Based on the many articles I have read on this today, I have updated my config as follows.
Apart from the existing ManagementRealm and ApplicationRealm, I have one other realm configured:
<security-realm name="axisHTTPSRealm">
    <server-identities>
        <ssl>
            <keystore path="plugin-key.jks" relative-to="jboss.server.config.dir" keystore-password="xxx"/>
        </ssl>
    </server-identities>
</security-realm>
I have not specified any LDAP authentication here. My understanding is that the security realm is more relevant to the server than to the web application.
My web.xml contains:
<security-constraint>
    <web-resource-collection>.... </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>axisHTTPSRealm</realm-name>
</login-config>
I have then created the following security domain:
<security-domain name="myHTTPSDomain" cache-type="default">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
            <module-option name="bindDN" value="uid=admin,ou=system"/>
            <module-option name="bindCredential" value="xxxx"/>
            <module-option name="baseCtxDN" value="ou=basicauth,ou=users,ou=axis,o=ventyx,c=au"/>
            <module-option name="baseFilter" value="(uid={0})"/>
            <module-option name="rolesCtxDN" value="ou=basicauth,ou=users,ou=axis,o=ventyx,c=au"/>
            <module-option name="roleFilter" value="(uid={0})"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="searchScope" value="SUBTREE_SCOPE"/>
            <module-option name="allowEmptyPasswords" value="true"/>
        </login-module>
    </authentication>
</security-domain>
Note that we do not use roles in our LDAP setup; however, I have read that if the roles-related module options are not specified, LdapExtLoginModule will search for roles anyway using null values, which results in the authentication failing. I read somewhere else that the rolesCtxDN should be the same as the baseCtxDN in this situation. I have no idea if this is true.
PS. I have also tried <module-option name="roleFilter" value="(member={1})"/> with exactly the same result.
I have added this security domain to my jboss-web.xml:
<security-domain>myHTTPSDomain</security-domain>
I have also turned on org.jboss.security logging at trace level and am getting the following output:
2015-09-29 20:29:45,581 TRACE [org.jboss.security] (default task-2) PBOX00200: Begin isValid, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@905313f, cache entry: null
2015-09-29 20:29:45,581 TRACE [org.jboss.security] (default task-2) PBOX00209: defaultLogin, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@905313f
2015-09-29 20:29:45,581 TRACE [org.jboss.security] (default task-2) PBOX00221: Begin getAppConfigurationEntry(myHTTPSDomain), size: 4
2015-09-29 20:29:45,581 TRACE [org.jboss.security] (default task-2) PBOX00224: End getAppConfigurationEntry(myHTTPSDomain), AuthInfo: AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=baseFilter, value=(uid={0})
name=allowEmptyPasswords, value=true
name=roleFilter, value=(uid={0})
name=bindCredential, value=****
name=bindDN, value=uid=admin,ou=system
name=java.naming.provider.url, value=ldap://localhost:10389
name=rolesCtxDN, value=ou=basicauth,ou=users,ou=axis,o=ventyx,c=au
name=baseCtxDN, value=ou=basicauth,ou=users,ou=axis,o=ventyx,c=au
name=searchScope, value=SUBTREE_SCOPE
name=roleAttributeID, value=cn
2015-09-29 20:29:45,582 TRACE [org.jboss.security] (default task-2) PBOX00236: Begin initialize method
2015-09-29 20:29:45,582 TRACE [org.jboss.security] (default task-2) PBOX00240: Begin login method
2015-09-29 20:29:45,582 DEBUG [org.jboss.security] (default task-2) PBOX00269: Failed to parse roleRecursion as number, using default value 0
2015-09-29 20:29:45,582 TRACE [org.jboss.security] (default task-2) PBOX00220: Logging into LDAP server with env {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, searchScope=SUBTREE_SCOPE, java.naming.security.principal=uid=admin,ou=system, baseCtxDN=ou=basicauth,ou=users,ou=axis,o=ventyx,c=au, roleAttributeID=cn, roleFilter=(uid={0}), allowEmptyPasswords=true, rolesCtxDN=ou=basicauth,ou=users,ou=axis,o=ventyx,c=au, baseFilter=(uid={0}), jboss.security.security_domain=myHTTPSDomain, java.naming.provider.url=ldap://localhost:10389, bindDN=uid=admin,ou=system, bindCredential=******, java.naming.security.authentication=simple, java.naming.security.credentials=******}
2015-09-29 20:29:45,590 DEBUG [org.jboss.security] (default task-2) PBOX00283: Bad password for username B2BTESTSENDER9
2015-09-29 20:29:45,590 TRACE [org.jboss.security] (default task-2) PBOX00244: Begin abort method, overall result: false
2015-09-29 20:29:45,590 DEBUG [org.jboss.security] (default task-2) PBOX00206: Login failure: javax.security.auth.login.FailedLoginException: PBOX00070: Password invalid/Password required
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:286) [picketbox-4.9.2.Final.jar:4.9.2.Final]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_79]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_79]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_79]
at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_79]
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) [rt.jar:1.7.0_79]
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_79]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) [rt.jar:1.7.0_79]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) [rt.jar:1.7.0_79]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_79]
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) [rt.jar:1.7.0_79]
at javax.security.auth.login.LoginContext.login(LoginContext.java:595) [rt.jar:1.7.0_79]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406) [picketbox-infinispan-4.9.2.Final.jar:4.9.2.Final]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345) [picketbox-infinispan-4.9.2.Final.jar:4.9.2.Final]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333) [picketbox-infinispan-4.9.2.Final.jar:4.9.2.Final]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146) [picketbox-infinispan-4.9.2.Final.jar:4.9.2.Final]
at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:111)
at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:82)
at io.undertow.security.impl.BasicAuthenticationMechanism.authenticate(BasicAuthenticationMechanism.java:118) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:339) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:356) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:325) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:138) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:113) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:106) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55) [undertow-servlet-1.2.9.Final.jar:1.2.9.Final]
at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) [undertow-servlet-1.2.9.Final.jar:1.2.9.Final]
at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.2.9.Final.jar:1.2.9.Final]
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72) [undertow-servlet-1.2.9.Final.jar:1.2.9.Final]
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282) [undertow-servlet-1.2.9.Final.jar:1.2.9.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261) [undertow-servlet-1.2.9.Final.jar:1.2.9.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80) [undertow-servlet-1.2.9.Final.jar:1.2.9.Final]
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172) [undertow-servlet-1.2.9.Final.jar:1.2.9.Final]
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774) [undertow-core-1.2.9.Final.jar:1.2.9.Final]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_79]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_79]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_79]
2015-09-29 20:29:45,601 TRACE [org.jboss.security] (default task-2) PBOX00201: End isValid, result = false
2015-09-29 20:29:45,602 TRACE [org.jboss.security] (default task-2) PBOX00354: Setting security roles ThreadLocal: null
My main concerns at the moment are:
a) Have I set up all that is theoretically required to get this working?
b) Since the roles-related module options are so vital to org.jboss.security.auth.spi.LdapExtLoginModule, are the values I have set in those options correct? As I said, we don't use roles; I merely need to check whether the usernames and passwords are valid. But my understanding is that I need to specify something meaningful in these options, and I'm just not sure what.
It seems from the log that it is connecting to LDAP, but I can't see any tracing from org.jboss.security.auth.spi.LdapExtLoginModule.
Any hints or tips welcome.
Thanks
Julie
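Editor's note, added to this post and not part of Julie's question or of WildFly/PicketBox code: the example below is an offline model of the search-then-bind-then-role-search sequence that LdapExtLoginModule's documented options describe, written to make two things concrete. First, the {0} placeholder is the login name and {1} is the DN located in the first search, so with the posted options (rolesCtxDN equal to baseCtxDN, roleFilter "(uid={0})", roleAttributeID "cn") the role search simply finds the user's own entry and the user's cn becomes the role name, whereas "(member={1})" only yields roles if group entries carrying a member attribute exist under rolesCtxDN. Second, allowEmptyPasswords=true (the posted value, and the module's default) passes an empty password through to the server, where a simple bind with an empty password is treated as anonymous by many directories and reported as success. Everything here is constructed: the in-memory directory, the sample password, the RFC 4515 escaping of substituted values (the real module's handling of special characters is not something this post shows), and the simulated bind that stands in for the LDAP server.

```python
# Added example (editor's, not from the post or WildFly): offline model of an
# LdapExtLoginModule-style user lookup, bind and role search.
import re

# Constructed sample directory (DN -> attributes); not the poster's real data.
DIRECTORY = {
    "uid=B2BTESTSENDER9,ou=basicauth,ou=users,ou=axis,o=ventyx,c=au": {
        "uid": ["B2BTESTSENDER9"], "cn": ["B2B Test Sender 9"],
        "userPassword": ["s3cret!"],
    },
    "cn=senders,ou=groups,ou=axis,o=ventyx,c=au": {
        "cn": ["senders"],
        "member": ["uid=B2BTESTSENDER9,ou=basicauth,ou=users,ou=axis,o=ventyx,c=au"],
    },
}

# Module options as posted, plus a hypothetical group-based variant.
POSTED_CONFIG = {
    "baseCtxDN": "ou=basicauth,ou=users,ou=axis,o=ventyx,c=au",
    "baseFilter": "(uid={0})",
    "rolesCtxDN": "ou=basicauth,ou=users,ou=axis,o=ventyx,c=au",
    "roleFilter": "(uid={0})",
    "roleAttributeID": "cn",
    "allowEmptyPasswords": True,
}
GROUP_CONFIG = dict(POSTED_CONFIG, rolesCtxDN="ou=groups,ou=axis,o=ventyx,c=au",
                    roleFilter="(member={1})", allowEmptyPasswords=False)

def escape_filter_value(value):
    """RFC 4515 escaping so a user-supplied value stays a literal in the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def render_filter(template, username, user_dn=""):
    """{0} is the login name, {1} the DN found in phase 1 (both escaped)."""
    return (template.replace("{0}", escape_filter_value(username))
                    .replace("{1}", escape_filter_value(user_dn)))

_EQUALITY = re.compile(r"^\(([A-Za-z][A-Za-z0-9-]*)=(.*)\)$")

def search(base_dn, ldap_filter):
    """SUBTREE_SCOPE search over DIRECTORY; only the (attr=value) form is supported."""
    m = _EQUALITY.match(ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, wanted = m.group(1).lower(), unescape_filter_value(m.group(2))
    hits = []
    for dn, attrs in DIRECTORY.items():
        in_scope = dn == base_dn or dn.lower().endswith("," + base_dn.lower())
        values = {k.lower(): v for k, v in attrs.items()}.get(attr, [])
        if in_scope and wanted in values:
            hits.append(dn)
    return hits

def simulated_bind(dn, password):
    """Stand-in for the LDAP simple bind. Assumes a server that treats an
    empty password as an anonymous bind and reports it as success."""
    if password == "":
        return True
    return password in DIRECTORY.get(dn, {}).get("userPassword", [])

def authenticate(config, username, password):
    """Phase 1: locate the user DN. Phase 2: bind as that DN. Phase 3: roles."""
    if password == "" and not config["allowEmptyPasswords"]:
        return {"ok": False, "reason": "empty password rejected", "roles": []}
    users = search(config["baseCtxDN"], render_filter(config["baseFilter"], username))
    if len(users) != 1:
        return {"ok": False, "reason": "user not found or ambiguous", "roles": []}
    user_dn = users[0]
    if not simulated_bind(user_dn, password):
        return {"ok": False, "reason": "bad password", "roles": []}
    role_entries = search(config["rolesCtxDN"],
                          render_filter(config["roleFilter"], username, user_dn))
    roles = [v for dn in role_entries
             for v in DIRECTORY[dn].get(config["roleAttributeID"], [])]
    return {"ok": True, "dn": user_dn, "roles": roles}

if __name__ == "__main__":
    print(authenticate(POSTED_CONFIG, "B2BTESTSENDER9", "s3cret!"))  # role = user's cn
    print(authenticate(GROUP_CONFIG, "B2BTESTSENDER9", "s3cret!"))   # role = group cn
    print(authenticate(POSTED_CONFIG, "B2BTESTSENDER9", ""))         # empty password passes
    print(authenticate(GROUP_CONFIG, "*)(uid=*", "s3cret!"))         # escaped, no match
```

The last two calls are the ones worth running before copying a configuration like the posted one into production: with allowEmptyPasswords=true the model accepts an empty password for any uid the base search can find, which is why setting that option to false is the safer default when the LDAP server permits anonymous binds; and the escaped username shows why values substituted into filters must be treated as untrusted.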