jboss Wildfly / Elytron和jdbc-realm with digest

jv2fixgn  于 12个月前  发布在  其他
关注(0)|答案(1)|浏览(202)

我正在将一个应用程序从Wildfly 16迁移到30,很难找到正确的安全配置。
我在Wildfly 16中有:(1)基于JDBC的身份验证,使用base64'ed SHA-256密码/授权,如下所示:

<security-domain name="j-lawyer-security" cache-type="default">
                    <authentication>
                        <login-module code="Database" flag="required">
                            <module-option name="dsJndiName" value="java:/jlawyerdb"/>
                            <module-option name="principalsQuery" value="select password from security_users where principalId=?"/>
                            <module-option name="rolesQuery" value="select role, 'Roles' from security_roles where principalId=?"/>
                            <module-option name="unauthenticatedIdentity" value="anonymous"/>
                            <module-option name="hashAlgorithm" value="SHA-256"/>
                            <module-option name="hashEncoding" value="base64"/>
                            <module-option name="hashUserPassword" value="true"/>
                            <module-option name="hashStorePassword" value="false"/>
                        </login-module>
                    </authentication>
                </security-domain>
            </security-domains>

字符串
应用程序代码引用此安全域。
(2)一个远程EJB客户端,看起来像这样:

Properties properties = new Properties();
            properties.put("jboss.naming.client.ejb.context", true);

            // begin: for JMS only
            properties.put(Context.INITIAL_CONTEXT_FACTORY, "org.wildfly.naming.client.WildFlyInitialContextFactory");
            properties.put(Context.PROVIDER_URL, "http-remoting://localhost:8080");
            properties.put(Context.SECURITY_PRINCIPAL, "admin");
            properties.put(Context.SECURITY_CREDENTIALS, pwString);
            properties.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
            properties.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "false");
            properties.put("jboss.naming.client.connect.options.org.xnio.Options.SSL_ENABLED", "false");
            properties.put("jboss.naming.client.connect.options.org.xnio.Options.SSL_STARTTLS", "false");

            InitialContext ic = new InitialContext(properties);
            SecurityServiceRemote remote = (SecurityServiceRemote) ic.lookup("ejb:j-lawyer-server/j-lawyer-server-ejb//SecurityService!com.jdimension.jlawyer.services.SecurityServiceRemote");
            remote.dummy();


(3)使用基于HTTP身份验证的REST API
EJB客户端和HTTP BASIC都能很好地协同工作。

**

现在,在Wildfly 30中,我正在努力建立Elytron来实现同样的事情。
我在Wildfly standalone.xml中有:
(1)我更改了安全领域以支持基于数据库的身份验证:

<security-realms>
                <identity-realm name="local" identity="$local"/>
                <jdbc-realm name="ApplicationRealm">
                    <principal-query sql="select password from security_users where principalId=?" data-source="somedb">
                        <clear-password-mapper password-index="1"/>
                    </principal-query>
                    <principal-query sql="select role, 'Roles' from security_roles where principalId=?" data-source="jlawyerdb">
                        <attribute-mapping>
                            <attribute to="Roles" index="1"/>
                        </attribute-mapping>
                    </principal-query>
                </jdbc-realm>
            </security-realms>


在Elytron模块中,我有

<http>
                <http-authentication-factory name="application-http-authentication" security-domain="ApplicationDomain" http-server-mechanism-factory="global">
                    <mechanism-configuration>
                        <mechanism mechanism-name="BASIC">
                            <mechanism-realm realm-name="ApplicationRealm"/>
                        </mechanism>
                    </mechanism-configuration>
                </http-authentication-factory>
                <provider-http-server-mechanism-factory name="global"/>
            </http>
            <sasl>
                <sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="ApplicationDomain">
                    <mechanism-configuration>
                        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
                        <mechanism mechanism-name="DIGEST-SHA-256">
                            <mechanism-realm realm-name="ApplicationRealm"/>
                        </mechanism>
                    </mechanism-configuration>
                </sasl-authentication-factory>


在回流模块中:

<application-security-domains>
                <application-security-domain name="other" security-domain="ApplicationDomain"/>
            </application-security-domains>


对于远程EJB客户端,查找代码成功地执行了查找,但是当调用一些业务逻辑时它失败了。奇怪的是,当我创建一个SHA-256和Base64并将该值作为密码传递到查找属性时,它正在成功地进行身份验证
这对我来说没有意义,因为它本质上与在服务器端存储明文密码相同,而在Wildfly 16中不需要这样的东西。
HTTP客户端(我尝试打开同时托管REST后端的Web应用程序)要求提供凭据(浏览器弹出窗口),但之后什么都不起作用,不是纯文本密码,也不是散列值。
我将安全性设置为TRACE级别日志记录,这是我在浏览器中进行身份验证时得到的结果:

