
Using failover realm in Elytron

source link: https://wildfly-security.github.io/wildfly-elytron/blog/failover-realm/

Example

Below is an example of adding a failover-realm with a primary LDAP realm and a failover filesystem realm.

To keep this example simple, we use a containerised version of OpenLDAP. With Docker installed, run the following:

$ docker run --env LDAP_ORGANISATION="wildfly" --env LDAP_DOMAIN="wildfly.org" --env LDAP_ADMIN_PASSWORD="admin" --detach osixia/openldap

You can check its IP address with the following command:

$ docker inspect --format '{{ .NetworkSettings.IPAddress }}' $(docker ps -q)
172.17.0.2

Use any LDAP browser to check that the connection works and to import a sample LDIF file containing a single user named "user" who is granted the role "Admin":

dn: ou=Users,dc=wildfly,dc=org
objectClass: organizationalUnit
objectClass: top
ou: Users

dn: uid=user,ou=Users,dc=wildfly,dc=org
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: Jane
sn: user
uid: user
userPassword: secret123

dn: ou=Roles,dc=wildfly,dc=org
objectclass: top
objectclass: organizationalUnit
ou: Roles

dn: cn=Admin,ou=Roles,dc=wildfly,dc=org
objectClass: top
objectClass: groupOfNames
cn: Admin
member: uid=user,ou=Users,dc=wildfly,dc=org

Next, configure the LDAP realm in the elytron subsystem with the appropriate identity and attribute mappings. The dir-context points at the container IP address obtained above:

/subsystem=elytron/dir-context=exampleDC:add(url="ldap://172.17.0.2:389",principal="cn=admin,dc=wildfly,dc=org",credential-reference={clear-text="admin"})
/subsystem=elytron/ldap-realm=exampleLdapRealm:add(dir-context=exampleDC,identity-mapping={search-base-dn="ou=Users,dc=wildfly,dc=org",rdn-identifier="uid",user-password-mapper={from="userPassword"},attribute-mapping=[{filter-base-dn="ou=Roles,dc=wildfly,dc=org",filter="(&(objectClass=groupOfNames)(member={1}))",from="cn",to="Roles"}]})

Add a filesystem realm that contains the same identity user with the role Admin as well:

/subsystem=elytron/filesystem-realm=exampleFSRealm:add(path=demofs-realm-users,relative-to=jboss.server.config.dir)
/subsystem=elytron/filesystem-realm=exampleFSRealm:add-identity(identity=user)
/subsystem=elytron/filesystem-realm=exampleFSRealm:set-password(identity=user,clear={password="secret123"})
/subsystem=elytron/filesystem-realm=exampleFSRealm:add-identity-attribute(identity=user,name=Roles, value=["Admin"])

Configure a failover-realm that uses the filesystem realm as the failover when the LDAP realm is not available:

/subsystem=elytron/failover-realm=failoverRealm:add(delegate-realm=exampleLdapRealm,failover-realm=exampleFSRealm)

Add a security domain that uses this failover realm, together with a role decoder that decodes roles from the Roles attribute:

/subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=Roles)
/subsystem=elytron/security-domain=failoverSD:add(default-realm=failoverRealm,permission-mapper=default-permission-mapper,realms=[{realm=failoverRealm,role-decoder="from-roles-attribute"}])

Add an HTTP authentication factory that uses this new security domain and the BASIC authentication mechanism. Finally, configure Undertow to use this HTTP authentication factory:

/subsystem=elytron/http-authentication-factory=example-failover-http-auth:add(http-server-mechanism-factory="global",mechanism-configurations=[{mechanism-name="BASIC",mechanism-realm-configurations=[{realm-name="RealmUsersRoles"}]}],security-domain=failoverSD)
/subsystem=undertow/application-security-domain=httpSD:add(http-authentication-factory=example-failover-http-auth)

Clone the example from https://github.com/wildfly-security-incubator/elytron-examples/tree/master/failover-realm and deploy it to the running WildFly instance:

mvn clean install wildfly:deploy

After the application has been deployed successfully, open http://localhost:8080/failover-realm-demo/secure in your browser. You will be prompted to authenticate; provide the username user and the password secret123.

The security domain is configured to use the failover realm. Since the LDAP realm is configured as the delegate realm, this authentication request was handled by the LDAP realm.

Use Docker to pause the OpenLDAP container (${CONTAINER} is the ID or name of the container started above):

$ docker pause ${CONTAINER}

The docker pause command suspends all processes in the specified container, so the LDAP realm can no longer establish a connection to the OpenLDAP instance running in it.

When you access http://localhost:8080/failover-realm-demo/secure and authenticate again, the LDAP realm first tries to establish the connection, so you might notice a slight delay in your authentication. Once the connection timeout is exceeded, the failover filesystem realm is used for authentication instead. Since the user is present in the filesystem realm as well, you will be able to log in successfully.

To use the ldap-realm instead of the filesystem-realm again, unpause the container:
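As an added illustration (not Elytron's code and not part of the original post), the following Python model shows the behaviour this walkthrough relies on: the failover realm is consulted only when the delegate raises an unavailability error, not when the delegate is reachable and simply rejects the password, and every fallback is logged and counted so that logins served by the secondary realm can be detected and reviewed. The realm classes, the hypothetical connect timeout and the identity data are constructed for the example.

```python
import logging
import time
log = logging.getLogger("failover-realm")

class RealmUnavailableError(Exception):
    """The realm could not be reached (e.g. LDAP connection timeout)."""

class FileSystemRealm:
    """Constructed stand-in for the filesystem realm: identities in a dict."""
    def __init__(self, identities):
        self.identities = identities  # name -> (clear password, roles)

    def authenticate(self, user, password):
        entry = self.identities.get(user)
        if entry is None or entry[0] != password:
            return None  # unknown user or wrong password: an ordinary rejection
        return {"name": user, "roles": list(entry[1])}

class LdapRealm(FileSystemRealm):
    """Constructed stand-in for the LDAP realm: an availability switch plus the
    connect timeout that is waited out while the directory is paused."""
    def __init__(self, identities, connect_timeout=0.05):
        super().__init__(identities)
        self.available = True
        self.connect_timeout = connect_timeout

    def authenticate(self, user, password):
        if not self.available:
            time.sleep(self.connect_timeout)  # the "slight delay" the user notices
            raise RealmUnavailableError("ldap://172.17.0.2:389 unreachable")
        return super().authenticate(user, password)

class FailoverRealm:
    """Ask the delegate first; use the failover realm only if the delegate is unavailable."""
    def __init__(self, delegate, failover):
        self.delegate, self.failover = delegate, failover
        self.failover_count = 0  # logins served by the secondary realm (worth alerting on)

    def authenticate(self, user, password):
        try:
            return self.delegate.authenticate(user, password)
        except RealmUnavailableError as exc:  # not triggered by a wrong password
            self.failover_count += 1
            log.warning("delegate unavailable (%s); failover realm used for %r", exc, user)
            return self.failover.authenticate(user, password)

def build_demo():
    """The page's setup: user/secret123 with role Admin present in both realms."""
    ident = {"user": ("secret123", ["Admin"])}
    return FailoverRealm(LdapRealm(dict(ident)), FileSystemRealm(dict(ident)))
```

Setting `delegate.available = False` plays the role of `docker pause`; the warning counter is the signal a defender would forward to monitoring, since credentials in the secondary realm may be stale or managed separately.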

$ docker unpause ${CONTAINER}
