.credentials] with value [******]
2018-10-10 17:07:02,299 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.authentication] with value [simple]
2018-10-10 17:07:02,299 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.provider.url] with value [ldap://ldap.forumsys.com:389]
2018-10-10 17:07:02,299 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.read.timeout] with value [60000]
2018-10-10 17:07:02,299 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.pool] with value [false]
2018-10-10 17:07:02,299 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
2018-10-10 17:07:02,299 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.principal] with value [cn=read-only-admin,dc=example,dc=com]
2018-10-10 17:07:02,299 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.referral] with value [ignore]
2018-10-10 17:07:02,299 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
2018-10-10 17:07:02,480 DEBUG [org.wildfly.security] (default task-2) [javax.naming.ldap.InitialLdapContext@493a3a0b] successfully created. Connection established to LDAP server.
2018-10-10 17:07:02,483 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [GAUSS].
2018-10-10 17:07:02,484 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [dc=example,dc=com] with arguments [GAUSS]. Returning attributes are []. Binary attributes are [].
2018-10-10 17:07:02,569 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=gauss,dc=example,dc=com].
2018-10-10 17:07:02,569 DEBUG [org.wildfly.security] (default task-2) Identity for principal [GAUSS] found at [uid=gauss,dc=example,dc=com].
2018-10-10 17:07:02,734 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@493a3a0b] was closed. Connection closed or just returned to the pool.
2018-10-10 17:07:02,734 DEBUG [org.wildfly.security] (default task-2) Creating [class javax.naming.directory.InitialDirContext] with environment:
2018-10-10 17:07:02,735 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.credentials] with value [******]
2018-10-10 17:07:02,735 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.authentication] with value [simple]
2018-10-10 17:07:02,735 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.provider.url] with value [ldap://ldap.forumsys.com:389]
2018-10-10 17:07:02,735 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.read.timeout] with value [60000]
2018-10-10 17:07:02,735 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.pool] with value [false]
2018-10-10 17:07:02,735 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
2018-10-10 17:07:02,735 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.principal] with value [cn=read-only-admin,dc=example,dc=com]
2018-10-10 17:07:02,735 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.referral] with value [ignore]
2018-10-10 17:07:02,735 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
2018-10-10 17:07:02,916 DEBUG [org.wildfly.security] (default task-2) [javax.naming.ldap.InitialLdapContext@2896a1e0] successfully created. Connection established to LDAP server.
2018-10-10 17:07:02,917 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [GAUSS].
2018-10-10 17:07:02,917 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [dc=example,dc=com] with arguments [GAUSS]. Returning attributes are [null]. Binary attributes are [null].
2018-10-10 17:07:03,002 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=gauss,dc=example,dc=com].
2018-10-10 17:07:03,002 DEBUG [org.wildfly.security] (default task-2) Identity for principal [GAUSS] found at [uid=gauss,dc=example,dc=com].
2018-10-10 17:07:03,002 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@2896a1e0] was closed. Connection closed or just returned to the pool.
2018-10-10 17:07:03,002 DEBUG [org.wildfly.security] (default task-2) Creating [class javax.naming.directory.InitialDirContext] with environment:
2018-10-10 17:07:03,002 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.credentials] with value [******]
2018-10-10 17:07:03,003 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.authentication] with value [simple]
2018-10-10 17:07:03,003 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.provider.url] with value [ldap://ldap.forumsys.com:389]
2018-10-10 17:07:03,003 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.read.timeout] with value [60000]
2018-10-10 17:07:03,003 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.pool] with value [false]
2018-10-10 17:07:03,003 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
2018-10-10 17:07:03,003 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.principal] with value [cn=read-only-admin,dc=example,dc=com]
2018-10-10 17:07:03,003 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.referral] with value [ignore]
2018-10-10 17:07:03,003 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
2018-10-10 17:07:03,185 DEBUG [org.wildfly.security] (default task-2) [javax.naming.ldap.InitialLdapContext@18ccf2] successfully created. Connection established to LDAP server.
2018-10-10 17:07:03,186 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [GAUSS].
2018-10-10 17:07:03,186 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [dc=example,dc=com] with arguments [GAUSS]. Returning attributes are []. Binary attributes are [null].
2018-10-10 17:07:03,264 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=gauss,dc=example,dc=com].
2018-10-10 17:07:03,264 DEBUG [org.wildfly.security] (default task-2) Identity for principal [GAUSS] found at [uid=gauss,dc=example,dc=com].
2018-10-10 17:07:03,266 DEBUG [org.wildfly.security] (default task-2) Executing search [(uniqueMember={1})] in context [ou=mathematicians,dc=example,dc=com] with arguments [GAUSS, uid=gauss,dc=example,dc=com]. Returning attributes are [null, UID, CN]. Binary attributes are [null].
2018-10-10 17:07:03,346 DEBUG [org.wildfly.security] (default task-2) Found entry [ou=mathematicians,dc=example,dc=com].
2018-10-10 17:07:03,346 TRACE [org.wildfly.security] (default task-2) Identity iterating - pagination not supported - end of list
2018-10-10 17:07:03,347 DEBUG [org.wildfly.security] (default task-2) Obtaining authorization identity attributes for principal [GAUSS]:
2018-10-10 17:07:03,347 DEBUG [org.wildfly.security] (default task-2) Identity [GAUSS] does not have any attributes.
2018-10-10 17:07:03,347 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@18ccf2] was closed. Connection closed or just returned to the pool.
2018-10-10 17:07:03,349 TRACE [org.wildfly.security] (default task-2) Role mapping: principal [GAUSS] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []
2018-10-10 17:07:03,349 TRACE [org.wildfly.security] (default task-2) Authorizing principal GAUSS.
2018-10-10 17:07:03,350 TRACE [org.wildfly.security] (default task-2) Authorizing against the following attributes: [] => []
2018-10-10 17:07:03,352 TRACE [org.wildfly.security] (default task-2) Permission mapping: identity [GAUSS] with roles [] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
2018-10-10 17:07:03,352 TRACE [org.wildfly.security] (default task-2) Authorization succeed
2018-10-10 17:07:03,357 TRACE [org.wildfly.security] (default task-2) Role mapping: principal [GAUSS] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []
However, when I try to log in via the EJB client using HTTP remoting and the code below:

// Client-side Elytron authentication configuration: restrict SASL to DIGEST-MD5
// and supply the user name and password that the server's realm must verify.
AuthenticationConfiguration config = AuthenticationConfiguration.empty()
        .setSaslMechanismSelector(SaslMechanismSelector.NONE
                .addMechanism("DIGEST-MD5")
                .forbidMechanism("JBOSS-LOCAL-USER"))
        .useName(username)
        .usePassword(password)
        .useDefaultProviders();
final AuthenticationContext authCtx = AuthenticationContext.empty().with(MatchRule.ALL, config);
ContextManager contextManager = authCtx.getInstanceContextManager();
contextManager.setGlobalDefault(authCtx);
// Run the JNDI lookup inside the authentication context so the EJB call carries these credentials.
Callable<Object> vCallable = () -> initJNDIContext();
try {
    facade = (PWFacade) authCtx.runCallable(vCallable);
} catch (Exception e) {
    e.printStackTrace();
}

I get the following error trying to authenticate:
2018-10-10 17:07:04,167 TRACE [org.wildfly.security] (default I/O-5) Handling MechanismInformationCallback type='SASL' name='DIGEST-MD5' host-name='pw.test.com' protocol='remote'
2018-10-10 17:07:04,168 TRACE [org.wildfly.security] (default I/O-5) Handling MechanismInformationCallback type='SASL' name='DIGEST-MD5' host-name='pw.test.com' protocol='remote'
2018-10-10 17:07:04,168 TRACE [org.wildfly.security] (default I/O-5) Handling AvailableRealmsCallback: realms = [LdapRealm]
2018-10-10 17:07:04,174 TRACE [org.wildfly.security] (default I/O-5) Creating SaslServer [org.wildfly.security.sasl.digest.DigestSaslServer@151e2d83] for mechanism [DIGEST-MD5] and protocol [remote]
2018-10-10 17:07:04,176 TRACE [org.wildfly.security] (default I/O-5) Created SaslServer [org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1@11dcf178->org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer@6d00f4d7->org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1@2ea5f4f1->org.wildfly.security.sasl.digest.DigestSaslServer@151e2d83] for mechanism [DIGEST-MD5]
2018-10-10 17:07:04,214 TRACE [org.wildfly.security] (default task-2) Handling RealmCallback: selected = [LdapRealm]
2018-10-10 17:07:04,215 TRACE [org.wildfly.security] (default task-2) Handling NameCallback: authenticationName = GAUSS
2018-10-10 17:07:04,215 TRACE [org.wildfly.security] (default task-2) Principal assigning: [GAUSS], pre-realm rewritten: [GAUSS], realm name: [LdapRealm], post-realm rewritten: [GAUSS], realm rewritten: [GAUSS]
2018-10-10 17:07:04,215 DEBUG [org.wildfly.security] (default task-2) Obtaining lock for identity [GAUSS]...
2018-10-10 17:07:04,215 DEBUG [org.wildfly.security] (default task-2) Obtained lock for identity [GAUSS].
2018-10-10 17:07:04,215 TRACE [org.wildfly.security] (default task-2) Handling CredentialCallback: failed to obtain credential
2018-10-10 17:07:04,216 TRACE [org.wildfly.security] (default task-2) Handling RealmCallback: selected = [LdapRealm]
2018-10-10 17:07:04,216 TRACE [org.wildfly.security] (default task-2) Handling NameCallback: authenticationName = GAUSS
2018-10-10 17:07:04,216 TRACE [org.wildfly.security] (default task-2) Handling CredentialCallback: failed to obtain credential
2018-10-10 17:07:04,216 TRACE [org.wildfly.security] (default task-2) Handling RealmCallback: selected = [LdapRealm]
2018-10-10 17:07:04,216 TRACE [org.wildfly.security] (default task-2) Handling NameCallback: authenticationName = GAUSS
2018-10-10 17:07:04,216 TRACE [org.wildfly.security] (default task-2) Handling PasswordCallback: PasswordCredential may not be supported
2018-10-10 17:07:04,217 TRACE [org.wildfly.security] (default task-2) Handling AuthenticationCompleteCallback: fail
My standalone.config is very simple. Here are the relevant portions:
<subsystem xmlns="urn:wildfly:elytron:4.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
    <security-domains>
        <security-domain name="LdapDomain" default-realm="LdapRealm" permission-mapper="default-permission-mapper">
            <realm name="LdapRealm" role-decoder="groups-to-roles"/>
            <realm name="local"/>
        </security-domain>
    </security-domains>
    <security-realms>
        <identity-realm name="local" identity="$local"/>
        <ldap-realm name="LdapRealm" dir-context="ldap-connection" direct-verification="false">
            <identity-mapping rdn-identifier="uid" search-base-dn="dc=example,dc=com">
                <attribute-mapping>
                    <attribute from="uid" to="Roles" filter="(uniqueMember={1})" filter-base-dn="ou=mathematicians,dc=example,dc=com"/>
                </attribute-mapping>
            </identity-mapping>
        </ldap-realm>
    </security-realms>
    <sasl>
        <sasl-authentication-factory name="ldap-sasl-authentication" sasl-server-factory="configured" security-domain="LdapDomain">
            <mechanism-configuration>
                <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
                <mechanism mechanism-name="DIGEST-MD5">
                    <mechanism-realm realm-name="LdapRealm"/>
                </mechanism>
            </mechanism-configuration>
        </sasl-authentication-factory>
    </sasl>
    <dir-contexts>
        <dir-context name="ldap-connection" url="ldap://ldap.forumsys.com:389" principal="cn=read-only-admin,dc=example,dc=com">
            <credential-reference clear-text="password"/>
        </dir-context>
    </dir-contexts>
</subsystem>
<subsystem xmlns="urn:jboss:domain:remoting:4.0">
    <http-connector name="http-remoting-connector" connector-ref="default" sasl-authentication-factory="ldap-sasl-authentication">
        <sasl/>
    </http-connector>
</subsystem>
<subsystem xmlns="urn:jboss:domain:undertow:7.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other">
    <application-security-domains>
        <application-security-domain name="ldap-security-domain" security-domain="LdapDomain"/>
    </application-security-domains>
</subsystem>

I am using the free online LDAP server found here: Online LDAP Test Server - Forum Systems
Any ideas?
Thanks
-Steve
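The trace above fails at "Handling CredentialCallback: failed to obtain credential" followed by "PasswordCallback: PasswordCredential may not be supported". The reason that pattern matters for DIGEST-MD5 specifically is a property of the mechanism itself (RFC 2831): the server can only check the client's digest if its realm hands it the clear password or the pre-computed hash of username:realm:password. A realm that can verify a password only by binding to LDAP with it has nothing to hand over, so the servlet path (where the password is available to bind with) succeeds while the SASL DIGEST-MD5 path cannot. The following Python sketch is an added illustration, not WildFly or Elytron code and not part of the original post; it models both sides of the qop=auth exchange against three kinds of realm backend. The user name GAUSS and realm name LdapRealm come from the post; the password, nonces and digest-uri are constructed values.

```python
"""Why a SASL DIGEST-MD5 server needs password material from its realm.

Added illustration (not WildFly/Elytron code). The client computes the
RFC 2831 response from its password; the server can reproduce it only if
the realm returns the clear password or H(username:realm:password).
A realm that can merely *bind* with the user's password has neither.
"""
import hashlib
import secrets


def _h(data: bytes) -> bytes:
    # DIGEST-MD5 is defined over MD5; this models the mechanism, not a recommendation.
    return hashlib.md5(data).digest()


def user_hash(username: str, realm: str, password: str) -> bytes:
    """H(username ':' realm ':' password): the 16-byte value a server may store instead of clear text."""
    return _h(f"{username}:{realm}:{password}".encode())


def digest_response(uh: bytes, nonce: str, cnonce: str, nc: str, qop: str, digest_uri: str) -> str:
    """RFC 2831 response-value for qop=auth, starting from H(user:realm:pass)."""
    ha1 = _h(uh + f":{nonce}:{cnonce}".encode()).hex()      # A1 = H(user:realm:pass) ":" nonce ":" cnonce
    ha2 = _h(f"AUTHENTICATE:{digest_uri}".encode()).hex()   # A2 = "AUTHENTICATE:" digest-uri
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hex()


class CredentialUnavailable(Exception):
    """Stands in for Elytron's 'CredentialCallback: failed to obtain credential'."""


class ClearPasswordRealm:
    """Realm that can return the clear password (e.g. a readable userPassword attribute)."""
    def __init__(self, users: dict):
        self.users = users

    def user_hash(self, username: str, realm: str) -> bytes:
        return user_hash(username, realm, self.users[username])


class DigestHashRealm:
    """Realm that stores only H(user:realm:pass); no clear text at rest, still DIGEST-MD5 capable."""
    def __init__(self, hashes: dict):
        self.hashes = hashes

    def user_hash(self, username: str, realm: str) -> bytes:
        return self.hashes[(username, realm)]


class BindOnlyRealm:
    """Realm that can only verify a password by binding with it (direct verification)."""
    def user_hash(self, username: str, realm: str) -> bytes:
        raise CredentialUnavailable("realm cannot supply a PasswordCredential for DIGEST-MD5")


def client_respond(username: str, realm: str, password: str, nonce: str,
                   digest_uri: str = "remote/pw.test.com") -> dict:
    """Client side: build the DIGEST-MD5 response message from the password."""
    cnonce = secrets.token_hex(8)   # constructed client nonce
    nc = "00000001"
    resp = digest_response(user_hash(username, realm, password), nonce, cnonce, nc, "auth", digest_uri)
    return {"username": username, "realm": realm, "nonce": nonce, "cnonce": cnonce,
            "nc": nc, "qop": "auth", "digest-uri": digest_uri, "response": resp}


def server_verify(realm_backend, msg: dict) -> bool:
    """Server side: ask the realm for password material, recompute, compare in constant time."""
    uh = realm_backend.user_hash(msg["username"], msg["realm"])   # raises CredentialUnavailable for bind-only realms
    expected = digest_response(uh, msg["nonce"], msg["cnonce"], msg["nc"], msg["qop"], msg["digest-uri"])
    return secrets.compare_digest(expected, msg["response"])


def outcomes(password: str = "s3cret-example") -> dict:
    """Run one constructed exchange against each realm type and report the result."""
    nonce = secrets.token_hex(16)   # constructed server nonce
    msg = client_respond("GAUSS", "LdapRealm", password, nonce)
    results = {
        "clear": server_verify(ClearPasswordRealm({"GAUSS": password}), msg),
        "digest": server_verify(DigestHashRealm({("GAUSS", "LdapRealm"): user_hash("GAUSS", "LdapRealm", password)}), msg),
        "wrong_password": server_verify(ClearPasswordRealm({"GAUSS": "not-the-password"}), msg),
    }
    try:
        server_verify(BindOnlyRealm(), msg)
        results["bind_only"] = "verified"
    except CredentialUnavailable as e:
        results["bind_only"] = f"fail: {e}"
    return results


if __name__ == "__main__":
    for realm_kind, result in outcomes().items():
        print(f"{realm_kind:15} -> {result}")
```

Read the results as a configuration checklist rather than a verdict on the mechanism: the clear-text and pre-hashed realms both verify the same client message, the wrong-password case is rejected, and the bind-only realm fails before any comparison happens, which is the shape of the trace in the post. Whichever realm type is chosen, the server ends up holding password-equivalent material for DIGEST-MD5, so that material needs the same protection as the passwords themselves.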