JASPIC configuration in Wildfly SWARM
cartess Jul 8, 2017 2:20 AM
I need some assistance with configuring JASPIC authentication in WildFly Swarm. The same JASPIC configuration works perfectly in a normal WildFly installation, but I cannot get it to work in WildFly Swarm. I always get this error:
2017-07-07 11:15:08,819 ERROR [org.jboss.security] (default task-3) PBOX00374: Error getting ServerAuthContext for authContextId default-host /Tiles and security domain obbi-auth-id: javax.security.auth.message.AuthException
    at org.jboss.security.auth.message.config.JBossServerAuthConfig.getAuthContext(JBossServerAuthConfig.java:169)
    at org.jboss.security.plugins.auth.JASPIServerAuthenticationManager.isValid(JASPIServerAuthenticationManager.java:99)
    at org.wildfly.extension.undertow.security.jaspi.JASPICAuthenticationMechanism.authenticate(JASPICAuthenticationMechanism.java:123)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231)
    at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)
    at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99)
    at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
    at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
My Wildfly standalone configuration that works is
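<!-- JASPIC security domain as it appears in the working WildFly standalone.xml.
     Fix applied: a bare '&' inside an attribute value is not well-formed XML; the two
     endpoint URLs now use '&amp;' (the forum rendering most likely unescaped them). -->
<security-domain name="obbi-auth-id">
    <authentication-jaspi>
        <login-module-stack name="authid-loginmodule-stack">
            <!-- First module tried. flag=sufficient: success here ends the stack, so the
                 order of the two modules matters. -->
            <!-- NOTE(review): judging by their names, validateTokenSignature=false,
                 validateCertificate=false, skipAllValidators=true and a
                 maxFutureValidityInMinutes of 525600 (one year) switch token verification
                 off, i.e. any well-formed token would be accepted. Confirm against the login
                 module's implementation and treat this as a development-only setting. -->
            <!-- NOTE(review): keyStorePassword is stored in clear text next to an absolute
                 Windows path; prefer a vault/credential store and a configurable path. -->
            <login-module code="com.obbi.domain.security.loginmodule.jwt.JWTLoginModule" flag="sufficient" module="com.obbi.domain.security">
                <module-option name="expectedIssuer" value="CN=DI TIS signer"/>
                <module-option name="expectedAudience" value="obbi"/>
                <module-option name="allowedClockSkewInSeconds" value="30"/>
                <module-option name="validateTokenSignature" value="false"/>
                <module-option name="maxFutureValidityInMinutes" value="525600"/>
                <module-option name="keyStoreFilePath" value="C:/wildfly-10.1.0.Final/standalone/configuration/obbi-token-keystore.jks"/>
                <module-option name="keyStorePassword" value="pass123"/>
                <module-option name="validateCertificate" value="false"/>
                <module-option name="loadSystemPrincipals" value="true"/>
                <module-option name="loadSystemPrincipalsEndpoint" value="https://pu.obbi.co.za:4266/di/services/v1/auth-id?page=0&amp;size=1000&amp;username=%s"/>
                <module-option name="skipAllValidators" value="true"/>
            </login-module>
            <!-- Second module, tried only if the JWT module did not succeed. -->
            <!-- NOTE(review): same concern — certificate, expiry and signature validation are
                 all disabled by name. -->
            <login-module code="com.obbi.domain.security.loginmodule.obbi.obbiLoginModule" flag="sufficient" module="com.obbi.domain.security">
                <module-option name="keyStoreFilePath" value="C:/wildfly-10.1.0.Final/standalone/configuration/obbi-token-keystore.jks"/>
                <module-option name="keyStorePassword" value="pass123"/>
                <module-option name="validateCertificate" value="false"/>
                <module-option name="validateTokenExpiry" value="false"/>
                <module-option name="validateTokenSignature" value="false"/>
                <module-option name="loadSystemPrincipals" value="true"/>
                <module-option name="loadSystemPrincipalsEndpoint" value="https://pu.obbi.co.za:4266/di/services/v1/auth-id?page=0&amp;size=1000&amp;username=%s"/>
            </login-module>
        </login-module-stack>
        <!-- The JASPIC ServerAuthModule that drives the stack above. Note flag="required"
             here; the Swarm version of this configuration should use the same flag. -->
        <auth-module code="com.obbi.domain.security.JASPICServerAuthModule" flag="required" login-module-stack-ref="authid-loginmodule-stack"/>
    </authentication-jaspi>
</security-domain>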
My Wildfly swarm configuration that attempts to mimic the above Wildfly standalone configuration is:
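/**
 * Builds the WildFly Swarm equivalent of the standalone.xml {@code obbi-auth-id}
 * JASPIC security domain: one login-module stack holding the JWT and obbi login
 * modules, in that order, both {@code sufficient}, referenced by a single
 * {@code required} auth-module.
 *
 * <p>Two deviations from the posted version are intentional:
 * <ul>
 *   <li>the second {@code stack.loginModule(...)} call was nested inside the first
 *       module's configuration lambda; both modules are now direct children of the
 *       stack lambda, as they are siblings in the XML. The fraction builder
 *       presumably runs the lambda before adding the child, in which case the nested
 *       form would have registered obbiLoginModule first — with two
 *       {@code sufficient} modules that order decides which one authenticates.</li>
 *   <li>the auth-module flag is {@code REQUIRED}, matching {@code flag="required"}
 *       in the working standalone.xml; the posted Swarm version used
 *       {@code SUFFICIENT}.</li>
 * </ul>
 *
 * @return the configured {@link SecurityFraction}
 */
private static SecurityFraction getSecurityFraction1() {
    // Values the standalone.xml repeats for both login modules.
    // NOTE(review): an absolute Windows path and a clear-text keystore password in
    // source are dev-only at best; read them from configuration and keep the
    // password out of the repository.
    final String keyStoreFilePath =
            "C:/wildfly-10.1.0.Final/standalone/configuration/obbi-token-keystore.jks";
    final String keyStorePassword = "pass123";
    final String principalsEndpoint =
            "https://pu.obbi.co.za:4266/di/services/v1/auth-id?page=0&size=1000&username=%s";

    // NOTE(review): "com.obbi.domain.security" names a JBoss Modules module that exists
    // under the standalone server's modules/ directory. A Swarm uber-jar does not
    // contain it unless it is packaged explicitly, so the login-module classes cannot
    // be resolved from it — a plausible cause of the PBOX00374 AuthException shown
    // above. Confirm; if the classes ship inside the deployment, omit .module(...).
    final String securityModule = "com.obbi.domain.security";

    return new SecurityFraction().securityDomain("obbi-auth-id", sd -> {
        sd.jaspiAuthentication(jaspi -> {
            jaspi.loginModuleStack("authid-loginmodule-stack", stack -> {
                // 1st module: JWT (flag=sufficient, as in the XML).
                stack.loginModule("com.obbi.domain.security.loginmodule.jwt.JWTLoginModule", jwt -> {
                    jwt.code("com.obbi.domain.security.loginmodule.jwt.JWTLoginModule")
                       .flag(Flag.SUFFICIENT)
                       .module(securityModule)
                       .moduleOption("expectedIssuer", "CN=DI TIS signer")
                       .moduleOption("expectedAudience", "obbi")
                       .moduleOption("allowedClockSkewInSeconds", "30")
                       // NOTE(review): by name, validateTokenSignature=false,
                       // validateCertificate=false, skipAllValidators=true and a
                       // maxFutureValidityInMinutes of 525600 (one year) turn token
                       // verification off. Treat as dev-only unless the module's
                       // implementation shows otherwise.
                       .moduleOption("validateTokenSignature", "false")
                       .moduleOption("maxFutureValidityInMinutes", "525600")
                       .moduleOption("keyStoreFilePath", keyStoreFilePath)
                       .moduleOption("keyStorePassword", keyStorePassword)
                       .moduleOption("validateCertificate", "false")
                       .moduleOption("loadSystemPrincipals", "true")
                       .moduleOption("loadSystemPrincipalsEndpoint", principalsEndpoint)
                       .moduleOption("skipAllValidators", "true");
                });
                // 2nd module: obbi (flag=sufficient) — a sibling of the JWT module, not
                // nested inside its lambda.
                stack.loginModule("com.obbi.domain.security.loginmodule.obbi.obbiLoginModule", obbi -> {
                    obbi.code("com.obbi.domain.security.loginmodule.obbi.obbiLoginModule")
                        .flag(Flag.SUFFICIENT)
                        .module(securityModule)
                        .moduleOption("keyStoreFilePath", keyStoreFilePath)
                        .moduleOption("keyStorePassword", keyStorePassword)
                        // NOTE(review): same concern — certificate, expiry and signature
                        // validation all disabled by name.
                        .moduleOption("validateCertificate", "false")
                        .moduleOption("validateTokenExpiry", "false")
                        .moduleOption("validateTokenSignature", "false")
                        .moduleOption("loadSystemPrincipals", "true")
                        .moduleOption("loadSystemPrincipalsEndpoint", principalsEndpoint);
                });
            });
            // The JASPIC auth-module that drives the stack above; REQUIRED as in the XML.
            jaspi.authModule("com.obbi.domain.security.JASPICServerAuthModule", authModule -> {
                authModule.code("com.obbi.domain.security.JASPICServerAuthModule")
                          .flag(Flag.REQUIRED)
                          .loginModuleStackRef("authid-loginmodule-stack");
            });
        });
    });
}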
In my POM I have added all the dependencies that correspond to the module dependencies of the standard WildFly installation:
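<!-- NOTE(review): in a WildFly Swarm build the Servlet, JASPI, JACC, Connector and JAXB API
     artifacts, as well as PicketBox, are supplied by the container fractions (the stack trace
     above shows org.jboss.security and io.undertow classes being served from them). Packaging
     second copies into the deployment with the default compile scope can lead to duplicate
     classes loaded by different classloaders; `provided` scope is the usual choice for
     container-supplied artifacts. Confirm against the fractions actually in use. -->
<dependency>
<groupId>org.picketbox</groupId>
<artifactId>picketbox</artifactId>
<!-- Fix applied: the version text was split across two lines; keep it on one line so the
     resolved version is exactly 4.9.6.Final. -->
<version>4.9.6.Final</version>
<!-- NOTE(review): type=pom resolves picketbox's POM (and its transitive dependencies) but not
     the picketbox jar itself. If the deployment needs PicketBox classes on its own classpath,
     this is probably meant to be the default jar type — confirm. -->
<type>pom</type>
</dependency>
<dependency>
<groupId>org.picketbox</groupId>
<artifactId>picketbox-infinispan</artifactId>
<version>4.9.6.Final</version>
</dependency>
<dependency>
<groupId>org.picketbox</groupId>
<artifactId>picketbox-commons</artifactId>
<version>1.0.0.final</version>
</dependency>
<dependency>
<groupId>org.jboss.spec.javax.security.auth.message</groupId>
<artifactId>jboss-jaspi-api_1.1_spec</artifactId>
<version>1.0.0.Final</version>
</dependency>
<dependency>
<groupId>org.jboss.security</groupId>
<artifactId>jbossxacml</artifactId>
<version>2.0.8.Final</version>
</dependency>
<dependency>
<groupId>org.jboss.spec.javax.servlet</groupId>
<artifactId>jboss-servlet-api_3.1_spec</artifactId>
<version>1.0.0.Final</version>
</dependency>
<dependency>
<groupId>org.jboss.logging</groupId>
<artifactId>jboss-logging</artifactId>
<version>3.3.0.Final</version>
</dependency>
<dependency>
<groupId>org.jboss.spec.javax.xml.bind</groupId>
<artifactId>jboss-jaxb-api_2.2_spec</artifactId>
<version>1.0.4.Final</version>
</dependency>
<dependency>
<groupId>javax.activation</groupId>
<artifactId>activation</artifactId>
<version>1.1.1</version>
</dependency>
<dependency>
<groupId>org.jboss.spec.javax.security.jacc</groupId>
<artifactId>jboss-jacc-api_1.5_spec</artifactId>
<version>1.0.0.Final</version>
</dependency>
<dependency>
<groupId>org.jboss.spec.javax.resource</groupId>
<artifactId>jboss-connector-api_1.7_spec</artifactId>
<version>1.0.0.Final</version>
</dependency>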