
PAYARA-2598 Hook up Soteria Identity Stores to Payara Realms #4298

Merged
merged 9 commits into from Nov 21, 2019

Conversation

jGauravGupta (Contributor) commented Nov 5, 2019

Description

This is a feature request which provides an implementation of Identity Store mapped to realm.

The following annotations are used to trigger the realm identity store and authentication mechanism implementation:

Existing Realm instance:

If the realm already exists (e.g. default realm file, certificate, etc.) in the server, then the following annotations can be used to create the Identity Store mapping by providing the realm name:

  • @RealmIdentityStoreDefinition
  • @RealmIdentityStoreDefinitions

The @RealmIdentityStoreDefinition annotation is repeatable, hence authentication can be performed across multiple realms.

Dynamic Realm instance:

A new instance of the realm is created and registered using the create-auth-realm asadmin command, and the Realm instance is fetched from RealmsManager to perform authentication.

  • @FileIdentityStoreDefinition

Creates a new file realm instance and registers it in the DAS.

  • @CertificateAuthenticationMechanismDefinition

Configures Client Certificate Authentication just by using the annotation on a CDI bean.

  • @CertificateIdentityStoreDefinition

Creates a new certificate realm instance and registers it in the DAS.

  • @PamIdentityStoreDefinition

Creates a new PAM realm instance and registers it in the DAS.

  • @SolarisIdentityStoreDefinition

Creates a new Solaris realm instance and registers it in the DAS.

Note: If the @CertificateIdentityStoreDefinition annotation is defined, then the @CertificateAuthenticationMechanismDefinition annotation must also be defined on the CDI bean.

Limitation: The @CertificateIdentityStoreDefinition annotation can only be used together with other identity stores by providing a custom HTTPAuthenticationMechanism implementation, which must be compatible across all IdentityStores in use.

Testing

New tests

  • Payara Samples testcase for existing and dynamic Realm instance.

Testing Performed

  • Manually tested File Realm, Certificate Realm, JDBC Realm, and PAM Realm.

Test suites executed

  • Payara Samples

Testing Environment

JDK 1.8.0_172, Windows 10, Ubuntu 18.04.3 LTS (PAM realm manual testing), Oracle Solaris 11.4 (Solaris realm mock manual test)
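As an added illustration of the "existing realm instance" case described in the PR (this is example code, not code from the PR or from Payara), the following CDI bean maps two realms that are already configured on the server to identity stores and protects a servlet with the groups those realms return. The `BasicAuthenticationMechanismDefinition`, `ServletSecurity` and `HttpConstraint` annotations are standard Java EE API; the package `fish.payara.security.annotations` and the use of the annotation's `value` attribute to carry the realm name are assumptions here, and `myLdapRealm` is a constructed realm name (check the Payara API for the exact attribute names).

```java
// Added example: mapping pre-existing Payara realms to identity stores.
// ASSUMPTIONS: package name and `value` attribute of RealmIdentityStoreDefinition.
package example.security;

import javax.enterprise.context.ApplicationScoped;
import javax.security.enterprise.authentication.mechanism.http.BasicAuthenticationMechanismDefinition;
import fish.payara.security.annotations.RealmIdentityStoreDefinition;

// HTTP Basic challenges carry the realm name; credentials are then validated
// against the identity stores declared below, in order.
@BasicAuthenticationMechanismDefinition(realmName = "file")
// The server's default "file" realm (keyfile managed with `asadmin create-file-user`).
@RealmIdentityStoreDefinition("file")
// The annotation is repeatable: a second, already-configured realm is consulted
// as well. "myLdapRealm" is a constructed name for this example.
@RealmIdentityStoreDefinition("myLdapRealm")
@ApplicationScoped
public class RealmSecurityConfig {
    // No members needed: the annotations alone register the stores at deployment.
}
```

The protected resource itself needs nothing Payara-specific; group names returned by the realm are matched against the roles in a standard servlet constraint (example code, same assumptions as above):

```java
package example.security;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Only callers whose realm groups map to the "admin" role get through.
@WebServlet("/admin")
@ServletSecurity(@HttpConstraint(rolesAllowed = "admin"))
public class AdminServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container has already authenticated the caller against the
        // realm-backed identity stores; only the principal name is echoed here.
        resp.setContentType("text/plain");
        resp.getWriter().println("Authenticated as " + req.getUserPrincipal().getName());
    }
}
```

Because the realms in this variant are server-scoped and pre-existing, user and group administration stays with the usual asadmin commands rather than with the application.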

ggam commented Nov 5, 2019

Very cool. What happens when an application that created a realm is undeployed or redeployed? Is the realm removed/recreated?

@jGauravGupta jGauravGupta force-pushed the jGauravGupta:PAYARA-2598 branch from 696e7b0 to d956798 Nov 5, 2019
jGauravGupta (Contributor, Author) commented Nov 5, 2019

Hi @ggam,
On undeployment of the application, the newly created realm is not removed. And on redeployment of the application, the Identity Store checks for the existing realm before creating a new realm instance.

@jGauravGupta jGauravGupta requested a review from OndroMih Nov 6, 2019
ggam commented Nov 6, 2019

> On the undeployment of application, the newly created realm is not removed. And on the redeployment of application, Identity Store checks for the existing realm before creating the new realm instance.

You probably have already discussed this stuff, but what happens when redeploying an application with a modified realm? Would you need to remove the realm before deploying the application again? How would that work in case two applications use the same realm name?

Crazy idea: when using @DatasourceDefinition, @MailSessionDefinition and the likes, you define a JNDI namespace that can be application or server scoped. Redeploying always regenerates the resources. What about doing the same for realms? Behaviour would just be the same as for other resources, so it's predictable.

jGauravGupta (Contributor, Author) commented Nov 7, 2019

> redeploying an application with a modified realm

It depends on which attribute/property is modified:

  • If the name is modified and no realm already exists with that name, then a new realm is created.
  • If the annotation is changed (e.g. FileIdentityStoreDefinition -> PamIdentityStoreDefinition) but the name remains the same and a realm already exists with the same name but a different realm class, then an exception is thrown on deployment.
  • Modification of other properties is ignored if the realm already exists with the correct realm class.

> Would you need to remove the realm before deploying the application again?

Not required, but if the realm already exists with the same name but a different realm class, then an exception is thrown and deployment fails.

> how would that work in case two applications use the same realm name?

The realm is managed by RealmsManager (server scoped); the same realm can be used across multiple applications.

> application or server scoped

Already did some POC on application-scoped realms which are created on each deployment, but the con is that they cannot be managed from asadmin commands (or console), e.g. create-file-user etc.
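The three redeployment rules listed in the comment above, written out as a small, self-contained Java model (added example; this is not Payara code, and `RealmsManager`, `Realm`, `FileRealm`, `PamRealm` and `DeploymentException` below are hypothetical stand-ins for the server's real classes). The model makes the operational consequence visible: once a server-scoped realm exists, a redeployed application can neither change its properties nor swap its type without the administrator removing the realm first.

```java
// Added example: model of "create if absent, reuse if same class, fail if different class".
// All class names here are hypothetical stand-ins, not Payara's own types.
package example.realms;

import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class RealmRegistrationModel {

    /** Marker types standing in for the server's realm implementations. */
    static final class FileRealm {}
    static final class PamRealm {}

    /** A registered realm: name, implementing class and the properties it was created with. */
    static final class Realm {
        final String name;
        final Class<?> realmClass;
        final Map<String, String> properties;

        Realm(String name, Class<?> realmClass, Map<String, String> properties) {
            this.name = name;
            this.realmClass = realmClass;
            this.properties = Collections.unmodifiableMap(new LinkedHashMap<>(properties));
        }
    }

    /** Thrown to abort deployment when a definition conflicts with an existing realm. */
    static final class DeploymentException extends RuntimeException {
        DeploymentException(String msg) { super(msg); }
    }

    /** Server-scoped registry: one realm per name, shared by every deployed application. */
    static final class RealmsManager {
        private final Map<String, Realm> realms = new ConcurrentHashMap<>();
        Realm get(String name) { return realms.get(name); }
        void register(Realm realm) { realms.put(realm.name, realm); }
        void remove(String name) { realms.remove(name); }   // what an admin command would do
    }

    /**
     * Applied once per identity-store definition at deployment time.
     * Rule 1: unknown name -> create and register.
     * Rule 2: same name, different realm class -> deployment fails.
     * Rule 3: same name, same class -> reuse; changed properties are ignored.
     */
    static Realm registerOrReuse(RealmsManager mgr, String name,
                                 Class<?> realmClass, Map<String, String> props) {
        Realm existing = mgr.get(name);
        if (existing == null) {
            Realm created = new Realm(name, realmClass, props);
            mgr.register(created);
            return created;
        }
        if (!existing.realmClass.equals(realmClass)) {
            throw new DeploymentException("Realm '" + name + "' already exists as "
                    + existing.realmClass.getSimpleName() + ", cannot redefine as "
                    + realmClass.getSimpleName());
        }
        return existing; // properties in `props` are deliberately not applied
    }

    public static void main(String[] args) {
        RealmsManager mgr = new RealmsManager();

        // First deployment: realm does not exist yet, so it is created.
        Map<String, String> v1 = new LinkedHashMap<>();
        v1.put("file", "/tmp/keyfile-v1");            // constructed sample value
        Realm r1 = registerOrReuse(mgr, "appRealm", FileRealm.class, v1);
        System.out.println("created: " + r1.properties);

        // Redeployment with a changed property: the existing realm is reused unchanged.
        Map<String, String> v2 = new LinkedHashMap<>();
        v2.put("file", "/tmp/keyfile-v2");
        Realm r2 = registerOrReuse(mgr, "appRealm", FileRealm.class, v2);
        System.out.println("reused, still: " + r2.properties);   // keyfile-v1

        // Redeployment that switches the annotation type under the same name fails.
        try {
            registerOrReuse(mgr, "appRealm", PamRealm.class, v2);
        } catch (DeploymentException e) {
            System.out.println("deployment failed: " + e.getMessage());
        }

        // Only an explicit removal (the asadmin path) lets the new type be registered.
        mgr.remove("appRealm");
        Realm r3 = registerOrReuse(mgr, "appRealm", PamRealm.class, v2);
        System.out.println("after removal: " + r3.realmClass.getSimpleName());
    }
}
```

For an operator this means the annotation is authoritative only on first creation; subsequent changes to a dynamic realm's settings have to go through the server's own realm administration, which is also why the author prefers server-scoped realms over per-deployment ones.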

arjantijms (Contributor) commented Nov 7, 2019

Nice work @jGauravGupta :) Happy to see this issue, which internally took quite some preparation, has now finally been picked up.

One remark, I originally thought of creating a mapping to just whatever realm has been configured as the default already. It was even planned for being put in the spec, but we ran out of time.

This is essentially what javax.security.auth.message.callback.PasswordValidationCallback does in JASPIC, though in JASPIC it has the limitation to being strongly restricted to username/password.

pdudits (Contributor) left a review comment

Predefined JAAS contexts should be used for realms, this is what makes this review a "Request changes" one.

@jGauravGupta jGauravGupta requested a review from pdudits Nov 11, 2019
jGauravGupta (Contributor, Author) commented Nov 11, 2019

jenkins test please

@jGauravGupta jGauravGupta merged commit ea6afa6 into payara:master Nov 21, 2019
58 checks passed
@pdudits pdudits mentioned this pull request Nov 21, 2019