2 Replies Latest reply on May 10, 2019 12:39 AM by Anindya Mukherjee

    How to configure the security for using JDBC realms

    Anindya Mukherjee Newbie

      We are trying to use the Elytron v 1.7.0 security with WildFly 15.0.1 Final version. We can configure the JDBC realm with Oracle XE 11g and as such there are no issues if everything is in clear text.

      Our main purpose is to secure our EJBs so that only the principals with approved roles and identities can access them.

      However, we need the following:

       

      1. The client must not send out the password as clear text.

      2. We are going to use simple-digest-md5 mechanism to store the password in the Oracle tables.

       

      Now the question is; with clear text passwords in the database and the client we can run the client program and it authenticates the principals correctly.

       

      The issue is we cannot configure the same scenario using "simple-digest-md5". We have gone through the bcrypt examples given in the documentation here:

      wildfly/JDBC_Security_Realm.adoc at master · wildfly/wildfly · GitHub

       

      We haven't found any example anywhere that tells us how to get things working when we have the passwords as "simple-difest-md5".

       

      The configurations that we have currently is as follows:

       

      We tried with SASL authentication factory mechanism set to "DIGEST-SHA-256" since we could not find "simple-digest" equivalent of those.

       

      <!-- EJB SubSystem -->

      <application-security-domains>

        <application-security-domain name="other" security-domain="ApplicationDomain"/>

      </application-security-domains>

       

       

      <!-- Elytron Subsystem -->

      <jdbc-realm name="DatabaseRealm">

        <principal-query sql="SELECT password from sa_user where username=?" data-source="OraclePool">

        <clear-password-mapper password-index="1"/>

        </principal-query>

        <principal-query sql="SELECT name from sa_roles where username=?" data-source="OraclePool">

        <attribute-mapping>

        <attribute to="groups" index="1"/>

        </attribute-mapping>

        </principal-query>

      </jdbc-realm>

       

      <sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="ApplicationDomain">

        <mechanism-configuration>

        <mechanism mechanism-name="DIGEST-SHA-256">

        <mechanism-realm realm-name="DatabaseRealm"/>

        </mechanism>

        </mechanism-configuration>

      </sasl-authentication-factory>

       

       

      <!-- Remoting SubSystem -->

      <subsystem xmlns="urn:jboss:domain:remoting:4.0">

        <http-connector name="http-remoting-connector" connector-ref="default" sasl-authentication-factory="application-sasl-authentication"/>

      </subsystem>

       

      <!-- DataSoerce SubSystem -->

      <datasource jndi-name="java:jboss/OracleDS" pool-name="OraclePool">

        <connection-url>jdbc:oracle:thin:@localhost:1521:XE</connection-url>

        <driver>oracle</driver>

        <security>

        <user-name>sa_user</user-name>

        <password>password</password>

        </security>

      </datasource>

       

      <drivers>

      <driver name="oracle" module="com.oracle">

        <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>

        </driver>

      </drivers>

       

      We are simply executing the client code as given in the project quickstart/ejb-security and it fails with the following errors:

       

      10:16:57,086 TRACE [org.jboss.remoting.remote.server] (default I/O-5) Added mechanism DIGEST-SHA-256

      10:16:57,086 TRACE [org.jboss.remoting.remote.server] (default I/O-5) Added mechanism DIGEST-SHA-256

      10:16:57,087 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) Sent 72 bytes

      10:16:57,087 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) Sent 72 bytes

      10:16:57,087 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) Flushed channel

      10:16:57,087 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) Flushed channel

      10:16:57,173 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) No buffers in queue for message header

      10:16:57,173 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) No buffers in queue for message header

      10:16:57,173 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) Allocated fresh buffers

      10:16:57,173 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) Allocated fresh buffers

      10:16:57,173 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) Received 20 bytes

      10:16:57,173 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) Received 20 bytes

      10:16:57,174 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) Received message java.nio.HeapByteBuffer[pos=0 lim=16 cap=8192]

      10:16:57,174 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) Received message java.nio.HeapByteBuffer[pos=0 lim=16 cap=8192]

      10:16:57,174 TRACE [org.jboss.remoting.remote.server] (default I/O-5) Received java.nio.HeapByteBuffer[pos=0 lim=16 cap=8192]

      10:16:57,174 TRACE [org.jboss.remoting.remote.server] (default I/O-5) Received java.nio.HeapByteBuffer[pos=0 lim=16 cap=8192]

      10:16:57,175 TRACE [org.jboss.remoting.remote.server] (default I/O-5) Server received authentication request

      10:16:57,175 TRACE [org.jboss.remoting.remote.server] (default I/O-5) Server received authentication request

