0

I am trying to secure my application using a database login in WildFly 8.2.0.Final.
I configured my datasource in standalone.xml and it seems to work, as I can access the database:

```xml
<datasource jndi-name="java:/jdbc/Racoonda" pool-name="RacoondaDS" enabled="true" use-java-context="true">
    <connection-url>jdbc:mysql://localhost:3306/racoonda</connection-url>
    <driver>mysql</driver>
    <pool>
        <min-pool-size>1</min-pool-size>
        <max-pool-size>100</max-pool-size>
        <prefill>true</prefill>
        <use-strict-min>false</use-strict-min>
        <flush-strategy>Gracefully</flush-strategy>
    </pool>
    <security>
        <user-name>root</user-name>
        <password>root</password>
    </security>
    <validation>
        <check-valid-connection-sql>select 1</check-valid-connection-sql>
        <validate-on-match>true</validate-on-match>
        <background-validation>true</background-validation>
        <background-validation-millis>10000</background-validation-millis>
    </validation>
    <timeout>
        <idle-timeout-minutes>10</idle-timeout-minutes>
    </timeout>
    <statement>
        <prepared-statement-cache-size>10</prepared-statement-cache-size>
        <share-prepared-statements>true</share-prepared-statements>
    </statement>
</datasource>
```

And I also configured my security-domain in standalone.xml as follows:

```xml
<security-domain name="racoondaAdmin" cache-type="default">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
            <module-option name="dsJndiName" value="java:/jdbc/Racoonda"/>
            <module-option name="principalsQuery" value="SELECT password FROM Admin WHERE id=?"/>
            <module-option name="rolesQuery" value="SELECT 'Admin', 'Roles' FROM dual"/>
        </login-module>
    </authentication>
</security-domain>
```
I added the domain in my resources/WEB-INF/jboss-web.xml:

```xml
<jboss-web xmlns="http://www.jboss.com/xml/ns/javaee"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="
      http://www.jboss.com/xml/ns/javaee
      http://www.jboss.org/j2ee/schema/jboss-web_5_1.xsd">
    <security-domain>racoondaAdmin</security-domain>
</jboss-web>
```

I then tried to secure my application in resources/WEB-INF/web.xml:

```xml
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <distributable/>
    <security-constraint>
        <display-name>racoonda</display-name>
        <web-resource-collection>
            <web-resource-name>racoonda</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Admin</role-name>
        </auth-constraint>
    </security-constraint>

    <context-param>
        <param-name>resteasy.role.based.security</param-name>
        <param-value>true</param-value>
    </context-param>
    <security-role>
        <role-name>Admin</role-name>
    </security-role>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Application</realm-name>
    </login-config>
</web-app>
```

The database access works, as I can get values from the service I am trying to secure (it gets them from the database).
However, I can access it without entering any credentials. I put the log level for security to TRACE and tried every approach I could find for If anyone could help, that would be greatly appreciated. Thanks in advance

Abbel

2 Answers

1

Put your configuration files in the src/main/webapp/WEB-INF folder.

Alf
  • I tried doing this manually and rezipping the file, but then WildFly threw an error (seemed like it did not like the way it was packaged) and the webapp folder is copied one to one into the WEB-INF/classes/WEB-INF folder – Abbel Jul 05 '16 at 21:13
  • OK, now I deployed it like this (with WEB-INF and META-INF in the resources/webapp folder) and it has the same behaviour – Abbel Jul 05 '16 at 21:19
  • Ah sorry, I misread it. I will try it directly under the main folder – Abbel Jul 05 '16 at 21:19
  • Do you know what to do with my deployment-structure and beans.xml? Do they need to be in webapp/META-INF too? – Abbel Jul 05 '16 at 21:24
  • It worked! Thank you so, so much... I am not sure if I misunderstood the other guides or if it was described wrong, but I am fairly sure that if it was not for you I would have written the whole auth thing myself out of frustration. I marked your answer as the correct one. Thanks again! – Abbel Jul 05 '16 at 21:25
  • You're welcome. Put deployment-structure and beans.xml in the webapp/WEB-INF – Alf Jul 05 '16 at 21:27
  • OK, I will, but now I have to go. Thanks again – Abbel Jul 05 '16 at 21:34
  • Everything seems to work now, but I got a related problem: my passwords are stored in md5 in the database and I added these two lines (I want to use basic auth, so that's why I put base64): however I still get the unauthorized error. Any ideas why this might happen? – Abbel Jul 07 '16 at 13:48
  • Open another question with actual settings. – Alf Jul 08 '16 at 08:40
0

Yes, I also added it as the default domain since some other posts pointed that out. It seems like WildFly does not invoke it at all.
EDIT: I noticed I answered my own question, not @Alf's comment... please ignore this one :)

Abbel
  • Try to get the HttpServletRequest from your jax-rs class and call [isUserInRole("Admin")](http://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpServletRequest.html#isUserInRole-java.lang.String-) and [getRemoteUser()](http://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpServletRequest.html#getRemoteUser--) to understand if you are logged in in some way or not. – Alf Jul 05 '16 at 20:26
  • isUserInRole returns false and getRemoteUser is null :/ Seems like the security domain is not even used – Abbel Jul 05 '16 at 20:39
  • Check your war artifact to see if the configuration files are in the right place – Alf Jul 05 '16 at 20:51
  • In the .war I got two folders, WEB-INF and META-INF. In WEB-INF there is a classes folder, and in that there are WEB-INF and META-INF again, and the web.xml and jboss-web.xml are in the WEB-INF/classes/WEB-INF – Abbel Jul 05 '16 at 20:55
  • Do you know if I can configure this for my Maven build? – Abbel Jul 05 '16 at 21:00
  • My apologies. A couple of years ago I created a parent pom for all of my projects and configured a folder called webconfig where I put all my web config files, so I completely forgot that web.xml should be put in the webapp/WEB-INF folder. I deleted the wrong answer and created another one. – Alf Jul 05 '16 at 21:08
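
The packaging fault found in the comments above (descriptors landing under WEB-INF/classes/WEB-INF, so the constraint is never applied) can be checked on the built artifact before deployment. This is an added example, not code from the original posts; `audit_war`, `build_war` and the reduced sample descriptors are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Paths inside the WAR where the container looks for each descriptor.
DESCRIPTORS = {"web.xml": "WEB-INF/web.xml", "jboss-web.xml": "WEB-INF/jboss-web.xml"}

# Constructed sample descriptors, reduced from the ones in the question.
WEB_XML = b"""<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint><web-resource-collection>
    <url-pattern>/*</url-pattern><http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>Admin</role-name></auth-constraint></security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""
JBOSS_WEB_XML = (b'<jboss-web xmlns="http://www.jboss.com/xml/ns/javaee">'
                 b"<security-domain>racoondaAdmin</security-domain></jboss-web>")

def build_war(prefix):
    """Build an in-memory WAR with both descriptors under `prefix` (constructed fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr(prefix + "web.xml", WEB_XML)
        war.writestr(prefix + "jboss-web.xml", JBOSS_WEB_XML)
    return buf.getvalue()

def _texts(root, name):
    """Text of every descendant element called `name`, ignoring XML namespaces."""
    return [(e.text or "").strip() for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit_war(war_bytes):
    """Report misplaced descriptors and the security settings read from the correct paths."""
    report = {"misplaced": {}, "security_domain": None, "auth_method": None, "protected": []}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        names = [n for n in war.namelist() if not n.endswith("/")]
        for fname, expected in DESCRIPTORS.items():
            if expected not in names:
                # Copies found elsewhere are listed; an empty list means the file is absent.
                report["misplaced"][fname] = [n for n in names if n.rsplit("/", 1)[-1] == fname]
                continue
            root = ET.fromstring(war.read(expected))
            if fname == "jboss-web.xml":
                report["security_domain"] = (_texts(root, "security-domain") or [None])[0]
                continue
            report["auth_method"] = (_texts(root, "auth-method") or [None])[0]
            for sc in (e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "security-constraint"):
                report["protected"].append({"patterns": _texts(sc, "url-pattern"),
                                            "methods": _texts(sc, "http-method") or ["<all>"],
                                            "roles": _texts(sc, "role-name")})
    return report
```

For a real build, pass the bytes of the generated .war file to `audit_war`; an empty `protected` list means no security constraint is read from the archive. A `methods` list other than `<all>` means the constraint covers only those HTTP methods.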