4 Replies Latest reply on Jul 15, 2017 6:55 AM by rsoika

JASPIC Module not working - Error getting ServerAuthContext for authContextId default-host

rsoika Jul 10, 2017 5:15 PM

Hi,

I try to implement a JASPIC (JSR-196) module running on Wildfly 10.1.0.

I think I am familiar with implementing a ServerAuthModule, which I have done several times for GlassFish in the past.

I defined in my standalone.xml a new security domain for my JASPIC module like this:

<security-domain name="jaspimodule1">
  <authentication-jaspi>
  <login-module-stack name="dummymodule1">
  <login-module code="DummyModule1" flag="optional"/>
  </login-module-stack>
  <auth-module code="com.imixs.auth.DummyAuthModule" />
  </authentication-jaspi>
</security-domain>

I also added the following jboss-web.xml to my web application

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
  <security-domain>jaspimodule1</security-domain>
</jboss-web>

I removed the 'login-config' form my web.xml and added only the 'security-constraint' and 'security-role' configuration.

When I try to access my application in debug mode, I see that the 'initialize' method is called, so I think my module is registered in some way.

@Override
  public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy, CallbackHandler handler,
  Map options) throws AuthException {
  logger.finest("AuthModule:  initialize....");
  this.requestPolicy = requestPolicy;
  this.responsePolicy = responsePolicy;
  if (requestPolicy != null) {
    this.isMandatory = requestPolicy.isMandatory();
  }
  this.handler = handler;
  this.options = options;
  }

But my problem is hat the method 'validateRequest' is never called.

On the wildfly server console I got the following exception:

 | 20:56:44,732 ERROR [org.jboss.security] (default task-47) PBOX00374: Error getting ServerAuthContext for authContextId default-host /office-test and security domain jaspimodule1: javax.security.auth.message.AuthException
  | at org.jboss.security.auth.message.config.JBossServerAuthConfig.getAuthContext(JBossServerAuthConfig.java:187)
  | at org.jboss.security.plugins.auth.JASPIServerAuthenticationManager.isValid(JASPIServerAuthenticationManager.java:99)
  | at org.wildfly.extension.undertow.security.jaspi.JASPICAuthenticationMechanism.authenticate(JASPICAuthenticationMechanism.java:123)
  | at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245)
  | at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231)
  | at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)
  | at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99)
  | at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)
  | at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
  | at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
  | at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
  | at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
  | at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
  | at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
  | at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
  | at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
  | at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
  | at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
  | at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
  | at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
  | at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
  | at org.wildfly.extension.undertow.security.jaspi.JASPICSecureResponseHandler.handleRequest(JASPICSecureResponseHandler.java:26)
  | at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
  | at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
  | at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
  | at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
  | at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
  | at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
  | at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
  | at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
  | at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
  | at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
  | at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
  | at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
  | at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
  | at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
  | at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
  | at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
  | at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
  | at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805)
  | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
  | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
  | at java.lang.Thread.run(Thread.java:745)

Can anybody help me what this message means and where the missing part in my configuration could be?

Thanks for help

===
Ralph

1. Re: JASPIC Module not working - Error getting ServerAuthContext for authContextId default-host

mchoma Jul 11, 2017 4:23 AM (in response to rsoika)
As a reference you can use working
JASPIC test in wildfly [1].
recent forum post [2]

I have noticed both configurations specify login-module-stack-ref in auth-module element.

[1] wildfly/JASPIHttpSchemeServerAuthModelTestCase.java at master · wildfly/wildfly · GitHub
[2] https://developer.jboss.org/message/974044?et=watches.email.thread#974044
Actions
2. Re: JASPIC Module not working - Error getting ServerAuthContext for authContextId default-host

rsoika Jul 11, 2017 9:05 AM (in response to mchoma)
It looks like my fault was the way I deployed the auth module. I dropped it into the /deployments directory.
Now after I added the jar file directly into my web module the module is called as expected

But there is still a strange behavior:
When the method 'initialize' is called, the object requestPolicy always is null. Usually I use this object to determine if, for the requested resource, authentication is mandatory. See my example:

@Override public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy, CallbackHandler handler, Map options) throws AuthException { logger.info("AuthModule: initialize...."); this.requestPolicy = requestPolicy; this.responsePolicy = responsePolicy; if (requestPolicy != null) { this.isMandatory = requestPolicy.isMandatory(); } this.handler = handler; this.options = options; }

Why is the object null?
Actions

3. Re: JASPIC Module not working - Error getting ServerAuthContext for authContextId default-host

rsoika Jul 11, 2017 2:29 PM (in response to rsoika)

I now solved the problem with the missing 'isMandatory' flag. The flag can be verified in the method validateRequest:

@Override
public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject)
  throws AuthException {

  // verify if authentication for the requested resource is mandatory
  Object mandatoryKey=messageInfo.getMap().get(IS_MANDATORY_INFO_KEY);
  if (mandatoryKey==null || Boolean.parseBoolean(mandatoryKey.toString())==false) {
    logger.finest("request not mandatory");
    return AuthStatus.SUCCESS;
  }
  // authentication mandatory...
....
}

4. Re: JASPIC Module not working - Error getting ServerAuthContext for authContextId default-host

rsoika Jul 15, 2017 6:55 AM (in response to rsoika)

I now have solved the configuration and runtime problems.
I published the JSPIC module for JWT on GitHub:

GitHub - imixs/imixs-jwt: JSON Web Token module
Actions

Go to original post