0 Replies Latest reply on Aug 19, 2019 9:03 AM by szymonk92

    WildFly 15.0.1 + JDBC; simple configuration

    szymonk92

      Hi, I am trying a simple configuration to secure my application, but I can't get past handling RealmCallbacks. Every time, ManagementRealm is invoked instead of my own realm.
      defaultRealmName is exampleDbRealm once, and two lines below it becomes EMPTY and then ManagementRealm.

       

      I believe it should be Realm: exampleDbRealm all the time!

       

      Since it took me quite a lot of time to test several configurations, I am posting the simplest one. I hope you can help me debug it.

       

      My server configuration:

      module add --name=org.postgresql --resources=./postgresql-42.2.5.jar --dependencies=javax.api,javax.transaction.api

      /subsystem=datasources/jdbc-driver=postgres:add( \
        driver-name="postgres", \
        driver-module-name="org.postgresql", \
        driver-class-name="org.postgresql.Driver")

      data-source add \
        --name=XpDS \
        --driver-name=postgres \
        --connection-url=jdbc:postgresql://localhost:5432/xp_test \
        --jndi-name=java:jboss/datasources/XpDS \
        --use-java-context=true \
        --user-name=postgres \
        --password=postgres \
        --max-pool-size=25 \
        --blocking-timeout-wait-millis=5000 \
        --idle-timeout-minutes=5 \
        --enabled=true

      /subsystem=elytron/jdbc-realm=exampleDbRealm:add( \
        principal-query=[ \
             { data-source=XpDS, \
                  sql="select PASSWORD from T_USER WHERE username = ?", \
                  clear-password-mapper={password-index=1}}, \
             {data-source=XpDS, \
                  sql="SELECT r.name AS name, 'Roles' as roles from A_ROLE r INNER JOIN A_JOIN_U_R j ON j.roles = r.umro_id INNER JOIN A_USER u ON j.users = u.umus_id WHERE u.username = ?", \
                  attribute-mapping=[{index=1, to=roles}]}])

      /subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=roles)

      /subsystem=ee/service=default-bindings:write-attribute(name="datasource", value="java:jboss/datasources/XpDS")

      /subsystem=elytron/security-domain=exampleDbSD:add( \
        realms=[{ realm=exampleDbRealm,role-decoder=from-roles-attribute}], \
        default-realm=exampleDbRealm, \
        permission-mapper=default-permission-mapper)

      ## my app domain: xp-domain
      /subsystem=ejb3/application-security-domain=xp-domain:add(security-domain=exampleDbSD)

      /subsystem=elytron/sasl-authentication-factory=my-sasl-authentication-factory:add( \
        sasl-server-factory=configured, \
        security-domain=exampleDbSD, \
        mechanism-configurations=[{ \
        mechanism-name=DIGEST-MD5, \
        mechanism-realm-configurations=[{realm-name=exampleDbRealm}] \
        }])

      /subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=sasl-authentication-factory, value=my-sasl-authentication-factory)
      /subsystem=remoting/http-connector=http-remoting-connector:undefine-attribute(name=security-realm)

      ## Remove ExampleDS & H2 driver
      ## some logs

       

      Logs:
      INFO  [org.wildfly.extension.undertow] (MSC service thread 1-4) WFLYUT0018: Host default-host starting
      INFO  [org.jboss.as.server.deployment.scanner] (MSC service thread 1-3) WFLYDS0013: Started FileSystemDeploymentService for directory C:\Users\..\arquillian-wildfly\server\wildfly-dist_15.0.1.Final\wildfly-15.0.1.Final\standalone\deployments
      TRACE [org.wildfly.security] (MSC service thread 1-4) Building security domain with defaultRealmName EMPTY.
      TRACE [org.wildfly.security] (MSC service thread 1-4) The following additional realms were added: [LOCAL, DIGEST, EMPTY].
      TRACE [org.wildfly.security] (MSC service thread 1-4) Role mapping: principal [anonymous] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []
      INFO  [org.wildfly.extension.undertow] (MSC service thread 1-8) WFLYUT0006: Undertow HTTP listener default listening on 127.0.0.1:47080
      INFO  [org.jboss.as.ejb3] (MSC service thread 1-3) WFLYEJB0493: EJB subsystem suspension complete
      INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-7) WFLYJCA0001: Bound data source [java:jboss/datasources/XpDS]
      TRACE [org.wildfly.security] (MSC service thread 1-3) Building security domain with defaultRealmName exampleDbRealm.
      TRACE [org.wildfly.security] (MSC service thread 1-3) Role mapping: principal [anonymous] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []
      TRACE [org.wildfly.security] (MSC service thread 1-6) Building security domain with defaultRealmName EMPTY.
      TRACE [org.wildfly.security] (MSC service thread 1-6) The following additional realms were added: [LOCAL, DIGEST, EMPTY].
      TRACE [org.wildfly.security] (MSC service thread 1-6) Role mapping: principal [anonymous] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []
      INFO  [org.wildfly.extension.undertow] (MSC service thread 1-6) WFLYUT0006: Undertow HTTPS listener https listening on 127.0.0.1:47443
      INFO  [org.jboss.ws.common.management] (MSC service thread 1-5) JBWS022052: Starting JBossWS 5.2.4.Final (Apache CXF 3.2.5.jbossorg-1)
      INFO  [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server
      INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:48990/management
      INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:48990
      INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: WildFly Full 15.0.1.Final (WildFly Core 7.0.0.Final) started in 6124ms - Started 314 of 536 services (323 services are lazy, passive or on-demand)
      TRACE [org.wildfly.security] (management I/O-2) Handling MechanismInformationCallback type='SASL' name='DIGEST-MD5' host-name='vmware-localhost' protocol='remote'
      TRACE [org.wildfly.security] (management I/O-2) Handling AvailableRealmsCallback: realms = [ManagementRealm]
      TRACE [org.wildfly.security] (management I/O-2) Creating SaslServer [org.wildfly.security.sasl.digest.DigestSaslServer@1bf1a0fb] for mechanism [DIGEST-MD5] and protocol [remote]
      TRACE [org.wildfly.security] (management I/O-2) Created SaslServer [org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1@34b016e7->org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer@a7e3bdf->org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1@5101899e->org.wildfly.security.sasl.digest.DigestSaslServer@1bf1a0fb] for mechanism [DIGEST-MD5]
      TRACE [org.wildfly.security] (management task-1) Handling RealmCallback: selected = [ManagementRealm]
      TRACE [org.wildfly.security] (management task-1) Handling NameCallback: authenticationName = test
      TRACE [org.wildfly.security] (management task-1) Principal assigning: [test], pre-realm rewritten: [test@ManagementRealm], realm name: [DIGEST], post-realm rewritten: [test@ManagementRealm], realm rewritten: [test@ManagementRealm]
      TRACE [org.wildfly.security] (management task-1) Handling CredentialCallback: failed to obtain credential
      TRACE [org.wildfly.security] (management task-1) Handling RealmCallback: selected = [ManagementRealm]
      TRACE [org.wildfly.security] (management task-1) Handling NameCallback: authenticationName = test
      TRACE [org.wildfly.security] (management task-1) Handling CredentialCallback: failed to obtain credential
      TRACE [org.wildfly.security] (management task-1) Handling RealmCallback: selected = [ManagementRealm]
      TRACE [org.wildfly.security] (management task-1) Handling NameCallback: authenticationName = test
      TRACE [org.wildfly.security] (management task-1) Handling PasswordCallback: failed to obtain PasswordCredential
      TRACE [org.wildfly.security] (management task-1) Handling AuthenticationCompleteCallback: fail
      DEBUG [client] Client received authentication rejected for mechanism DIGEST-MD5
      DEBUG [connection] JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed:
         DIGEST-MD5: javax.security.sasl.SaslException: DIGEST-MD5: Server rejected authentication

       

       

      My client configuration:

      <?xml version="1.0" encoding="UTF-8"?>

      <configuration>
         <authentication-client xmlns="urn:elytron:1.0">
              <authentication-rules>
                   <rule use-configuration="arq-login"/>
              </authentication-rules>
              <authentication-configurations>
                   <configuration name="arq-login">
                        <set-user-name name="test"/>
                        <sasl-mechanism-selector selector="DIGEST-MD5"/>
                        <credentials>
                             <clear-password password="myPassword"/>
                        </credentials>
                   </configuration>
              </authentication-configurations>
         </authentication-client>
         <jboss-ejb-client xmlns="urn:jboss:wildfly-client-ejb:3.0">
              <connections>
                   <connection uri="remote+http://localhost:8080"/>
              </connections>
         </jboss-ejb-client>
      </configuration>

       

       

      Since I do not use HTTP authentication, I didn't change the Undertow configuration.

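An added example, not code from the original post or from WildFly: a small Python triage script for Elytron TRACE output of the kind shown above. It records the defaultRealmName each security domain was built with and, per worker thread, which realm the RealmCallback selected and how the SASL exchange ended; the thread-name prefix ("management ..." versus "default ...") identifies the XNIO worker, and therefore whether the management interface or the application listeners (where http-remoting-connector lives) answered the connection. The sample log is constructed to match the server's log format, not copied from the post.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of WildFly Elytron TRACE output (not copied from the post).
SAMPLE_LOG = """\
TRACE [org.wildfly.security] (MSC service thread 1-3) Building security domain with defaultRealmName exampleDbRealm.
TRACE [org.wildfly.security] (MSC service thread 1-6) Building security domain with defaultRealmName EMPTY.
TRACE [org.wildfly.security] (management I/O-2) Handling AvailableRealmsCallback: realms = [ManagementRealm]
TRACE [org.wildfly.security] (management task-1) Handling RealmCallback: selected = [ManagementRealm]
TRACE [org.wildfly.security] (management task-1) Handling NameCallback: authenticationName = test
TRACE [org.wildfly.security] (management task-1) Handling AuthenticationCompleteCallback: fail
TRACE [org.wildfly.security] (default I/O-1) Handling AvailableRealmsCallback: realms = [exampleDbRealm]
TRACE [org.wildfly.security] (default task-1) Handling RealmCallback: selected = [exampleDbRealm]
TRACE [org.wildfly.security] (default task-1) Handling AuthenticationCompleteCallback: succeed
"""

# Generic "LEVEL [logger] (thread) message" shape of the server log.
LINE_RE = re.compile(r"^(\w+)\s+\[([^\]]+)\]\s+\(([^)]+)\)\s+(.*)$")
DOMAIN_RE = re.compile(r"Building security domain with defaultRealmName (\S+)\.")
REALM_RE = re.compile(r"Handling RealmCallback: selected = \[([^\]]*)\]")
DONE_RE = re.compile(r"Handling AuthenticationCompleteCallback: (\w+)")


def endpoint_of(thread):
    """First word of the thread name is the XNIO worker: 'management' threads serve the
    management interface, 'default' threads serve the application listeners."""
    return thread.split()[0]


def parse_domains(log):
    """defaultRealmName of every security domain built during boot, in log order."""
    return [DOMAIN_RE.search(m.group(4)).group(1)
            for m in map(LINE_RE.match, log.splitlines())
            if m and DOMAIN_RE.search(m.group(4))]


def audit_auth(log, expected_realm):
    """Per worker thread: selected realm, owning endpoint and final result of the SASL
    exchange. Returns (attempts, findings); findings lists every attempt that was
    answered by a realm other than expected_realm."""
    attempts = defaultdict(dict)
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        thread, msg = m.group(3), m.group(4)
        if r := REALM_RE.search(msg):
            attempts[thread].update(realm=r.group(1), endpoint=endpoint_of(thread))
        if d := DONE_RE.search(msg):
            attempts[thread]["result"] = d.group(1)
    findings = [f"{t}: realm {a.get('realm')} via {a.get('endpoint')} endpoint, result {a.get('result')}"
                for t, a in attempts.items() if a.get("realm") != expected_realm]
    return dict(attempts), findings


if __name__ == "__main__":
    print(parse_domains(SAMPLE_LOG))
    for f in audit_auth(SAMPLE_LOG, "exampleDbRealm")[1]:
        print("unexpected realm:", f)
```

Run it against a real server.log with TRACE enabled for org.wildfly.security; an attempt flagged on a "management" thread means the client reached the management interface rather than the connector the SASL factory was attached to.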