9 Replies Latest reply on Jun 4, 2019 12:33 AM by shyamag

    Programmatic login not working on Wildfly

    lhelander

      I am porting an application from AS7 to Wildfly. The application is configured without any login-config element in web.xml, but it contains a login REST service that calls HttpServletRequest.login().

      On AS7 the web container enforces no calls to the security domain's login modules; it is only upon a call to the REST service that login logic is applied, and a successful login is remembered for subsequent requests.

      On Wildfly the server calls the login modules on each incoming request, even after a successful login via HttpServletRequest.login().

      Is there some way to make Wildfly behave similarly to AS7, meaning that the login performed via HttpServletRequest.login() is "remembered" so that subsequent calls to the login modules do not occur?

        • 1. Re: Programmatic login not working on Wildfly
          jwgmeligmeyling

          Facing the same issue here, under Wildfly 10. Have you managed to get this to work?

          • 2. Re: Programmatic login not working on Wildfly
            mchoma

            So in your case security domain "other" is applied? Do you have cache-type="default" specified on that security domain? If not, WildFly tries to authenticate on each request.

            • 3. Re: Programmatic login not working on Wildfly
              jwgmeligmeyling

              My domain is defined as follows:

                  <security-domain name="jboss-web-policy" cache-type="default">
                      <authorization>
                          <policy-module code="Delegating" flag="required"/>
                      </authorization>
                  </security-domain>
                  <security-domain name="jboss-ejb-policy" cache-type="default">
                      <authorization>
                          <policy-module code="Delegating" flag="required"/>
                      </authorization>
                  </security-domain>
                  <security-domain name="MyRealm" cache-type="default">
                      <authentication>
                          <login-module code="Database" flag="required">
                              <module-option name="dsJndiName" value="java:jboss/MysqlXADS"/>
                              <module-option name="principalsQuery" value="SELECT password AS Password FROM user WHERE username = ?"/>
                              <module-option name="rolesQuery" value="select 'user' as Role, 'Roles' as RoleGroup union select 'admin' as Role, 'Roles' AS RoleGroup from user where admin is true and username = ?"/>
                          </login-module>
                      </authentication>
                  </security-domain>

              So I don't think that's the problem?

              • 4. Re: Programmatic login not working on Wildfly
                mchoma

                So probably what you want is to stop the WildFly security domain from being involved. You want to be on your own.

                So based on what you posted on wildfly-dev, I believe you have to remove MyRealm from jboss-web.xml to get what you want.

                • 5. Re: Programmatic login not working on Wildfly
                  jwgmeligmeyling

                  That unfortunately does not have the expected result. What I have currently achieved: protected API endpoints, when logged in, can be accessed; if you're not logged in, a Basic authentication challenge is started. The Basic authentication is connected to the right security domain (so my username / password combination works). Now I was trying to implement another security mechanism that connects to the same security domain through an unprotected API endpoint. If I remove MyRealm from jboss-web.xml, then httpServletRequest.login does not point to MyRealm and thus throws an error on login. Keep in mind! Even though the security on the login endpoint is bypassed, the login method works just fine if MyRealm is defined in jboss-web.xml (securityContext.getUserPrincipal is not null, without a Basic auth challenge), but it's somehow forgotten on the successive request (securityContext.getUserPrincipal is null again).

                  • 6. Re: Programmatic login not working on Wildfly
                    mchoma

                    So the problem here is this scenario?:

                    1) you access the unprotected /api/me/login and log in

                    2) you expect accessing /api/* to work without the BASIC login dialog, but it is there?

                    Probably it is the right behaviour. Note, the client always has to send user/password with a request on BASIC authentication. But browsers tend to cache user/password information and use it. The security domain cache can avoid unnecessary calls to the login module, in your case the Database call from the MyRealm security domain.

                    Could you fully protect your API with BASIC authentication - no insecure channel?

                    • 7. Re: Programmatic login not working on Wildfly
                      jwgmeligmeyling

                      I am currently using a Basic authentication scheme. I however want to switch to another authentication mechanism, because Basic authentication headers are cached in the browser, making it impossible to do a logout (unless you're in IE, where you have control over the cached credentials). Furthermore I don't like the idea of sending the credentials over the wire for every request.

                      I want to use another authentication scheme, but connect against the same security domain (and benefit from the authentication realm and all the authentication mechanisms in the application server).

                      httpservletrequest.login should give me access (and actually gives me access) to log in to the security domain. This also works, the first time. The user principal is correctly set and I can use it for the lifetime of the request.

                      Strangely enough, using Basic auth the session gets attached to the cookie, and Basic authentication headers are not required on the successive request. Using httpservletrequest.login however, on the next request, the principal is null again. (And yes, with Basic auth still enabled, it figures out it still needs authentication, and a Basic auth challenge is started, but my question really is why the session was not stored in the first place.)

                      • 8. Re: Programmatic login not working on Wildfly
                        jwgmeligmeyling

                        Seems that I managed to persist the login by calling httpservletrequest.authenticate(httpservletresponse) after the call to login. See http://stackoverflow.com/a/38976889/2104280 for a more detailed answer.
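The pattern from reply 8 (login(), then authenticate(response) so the principal survives into the next request) as a complete JAX-RS resource. This is an added example, not code from this thread or from WildFly; it assumes a Servlet 3.1 / JAX-RS 2.0 container such as WildFly 10 and a jboss-web.xml that binds the deployment to the MyRealm security domain shown earlier. The package, class and path names are hypothetical.

```java
// Added example, not from the thread: programmatic login that is attached to the
// HTTP session, plus the matching logout. Assumes the deployment's jboss-web.xml
// points at the "MyRealm" security domain and that no login-config is in web.xml.
package example.auth; // hypothetical package

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.ws.rs.Consumes;
import javax.ws.rs.FormParam;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@Path("/me") // hypothetical path, mirrors the /api/me/login URL mentioned in reply 6
public class SessionResource {

    @Context
    private HttpServletRequest request;

    @Context
    private HttpServletResponse response;

    /** Unprotected endpoint: validates credentials, then binds the result to the session. */
    @POST
    @Path("/login")
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    public Response login(@FormParam("username") String username,
                          @FormParam("password") String password) throws IOException {
        if (request.getUserPrincipal() != null) {
            return Response.noContent().build(); // already authenticated in this session
        }
        // Make sure a session exists and give it a fresh id before it becomes an
        // authenticated session, so a session id fixed by a third party before
        // login cannot be reused afterwards (Servlet 3.1 changeSessionId()).
        request.getSession(true);
        request.changeSessionId();
        try {
            // Step 1: runs the login modules of the deployment's security domain.
            // On its own this only sets the principal for the current request,
            // which is exactly the symptom described in replies 5 and 7.
            request.login(username, password);
        } catch (ServletException e) {
            // Same response for unknown user and wrong password: no user enumeration.
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        try {
            // Step 2 (reply 8): authenticate() after a successful login() makes the
            // container cache the authenticated account on the session. It is only
            // called after login() succeeded, so it never has to send a challenge.
            if (!request.authenticate(response)) {
                return Response.status(Response.Status.UNAUTHORIZED).build();
            }
        } catch (ServletException e) {
            return Response.status(Response.Status.INTERNAL_SERVER_ERROR).build();
        }
        return Response.noContent().build();
    }

    /** Clears the principal and drops the server-side session. */
    @POST
    @Path("/logout")
    public Response logout() throws ServletException {
        request.logout();
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        return Response.noContent().build();
    }

    /** Probe for the "second request" case: non-null only if step 2 above ran. */
    @GET
    @Path("/whoami")
    public Response whoami() {
        return request.getUserPrincipal() == null
                ? Response.status(Response.Status.UNAUTHORIZED).build()
                : Response.ok(request.getUserPrincipal().getName()).build();
    }
}
```

Call POST /me/login with a form body, then GET /me/whoami on the same session cookie; without the authenticate() call the second request returns 401, which reproduces the original report. The session id is regenerated before the credentials are checked so that the account the container caches is never associated with an id that existed before the login.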

                        • 9. Re: Programmatic login not working on Wildfly
                          shyamag

                          I have the same problem... authentication is working on JBoss AS 7.1 but not on WildFly.

                          web.xml

                              <filter>
                                  <filter-name>springSecurityFilterChain</filter-name>
                                  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
                              </filter>
                              <filter-mapping>
                                  <filter-name>springSecurityFilterChain</filter-name>
                                  <url-pattern>/*</url-pattern>
                              </filter-mapping>
                              <!--
                              <security-constraint>
                                  <web-resource-collection>
                                      <web-resource-name>AgencyPortalUI</web-resource-name>
                                      <url-pattern>/*</url-pattern>
                                      <http-method>GET</http-method>
                                      <http-method>POST</http-method>
                                  </web-resource-collection>
                                  <user-data-constraint>
                                      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
                                  </user-data-constraint>
                              </security-constraint>
                              -->
                              <session-config>
                                  <!-- 15 minutes 900000 milliseconds -->
                                  <session-timeout>100</session-timeout>
                              </session-config>
                          </web-app>


                          and my JBoss configuration, same on WildFly:


                          <subsystem xmlns="urn:jboss:domain:security:1.2">
                              <security-domains>
                                  <security-domain name="other" cache-type="default">
                                      <authentication>
                                          <login-module code="Remoting" flag="optional">
                                              <module-option name="password-stacking" value="useFirstPass"/>
                                          </login-module>
                                          <login-module code="RealmDirect" flag="optional">
                                              <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
                                              <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
                                              <module-option name="realm" value="ApplicationRealm"/>
                                              <module-option name="password-stacking" value="useFirstPass"/>
                                          </login-module>
                                      </authentication>
                                  </security-domain>
                                  <security-domain name="jboss-web-policy" cache-type="default">
                                      <authorization>
                                          <policy-module code="Delegating" flag="required"/>
                                      </authorization>
                                  </security-domain>
                                  <security-domain name="jboss-ejb-policy" cache-type="default">
                                      <authorization>
                                          <policy-module code="Delegating" flag="required"/>
                                      </authorization>
                                  </security-domain>
                              </security-domains>
                          </subsystem>


                          and my code:

                              try {
                                  LOGGER.info("before authenticate {}");
                                  userTO = restEasyPortalServiceProxy.getLoginService().authenticate(
                                          userName, userPass);
                                  LOGGER.info("After authenticate : {}", userTO);
                                  userSessionData.setAuthToken(userTO.getAuthToken());
                              } catch