3 Replies Latest reply on Jul 7, 2015 2:53 PM by pierfra

    Why security constraint in my web.xml does not work?

    pierfra

      I have this security domain in standalone.xml in WildFly 9.0.0 CR2:

      <security-domain name="MyLoginModule" cache-type="default">
        <authentication>
          <login-module flag="required" code="Database">
            <module-option name="dsJndiName" value="java:/ds/MyDS"/>
            <module-option name="principalsQuery" value="Select Password from Principals where PrincipalID=?"/>
            <module-option name="rolesQuery" value="Select Role 'Roles', RoleGroup 'RoleGroups' from Roles where PrincipalID=?"/>
            <module-option name="hashAlgorithm" value="MD5"/>
            <module-option name="hashEncoding" value="HEX"/>
          </login-module>
        </authentication>
      </security-domain>

      --------------------------------------------------

      The authentication to my application is ok. The authorization instead does not work.

       

      This is the part in web.xml for authorization:

      <security-constraint>
          <display-name>Vincoli SSN</display-name>
          <web-resource-collection>
              <web-resource-name>Protette Application Server SSN</web-resource-name>
              <description>Protette Application Server</description>
              <url-pattern>/HeartBeatAction.do</url-pattern>
              <url-pattern>/CU010GestioneApplicationServer.do</url-pattern>
              <url-pattern>/CU010DettaglioApplicationServer.do</url-pattern>
              <url-pattern>/CU010AcquisizioneApplicationServer.do</url-pattern>
              <url-pattern>/CU010ImportazioneApplicationServer.do</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
              <http-method>HEAD</http-method>
              <http-method>PUT</http-method>
              <http-method>OPTIONS</http-method>
              <http-method>TRACE</http-method>
              <http-method>DELETE</http-method>
          </web-resource-collection>
          <auth-constraint>
              <description>Amministratore SSN</description>
              <role-name>Amministratore_sistema_SSN</role-name>
          </auth-constraint>
      </security-constraint>

      I tried with all roles of my database module, but I can access my actions and JSP pages only if I cut all security constraints from web.xml.

      Can someone help me?

       

      Thanks

       

      Pierfrancesco

        • 1. Re: Why security constraint in my web.xml does not work?
          jaikiran

          Enable TRACE level logging of the org.jboss.security and org.picketbox packages in the logging subsystem. The server.log will then probably have enough information to give you a hint on what's wrong.

          By the way, 9.0.0.Final has already been released (Announcement: WildFly 9.0.2.Final released), so you might want to use that instead of CR2.

          • 2. Re: Why security constraint in my web.xml does not work?
            jameslivingston

            It's not related to your problem, but you should not list all the <http-method>s like that. If you want it to apply to all methods, do not list any of them.

             

            Otherwise if someone uses another method like "XYZ" it will get to your application and if you have a service() method potentially perform actions they should not be allowed to. The old JBoss JMX console had a security flaw like this a few years ago.
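The gap jameslivingston describes can be checked for mechanically. The following Python linter is an added example, not code from this thread or from WildFly: it parses a web.xml and reports every web-resource-collection whose explicit <http-method> list leaves other verbs unconstrained, treating the Servlet 3.1 <deny-uncovered-http-methods/> element as closing that gap. The sample descriptor inside it is constructed from the constraint in the question.

```python
"""Flag web.xml security-constraints that list explicit <http-method>s.
Verbs not listed fall outside the constraint and reach the application
unauthenticated; listing none covers all verbs (see reply #2 above)."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the question's web.xml (namespace added).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protette Application Server SSN</web-resource-name>
      <url-pattern>/HeartBeatAction.do</url-pattern>
      <url-pattern>/CU010GestioneApplicationServer.do</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Amministratore_sistema_SSN</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

def _local(tag):
    """Drop the namespace so the check works for any web-app schema version."""
    return tag.rsplit('}', 1)[-1]

def find_method_gaps(web_xml_text):
    """Return [(url_patterns, listed_methods)] for every web-resource-collection
    whose explicit verb list leaves other verbs uncovered; [] means clean."""
    root = ET.fromstring(web_xml_text)
    # Servlet 3.1: <deny-uncovered-http-methods/> makes unlisted verbs 403.
    deny_uncovered = any(_local(e.tag) == 'deny-uncovered-http-methods' for e in root)
    gaps = []
    for sc in root:
        if _local(sc.tag) != 'security-constraint':
            continue
        for wrc in sc:
            if _local(wrc.tag) != 'web-resource-collection':
                continue
            patterns = [e.text.strip() for e in wrc if _local(e.tag) == 'url-pattern']
            methods = [e.text.strip() for e in wrc if _local(e.tag) == 'http-method']
            # Explicit verbs without deny-uncovered-http-methods: other verbs bypass.
            if methods and not deny_uncovered:
                gaps.append((patterns, methods))
    return gaps

if __name__ == '__main__':
    for patterns, methods in find_method_gaps(SAMPLE_WEB_XML):
        print(f"{patterns}: only {methods} constrained; other verbs bypass")
```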

            • 3. Re: Why security constraint in my web.xml does not work?
              pierfra

              Thanks.

               

              In server.log:

              [org.jboss.security] (default task-1) PBOX00281: Password hashing activated, algorithm: MD5, encoding: HEX, charset: null, callback: null, storeCallBack: null

              So the authentication works fine!

               

              There is no log about authorization issue.

               

              In JBoss 4.2.3 with the same web.xml and the same database login module the authorization works fine.