9 Replies Latest reply on May 16, 2014 10:21 AM by simas_ch

security constraint does not work

simas_ch Apr 11, 2014 10:21 AM

Hi,

I'm trying to migrate an application from GlassFish to WildFly.

I have some security constraints in my web.xml

<security-constraint>

<display-name>Spaces</display-name>

<web-resource-collection>

<web-resource-name>spaces</web-resource-name>

<url-pattern>/spaces/*</url-pattern>

</web-resource-collection>

<auth-constraint>

<role-name>user</role-name>

</auth-constraint>

</security-constraint>

<login-config>

<auth-method>FORM</auth-method>

<realm-name>jtaf</realm-name>

<form-login-config>

<form-login-page>/login.html</form-login-page>

<form-error-page>/login_error.html</form-error-page>

</form-login-config>

</login-config>

<security-role>

<role-name>user</role-name>

</security-role>

My jboss-web.xml looks like this

<jboss-web>

<context-root>/jtaf</context-root>

<security-domain>java:/jaas/jtaf</security-domain>

</jboss-web>

And in standalone.xml I have

<security-domain name="jtaf" cache-type="default">

<login-module code="Database" flag="required">

<module-option name="dsJndiName" value="java:jboss/datasources/jtaf"/>

<module-option name="principalsQuery" value="select secret from securityuser where email = ?"/>

<module-option name="rolesQuery" value="select name from securitygroup where email = ?"/>

<module-option name="password-stacking" value="useFirstPass"/>

<module-option name="hashAlgorithm" value="MD5"/>

<module-option name="hashEncoding" value="base64"/>

</login-module>

</authentication>

</security-domain>

But when I access https://localhost:8443/jtaf/spaces/index.html it does not redirect to the login form.

What's wrong with my configuration?

Thanks, Simon

1. Re: security constraint does not work

jaikiran Apr 15, 2014 3:33 AM (in response to simas_ch)

I don't see why that wouldn't work. Is that still a problem with the just released WildFly 8.1.0.CR1 Downloads · WildFly?

Just out of curiosity what happens if you change index.html file to index.jsp and then try accessing https://localhost:8443/jtaf/spaces/index.jsp
Actions
2. Re: security constraint does not work

jaikiran Apr 15, 2014 3:35 AM (in response to simas_ch)

Simon Martinelli wrote:

My jboss-web.xml looks like this

<jboss-web>

<context-root>/jtaf</context-root>

<security-domain>java:/jaas/jtaf</security-domain>

</jboss-web>

On a slightly unrelated note, the java:/jaas/ prefix is no longer needed while referring to the security domain name. In fact, I don't know if that prefixing it will work in AS7 and WildFly. So just change it to

<security-domain>jtaf</security-domain>
Actions
3. Re: security constraint does not work

simas_ch Apr 15, 2014 4:58 AM (in response to jaikiran)

I just downloaded 8.1.0.CR1 and it still doesn't work.

On EAP 6.2.2 and JBoss 7.1.1.Final it works fine with exactly the same configuration!
Actions
4. Re: security constraint does not work

jaikiran Apr 15, 2014 5:19 AM (in response to simas_ch)

WildFly has a new web container (Undertow) and it's likely that there might be a bug in there. Can you file a WFLY JIRA with the details?

By the way, did you try the index.jsp change I suggested?
Actions
5. Re: security constraint does not work

sfcoy Apr 15, 2014 6:15 AM (in response to simas_ch)
I've never bothered to find out why, but the rolesQuery usually has the form:
<module-option name="rolesQuery" value="select name, 'Roles' from securitygroup where email = ?"/>

Maybe the missing 'Roles' is the problem?
Actions
6. Re: security constraint does not work

simas_ch Apr 15, 2014 7:56 AM (in response to sfcoy)

@Stephen
The query is like yours. I missed that in the first post.

@Jaikiran
It's very strange that this is not working. Other users should already have noticed that because it does not protect the pages.
But I will fill a bug.
Actions
7. Re: security constraint does not work

ctomc Apr 15, 2014 8:48 AM (in response to simas_ch)

Can you enable trace logging for org.jboss.security ad org.jboss.as.security
it will help understand what the problem is.
Actions
8. Re: security constraint does not work

simas_ch Apr 15, 2014 9:07 AM (in response to ctomc)

Now that I switched on logs there must be something different because now it works sometimes.
so there must be a problem on server startup but I cannot see anything. I just see that there are no roles associated but the request to the protected resource works anyway.

I will try to find out how to reproduce.
Actions
9. Re: security constraint does not work

simas_ch May 16, 2014 10:21 AM (in response to simas_ch)

It was a caching issue: https://issues.jboss.org/browse/WFLY-3261
Fixed in WildFly 8.1.0
Actions

Go to original post