I have set up a custom security-domain in Wildfly 9.0.2.Final for testing which looks like this:
<security-domain name="LDAPAuth" cache-type="default">
    <authentication>
        <login-module code="LdapExtended" flag="required">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://localhost:389"/>
            <module-option name="java.naming.security.authentication" value="simple"/>
            <module-option name="baseCtxDN" value="ou=People,dc=acme,dc=com"/>
            <module-option name="baseFilter" value="(uid={0})"/>
            <module-option name="rolesCtxDN" value="ou=Roles,dc=acme,dc=com"/>
            <module-option name="roleFilter" value="(member={1})"/>
            <module-option name="roleAttributeID" value="cn"/>
            <module-option name="searchScope" value="ONELEVEL_SCOPE"/>
        </login-module>
    </authentication>
</security-domain>
In my web.xml I have referenced this security-domain name (LDAPAuth) in my login-config.
When I provide a valid username and password configured in my local LDAP, I am allowed in; otherwise authentication fails. This works great. The problem is, once I've authenticated once, I'm never prompted again unless I close that browser window and open a new one. It doesn't matter if I manually call session.invalidate(); in my code, if the session just naturally expires (I have it set to 1 minute for testing), or even if I restart the server! I'm new to Wildfly, but my experience working with other app servers tells me that I should be re-prompted in any of the above scenarios, so what am I missing?
Really dumb. This was due to BASIC authentication.
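The reason the answer above resolves the question is the browser-side behaviour of HTTP BASIC authentication: after the one 401 challenge, the browser caches the credentials for the lifetime of the browser process and silently resends the Authorization header on every request, so the container re-validates against LDAP and re-creates a session without any prompt, whatever the server did to the old one. Only FORM authentication, where the credentials are posted once and only a session cookie is kept, makes session.invalidate(), a timeout, or a restart send the user back to the login page. The following added example (not code from the question, and not WildFly code) is a constructed in-process model of one browser talking to a container under each auth method; the user store, status codes, and session ids are assumptions made for the simulation.

```python
import base64
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-in for the LDAP directory behind the LDAPAuth domain.
USERS = {"alice": "s3cret"}


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    new_session: Optional[str] = None


class Server:
    """Minimal model of a container protecting a resource with BASIC or FORM auth."""

    def __init__(self, auth_method: str):
        self.auth_method = auth_method
        self.sessions: Dict[str, str] = {}  # JSESSIONID -> user
        self._counter = 0

    def _create_session(self, user: str) -> str:
        self._counter += 1
        sid = f"sess-{self._counter}"
        self.sessions[sid] = user
        return sid

    def invalidate_all(self) -> None:
        # Models session.invalidate() or a session timeout on the server side.
        self.sessions.clear()

    def form_login(self, user: str, password: str) -> Optional[str]:
        # FORM auth: credentials are posted once; afterwards only the cookie is kept.
        if USERS.get(user) == password:
            return self._create_session(user)
        return None

    def get_protected(self, headers: Dict[str, str], cookies: Dict[str, str]) -> Response:
        sid = cookies.get("JSESSIONID")
        if sid in self.sessions:
            return Response(200)
        if self.auth_method == "BASIC":
            auth = headers.get("Authorization", "")
            if auth.startswith("Basic "):
                user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
                if USERS.get(user) == password:
                    # Credentials re-validated, session silently re-created: no prompt.
                    return Response(200, new_session=self._create_session(user))
            # The 401 challenge is the only thing that makes the browser show its dialog.
            return Response(401, {"WWW-Authenticate": 'Basic realm="LDAPAuth"'})
        # FORM: with no live session the user is sent back to the login page.
        return Response(302, {"Location": "/login.html"})


class Browser:
    """Models the browser behaviour that produces the symptom in the question."""

    def __init__(self):
        self.cookies: Dict[str, str] = {}
        self.basic_credentials: Optional[str] = None  # cached until the browser is closed

    def get(self, server: Server) -> Response:
        headers = {}
        if self.basic_credentials:
            headers["Authorization"] = self.basic_credentials  # resent on every request
        resp = server.get_protected(headers, dict(self.cookies))
        if resp.new_session:
            self.cookies["JSESSIONID"] = resp.new_session
        return resp

    def basic_login(self, server: Server, user: str, password: str) -> Response:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.basic_credentials = "Basic " + token
        return self.get(server)

    def form_login(self, server: Server, user: str, password: str) -> Response:
        sid = server.form_login(user, password)
        if sid is None:
            return Response(302, {"Location": "/error.html"})
        self.cookies["JSESSIONID"] = sid
        return Response(200)


def walk_through(auth_method: str) -> List[int]:
    """Status codes for: first visit, login, visit after invalidation, visit after restart."""
    server = Server(auth_method)
    browser = Browser()
    statuses = [browser.get(server).status]
    if auth_method == "BASIC":
        statuses.append(browser.basic_login(server, "alice", "s3cret").status)
    else:
        statuses.append(browser.form_login(server, "alice", "s3cret").status)
    server.invalidate_all()        # session.invalidate() or the 1-minute timeout
    statuses.append(browser.get(server).status)
    server = Server(auth_method)   # server restart: every server-side session is gone
    statuses.append(browser.get(server).status)
    return statuses


if __name__ == "__main__":
    print("BASIC:", walk_through("BASIC"))  # [401, 200, 200, 200]
    print("FORM: ", walk_through("FORM"))   # [302, 200, 302, 302]
```

Under BASIC the only 401 is the very first one; every later visit succeeds because the cached header is re-validated and a fresh session is minted. Under FORM the same invalidation and restart each produce a redirect to the login page, which is the behaviour the question expected. This is also why a server-side "logout" with BASIC cannot end the user's access from that browser, a point worth remembering when choosing an auth method for anything beyond a test setup.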