Hello Forum Members,

Gentle reminder. I have not been able to get a resolution to this issue. I giving the details of how NTLM authentication is currently configured with JBOSS AS 7.1 for my web application and how I am attempting to port it with Wildfly 8.2

Current configuration with JBoss AS 7.1

• CustomLoginModule - JBoss login module that is passed windows user (domain\username) and looks ups application database for registered users before allowing user to login to application.
• CustomNTLMAuthenticationValve - It is extends from AuthenticatorBase. Performs NTLM authentication using waffle library. If user is authenticated It invokes the configured JBoss login modules (above one).
• standalone.xml - configures the security domain "ntlm" with above login module. Something as shown below:              

<security-domain name="ntlm">
 <authentication>
  <login-module code="com.CustomLoginModule" flag="requisite">
  …
  </login-module>
  <login-module code="DatabaseUsers" flag="requisite">
  …
  </login-module>
  <login-module code="com.AnotherLoginModule" flag="required">
  …
 </login-module>
 </authentication>
 </security-domain>

• jboss-web,xml – Configures security domain and valve to be invoked.

<security-domain>java:/jaas/ntlm</security-domain>
<valve>
            <class-name>com.auth.CustomNTLMAuthenticationValve</class-name>
 </valve>

• web.xml – No login-config is specified.

With the above configure user is automatically authenticated and logged into the application without presenting the login page.

Porting to Wildfly 8.2

I am attempting to do this in Widlfly 8.2 as below

• CustomLoginModule – Remains the same as above.
• NTLMAuthenticationMechanism – implements AuthenticationMechanism and performs the NTLM authentication using waffle library as done in CustomNTLMAuthenticationValve above. However I have not yet figured out how to invoke the JBoss Login module(s) from here as was happening in CustomNTLMAuthenticationValve. In CustomNTLMAuthenticationValve  it is easy to getRealms and call authenticate method but I do not know how to get hold of Realms from HTTPSecurityExchange,or SecurityContext that is passed to the authenticate method of AuthenticationMechanism. Any idea how to do this?
• NTLMAuthenticationFactory – implements AuthenticationMechanismFactory to create the above NTLMAuthencticationMechanism object.
• NTLMAuthenticationServletExtension - implements ServletExtension and adds above AuthenticationMechanism using the above factory class named as “NTLM”.
• io.undertow.servlet.ServletExtension – added to META-INF\services having reference to above servlet extension class.
• standalone.xml – remains the same as above.
• jboss-web,xml – Configures security domain only (no valve).

<security-domain>java:/jaas/ntlm</security-domain>

• web.xml – added login-config as below

<login-config>
 <auth-method>NTLM</auth-method>
 <realm-name>PricingRealm</realm-name>
 </login-config>

With the above, if I run my server now I do not see my NTLMAuthenticationMechanism getting invoke. The user is not presented any login form but neither is he authenticated.

I am not sure if I my above approach is the correct way to migrate my application to Wildfly. If this indeed the right way then I am not sure why my authentication mechanism is not invoked? Any help to resolve the above issue is appreciated.

Thanks.

Hello,

I realized the reason why my authentication mechanism was not invoked earlier. The NTLMAuthenticationMechanism  that I implemented is a separate project that is deployed as JBoss module. I had added io.undertow.servlet.ServletExtension file to META-INF\services in this jar file that is deployed as JBoss module. Once I moved this to my web application's war file and deployed the war the authentication mechanism is now invoked.

This now leaves out one thing that I need to implement in the NTLMAuthenticationMechanism - to invoke login modules that are configured in standalone. This was pretty easy with JBoss AS 7.1 as from AuthenticatorBase class I can invoke it by calling:

principal = context.getRealm().authenticate(fqn, fqn);

where from catalina's context I can retrieve realm and invoke the authentication for configured login modules. However I do not know how to do this from AuthenticationMechanism. What I have access to is HttpServerExchange and SecurityContext objects in authenticate method. Is there a way I can get invoke the login modules from AuthenticationMechanism?

Thanks.

Hello Forum Members,

Gentle reminder.

I need to invoke all configured login modules from AuthenticationMechanism I am implementing and in return get the Principal that is successfully authenticated. How can this be done? Any pointers to help implement this is appreciated.

Thanks.

Hello Forum Members,

Gentle reminder if someone can give me points for above issue.

Thanks.

Hello jaikiran pai,

Thank you for your response.

In order to migrate the custom valve (extending from AuthenticatorBase), in WildFly I have implemented authentication mechanism by extending the io.undertow.security.api.AuthenticationMechanism. This authentication mechanism is able to retrieve the windows user account (using Waffle) of user sending the request in similar fashion how it is implemented by the custom valve. The valve next invokes the three login modules (in standalone.xml) that is configured in the security domain, using the window user account retrieved, to authenticate the user. This is easy to do from Valve by calling principal = context.getRealm().authenticate(fqn, fqn). It invokes the login modules and returns the successfully authenticated Principal. However I am not clear how to do the same from the AuthenticationMechanism I am implementing. Is there way to do the same from AuthenticationMechanism?

Regards,

Nitin

Hello jaikiran,

Gentle reminder.

I am not sure if invoking the configured login modules specified in standalone.xml from the AuthenticationMechanism is going to be difficult to do with Wildfly. If so, is there an alternative way to do this in Wildfly? Few points that I am not clear and I think may help me here are:

1. When adding custom AuthenticationMechanism should one complete the authentication and authorization in the AuthenticationMechanism instead of invoking the the login modules in security domain? At the moment what I am trying to do is to retrieving window user account from request in AuthenticationMechanism that I have implemented but looking to invoke the DatabaseUsers authentication module of Wildfly to perform the authentication and authorization and if that is successful then I return from my AuthenticationMechanism with outcome as AUTHENTICATED or else NOT_AUTHENTICATED. However, how to invoke DatabaseUsers (any other login modules configured under security-domain) from AuthenticationMechanism is something I am trying to figure out now in this discussion.

2. Do I really need to invoke the login modules like DatabaseUsers from AuthenticationMechanism? Can I just return without invoking them after retrieving the windows user account in AuthenticationMechanism? If so when will the DatabaseUsers authentication module be invoked by Wildfly server and how can I pass the user account retrieved by AuthenticationMechanism to the DatabaseUsers authentication module to perform successful authentication and authorization?

Any thoughts and pointers are appreciated.

Thanks.

Regards,

Nitin