1 2 Previous Next 22 Replies Latest reply on Dec 8, 2016 10:46 AM by bubul.dey

    Define and use multiple security domains in JBoss EAP 7

    nitin_jain

      Hello Forum,

       

      In my application till now, I had defined one security domain to authenticate the users.

       

      JBoss Configuration

      <security-domain name="JSFRealm1" cache-type="default">
          <authentication>
             <login-module code="Database" flag="required">
                <module-option name="dsJndiName" value="java:jboss/datasources/jdbc/mysql-1"/>
                <module-option name="principalsQuery" value="select password from user_login where email=?"/>
                <module-option name="rolesQuery" value="select role_name, 'Roles' from user_role u where u.email=?"/>
             </login-module>
          </authentication>
      </security-domain>

       

      jboss-web.xml

      <jboss-web>
         <security-domain>java:/jaas/JSFRealm1</security-domain>
      </jboss-web>

       

      Login Bean

          // email, password, message and userDetailsVO are properties of the JSF managed bean.
          public String login() throws IOException {
              String navigation = "";
              FacesContext context = FacesContext.getCurrentInstance();
              ExternalContext externalContext = context.getExternalContext();
              HttpServletRequest request = (HttpServletRequest) externalContext.getRequest();
              try {
                  // Drop any identity already attached to the request before logging in again.
                  Principal userPrincipal = request.getUserPrincipal();
                  if (null != userPrincipal) {
                      request.logout();
                  }
                  // Container-managed login against the security domain bound in jboss-web.xml.
                  request.login(email, password);
                  HttpSession session = Util.getSession();
                  session.setAttribute("loginName", email);
                  userPrincipal = request.getUserPrincipal();
                  // Navigate according to the role the security domain assigned to the user.
                  if (request.isUserInRole(AppUserRole.APP_ADMIN.toString())) {
                      message = "Logged in as application administrator!";
                      navigation = "appAdmin";
                      userDetailsVO.setRole(AppUserRole.APP_ADMIN.toString());
                  } else if (request.isUserInRole(AppUserRole.PROJECT_USER.toString())) {
                      message = "Logged in as project administrator!";
                      navigation = "projUser";
                      userDetailsVO.setRole(AppUserRole.PROJECT_USER.toString());
                  }
                  userDetailsVO.setUserName(email);
                  return navigation;
              } catch (ServletException e) {
                  // Handle unknown username/password in request.login().
                  context.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_WARN, "Invalid Login!", "Please Try Again!"));
                  return "login";
              }
          }

       

      Query

      There is a requirement now to use different databases to authenticate 2 different sets of users. The databases cannot be merged. Is it possible to define a new security domain (shown below) and then choose a particular domain to authenticate the user based on the differentiator?

       

      JBoss Configuration

      <security-domain name="JSFRealm1" cache-type="default">
          <authentication>
             <login-module code="Database" flag="required">
                <module-option name="dsJndiName" value="java:jboss/datasources/jdbc/mysql-1"/>
                ...................................
             </login-module>
          </authentication>
      </security-domain>
      <security-domain name="JSFRealm2" cache-type="default">
          <authentication>
             <login-module code="Database" flag="required">
                <module-option name="dsJndiName" value="java:jboss/datasources/jdbc/mysql-2"/>
                .................................................
             </login-module>
          </authentication>
      </security-domain>

       

      jboss-web.xml

      <jboss-web>
         <security-domain>java:/jaas/JSFRealm1</security-domain>
      </jboss-web>

      <jboss-web>
         <security-domain>java:/jaas/JSFRealm2</security-domain>
      </jboss-web>

       

      Please advise.

       

      Best Regards,

      Nitin

        • 1. Re: Define and use multiple security domains in JBoss 7
          nitin_jain

          Hello Forum,

           

          To access the custom login module I have made the following progress.

           

          Login Bean

          public String login() throws IOException {
               String navigation = "";
               FacesContext context = FacesContext.getCurrentInstance();
               Principal userPrincipal = null;
               CallbackHandler handler = new RPJAASCallbackHandler(email, password);
               try {
                    LoginContext loginContext;
                    if (condition == Boolean.TRUE) {
                         loginContext = new LoginContext("RPJSFRealm1", handler);
                    } else {
                         loginContext = new LoginContext("RPJSFRealm2", handler);
                    }
                    ......
                    loginContext.login();
                    ......
                    ......
                    return navigation;
               } catch (LoginException loginException) {
                    context.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_WARN, "Invalid login credentials!",
                         "Please Try Again!"));
                    return "login";
               }
          }

          When logging in with "login" on "HttpServletRequest", "io.undertow.security.impl.SecurityContextImpl.login(final String username, final String password)" is invoked, which sets "this.authenticationState = AuthenticationState.AUTHENTICATED;". This authenticationState is never set in the case of "login" on "LoginContext".

           

          Stack trace for the 2 different implementations.

          1. Stacktrace_HttpServletRequest_Login_Request.txt
          2. Stacktrace_LogingContext_Login_Request.txt

           

          Even though by doing so I am able to invoke different security domains, it seems the user is not authenticated correctly. This is because, even when using "login" of "LoginContext", the application home page is displayed, but on triggering any action on the home page the session is invalidated.

           

          I am also attaching the stack trace for requests from "homePage".

          1. Stacktrace_HttpServletRequest_FromHomePage.txt
          2. Stacktrace_LogingContext_FromHomePage.txt

           

           

          Comparing the stack traces, the deviation in the 2 approaches takes place in "ServletSecurityConstraintHandler.handleRequest(HttpServerExchange)". The condition at line number 55 of "io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(HttpServerExchange)" is never true for "login" on "LoginContext".

           

          Please advise.

           

          Best Regards,

          Nitin
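          The distinction raised in the opening question and in this reply (choosing a domain at login time, and why a bare LoginContext login leaves the container unconvinced) can be shown side by side. The class below is an added example written for this thread, not code from the original posts or from JBoss itself; the names LoginStrategies, SimpleCallbackHandler, containerLogin and jaasOnlyLogin are assumptions chosen for illustration. It relies only on the Servlet 3.1 and JAAS APIs that EAP 7 ships.

```java
// Added example (not from the thread): container-managed login versus a bare JAAS
// LoginContext login inside a JSF/servlet application on JBoss EAP 7.
// Class and method names are assumptions made for this illustration.
import java.security.Principal;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

public final class LoginStrategies {

    /** Minimal JAAS callback handler that supplies the user name and password. */
    static final class SimpleCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        SimpleCallbackHandler(String user, String password) {
            this.user = user;
            this.password = password.toCharArray();
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    /**
     * Container-managed login. Undertow runs the login-module chain of the security
     * domain bound in jboss-web.xml AND records the result in its own SecurityContext,
     * so getUserPrincipal()/isUserInRole() keep working on the following requests.
     * Returns the authenticated principal, or null when the credentials were rejected.
     */
    public static Principal containerLogin(HttpServletRequest request, String user, String password)
            throws ServletException {
        if (request.getUserPrincipal() != null) {
            request.logout(); // drop any identity already attached to the request
        }
        try {
            request.login(user, password);
        } catch (ServletException e) {
            return null; // bad credentials: the caller shows the "Invalid Login" message
        }
        Principal p = request.getUserPrincipal();
        if (p == null) {
            throw new IllegalStateException("container accepted the login but exposes no principal");
        }
        // The identity changed, so issue a fresh session id (session-fixation hygiene).
        request.changeSessionId();
        return p;
    }

    /**
     * Bare JAAS login against any security domain by name. The login modules run and a
     * Subject is populated, but the servlet container is never told about it: on the next
     * request getUserPrincipal() is still null and protected pages bounce back to the login
     * page, which is exactly what the thread observes. Suitable for checking that a domain
     * and its datasource are configured correctly, not for establishing a web session.
     */
    public static Subject jaasOnlyLogin(String securityDomain, String user, String password)
            throws LoginException {
        LoginContext lc = new LoginContext(securityDomain, new SimpleCallbackHandler(user, password));
        lc.login();
        return lc.getSubject();
    }
}
```

          Because only containerLogin leaves the request authenticated, the security domain it uses is the one named in jboss-web.xml and cannot be switched per user from the bean. A way to consult both databases without switching domains is to stack two Database login modules inside that single domain, one per datasource, each with flag="sufficient": the standard JAAS control flags make the chain stop at the first module that succeeds and fall through to the next when one fails, so a user present in either database is accepted and a user present in neither is rejected.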

          • 2. Re: Define and use multiple security domains in JBoss 7
            nitin_jain

            Hello Forum,

             

            I am still trying to resolve this. Any ideas?

             

            Best Regards,

            Nitin

            • 3. Re: Define and use multiple security domains in JBoss 7
              nitin_jain

              Hello Forum,

               

              Some more updates.

               

              In "web.xml" if the "auth-method" is "FORM", the user is redirected to login from home page.

               

                  <login-config>
                      <auth-method>FORM</auth-method>
                      <form-login-config>
                          <form-login-page>/pages/public/login.xhtml</form-login-page>
                          <form-error-page>/pages/public/loginError.xhtml</form-error-page>
                      </form-login-config>
                  </login-config>

               

              If the "auth-method" is "BASIC", the user is asked for credentials again on triggering any action from home page.

               

                  <login-config>
                      <auth-method>BASIC</auth-method>
                      <form-login-config>
                          <form-login-page>/pages/public/login.xhtml</form-login-page>
                          <form-error-page>/pages/public/loginError.xhtml</form-error-page>
                      </form-login-config>
                  </login-config>

               

              Best Regards,

              Nitin

              • 4. Re: Define and use multiple security domains in JBoss 7
                sidde3

                Hello Nitin,

                 

                Please refer to [1] to implement a custom security domain.

                 

                [1] Using the operating system to authenticate users on Red Hat JBoss Enterprise Application Platform (EAP) ? – Red Hat Deve…

                • 5. Re: Define and use multiple security domains in JBoss EAP 7
                  nitin_jain

                  Hello Bubul,

                   

                  Thank you for the updates. I did try to create a JBoss module for the custom login; however I still get same issue.

                   

                  Best Regards,

                  Nitin

                  • 6. Re: Define and use multiple security domains in JBoss EAP 7
                    bubul.dey

                    Hi Nitin,

                     

                    I have very limited knowledge about JSF; can you please share a simple reproducer? I have triggered JAAS and enabled LoginContext("SecurityDomain", handler) in a JSP and it is working for me.

                    • 7. Re: Define and use multiple security domains in JBoss EAP 7
                      nitin_jain

                      Hello Bubul,

                       

                      Please find attached artifacts that you can use to set up a working application to recreate the issue.

                       

                      1. Source Code - auth-poc.zip (maven build)
                      2. Database Scripts – DataBase.zip (used MySQL DB)
                      3. JBoss EAP 7 Configuration – standalone-full-ha.xml

                       

                      Steps to reproduce the issue

                      1. Application URL - http://localhost:8082/auth-poc
                      2. Login using username – "njain@gmail.com" and Password – "t"
                      3. From home page, click on URL in widget.

                       

                      Best Regards,

                      Nitin

                      • 8. Re: Define and use multiple security domains in JBoss EAP 7
                        sidde3

                        Hello Nitin,

                         

                        I don't have much knowledge about jsf. I have created a sample with JSP where it is working. Please have a look.

                         

                        Note: I have not implemented any roles here. I am not able to upload my code here; please share your mail id with me and I can share my sample code with you.

                         

                        Regards,

                        Bubul

                        • 9. Re: Define and use multiple security domains in JBoss EAP 7
                          nitin_jain

                          Hello Bubul,

                           

                          I can be reached on "mail.njain@gmail.com".

                           

                          Best Regards,

                          Nitin Jain

                          • 10. Re: Define and use multiple security domains in JBoss EAP 7
                            bubul.dey

                            Hi Nitin,

                             

                            Please find the attachment.

                             

                            Regards,

                            Siddhartha

                            • 11. Re: Define and use multiple security domains in JBoss EAP 7
                              nitin_jain

                              Hello Siddhartha,

                               

                              Please share the JBoss AS configurations as well.

                               

                              Thanks.

                              Nitin

                              • 12. Re: Define and use multiple security domains in JBoss EAP 7
                                bubul.dey

                                Hi Nitin,

                                 

                                In JBoss I have configured the security domain like below:

                                 

                                <security-domain name="other" cache-type="default">
                                    <authentication>
                                        <!-- first database is consulted; "optional" lets the chain continue either way -->
                                        <login-module code="Database" flag="optional">
                                            <module-option name="dsJndiName" value="java:jboss/derbyDS"/>
                                            <module-option name="principalsQuery" value="select password from app.USERS where username=?"/>
                                            <module-option name="rolesQuery" value="select role, 'Roles' from app.ROLES where username=?"/>
                                        </login-module>
                                        <!-- second source: users of the server's ManagementRealm -->
                                        <login-module code="org.jboss.as.security.RealmDirectLoginModule" flag="optional">
                                            <module-option name="realm" value="ManagementRealm"/>
                                        </login-module>
                                    </authentication>
                                </security-domain>
                                • 13. Re: Define and use multiple security domains in JBoss EAP 7
                                  bubul.dey

                                  Hello Nitin,

                                   

                                  Please let me know if you are able to test my code.

                                   

                                  Regards,

                                  Bubul

                                  • 14. Re: Define and use multiple security domains in JBoss EAP 7
                                    nitin_jain

                                    Hello Bubul,

                                     

                                    I am able to run your code, but you will notice that "code" of the login-module is "Database" not your custom login module "com.sid.loginweb.loginBean".

                                     

                                    The aim is to use custom login module through LoginContext.login, which is currently not working.

                                     

                                    Best Regards,

                                    Nitin
