WildFly Elytron for Management authentication with multiple Realms


I am trying to configure WildFly Elytron to allow authentication on the Management Interface using two different Realms with a fallback.

For the example I have a ManagementRealm and a MyLDAPRealm that I want to use. If the user is recognized in the ManagementRealm, the user should have access to the management interface. If not, I want to try the MyLDAPRealm. If the user is recognized this time, he should have access to the management interface. If not, it should fail. A simple fallback.

I updated the standalone.xml configuration to use Elytron but it is currently not working and the documentation is not helping as much as hoped. Currently I have the following configuration bits.

The management interface is using the authentication factory that I want to configure:

<management-interfaces>
    <http-interface http-authentication-factory="management-http-authentication" ssl-context="localhostSslContext">
        <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
        <socket-binding http="management-http" https="management-https"/>
    </http-interface>
</management-interfaces>

The authentication factory links to the Management Domain that I will update:

<http-authentication-factory name="management-http-authentication" security-domain="ManagementDomain" http-server-mechanism-factory="global">
    <mechanism-configuration>
        <mechanism mechanism-name="DIGEST">
            <mechanism-realm realm-name="Management and LDAP"/>
        </mechanism>
    </mechanism-configuration>
</http-authentication-factory>

And the Management Domain I updated to include an additional Realm:

<security-domain name="ManagementDomain" default-realm="ManagementRealm" permission-mapper="default-permission-mapper">
  <realm name="ManagementRealm" role-decoder="groups-to-roles"/>
  <realm name="MyLDAPRealm" role-decoder="groups-to-roles"/>
  <realm name="local" role-mapper="super-user-mapper"/>
</security-domain>

With this configuration, the user is authenticated and allowed in if they are in the ManagementRealm, but not if they are in the MyLDAPRealm.

Is this configuration possible, or am I missing something in the Elytron chain?

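The behaviour described in the question follows from how an Elytron security-domain picks a realm: listing several `<realm>` entries does not make the domain try them in turn. Every authentication goes to `default-realm` unless a realm-mapper (as the `local` realm is selected by the `JBOSS-LOCAL-USER` mechanism) names another realm. A try-then-fall-back chain therefore has to be a realm of its own, and since WildFly 25 Elytron ships one for exactly this: `distributed-realm`, which queries its `realms` in order and uses the first that returns an identity. Two further caveats a practitioner will hit: the realm string of HTTP DIGEST is an input to the stored hash (HA1 = MD5(user:realm:password)), so the hashes in `mgmt-users.properties`, computed with `digest-realm-name="ManagementRealm"`, will not verify under a mechanism realm called "Management and LDAP"; and an LDAP realm that verifies by binding as the user (`direct-verification`) needs the clear password, which DIGEST never delivers, so the management interface has to use BASIC (HTTP) and PLAIN (SASL), both acceptable here because the interface already runs over `localhostSslContext`. The fragments below are an added example written for this answer, not configuration from the question or from the WildFly distribution; they assume WildFly 25 or newer, reuse the realm names from the post, and invent the realm name `ManagementAndLDAP`, the dir-context name, the LDAP URL, DNs and attribute names, which all need to be replaced with real values.

```xml
<!-- Added example (not the poster's configuration): elytron subsystem fragments of standalone.xml.
     Assumes WildFly 25+ (distributed-realm exists since then). Names marked "assumed" are invented. -->

<!-- dir-context: connection the LDAP realm uses; URL, bind DN and password are assumed placeholders -->
<dir-contexts>
    <dir-context name="ldapDirContext" url="ldap://ldap.example.com:389" principal="cn=admin,dc=example,dc=com">
        <credential-reference clear-text="changeme"/>
    </dir-context>
</dir-contexts>

<security-realms>
    <!-- Unchanged shape of the stock ManagementRealm: digest-realm-name must stay "ManagementRealm",
         because that string is baked into every hash in mgmt-users.properties -->
    <properties-realm name="ManagementRealm">
        <users-properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ManagementRealm"/>
        <groups-properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
    </properties-realm>

    <!-- direct-verification="true": the realm binds to LDAP as the user instead of reading userPassword,
         so it works with hashed LDAP passwords, but only for mechanisms that carry the clear password
         (BASIC / PLAIN), not DIGEST. search-base-dn, rdn-identifier and the group filter are assumed. -->
    <ldap-realm name="MyLDAPRealm" dir-context="ldapDirContext" direct-verification="true">
        <identity-mapping rdn-identifier="uid" search-base-dn="ou=people,dc=example,dc=com">
            <attribute-mapping>
                <!-- group names land in the "Roles" attribute, which groups-to-roles turns into roles -->
                <attribute from="cn" to="Roles" filter="(member={1})" filter-base-dn="ou=groups,dc=example,dc=com"/>
            </attribute-mapping>
        </identity-mapping>
    </ldap-realm>

    <!-- The fallback itself (name assumed): realms are queried left to right, first hit wins.
         A user unknown to ManagementRealm is looked up in MyLDAPRealm; unknown to both fails. -->
    <distributed-realm name="ManagementAndLDAP" realms="ManagementRealm MyLDAPRealm"/>
</security-realms>

<!-- The domain points at the distributed realm as its default. "local" stays, but it is only ever
     reached through the realm-mapper below, never by fallback. -->
<security-domain name="ManagementDomain" default-realm="ManagementAndLDAP" permission-mapper="default-permission-mapper">
    <realm name="ManagementAndLDAP" role-decoder="groups-to-roles"/>
    <realm name="local" role-mapper="super-user-mapper"/>
</security-domain>

<!-- HTTP side: BASIC so both realms receive the clear password (the interface is TLS-only via
     ssl-context="localhostSslContext"). The realm name shown to clients is free-form for BASIC. -->
<http-authentication-factory name="management-http-authentication" security-domain="ManagementDomain" http-server-mechanism-factory="global">
    <mechanism-configuration>
        <mechanism mechanism-name="BASIC">
            <mechanism-realm realm-name="ManagementRealm"/>
        </mechanism>
    </mechanism-configuration>
</http-authentication-factory>

<!-- SASL side for jboss-cli over the http-upgrade: PLAIN for the same reason as BASIC above;
     JBOSS-LOCAL-USER keeps silent local-host admin access via the "local" realm-mapper -->
<sasl-authentication-factory name="management-sasl-authentication" sasl-server-factory="configured" security-domain="ManagementDomain">
    <mechanism-configuration>
        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
        <mechanism mechanism-name="PLAIN"/>
    </mechanism-configuration>
</sasl-authentication-factory>
```

A quick check after reloading: an `mgmt-users.properties` user and an LDAP-only user should both be able to log in to the console, and a user in neither should be rejected; for the failing case, watch the LDAP server's bind log to confirm the second realm was actually consulted. On servers older than WildFly 25 there is no `distributed-realm`, and this fallback has to be built as a custom realm instead.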