Wildfly / Elytron and jdbc-realm with digest

Question (votes: 0, answers: 1)

I am migrating an application from Wildfly 16 to 30 and am having a hard time finding the right security configuration.

What I had in Wildfly 16: (1) jdbc-based authentication using base64-encoded SHA-256 passwords / authorization, like this:

            <security-domains>
                <security-domain name="j-lawyer-security" cache-type="default">
                    <authentication>
                        <login-module code="Database" flag="required">
                            <module-option name="dsJndiName" value="java:/jlawyerdb"/>
                            <module-option name="principalsQuery" value="select password from security_users where principalId=?"/>
                            <module-option name="rolesQuery" value="select role, 'Roles' from security_roles where principalId=?"/>
                            <module-option name="unauthenticatedIdentity" value="anonymous"/>
                            <module-option name="hashAlgorithm" value="SHA-256"/>
                            <module-option name="hashEncoding" value="base64"/>
                            <module-option name="hashUserPassword" value="true"/>
                            <module-option name="hashStorePassword" value="false"/>
                        </login-module>
                    </authentication>
                </security-domain>
            </security-domains>

The application code references this security domain.

(2) A remote EJB client, like this:

import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;

Properties properties = new Properties();
properties.put("jboss.naming.client.ejb.context", true);

// begin: for JMS only
properties.put(Context.INITIAL_CONTEXT_FACTORY, "org.wildfly.naming.client.WildFlyInitialContextFactory");
properties.put(Context.PROVIDER_URL, "http-remoting://localhost:8080");
properties.put(Context.SECURITY_PRINCIPAL, "admin");
properties.put(Context.SECURITY_CREDENTIALS, pwString);
properties.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
properties.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "false");
properties.put("jboss.naming.client.connect.options.org.xnio.Options.SSL_ENABLED", "false");
properties.put("jboss.naming.client.connect.options.org.xnio.Options.SSL_STARTTLS", "false");

InitialContext ic = new InitialContext(properties);
SecurityServiceRemote remote = (SecurityServiceRemote) ic.lookup("ejb:j-lawyer-server/j-lawyer-server-ejb//SecurityService!com.jdimension.jlawyer.services.SecurityServiceRemote");
remote.dummy();

(3) A REST API using HTTP BASIC authentication

The EJB client and HTTP BASIC worked well together.

Wildfly 30

Now, in Wildfly 30, I am struggling to set up Elytron to achieve the same.

What I have in WildFly's standalone.xml:

(1) I changed the security realm to support database-based authentication:

            <security-realms>
                <identity-realm name="local" identity="$local"/>
                <jdbc-realm name="ApplicationRealm">
                    <principal-query sql="select password from security_users where principalId=?" data-source="somedb">
                        <clear-password-mapper password-index="1"/>
                    </principal-query>
                    <principal-query sql="select role, 'Roles' from security_roles where principalId=?" data-source="jlawyerdb">
                        <attribute-mapping>
                            <attribute to="Roles" index="1"/>
                        </attribute-mapping>
                    </principal-query>
                </jdbc-realm>
            </security-realms>

In the Elytron subsystem I have

            <http>
                <http-authentication-factory name="application-http-authentication" security-domain="ApplicationDomain" http-server-mechanism-factory="global">
                    <mechanism-configuration>
                        <mechanism mechanism-name="BASIC">
                            <mechanism-realm realm-name="ApplicationRealm"/>
                        </mechanism>
                    </mechanism-configuration>
                </http-authentication-factory>
                <provider-http-server-mechanism-factory name="global"/>
            </http>
            <sasl>
                <sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="ApplicationDomain">
                    <mechanism-configuration>
                        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
                        <mechanism mechanism-name="DIGEST-SHA-256">
                            <mechanism-realm realm-name="ApplicationRealm"/>
                        </mechanism>
                    </mechanism-configuration>
                </sasl-authentication-factory>
            </sasl>

In the Undertow subsystem:

            <application-security-domains>
                <application-security-domain name="other" security-domain="ApplicationDomain"/>
            </application-security-domains>

For the remote EJB client, the lookup code executes the lookup successfully, but it fails when invoking some business logic. Strangely, when I compute SHA-256 + Base64 and pass that value as the password in the lookup properties, it authenticates successfully.

This makes no sense to me, since it is essentially the same as storing a cleartext password on the server side, and nothing of the sort was needed in Wildfly 16.

The HTTP client (I tried opening the web application that also hosts the REST backend) asks for credentials (browser popup), but nothing works, neither the plaintext password nor the hash value.

I set security to TRACE-level logging, and this is what I get when authenticating in the browser:

2023-11-24 21:26:31,706 TRACE [org.wildfly.security.http.servlet] (default task-1) Created ServletSecurityContextImpl enableJapi=true, integratedJaspi=true, applicationContext=default-host /j-lawyer-io
2023-11-24 21:26:31,706 TRACE [org.wildfly.security.http.servlet] (default task-1) No AuthConfigProvider for layer=HttpServlet, appContext=default-host /j-lawyer-io
2023-11-24 21:26:31,706 TRACE [org.wildfly.security.http.servlet] (default task-1) JASPIC Unavailable, using HTTP authentication.
2023-11-24 21:26:31,706 TRACE [org.wildfly.security] (default task-1) No CachedIdentity to restore.
2023-11-24 21:26:31,706 TRACE [org.wildfly.security] (default task-1) Created HttpServerAuthenticationMechanism [org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$1@6c3c7599] for mechanism [BASIC]
2023-11-24 21:26:31,706 TRACE [org.wildfly.security] (default task-1) Handling AvailableRealmsCallback: realms = [j-lawyer-security-application]
2023-11-24 21:26:31,706 DEBUG [org.wildfly.security.http.password] (default task-1) Username authentication. Realm: [j-lawyer-security-application], Username: [admin].
2023-11-24 21:26:31,706 TRACE [org.wildfly.security] (default task-1) Handling RealmCallback: selected = [j-lawyer-security-application]
2023-11-24 21:26:31,706 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = admin
2023-11-24 21:26:31,706 TRACE [org.wildfly.security] (default task-1) Principal assigning: [admin], pre-realm rewritten: [admin], realm name: [ApplicationRealm], post-realm rewritten: [admin], realm rewritten: [admin]
2023-11-24 21:26:31,706 TRACE [org.wildfly.security] (default task-1) Executing principalQuery select password from security_users where principalId=? with value admin
2023-11-24 21:26:31,707 TRACE [org.wildfly.security] (default task-1) Key Mapper: Password credential created using algorithm column value [clear]
2023-11-24 21:26:31,707 TRACE [org.wildfly.security] (default task-1) Executing principalQuery select role, 'Roles' from security_roles where principalId=? with value admin
2023-11-24 21:26:31,707 TRACE [org.wildfly.security.http.basic] (default task-1) User admin authenticated successfully!
2023-11-24 21:26:31,707 DEBUG [org.wildfly.security.http.password] (default task-1) Username authorization. Username: [admin].
2023-11-24 21:26:31,707 TRACE [org.wildfly.security] (default task-1) Role mapping: principal [admin] -> decoded roles [] -> domain decoded roles [] -> realm mapped roles [] -> domain mapped roles []
2023-11-24 21:26:31,707 TRACE [org.wildfly.security] (default task-1) Authorizing principal admin.
2023-11-24 21:26:31,707 TRACE [org.wildfly.security] (default task-1) Authorizing against the following attributes: [Roles] => [loginRole, writeAddressRole, createAddressRole, readArchiveFileRole, createOptionGroupRole, commonReportRole, createArchiveFileRole, writeOptionGroupRole, removeAddressRole, confidentialReportRole, readAddressRole, adminRole, writeArchiveFileRole, removeArchiveFileRole, deleteOptionGroupRole, importRole]
2023-11-24 21:26:31,707 TRACE [org.wildfly.security] (default task-1) Authorizing against the following runtime attributes: [] => []
2023-11-24 21:26:31,707 TRACE [org.wildfly.security] (default task-1) Permission mapping: identity [admin] with roles [] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
2023-11-24 21:26:31,707 TRACE [org.wildfly.security] (default task-1) Authorization succeed
2023-11-24 21:26:31,707 TRACE [org.wildfly.security] (default task-1) RunAs authorization succeed - the same identity
2023-11-24 21:26:31,707 TRACE [org.wildfly.security] (default task-1) Handling AuthorizeCallback: authenticationID = admin  authorizationID = admin  authorized = true
2023-11-24 21:26:31,707 DEBUG [org.wildfly.security.http.basic] (default task-1) User admin authorization succeeded!
2023-11-24 21:26:31,707 TRACE [org.wildfly.security] (default task-1) Handling AuthenticationCompleteCallback: succeed
2023-11-24 21:26:31,708 TRACE [org.wildfly.security] (default task-1) Handling SecurityIdentityCallback: identity = SecurityIdentity{principal=admin, securityDomain=org.wildfly.security.auth.server.SecurityDomain@3ea8f016, authorizationIdentity=EMPTY, realmInfo=RealmInfo{name='ApplicationRealm', securityRealm=org.wildfly.security.auth.realm.jdbc.JdbcSecurityRealm@51bd3c04}, creationTime=2023-11-24T20:26:31.707702901Z}
2023-11-24 21:26:31,708 TRACE [org.wildfly.security] (default task-1) Role mapping: principal [admin] -> decoded roles [] -> domain decoded roles [] -> realm mapped roles [] -> domain mapped roles []
2023-11-24 21:26:31,708 TRACE [org.wildfly.security] (default task-1) Role mapping: principal [admin] -> decoded roles [] -> domain decoded roles [] -> realm mapped roles [] -> domain mapped roles []
2023-11-24 21:26:31,708 TRACE [org.wildfly.security] (default task-1) Permission mapping: identity [admin] with roles [] implies ("jakarta.security.jacc.WebResourcePermission" "/swagger-ui/" "GET") = false

Questions:

  • On a conceptual level, am I doing something wrong?
  • Is HTTP BASIC for the web application supposed to work in combination with hashed passwords for the remote EJB client?
  • When using hashes, is the remote client now supposed to provide the hash value to the server in the lookup properties? If so, what does the browser do? It cannot create such a value.
  • The Elytron documentation seems either outdated or incomplete: does anyone know of a similar example?

Thanks!

java jakarta-ee jboss wildfly elytron
1 answer
0 votes

Answering my own question here in case anyone else runs into this:

Using

<simple-digest-mapper algorithm="simple-digest-sha-256" password-index="1"/>

in the jdbc-realm, and the "PLAIN" mechanism in the SASL authentication factory:

        <sasl-authentication-factory name="jlawyer-sasl-authentication-factory" sasl-server-factory="configured" security-domain="jlawyer-security-domain">
            <mechanism-configuration>
                <mechanism mechanism-name="PLAIN">
                    <mechanism-realm realm-name="jlawyer-jdbc-realm"/>
                </mechanism>
            </mechanism-configuration>
        </sasl-authentication-factory>

This worked.
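Why the mapper change matters, as an added illustration that is not part of the original question or answer: with clear-password-mapper Elytron treats the column value itself as the password (which is why the trace shows "algorithm column value [clear]" and the base64 hash was accepted as a credential), whereas simple-digest-mapper with simple-digest-sha-256 digests the supplied clear password and compares the result to the column. The sample row and password below are constructed; base64 hash-encoding is assumed, matching the Wildfly 16 hashEncoding setting.

```python
import base64
import hashlib
import hmac

# Constructed sample: the password column as the old Wildfly 16 setup stored it,
# i.e. base64(SHA-256(password)) with no salt.
REAL_PASSWORD = "s3cret"
STORED = base64.b64encode(hashlib.sha256(REAL_PASSWORD.encode("utf-8")).digest()).decode("ascii")


def simple_digest_sha256_b64(password: str) -> str:
    """Unsalted SHA-256 of the clear password, base64-encoded (what
    simple-digest-sha-256 with base64 hash-encoding expects in the column)."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_clear_mapper(stored: str, supplied: str) -> bool:
    """clear-password-mapper semantics: the column IS the password, so the
    supplied credential is compared to the column verbatim. A stored hash
    therefore becomes the effective password, which is what the poster saw."""
    return hmac.compare_digest(stored.encode("utf-8"), supplied.encode("utf-8"))


def verify_simple_digest_mapper(stored: str, supplied: str) -> bool:
    """simple-digest-mapper semantics: digest the supplied clear password and
    compare against the column, so only the real password verifies."""
    candidate = simple_digest_sha256_b64(supplied)
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))


def compare_mappers() -> dict:
    """Run both mappers against the real password and against the stored hash."""
    return {
        "clear_mapper_accepts_hash": verify_clear_mapper(STORED, STORED),
        "clear_mapper_accepts_password": verify_clear_mapper(STORED, REAL_PASSWORD),
        "digest_mapper_accepts_hash": verify_simple_digest_mapper(STORED, STORED),
        "digest_mapper_accepts_password": verify_simple_digest_mapper(STORED, REAL_PASSWORD),
    }


if __name__ == "__main__":
    for name, accepted in compare_mappers().items():
        print(f"{name}: {accepted}")
```

A one-way digest column also explains the SASL side: a DIGEST-SHA-256 mechanism needs the server to hold the clear password (or a mechanism-specific digest of username:realm:password) to check the challenge response, which simple-digest-sha-256 cannot provide, so the client must send the clear password via PLAIN, which in turn belongs on a TLS-protected connection rather than the SSL_ENABLED=false setup in the question.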
