
I have been attempting to get a simple Basic Authentication example working with WildFly 8.1.0, immutant, and friend. I'm willing to post any code desired, but I'm not sure what would be needed at this point. For now, I'll assume my standalone.xml, web.xml, and jboss-web.xml all contain the correct data -- that may not be the case, but for now I'll just dive into the problem.

I have an application with a simple /test resource. I've deployed it on WildFly and use Basic Authentication to attempt to access it. Also, I've checked my application-roles.properties and application-users.properties files and they seem fine.

When I attempt to log in, I see the following trace from WildFly:

14:30:36,681 TRACE [org.jboss.security] (default task-1) PBOX000210: defaultLogin, login context: javax.security.auth.login.LoginContext@4c89fc2c, subject: Subject(1313538088).principals=org.jboss.security.SimplePrincipal@99148614(tester-na)org.jboss.security.SimpleGroup@83654093(Roles(members:elm-nss-admin))org.jboss.security.SimpleGroup@83654093(CallerPrincipal(members:tester-na))

The user is tester-na and you can see that it is a member of elm-nss-admin.

When I use a bad password, WildFly catches it and my application never does any check. However, when I send the correct password, the above trace is logged and it calls my authentication handler.

The problem is that my authentication handler fails because a call to getUserPrincipal() returns NULL. The resource is protected; here are my security constraints:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Resources</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

When I use LDAP, this isn't a problem. I think it's because LDAP supplied a certificate and WildFly passes up the cookie.

But with Basic Auth, I'm not getting a cookie. I won't barf the debug output unless requested (it's quite verbose), but the relevant bits are: :cookies {}, :context , :session nil

I'm guessing that getUserPrincipal() fails because I'm still in the act of authenticating?

So, any ideas on how I can get the user data/permissions from WildFly so friend can be passed the proper data to authenticate/authorize with?

#

Update: I was able to create a simple application with the same XML files I'm using for the production app and it isn't failing. For interest, and for those who use Stack Overflow for answers as much as I do, here are the relevant parts:

From standalone.xml in security-realms:

<security-realm name="ApplicationRealm">
    <authentication>
        <local default-user="$local" allowed-users="*"/>
        <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
    <authorization>
        <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
    </authorization>
</security-realm>

and in <subsystem xmlns="urn:jboss:domain:security:1.2"> I have:

<security-domain name="other" cache-type="default">
    <authentication>
        <login-module code="Remoting" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="RealmDirect" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
    </authentication>
</security-domain>
<security-domain name="jboss-web-policy" cache-type="default">
    <authorization>
        <policy-module code="Delegating" flag="required"/>
    </authorization>
</security-domain>
<security-domain name="jboss-ejb-policy" cache-type="default">
    <authorization>
        <policy-module code="Delegating" flag="required"/>
    </authorization>
</security-domain>

In my web.xml file (in the war-resources/WEB-INF folder):

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ApplicationRealm</realm-name>
</login-config>

The jboss.xml file, in the same directory, is:

<jboss-web>
  <context-root></context-root>
  <security-domain>other</security-domain>
</jboss-web>

Since these settings are working with my simple application, I'll start looking for something project-specific as to why WildFly isn't giving me the user in my production code.

Any helpful suggestions would be greatly appreciated. Even just a suggestion as to where to start looking.

#

Problem solved. Turns out the user was being logged out before I was attempting to authorize access to a specific resource. :P

VC1

1 Answer


Steven solved the problem himself:

Problem solved. Turns out the user was being logged out before I was attempting to authorize access to a specific resource. :P

Jon Onstott
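
One way to confirm the cause reported in the answer, as an added example that is not code from the original post: a servlet filter that logs the container's view of the caller on entry and exit, so a logout that happens while the request is being handled shows up as a principal that was present and is then null. The class name PrincipalTraceFilter and its mapping to /* in web.xml are assumptions, as is the use of the javax.servlet API that ships with WildFly 8.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

// Hypothetical diagnostic filter (added example, not from the original post).
// Assumed to be mapped to /* in web.xml, ahead of the application servlet.
public class PrincipalTraceFilter implements Filter {
    private static final Logger LOG =
            Logger.getLogger(PrincipalTraceFilter.class.getName());

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    // Summarise the container's view of the caller. The session id and the
    // Authorization header are deliberately kept out of the log line.
    static String describe(HttpServletRequest req) {
        Principal p = req.getUserPrincipal();
        return "principal=" + (p == null ? "null" : p.getName())
                + " authType=" + req.getAuthType()
                + " session=" + (req.getSession(false) == null ? "none" : "present");
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        boolean authenticatedOnEntry = req.getUserPrincipal() != null;
        LOG.info("enter " + req.getRequestURI() + " " + describe(req));
        try {
            chain.doFilter(rq, rs);
        } finally {
            LOG.info("exit  " + req.getRequestURI() + " " + describe(req));
            // Present on entry but null on exit: something inside the request,
            // such as HttpServletRequest.logout(), dropped the identity.
            if (authenticatedOnEntry && req.getUserPrincipal() == null) {
                LOG.warning("principal cleared while handling " + req.getRequestURI());
            }
        }
    }
}
```

If the entry line already shows principal=null on a URL covered by the auth-constraint, the identity was lost before the application ran and the place to look is the container configuration rather than the handler.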