Friday 14 July 2017

WildFly Elytron - Principal Transformers, Realm Mappings, and Principal Decoders

Within the WildFly Elytron configuration it is possible to specify multiple principal transformers, realm mappers, and a principal decoder - this blog post is to describe how they all fit together during the authentication process.

During the authentication process the principal transformers and principal decoders form a very similar function in that they are both used to map principals from one form to another, principal transformers can also be used to validate a principal as an example double check the formatting so authentication can be terminated early if an invalid principal is detected.

At the appropriate state in the process that is being described in this blog post the realm mappers will then operate on the mapped principal to identify which security realm should be used to load the identity.

Here are a couple of diagrams to illustrate how these concepts fit together, the remainder of this blog post will describe the steps in more detail.

The first diagram illustrates the general states the authentication process undergoes to map the Principal used for authentication.

Identity Assignment States 
The next diagram illustrates how the various transformers, decoders, and mappers can be configured for Elytron authentication.

Configuration Relationships

Resolve Mechanism Configuration

When the authentication processes commences for a single authentication mechanism the first step is to resolve the MechanismConfiguration that should be used, this is resolved by taking into account the name of the selected mechanism, the host name, and the protocol.

During this stage the mechanism realm configuration will also be resolved, the authentication mechanism will either request this by name or if the mechanism does not request this then the first one in the list is used.

Note: The mechanism realm is specifically in relation to the realm name negotiated by the authentication mechanism if applicable and is independent of the security realm representing the identity store.

Pre Realm Mapping

The purpose of this state is to take the Principal from the form that was provided by the authentication mechanism and map it to the form that can be used to identify which security realm to use to load the identity.

At the very end of the authentication process the identity is represented by a SecurityIdentity which contains a single Principal, the Principal will be the one created by this mapping stage.

The principal transformers and principal decoder will be called in the following order: -

1. Mechanism Realm - pre-realm principal-transformer
2. Mechanism Configuration - pre-realm principal transformer
3. Security Domain - principal-decoder
4. Security Domain - pre-realm-principal-transformer

If the end result is a null principal and error will be reported and authentication will terminate.

Realm Mapping

The next stage is to take the mapping principal and map it to a realm name to identify the name of the Security Realm to use to load the identity.

Note:  At this stage the realm name is the name of the SecurityRealm as referenced by the SecurityDomain and is not the mechanism realm name.

The configuration will be inspected for the first realm mapper that can be found in the following locations: -

A. Mechanism Realm - realm-mapper
B. Mechanism Configuration - realm-mapper
C. Security Domain - realm-mapper

If a RealmMapper is identified but that mapper returns null when mapping the Principal then the default-realm specified on the Security Domain will be used instead.

If no RealmMapper is available then the default-realm on the SecurityDomain will be used.

Post Realm Mapping

After the realm has been identified a further round of principal transformation happens, this time the following transformers are called: -

5. Mechanism Realm - post-realm principal-transformer
6. Mechanism Configuration - post-realm principal-transformer
7. Security Domain - post-realm principal-transformer

As before if the result is a null principal an error will be reported and authentication will be terminated.

Final Principal Transformation

After the post realm mapping stage one final round of principal transforming takes place, this time the following transformers are called in order.

8. Mechanism Realm - final principal-transformer
9. Mechanism Configuration - final principal-transformer
10. Realm Mapping - principal-transformer

Once again a null principal will result in an error being reported and authentication being terminated.

Having to transformations after the realm has been identified allows for mechanism specific transformations to be applied both before and after domain specific transformations, if this is not required then either the post-realm principal transformers or the final principal-transformers can be used to obtain the same result.

The End

It is only now at the very end of principal transformation that the security realm previously identified will be call to obtain the RealmIdentity that is now used for authentication to continue.

The key points to keep in mind are: -

  • The Principal created by the pre-realm-principal-transformers is: -
    • The Principal used to map the SecurityRealm
    • The Principal that will be associated with the resulting SecurityIdentity.
  • The Principal created after the final principal transformers is: -
    • The Principal that will be passed to the SecurityRealm to obtain the RealmIdentity.


