2

I'm writing an administration webapp to be deployed on WildFly. It's gonna be used by the same users that have access to the Administration Console (http://localhost:9990/). It would be great if I could just declare that my app should use HTTP Basic auth in the ManagementRealm, just like the Console does.

The naive, optimistic try did not work:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
            http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admin Panel</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>ManagementRealm</realm-name>
    </login-config>
</web-app>

This does not trigger the HTTP Basic login dialog at all. Is there any simple way to plug my app into the ManagementRealm?

rzymek

2 Answers

3

I found that I need to create a security domain that's linked with the ManagementRealm. The configuration is spread over three places:

1) A new security domain needs to be added that delegates to ManagementRealm using RealmDirect login module:

<subsystem xmlns="urn:jboss:domain:security:1.2">
    <security-domains>
        <!-- .... -->
        <!-- New domain that delegates authentication to ManagementRealm -->
        <security-domain name="management" cache-type="default">
            <authentication>
                <login-module code="RealmDirect" flag="required">
                    <module-option name="realm" value="ManagementRealm"/>
                </login-module>
            </authentication>
        </security-domain>
    </security-domains>
</subsystem>

This can be done via jboss-cli:

/subsystem=security/security-domain=management:add(cache-type=default)
/subsystem=security/security-domain=management/authentication=classic:add(\
    login-modules=[{\
        "code"=>"RealmDirect", "flag"=>"required", \
        "module-options"=>[("realm"=>"ManagementRealm")]\
    }])

2) The app needs to reference this security domain using WEB-INF/jboss-web.xml:

<jboss-web>
    <security-domain>management</security-domain>
</jboss-web>

3) Then a straightforward web.xml to turn on HTTP Basic login dialog:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
    <security-role>
        <role-name>*</role-name>
    </security-role>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admin Panel</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>[message shown in login dialog]</realm-name>
    </login-config>
</web-app>
rzymek
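An added example, not part of either answer or of WildFly itself: a Python check that classifies each security-constraint in a web.xml by whether it actually forces authentication, which is the difference between the question's descriptor and the one in the answer above. The function names, verdict labels and the transport-guarantee check are assumptions of this example, and the sample descriptors are constructed from the ones on the page.

```python
import xml.etree.ElementTree as ET

def kids(elem, name):
    """Child elements by local name, so any Java EE namespace version matches."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def audit_web_xml(xml_text):
    """Return one (url_patterns, verdict, tls_required) tuple per <security-constraint>.
    verdict: 'OPEN'          no <auth-constraint>, so no credentials are ever requested
             'DENY_ALL'      empty <auth-constraint>, every request is rejected
             'AUTH_REQUIRED' at least one <role-name> is listed
    tls_required: True only for <transport-guarantee>CONFIDENTIAL</transport-guarantee>.
    """
    root = ET.fromstring(xml_text.strip())
    findings = []
    for sc in kids(root, "security-constraint"):
        patterns = [(p.text or "").strip()
                    for wrc in kids(sc, "web-resource-collection")
                    for p in kids(wrc, "url-pattern")]
        auth = kids(sc, "auth-constraint")
        if not auth:
            verdict = "OPEN"
        elif any(kids(a, "role-name") for a in auth):
            verdict = "AUTH_REQUIRED"
        else:
            verdict = "DENY_ALL"
        # BASIC sends the password base64-encoded on every request, so flag plain HTTP.
        tls = any((t.text or "").strip() == "CONFIDENTIAL"
                  for udc in kids(sc, "user-data-constraint")
                  for t in kids(udc, "transport-guarantee"))
        findings.append((patterns, verdict, tls))
    return findings

# Constructed samples: the page's constraint with different <auth-constraint> variants.
def sample(extra):
    return f"""<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection><web-resource-name>Admin Panel</web-resource-name>
      <url-pattern>/*</url-pattern></web-resource-collection>
    {extra}
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

QUESTION = sample("")  # as in the question: no <auth-constraint>
ANSWER = sample("<auth-constraint><role-name>*</role-name></auth-constraint>")
LOCKED = sample("<auth-constraint/>")  # constructed edge case, not from the page
if __name__ == "__main__":
    print([audit_web_xml(d) for d in (QUESTION, ANSWER, LOCKED)])
```

Run against a deployment's WEB-INF/web.xml, an `OPEN` verdict on `/*` means the login-config is never exercised, and `tls_required` being false means the Basic credentials can travel over plain HTTP.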
0

WildFly won't follow the security-constraint unless you bind it to a security role:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admin Panel</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>ManagementRealm</realm-name>
    </login-config>

    <security-role>
        <role-name>*</role-name>
    </security-role>
</web-app>

This will make basic auth load but then you have the problem where ManagementRealm is only bound to the management ports in your standalone.xml, so you will have to change that. You may need to remove ApplicationRealm so it doesn't conflict.

    <management-interfaces>
        <http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
            <socket-binding http="management-http"/>
        </http-interface>
    </management-interfaces>
Tea Curran