Shield Custom realm example - Login not working without Native realm

security

(Yashodhara) #1

I am trying to set up the Shield Custom realm example which is in the GIT to test out. I built the code and deployed it with the exact configuration mentioned in the Read.Me note, that is

shield:
  authc:
    realms:
      custom:
        type: custom
        order: 0
        users:
          john:
            password: changeme
            roles: user,marvel_user
          jane:
            password: changeme
            roles: admin
      native:
        type: esusers
        order: 1

So in this case, when I do a curl or access ES from the browser, it does ask for login credentials and authenticates Jane & John; however, if we were to remove the native realm, then the login dialog itself does not appear. Hence, in order to get the login dialog, I modified the CustomAuthenticationFailureHandling class to send this > e.addHeader("WWW-Authenticate", "Basic");

With this the login dialog started appearing; however, it does not authenticate the users John & Jane, and in the access log I get the following

[2016-12-28 17:14:37,532] [node-1] [rest] [anonymous_access_denied] origin_address=[192.168.3.117], uri=[/]

Can you help me understand why is this behaviour so?


(Jay Modi) #2

You are using basic authentication with the custom realm. If the native realm is there, it will extract the username and password from the basic authentication header; without it, the custom realm relies on the use of different headers (see the USER_HEADER and PW_HEADER values), so you will need to change the way you make a request to send the appropriate values in these headers.


(Yashodhara) #3

Thanks Jay, understood. I have another question on this: which section in the custom realm does the forwarding with respect to order? I mean, if the user info is not found in the custom realm, then it goes and searches in the native realm, as it is the next in order.

I have created my own authentication token because I was unable to extract the password from the UsernamePasswordToken. The authentication works fine; however, if I enter a user who is present in the native realm ("esuser"), that person is not authenticated. So it looks like, for some reason, if the user is not found in the custom realm, it does not go ahead and look it up in "native". Can you help me understand this?


(Tim Vernum) #4

It sounds like you are creating custom tokens for all users, even those that ought to be authenticated by the "native" realm.

This will not work. There is only ever 1 token created for each request. If your realm is at the top of the order, and it returns a MyCustomToken result from Realm.token then that is the token that will be used, and passed to each realm via Realm.authenticate until one of the realms successfully authenticates the user.

If you must use your own token type, then you need to make sure you're only returning tokens for users that you want to authenticate, and not for users from the native realm.

However, I don't understand why you aren't using the UsernamePasswordToken. In an earlier post you suggested that UsernamePasswordToken.credentials is encrypted, but that shouldn't be the case - if you are having trouble getting the password from that token, then you should try and resolve that.

To be completely clear, SecuredString (as returned from UsernamePasswordToken.credentials) does not perform encryption. The name is a reflection of the way it handles internal memory. If you need access to the raw password then look at SecuredString.internalChars or SecuredString.copyChars.
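The one-token-per-request chain Tim describes, as an added example that is not part of the thread and not Shield's own code: a constructed Python model in which the first realm whose token() returns something mints the request's only token, and that token is then offered to each realm's authenticate() in order. Class names, the "esuser" account and its password are assumptions made for the model; john and jane come from the config above.

```python
import base64
from collections import namedtuple
# Constructed model of the realm chain; these stand in for Shield's token classes.
UsernamePasswordToken = namedtuple("UsernamePasswordToken", "username password")
MyCustomToken = namedtuple("MyCustomToken", "username password")

def parse_basic_auth(headers):
    """Decode 'Authorization: Basic base64(user:password)'; None if absent."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    return user, password

class CustomRealm:
    USERS = {"john": "changeme", "jane": "changeme"}  # users from the README config
    def __init__(self, token_for_every_user=False):
        self.token_for_every_user = token_for_every_user  # the mistake from post #3
    def token(self, headers):
        creds = parse_basic_auth(headers)
        if creds is None:
            return None
        # Tim's fix: only mint MyCustomToken for users this realm actually owns.
        if self.token_for_every_user or creds[0] in self.USERS:
            return MyCustomToken(*creds)
        return None
    def authenticate(self, token):
        ok = isinstance(token, MyCustomToken) and self.USERS.get(token.username) == token.password
        return token.username if ok else None

class NativeRealm:
    USERS = {"esuser": "s3cret"}  # constructed sample user for the 'native' realm
    def token(self, headers):
        creds = parse_basic_auth(headers)
        return UsernamePasswordToken(*creds) if creds else None
    def authenticate(self, token):
        # The built-in realm understands only UsernamePasswordToken, never MyCustomToken.
        ok = isinstance(token, UsernamePasswordToken) and self.USERS.get(token.username) == token.password
        return token.username if ok else None

def authenticate_request(realms, headers):
    """Return the authenticated username, or None (anonymous_access_denied)."""
    token = next((t for t in (r.token(headers) for r in realms) if t), None)
    if token is None:
        return None  # no realm produced a token for this request
    return next((u for u in (r.authenticate(token) for r in realms) if u), None)

def basic_auth(user, password):
    """Build the Authorization header a browser or curl -u would send."""
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()}
```

With token_for_every_user=True the custom realm swallows the request for esuser and the native realm never sees a token it can authenticate, which is exactly the symptom from post #3.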


(Yashodhara) #5

Hey Tim, thanks for clarifying this, it made things clear for me. I got the password from UsernamePasswordToken.basicAuthHeaderValue and decoded it. Now it is working with both the custom realm and native.

