1 Reply Latest reply on Sep 25, 2014 8:18 AM by shane.lemon

403 Forbidden using BASIC auth and "other" security domain

shane.lemon Sep 24, 2014 9:21 AM

Attempting to secure our WildFly 8.1.0-Final application using BASIC Authentication and ApplicationRealm Authorization but only get a "403: Forbidden". The authentication works (log line 35) and the role is found (see log line 31 and 32) but it appears authorization is failing (403).

NOTE:

1. This is clojure app using leiningen and immutant 2 (the deuce)

2. I have attached a very basic app that fails with 403 as well

3. Not sure if it is a red herring, but org.jboss.security.SecurityRolesAssociation.setSecurityRoles is getting a null (Threadlocal: null) as seen in last line of log file

Log (TRACE org.jboss.security)

15:11:24,305 TRACE [io.undertow.request] (default I/O-1) Opened connection with /127.0.0.1:56632
15:11:24,319 TRACE [io.undertow.request] (default I/O-1) Opened connection with /127.0.0.1:56634
15:11:24,359 TRACE [io.undertow.server.HttpServerExchange] (default task-1) Starting to write response for HttpServerExchange{ GET /}
15:11:24,364 TRACE [org.jboss.security] (default task-1) PBOX000354: Setting security roles ThreadLocal: null
15:11:24,394 TRACE [io.undertow.request] (default I/O-2) Opened connection with /127.0.0.1:56636
15:11:24,395 TRACE [io.undertow.server.HttpServerExchange] (default task-2) Starting to write response for HttpServerExchange{ GET /}
15:11:24,396 TRACE [org.jboss.security] (default task-2) PBOX000354: Setting security roles ThreadLocal: null
15:11:30,245 TRACE [io.undertow.request] (default I/O-2) Opened connection with /127.0.0.1:56638
15:11:30,250 TRACE [org.jboss.security] (default task-3) PBOX000200: Begin isValid, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@6854f63, cache entry: null
15:11:30,251 TRACE [org.jboss.security] (default task-3) PBOX000209: defaultLogin, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@6854f63
15:11:30,252 TRACE [org.jboss.security] (default task-3) PBOX000221: Begin getAppConfigurationEntry(other), size: 4
15:11:30,254 TRACE [org.jboss.security] (default task-3) PBOX000224: End getAppConfigurationEntry(other), AuthInfo: AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.as.security.remoting.RemotingLoginModule
ControlFlag: LoginModuleControlFlag: optional
Options:
name=password-stacking, value=useFirstPass
[1]
LoginModule Class: org.jboss.as.security.RealmDirectLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=password-stacking, value=useFirstPass

15:11:30,258 TRACE [org.jboss.security] (default task-3) PBOX000236: Begin initialize method
15:11:30,258 TRACE [org.jboss.security] (default task-3) PBOX000240: Begin login method
15:11:30,260 TRACE [org.jboss.security] (default task-3) PBOX000236: Begin initialize method
15:11:30,261 TRACE [org.jboss.security] (default task-3) PBOX000240: Begin login method
15:11:30,272 TRACE [org.jboss.security] (default task-3) PBOX000241: End login method, isValid: true
15:11:30,272 TRACE [org.jboss.security] (default task-3) PBOX000242: Begin commit method, overall result: false
15:11:30,272 TRACE [org.jboss.security] (default task-3) PBOX000242: Begin commit method, overall result: true
15:11:30,278 TRACE [org.jboss.security] (default task-3) PBOX000210: defaultLogin, login context: javax.security.auth.login.LoginContext@7f30e759, subject: Subject(559479598).principals=org.jboss.security.SimplePrincipal@865892156(shane)org.jboss.security.SimpleGroup@1404193653(Roles(members:Manager))org.jboss.security.SimpleGroup@1404193653(CallerPrincipal(members:shane))
15:11:30,279 TRACE [org.jboss.security] (default task-3) PBOX000207: updateCache, input subject: Subject(559479598).principals=org.jboss.security.SimplePrincipal@865892156(shane)org.jboss.security.SimpleGroup@1404193653(Roles(members:Manager))org.jboss.security.SimpleGroup@1404193653(CallerPrincipal(members:shane)), cached subject: Subject(318082014).principals=org.jboss.security.SimplePrincipal@865892156(shane)org.jboss.security.SimpleGroup@1404193653(Roles(members:Manager))org.jboss.security.SimpleGroup@1404193653(CallerPrincipal(members:shane))
15:11:30,279 TRACE [org.jboss.security] (default task-3) PBOX000208: Inserted cache info: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@45929f32
15:11:30,280 TRACE [org.jboss.security] (default task-3) PBOX000201: End isValid, result = true
15:11:30,280 TRACE [org.wildfly.extension.undertow] (default task-3) User: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@6854f63 is authenticated
15:11:30,293 TRACE [io.undertow.server.HttpServerExchange] (default task-3) Starting to write response for HttpServerExchange{ GET /}
15:11:30,294 TRACE [org.jboss.security] (default task-3) PBOX000354: Setting security roles ThreadLocal: null

jboss-web.xml

<jboss-web>
  <context-root></context-root>
  <security-domain>other</security-domain>
</jboss-web>

web.xml

<web-app>
       <security-constraint>
           <web-resource-collection>
                    <web-resource-name>HtmlAuth</web-resource-name>
                    <description>application security constraints</description>
                    <url-pattern>/*</url-pattern>
                    <http-method>GET</http-method>
                    <http-method>POST</http-method>
             </web-resource-collection>
             <auth-constraint>
                    <role-name>Manager</role-name>
             </auth-constraint>
       </security-constraint>
       <login-config>
             <auth-method>BASIC</auth-method>
             <realm-name>UserRoles simple realm</realm-name>
       </login-config>
       <security-role>
             <role-name>Manager</role-name>
       </security-role>
</web-app>

standalone.xml (snippet of security domain, full standalone.xml attached)

      <subsystem xmlns="urn:jboss:domain:security:1.2">
            <security-domains>
                <security-domain name="other" cache-type="default">
                    <authentication>
                        <login-module code="Remoting" flag="optional">
                            <module-option name="password-stacking" value="useFirstPass"/>
                        </login-module>
                        <login-module code="RealmDirect" flag="required">
                            <module-option name="password-stacking" value="useFirstPass"/>
                        </login-module>
                    </authentication>
                </security-domain>
                <security-domain name="jboss-web-policy" cache-type="default">
                    <authorization>
                        <policy-module code="Delegating" flag="required"/>
                    </authorization>
                </security-domain>
                <security-domain name="jboss-ejb-policy" cache-type="default">
                    <authorization>
                        <policy-module code="Delegating" flag="required"/>
                    </authorization>
                </security-domain>
            </security-domains>
        </subsystem>

Added users to ApplicationRealm with "Manager" Role.

Any help would be greatly appreciated!

standalone.xml 19.1 KB
sample-app.zip 12.0 KB

1. Re: 403 Forbidden using BASIC auth and "other" security domain

shane.lemon Sep 25, 2014 8:18 AM (in response to shane.lemon)
Thanks to jcrossley3 and tcrawley from immutant for a solution on this one. web.xml was missing a listener.

<listener> <listener-class> org.projectodd.wunderboss.wildfly.ServletListener </listener-class> </listener>
Actions