Digest authentication with JBoss AS7
philippe.ventrillon Sep 28, 2011 9:15 AM
Hello,
I am porting an application from JBoss 6 to JBoss 7, and I experience problems with setting up DIGEST authentication.
Digest authentication never succeeds.
I am using JBoss as 7.0.2-Final.
As I have spent a lot of time googling around the problem and trying lots of combinations, and because it works nearly as-is with JBoss 6, I ask the following questions:
- Is Digest authentication supposed to work with JBoss 7?
- Is this behavior a bug?
- Did I miss something related to JBoss 7 changes?
Digging further I also found 2 strange things:
- the class RFC2617Digest is not included in JBoss AS 7
- traces seem to indicate the LoginModule is never called
Please help
Here are some highlights of what my application is.
I have a very small test case, easy and straightforward to deploy (at least with JBoss 7), with one servlet, one JSP and one static page.
I set up the following authentication constraints in web.xml:

web.xml (extract)

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Snoop resources</web-resource-name>
            <url-pattern>/SnoopServlet</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>friend</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>friend</role-name>
    </security-role>
    <login-config>
        <auth-method>DIGEST</auth-method>
        <realm-name>wtpTuto1Realm</realm-name>
    </login-config>
Here is my jboss-web.xml:

jboss-web.xml

    <?xml version="1.0"?>
    <jboss-web>
        <context-root>wtpTuto1</context-root>
        <!-- Reference to the security domain -->
        <security-domain>java:/jaas/wtpTuto1</security-domain>
    </jboss-web>
standalone.xml (extract)

    <security-domain name="wtpTuto1">
        <authentication>
            <login-module code="UsersRoles" flag="required">
                <module-option name="usersProperties" value="props/users.properties" />
                <module-option name="rolesProperties" value="props/roles.properties" />
                <module-option name="unauthenticatedIdentity" value="anonymous" />
                <module-option name="hashAlgorithm" value="MD5" />
                <module-option name="hashEncoding" value="rfc2617" />
                <module-option name="hashUserPassword" value="false" />
                <module-option name="hashStorePassword" value="true" />
                <module-option name="passwordIsA1Hash" value="true" />
                <module-option name="storeDigestCallback" value="org.jboss.security.auth.spi.RFC2617Digest" />
            </login-module>
        </authentication>
    </security-domain>
The trace shows the following output after I enter my login and password:
14:31:42,739 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--0.0.0.0-8080-1) Security checking request GET /wtpTuto1/SnoopServlet
14:31:42,739 DEBUG [org.apache.catalina.realm.RealmBase] (http--0.0.0.0-8080-1) Checking constraint 'SecurityConstraint[Snoop resources]' against GET /SnoopServlet --> true
14:31:42,740 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--0.0.0.0-8080-1) Calling hasUserDataPermission()
14:31:42,740 DEBUG [org.apache.catalina.realm.RealmBase] (http--0.0.0.0-8080-1) User data constraint has no restrictions
14:31:42,740 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--0.0.0.0-8080-1) Calling authenticate()
14:31:42,742 DEBUG [org.apache.catalina.realm.RealmBase] (http--0.0.0.0-8080-1) Digest : 5ce5c01cd76610d80c389675e8a5db80 Username:mlo ClientSigest:5ce5c01cd76610d80c389675e8a5db80 nOnce:ce105e03e45722b0022e5a8d830c32fc nc:00000001 cnonce:8c76ad16afaeaac3 qop:auth realm:wtpTuto1Realmmd5a2:54b07f4a17d8f6ceb23410fc1309b1ac Server digest:13bc7742a1a0bb080686ed120d76c947
14:31:42,742 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--0.0.0.0-8080-1) Failed authenticate() test
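Added worked example (not from the post above and not JBoss code): the RFC 2617 arithmetic behind the trace. The last RealmBase line prints the digest the browser sent ("Digest"/"ClientSigest") next to the one the server recomputed ("Server digest"); they differ, so the HA1 the server used is not the HA1 the browser derived. HA1 is MD5(username:realm:password) where realm is the <realm-name> the server put in its WWW-Authenticate challenge (here wtpTuto1Realm), so a stored A1 hash computed with any other realm string (for instance the security-domain name wtpTuto1) or a different password can never verify. The code below builds both sides of the exchange and shows that mismatch. The nonce, nc, cnonce, username and URI are taken from the trace; the password, the users.properties helper and the hex encoding of the stored hash are assumptions for the example.

```python
"""RFC 2617 Digest authentication arithmetic (MD5, qop=auth), both sides.

Added example; values marked 'constructed' are not from the original post.
"""
import hashlib
import hmac


def md5_hex(data: str) -> str:
    """RFC 2617 H(): MD5 of the UTF-8 bytes, lowercase hex."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def a1_hash(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password).

    This is the value a users.properties entry holds when the login module
    is told passwordIsA1Hash=true. 'realm' must be the <realm-name> from
    web.xml (what the WWW-Authenticate challenge carries), not the
    security-domain name: the browser never sees the domain name.
    """
    return md5_hex(f"{username}:{realm}:{password}")


def a2_hash(method: str, uri: str) -> str:
    """HA2 = MD5(method:digest-uri) for qop=auth (the 'md5a2' in the JBossWeb trace)."""
    return md5_hex(f"{method}:{uri}")


def digest_response(ha1: str, nonce: str, nc: str, cnonce: str, qop: str, ha2: str) -> str:
    """The 'response' parameter of the Authorization: Digest header."""
    if qop:  # RFC 2617 with qop=auth
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")  # RFC 2069 compatibility (no qop)


def client_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """What the browser computes: it has the clear-text password and the challenge realm."""
    return digest_response(a1_hash(username, realm, password), nonce, nc, cnonce, qop, a2_hash(method, uri))


def server_verify(stored_ha1, method, uri, nonce, nc, cnonce, qop, response) -> bool:
    """What the server computes: only the stored HA1 is needed, never the clear-text password."""
    expected = digest_response(stored_ha1, nonce, nc, cnonce, qop, a2_hash(method, uri))
    return hmac.compare_digest(expected, response)


def users_properties_line(username, realm, password) -> str:
    """Hypothetical helper: a users.properties line ('user=hash') storing the hex HA1 (assumed encoding)."""
    return f"{username}={a1_hash(username, realm, password)}"


def demo() -> dict:
    """Replay the exchange from the trace with a constructed password and two candidate stored hashes."""
    username, realm = "mlo", "wtpTuto1Realm"            # from the trace
    password = "not-the-real-password"                   # constructed
    nonce, nc, cnonce, qop = "ce105e03e45722b0022e5a8d830c32fc", "00000001", "8c76ad16afaeaac3", "auth"
    method, uri = "GET", "/wtpTuto1/SnoopServlet"       # digest-uri assumed to be the request URI

    response = client_response(username, realm, password, method, uri, nonce, nc, cnonce, qop)

    ha1_with_realm_name = a1_hash(username, realm, password)   # realm-name from web.xml
    ha1_with_domain_name = a1_hash(username, "wtpTuto1", password)  # security-domain name: wrong input

    return {
        "users_properties": users_properties_line(username, realm, password),
        "realm_name_ok": server_verify(ha1_with_realm_name, method, uri, nonce, nc, cnonce, qop, response),
        "domain_name_ok": server_verify(ha1_with_domain_name, method, uri, nonce, nc, cnonce, qop, response),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints realm_name_ok=True and domain_name_ok=False: the only difference between the two stored hashes is the realm string, which is enough to make every response fail. A quick sanity check when a digest setup fails is therefore to recompute HA1 by hand with the exact realm shown in the trace ("realm:wtpTuto1Realm") and compare it with the users.properties entry.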