      10:16:57,187 TRACE [org.wildfly.security] (default I/O-5) Handling MechanismInformationCallback type='SASL' name='DIGEST-SHA-256' host-name='localhost' protocol='remote'

      10:16:57,189 TRACE [org.wildfly.security] (default I/O-5) Handling MechanismInformationCallback type='SASL' name='DIGEST-SHA-256' host-name='localhost' protocol='remote'

      10:16:57,190 TRACE [org.wildfly.security] (default I/O-5) Handling AvailableRealmsCallback: realms = [DatabaseRealm]

      10:16:57,197 TRACE [org.wildfly.security] (default I/O-5) Creating SaslServer [org.wildfly.security.sasl.digest.DigestSaslServer@3ab3b98b] for mechanism [DIGEST-SHA-256] and protocol [remote]

      10:16:57,199 TRACE [org.wildfly.security] (default I/O-5) Created SaslServer [org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1@3392d2ed->org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer@792540da->org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1@1c34c20e->org.wildfly.security.sasl.digest.DigestSaslServer@3ab3b98b] for mechanism [DIGEST-SHA-256]

      10:16:57,201 TRACE [org.jboss.remoting.endpoint] (default I/O-5) Allocated tick to 8 of endpoint "akashr-macbookpro" <49d155b9> (opened org.jboss.remoting3.EndpointImpl$TrackingExecutor@61d21805)

      10:16:57,201 TRACE [org.jboss.remoting.endpoint] (default I/O-5) Allocated tick to 8 of endpoint "akashr-macbookpro" <49d155b9> (opened org.jboss.remoting3.EndpointImpl$TrackingExecutor@61d21805)

      10:16:57,214 TRACE [org.jboss.remoting.remote.server] (default task-1) Server sending authentication challenge

      10:16:57,214 TRACE [org.jboss.remoting.remote.server] (default task-1) Server sending authentication challenge

      10:16:57,216 TRACE [org.jboss.remoting.remote] (default task-1) Setting read listener to org.jboss.remoting3.remote.ServerConnectionOpenListener$Authentication@7bf652c7

      10:16:57,216 TRACE [org.jboss.remoting.remote] (default task-1) Setting read listener to org.jboss.remoting3.remote.ServerConnectionOpenListener$Authentication@7bf652c7

      10:16:57,218 TRACE [org.jboss.remoting.endpoint] (default task-1) Resource closed count 00000007 of endpoint "akashr-macbookpro" <49d155b9> (closed org.jboss.remoting3.EndpointImpl$TrackingExecutor@61d21805)

      10:16:57,218 TRACE [org.jboss.remoting.endpoint] (default task-1) Resource closed count 00000007 of endpoint "akashr-macbookpro" <49d155b9> (closed org.jboss.remoting3.EndpointImpl$TrackingExecutor@61d21805)

      10:16:57,220 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) Sent 116 bytes

      10:16:57,220 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) Sent 116 bytes

      10:16:57,221 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) Flushed channel

      10:16:57,221 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) Flushed channel

      10:16:57,240 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) No buffers in queue for message header

      10:16:57,240 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) No buffers in queue for message header

      10:16:57,241 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) Allocated fresh buffers

      10:16:57,241 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) Allocated fresh buffers

      10:16:57,242 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) Received 310 bytes

      10:16:57,242 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) Received 310 bytes

      10:16:57,243 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) Received message java.nio.HeapByteBuffer[pos=0 lim=306 cap=8192]

      10:16:57,243 TRACE [org.jboss.remoting.remote.connection] (default I/O-5) Received message java.nio.HeapByteBuffer[pos=0 lim=306 cap=8192]

      10:16:57,243 TRACE [org.jboss.remoting.remote.server] (default I/O-5) Received java.nio.HeapByteBuffer[pos=0 lim=306 cap=8192]

      10:16:57,243 TRACE [org.jboss.remoting.remote.server] (default I/O-5) Received java.nio.HeapByteBuffer[pos=0 lim=306 cap=8192]

      10:16:57,243 TRACE [org.jboss.remoting.remote.server] (default I/O-5) Server received authentication response

      10:16:57,243 TRACE [org.jboss.remoting.remote.server] (default I/O-5) Server received authentication response

      10:16:57,244 TRACE [org.jboss.remoting.endpoint] (default I/O-5) Allocated tick to 8 of endpoint "akashr-macbookpro" <49d155b9> (opened org.jboss.remoting3.EndpointImpl$TrackingExecutor@61d21805)

      10:16:57,244 TRACE [org.jboss.remoting.endpoint] (default I/O-5) Allocated tick to 8 of endpoint "akashr-macbookpro" <49d155b9> (opened org.jboss.remoting3.EndpointImpl$TrackingExecutor@61d21805)