33 comments:

  1. I just saw information on the new Elytron Security Subsystem (looks like coming in Wildfly 11). I'm upgrading to Wildfly 10.1.0 Final now from Wildfly 8.2.1-Final (I have 16 Wildfly servers I support now). Do you know if there will be some kind of conversion process to convert existing Security subsystem items to the Elytron "model"? Like the vault, LDAP/Active Directory configurations, etc... Or will there at least be some kind of migration guide? From what I have read this is a big shift in the security configuration subsystem(s).
    Thanks,

    ReplyDelete
    Replies
    1. It is currently work in progress but we are currently putting together some documentation highlighting some of the most common use cases and how to transition these over to a WildFly Elytron based configuration.

      https://docs.jboss.org/author/display/WFLY/Migrate+Legacy+Security+to+Elytron+Security

      As we receive questions in the forums from users working on migration I expect this will continue to be an evolving document where we add more content based on demand.

      Delete
  2. Is there any way to configure a security domain so it will try a sequence of realms, e.g. ldap, db, etc.

    ReplyDelete
  3. Hi Tom, depends what you mean :) If you mean authenticate with ldap and autorize with db then yes - use aggregate realm. But I doubt you need this. Most probably you need something similar as https://issues.jboss.org/browse/WFCORE-2370. If issue match your needs describe your particular use case there please. We are gathering scenarios to support. Thank you

    ReplyDelete
    Replies
    1. Great post! It helps me understand elytron much better.

      I'm looking for something similar like stacked loginmodules. Aggregating 2 or more realms. First realm returning an identity wins. No realm returns an identity, authentification fails. The given ticket I cannot find, to vote for.

      Christian

      Delete
  4. Can you add detailed example of wildfly configurations?

    ReplyDelete
  5. Saved as a favorite, I like your web site!
    onsite mobile repair bangalore
    Very good post. I'm facing a few of these issues as well..
    asus display replacement
    Way cool! Some extremely valid points! I appreciate you penning this write-up and the rest of the site is also very good.
    huawei display repair bangalore

    ReplyDelete
  6. I like it whenever people get together and share ideas. Great blog, keep it up!
    vivo charging port replacement
    Good info. Lucky me I recently found your website by chance (stumbleupon). I've saved it for later!
    lg service center Bangalore
    This blog was... how do I say it? Relevant!! Finally I have found something that helped me. Cheers!
    motorola display repair bangalore

    ReplyDelete
  7. This comment has been removed by the author.

    ReplyDelete
  8. Hello darran, tahkyou for this blogpost, i configured a pre-realm-principal-transformer for a security-domain (the goal was to create a wrapper for the resulting principal to add a extra information), but i think it is not getting invoked, the modification i did on the principal is never there when checking SecurityContextAssociation.getSecurityContext()

    ReplyDelete
  9. instagram takipçi satın al
    instagram takipçi satın al
    takipçi satın al
    takipçi satın al
    instagram takipçi satın al
    takipçi satın al
    instagram takipçi satın al
    aşk kitapları
    tiktok takipçi satın al
    instagram beğeni satın al
    youtube abone satın al
    twitter takipçi satın al
    tiktok beğeni satın al
    tiktok izlenme satın al
    twitter takipçi satın al
    tiktok takipçi satın al
    youtube abone satın al
    tiktok beğeni satın al
    instagram beğeni satın al
    trend topic satın al
    trend topic satın al
    youtube abone satın al
    beğeni satın al
    tiktok izlenme satın al
    sms onay
    youtube izlenme satın al
    tiktok beğeni satın al
    sms onay
    sms onay
    perde modelleri
    instagram takipçi satın al
    takipçi satın al
    tiktok jeton hilesi
    pubg uc satın al

    ReplyDelete
  10. Thank you for this detailed article! You can make a video about it for youtube and get many likes for your video from this site https://soclikes.com/

    ReplyDelete
  11. Nice Blog. Thanks for Sharing.
    UnoGeeks Offers the best Oracle Fusion Financials Training in the market today. If you want to become Expert Fusion Financials Consultant, Enrol in the Oracle Fusion Financials Online Training offered by UnoGeeks.

    ReplyDelete
  12. a good and fascinating post. Post regularly. Many thanks for sharing. Oracle Recruiting Cloud Training offered by UnoGeeks.

    ReplyDelete