I am trying to migrate wildfly authentication to elytron and got almost everything to work as i want except for one problem.
We are using quartz scheduler to run jobs. These jobs are not bound to a caller principle. Using
SecurityContextAssociation.pushRunAsIdentity(new RunAsIdentity("My_Role", "My_User"));
i was able propagate a princple to following EJB calls. This is not working anymore, the principle is always "anonymous". Is there a way to do the same with Elytron?
Maybe you can use some variation of following:
SecurityIdentity si = SecurityDomain.getCurrent().getCurrentSecurityIdentity();
si.createRunAsIdentity(...);
The current identity needs to have permissions for it to succeed, so if you'll get unauthorized exception you should add RunAsPrincipal permissions to that user: https://developer.jboss.org/people/fjuma/blog/2018/06/01/configuring-permissions-using-elytron-in-wildfly-13
Related
I am facing a weird problem today, when running my MuleSoft application locally from my AnypointStudio and firing a request from postman, I am getting 403 error. When debugging I found out that the application is checking for flowVars._clientName, however it is missing. According to this documentation, actually yes flowVars._clientName is expected.
https://help.mulesoft.com/s/article/How-to-get-the-client-application-name-in-a-flow-based-on-the-client-id-and-client-secret.
So my application fails with 403 error. Seems that other environments are working perfectly fine.
And yes it is using Client Id enforcement.
Any clues?
Without more details it looks like the issue is inside the logic of your application. The KB article that you referenced is a how to in case you need to obtain the client name. It doesn't say that you have to use for authentication. You don't describe how the application does authentication/authorization. Is it in a flow? Or in a policy? If it is the standard Client ID enforcement policy, the expressions to evaluate client id and secret can be configured, but I don't think the default is not #[flowVars._clientName] nor #[flowVars._clientId].
Note that Exchange is basically a repository of APIs and other artifacts. It doesn't authenticate anything at execution time. Unless your application is trying to use it somehow, but I can't think of a reason for that.
The issue was resolved only by re-downloading Anypoint Studio and mule runtime. Very weird, it was happening only for one application, not for the others. Creating a new workspace did not help, deleting the application and re-cloning and installing did not help, even recloning in a new directory did not help. Only using a new Anypoint Studio and runtime installation resolved it (even with the old code base) ...
I've installed FusionAuth (awesome product) into a Docker Swarm cluster using the official docker-compose.yml file and everything seems to work brilliantly.
EXCEPT
Periodically, when a user goes to login they will be presented with the above error stating that the search engine is not available. If they try again immediately then everything works correctly! I would, obviously, prefer that they never saw the error.
Elasticsearch is definitely running and is responding to API calls correctly, and I can see the fusionauth_user index is present and populated with docs.
I guess my question is two fold:
1) What role does the ElasticSearch engine play in the FusionAuth ecosystem and can it be disabled?
2) Is there a configurable timeout somewhere that is causing the error message and, if so, where can change it?
I've search the docs for answers to the above but I can't seem to find anything :-(
Thanks for the kind feedback.
1) What role does the ElasticSearch engine play in the FusionAuth ecosystem and can it be disabled?
Elasticsearch provides full text search of user data. Each time a user is created or updated the user is re-indexed. In this case during login, we are updating the search index with the last login instant.
This service is required and cannot be disabled. We have had clients request to make this service optional for embedded applications or small scale scenarios where Elasticsearch may not be required. While this is not currently in plan, it is possible we may revisit this option in the future.
2) Is there a configurable timeout somewhere that is causing the error message and, if so, where can change it?
Not currently.
Full disclosure, I am not a Docker or Docker Swarm expert at all - perhaps there are some nuances to Swarm and response time due to spin up and spin down of resources?
Do you see any exceptions in the log when a user sees this error on the login?
I have Storm working on my own Kerberos realm, but in order to connect to my corporate realm, I'm beholden to their rules. There is only one production AD, so I need to make non-prod and prod versions of all principals. Thus far, I have changed my Storm cluster config to use "storm_np" in non-prod and everything works. (i.e. storm_np#REALM and storm_np/HOST#REALM)
However, the UI seems to always try to run as HTTP/HOST#REALM so I can't get in. Before I changed the principals, I would kinit as HTTP#REALM and I could see the UI just fine. Now, I'm not sure how to (1) tell the UI to run as a different principal and (2) kinit locally so i can get to it
I'm hoping for a property of some kind. To make the "storm_np" changes, I was able to change startup properties and jaas configs. I'd love to find the same for this.
I'm using ActiveMQ 5.10 and would like to create a user that has read-only access through the web console.
Red Hat published this article, mentioning that it's not really read only due to a bug in ActiveMQ.
According to the bug report AMQ-4567, the bug is fixed as of ActiveMQ 5.9. However, I'm not seeing it work appropriately.
I have tried a number of different configurations, with the most recent being two separate JAAS implementations, one for Jetty and one for ActiveMQ. The relevant property files are excerpted below.
I can mostly log in to the web console using the "system" user. But the guest user doesn't work at all. The application user (appuser) doesn't need access to the web console at all.
My authN/authZ needs are pretty trivial: one admin user, one application account, and one read-only monitoring account.
Is there any good way to get this working with a recent version of ActiveMQ (>= 5.9.0)?
groups.properties
admins=system
users=appuser,admin
guests=guest
users.properties
system={password redacted}
appuser=appuser
guest=guest
jetty-realm.properties
system: MD5:46cf1b5451345f5176cd70713e0c9e07,user,admin
guest: guest,guest
As an aside, I used the Jetty tutorial and the Rundeck instructions to figure out the jetty-realm.properties file and chapter 6 of ActiveMQ in Action to work out the ActiveMQ JAAS.
I was finally able to get to what I wanted by deploying the web console to an external Tomcat instance. I assume that when it runs out of process, it can't bypass security and so has to use whatever credentials you provide. In this case, I gave the Tomcat instance the read-only JMX user credentials.
It's not great, as there is no security trimmed UI. You can still attempt to create new destinations, delete destinations, etc. When you try with a read-only user, you get an error. That gets a "D" for UX, but a "B" for security.
I just went through this tutorial:
http://java.sun.com/docs/books/tutorial/security/tour2/index.html
And was curios about the basic concept of JAAS... If every applcation needs to be run with the '-Djava.security.manager -Djava.security.policy=...' flags, what is enforcing security? Is it up to the end user to know when any Java application is being run, and modify the executable/script/whatever to include those flags? Or, how does a developer enforce that an application is run with the security manager enabled?
The whole concept doesnt seem very functional to me - as it is by default not enabled... Am I missing something?
This code should work:
// Set policy
System.setProperty("java.security.policy", "PATH_TO_POLICY_FILE");
// Enable security manager
System.setSecurityManager(new SecurityManager());