2023-11-24 21:26:31,706 TRACE [org.wildfly.security.http.servlet] (default task-1) Created ServletSecurityContextImpl enableJapi=true, integratedJaspi=true, applicationContext=default-host /j-lawyer-io
2023-11-24 21:26:31,706 TRACE [org.wildfly.security.http.servlet] (default task-1) No AuthConfigProvider for layer=HttpServlet, appContext=default-host /j-lawyer-io
2023-11-24 21:26:31,706 TRACE [org.wildfly.security.http.servlet] (default task-1) JASPIC Unavailable, using HTTP authentication.
2023-11-24 21:26:31,706 TRACE [org.wildfly.security] (default task-1) No CachedIdentity to restore.
2023-11-24 21:26:31,706 TRACE [org.wildfly.security] (default task-1) Created HttpServerAuthenticationMechanism [org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$1@6c3c7599] for mechanism [BASIC]
2023-11-24 21:26:31,706 TRACE [org.wildfly.security] (default task-1) Handling AvailableRealmsCallback: realms = [j-lawyer-security-application]
2023-11-24 21:26:31,706 DEBUG [org.wildfly.security.http.password] (default task-1) Username authentication. Realm: [j-lawyer-security-application], Username: [admin].
2023-11-24 21:26:31,706 TRACE [org.wildfly.security] (default task-1) Handling RealmCallback: selected = [j-lawyer-security-application]
2023-11-24 21:26:31,706 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = admin
2023-11-24 21:26:31,706 TRACE [org.wildfly.security] (default task-1) Principal assigning: [admin], pre-realm rewritten: [admin], realm name: [ApplicationRealm], post-realm rewritten: [admin], realm rewritten: [admin]
2023-11-24 21:26:31,706 TRACE [org.wildfly.security] (default task-1) Executing principalQuery select password from security_users where principalId=? with value admin
2023-11-24 21:26:31,707 TRACE [org.wildfly.security] (default task-1) Key Mapper: Password credential created using algorithm column value [clear]
2023-11-24 21:26:31,707 TRACE [org.wildfly.security] (default task-1) Executing principalQuery select role, 'Roles' from security_roles where principalId=? with value admin
2023-11-24 21:26:31,707 TRACE [org.wildfly.security.http.basic] (default task-1) User admin authenticated successfully!
2023-11-24 21:26:31,707 DEBUG [org.wildfly.security.http.password] (default task-1) Username authorization. Username: [admin].
2023-11-24 21:26:31,707 TRACE [org.wildfly.security] (default task-1) Role mapping: principal [admin] -> decoded roles [] -> domain decoded roles [] -> realm mapped roles [] -> domain mapped roles []
2023-11-24 21:26:31,707 TRACE [org.wildfly.security] (default task-1) Authorizing principal admin.
2023-11-24 21:26:31,707 TRACE [org.wildfly.security] (default task-1) Authorizing against the following attributes: [Roles] => [loginRole, writeAddressRole, createAddressRole, readArchiveFileRole, createOptionGroupRole, commonReportRole, createArchiveFileRole, writeOptionGroupRole, removeAddressRole, confidentialReportRole, readAddressRole, adminRole, writeArchiveFileRole, removeArchiveFileRole, deleteOptionGroupRole, importRole]
2023-11-24 21:26:31,707 TRACE [org.wildfly.security] (default task-1) Authorizing against the following runtime attributes: [] => []
2023-11-24 21:26:31,707 TRACE [org.wildfly.security] (default task-1) Permission mapping: identity [admin] with roles [] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
2023-11-24 21:26:31,707 TRACE [org.wildfly.security] (default task-1) Authorization succeed
2023-11-24 21:26:31,707 TRACE [org.wildfly.security] (default task-1) RunAs authorization succeed - the same identity
2023-11-24 21:26:31,707 TRACE [org.wildfly.security] (default task-1) Handling AuthorizeCallback: authenticationID = admin  authorizationID = admin  authorized = true
2023-11-24 21:26:31,707 DEBUG [org.wildfly.security.http.basic] (default task-1) User admin authorization succeeded!
2023-11-24 21:26:31,707 TRACE [org.wildfly.security] (default task-1) Handling AuthenticationCompleteCallback: succeed
2023-11-24 21:26:31,708 TRACE [org.wildfly.security] (default task-1) Handling SecurityIdentityCallback: identity = SecurityIdentity{principal=admin, securityDomain=org.wildfly.security.auth.server.SecurityDomain@3ea8f016, authorizationIdentity=EMPTY, realmInfo=RealmInfo{name='ApplicationRealm', securityRealm=org.wildfly.security.auth.realm.jdbc.JdbcSecurityRealm@51bd3c04}, creationTime=2023-11-24T20:26:31.707702901Z}
2023-11-24 21:26:31,708 TRACE [org.wildfly.security] (default task-1) Role mapping: principal [admin] -> decoded roles [] -> domain decoded roles [] -> realm mapped roles [] -> domain mapped roles []
2023-11-24 21:26:31,708 TRACE [org.wildfly.security] (default task-1) Role mapping: principal [admin] -> decoded roles [] -> domain decoded roles [] -> realm mapped roles [] -> domain mapped roles []
2023-11-24 21:26:31,708 TRACE [org.wildfly.security] (default task-1) Permission mapping: identity [admin] with roles [] implies ("jakarta.security.jacc.WebResourcePermission" "/swagger-ui/" "GET") = false


问题:

  • 在概念层面上,我做错了什么吗?
  • HTTP是Web应用程序的基础,哈希密码与远程EJB客户端结合使用吗?
  • 当使用散列时,远程客户端现在应该在查找属性中向服务器提供散列值吗?如果是,浏览器会做什么?它不能创建这样的值。
  • 由于Elytron文档似乎过时或不完整:有人知道一个类似的例子吗?

谢谢你,谢谢

rryofs0p

rryofs0p1#

在这里提出我自己的问题,以防万一其他人遇到这个问题:
使用

<simple-digest-mapper algorithm="simple-digest-sha-256" password-index="1"/>

字符串
在jdbc-realm和SASL auth工厂的“PLAIN”机制:

<sasl-authentication-factory name="jlawyer-sasl-authentication-factory" sasl-server-factory="configured" security-domain="jlawyer-security-domain">
            <mechanism-configuration>
                <mechanism mechanism-name="PLAIN">
                    <mechanism-realm realm-name="jlawyer-jdbc-realm"/>
                </mechanism>
            </mechanism-configuration>
        </sasl-authentication-factory>


这一招奏效了

相关问题