
I'm trying to become more familiar with WildFly security configuration and have some problems understanding the relation between options in server-side configs like standalone.xml and application-side configs like web.xml and jboss-web.xml.

I have several questions about this configuration, which is based on the WildFly servlet security example. I have already tried it out and it works, but several things are not clear to me.

  1. As I see it, the basic type of authentication is defined in the Authentication Factory on the server side and in web.xml on the application side. Which one has priority? Is it obligatory to declare it twice?
  2. The realm name 'RealmUsersRoles': does it mean the same entity in the server-side configs and in web.xml?
  3. Ideally, I would like an explanation of the interconnection between all the security entities mentioned in this configuration.

Here is the JBoss CLI configuration script:

```
# 1. Add the JDBC security realm creation
/subsystem=elytron/jdbc-realm=servlet-security-jdbc-realm:add(\
principal-query=[\
{sql="SELECT PASSWORD FROM USERS WHERE USERNAME = ?", data-source="MySQLDS", clear-password-mapper={password-index=1}},\
{sql="SELECT R.NAME, 'Roles' FROM USERS_ROLES UR INNER JOIN ROLES R ON R.ID = UR.ROLE_ID INNER JOIN USERS U ON U.ID = UR.USER_ID WHERE U.USERNAME = ?", data-source="MySQLDS", attribute-mapping=[{index=1, to=roles}]}])

# 2. Add a simple role decoder for the "roles" attribute mapping
/subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=roles)

# 3. Configure the servlet-security-quickstart security domain
/subsystem=elytron/security-domain=servlet-security-quickstart-sd:add(\
default-realm=servlet-security-jdbc-realm, \
realms=[{realm=servlet-security-jdbc-realm, role-decoder=from-roles-attribute}], \
permission-mapper=default-permission-mapper)

# 4. Configure the HTTP Authentication Factory
/subsystem=elytron/http-authentication-factory=servlet-security-quickstart-http-auth:add(\
http-server-mechanism-factory=global,\
security-domain=servlet-security-quickstart-sd,\
mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=RealmUsersRoles}]}])

# 5. Configure Undertow's application security domain
/subsystem=undertow/application-security-domain=servlet-security-quickstart:add(\
http-authentication-factory=servlet-security-quickstart-http-auth)
```

web.xml

```xml
<?xml version="1.0"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>RealmUsersRoles</realm-name>
    </login-config>
</web-app>
```

jboss-web.xml

```xml
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain>servlet-security-quickstart</security-domain>
</jboss-web>
```

Here is a link to the WildFly example I used as a base: https://github.com/wildfly/quickstart/tree/master/servlet-security

Here is all my code based on this example, with some modifications: https://github.com/usharik/GeekBrainsJavaEE/tree/master/lesson8-security

Jens Piegsa
Alexey Usharovski

1 Answer

  1. You need to configure the basic type of authentication in the server configuration but not in web.xml.
  2. The name of the realm is not important. It is just displayed in the browser when you get the 401 Unauthorized (the WWW-Authenticate header). If the realm name is configured in web.xml it is used, otherwise the one from the server config is used.
Erhard Siegl
  • As I found out from some experiments, on the server side we define all the authentication methods that should be possible for the applications we run on this server. In web.xml we select the exact method we want to use in this app. If I have only BASIC authentication in the server config and try to use some other in the application, I get an error. Maybe I'm wrong somewhere here. Planning to recheck that. – Alexey Usharovski Apr 04 '19 at 09:15
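How the entities in the question reference each other, as an added example that is not part of the original question, answer, or the WildFly quickstart: it walks jboss-web.xml to the Undertow application-security-domain, the Elytron http-authentication-factory, the security domain, and the realm that actually stores identities. The `SERVER` dict, `resolve` and `_text` are hypothetical names; the resource names are transcribed from the CLI script above, the realm-label precedence follows the answer, and the mechanism mismatch check follows the comment's observation.

```python
import xml.etree.ElementTree as ET

# Server-side resources, transcribed by hand from the CLI script in the question.
SERVER = {
    "undertow/application-security-domain": {"servlet-security-quickstart": {
        "http-authentication-factory": "servlet-security-quickstart-http-auth"}},
    "elytron/http-authentication-factory": {"servlet-security-quickstart-http-auth": {
        "security-domain": "servlet-security-quickstart-sd",
        "mechanisms": {"BASIC": "RealmUsersRoles"}}},  # mechanism -> mechanism-realm label
    "elytron/security-domain": {"servlet-security-quickstart-sd": {
        "default-realm": "servlet-security-jdbc-realm",
        "realms": {"servlet-security-jdbc-realm": "from-roles-attribute"}}},  # realm -> role decoder
}
# Deployment descriptors from the question, shortened to the relevant elements.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <login-config><auth-method>BASIC</auth-method><realm-name>RealmUsersRoles</realm-name></login-config>
</web-app>"""
JBOSS_WEB_XML = "<jboss-web><security-domain>servlet-security-quickstart</security-domain></jboss-web>"

def _text(root, tag):
    # Match on the local name so the Java EE namespace in web.xml does not matter.
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == tag and el.text and el.text.strip():
            return el.text.strip()
    return None

def resolve(web_xml, jboss_web_xml, server=SERVER):
    """Walk jboss-web.xml -> Undertow -> Elytron; return (chain, problems)."""
    web, jb = ET.fromstring(web_xml), ET.fromstring(jboss_web_xml)
    chain, problems = {}, []
    chain["app-domain"] = _text(jb, "security-domain")
    asd = server["undertow/application-security-domain"].get(chain["app-domain"])
    if asd is None:
        return chain, ["jboss-web.xml names an application-security-domain the server lacks"]
    chain["http-auth-factory"] = asd["http-authentication-factory"]
    factory = server["elytron/http-authentication-factory"][chain["http-auth-factory"]]
    chain["elytron-domain"] = factory["security-domain"]
    domain = server["elytron/security-domain"][chain["elytron-domain"]]
    chain["identity-realm"] = domain["default-realm"]  # where users and roles are looked up
    chain["role-decoder"] = domain["realms"][chain["identity-realm"]]
    method = _text(web, "auth-method")
    if method and method not in factory["mechanisms"]:
        problems.append(f"web.xml asks for {method}, factory offers {sorted(factory['mechanisms'])}")
    # Realm label shown in the challenge: web.xml value if present, otherwise the
    # mechanism-realm from the factory. It is a label only, not the identity realm.
    chain["challenge-realm"] = _text(web, "realm-name") or factory["mechanisms"].get(method)
    return chain, problems
```

For the configuration in the question the chain resolves with no problems, and it makes visible that `RealmUsersRoles` is only the label sent in the challenge, while `servlet-security-jdbc-realm` is the realm that holds users and roles.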