      10:16:57,247 TRACE [org.wildfly.security] (default task-1) Handling RealmCallback: selected = [DatabaseRealm]

      10:16:57,247 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = user2

      10:16:57,248 TRACE [org.wildfly.security] (default task-1) Principal assigning: [user2], pre-realm rewritten: [user2], realm name: [DatabaseRealm], post-realm rewritten: [user2], realm rewritten: [user2]

      10:16:57,252 TRACE [org.wildfly.security] (default task-1) Executing principalQuery SELECT password from sa_user where username=? with value user2

      10:16:57,562 TRACE [org.wildfly.security] (default task-1) Key Mapper: Password credential created using algorithm column value [clear]

      10:16:57,564 TRACE [org.wildfly.security] (default task-1) Executing principalQuery SELECT name from sa_roles where username=? with value user2

      10:16:57,567 TRACE [org.wildfly.security] (default task-1) Handling CredentialCallback: failed to obtain credential

      10:16:57,567 TRACE [org.wildfly.security] (default task-1) Handling RealmCallback: selected = [DatabaseRealm]

      10:16:57,568 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = user2

      10:16:57,568 TRACE [org.wildfly.security] (default task-1) Handling CredentialCallback: obtained credential: org.wildfly.security.credential.PasswordCredential@5d12f690

      10:16:57,572 TRACE [org.jboss.remoting.remote.server] (default task-1) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05055: Authentication rejected (invalid proof)

      at org.wildfly.security.sasl.digest.DigestSaslServer.validateDigestResponse(DigestSaslServer.java:274)

      at org.wildfly.security.sasl.digest.DigestSaslServer.evaluateMessage(DigestSaslServer.java:363)

      at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:199)

      at org.wildfly.security.sasl.digest.DigestSaslServer.evaluateResponse(DigestSaslServer.java:336)

      at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)

      at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)

      at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:59)

      at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)

      at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)

      at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:486)

      at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:949)

      at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)

      at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)

      at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)

      at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)

      at java.lang.Thread.run(Thread.java:748)

       

      10:16:57,572 TRACE [org.jboss.remoting.remote.server] (default task-1) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05055: Authentication rejected (invalid proof)

      at org.wildfly.security.sasl.digest.DigestSaslServer.validateDigestResponse(DigestSaslServer.java:274)

      at org.wildfly.security.sasl.digest.DigestSaslServer.evaluateMessage(DigestSaslServer.java:363)

      at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:199)

      at org.wildfly.security.sasl.digest.DigestSaslServer.evaluateResponse(DigestSaslServer.java:336)

      at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)

      at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)

      at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:59)

      at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)

      at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)

      at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:486)

      at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:949)

      at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)

      at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)

      at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)

      at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)

      at java.lang.Thread.run(Thread.java:748)

       

      10:16:57,575 TRACE [org.wildfly.security] (default task-1) Handling AuthenticationCompleteCallback: fail

      10:16:57,575 TRACE [org.jboss.remoting.remote.server] (default task-1) No more authentication attempts allowed, closing the connection

       

      We need to move a legacy application from JBoss 5.1.0 to WildFly 15.0.1.

      Any help would be immensely appreciated. We do realize that somewhere the exact configurations needed for this to work on both the client and the server are not matching and hence these errors, but due to the lack of suitable examples and clear documentation we are not being able to proceed.

       

      TIA,

       

      Anindya

        • 1. Re: How to configure the security for using JDBC realms
          Farah Juma Expert

          Looks like your configuration is using a clear-password-mapper, which is used to load a clear-text password from the database. Since the database contains hashed passwords, you'll want to use a simple-digest-mapper instead:

           

          wildfly/JDBC_Security_Realm.adoc at master · wildfly/wildfly · GitHub

          • 2. Re: How to configure the security for using JDBC realms
            Anindya Mukherjee Newbie

            Hi Farah,

             

            Thanks for your reply. We have already changed out config to use "simple-digest-mapper" and the password is stored as a base64 encoded MD-5 hash in Oracle table. This part is fine. The question is we are not being very clear about what should be the entries in wildfly-config.xml so that the client can work properly with the server. And also, what should be the entry to be made in the mechanism-name in the sasl-authentication-factory section in the server config ?

             

            I believe there is something mismatched between these two entries and hence the client gets something from the server which it doesn't expect or vice versa and hence the failures in authentication. Could you please point us to some documents which shows exactly how to configure the client and the server in case of each of the mappers supported by WildFly 15 ? That would be a big help.

             

            Thanks once again,

             

            Anindya