0 Replies Latest reply on Aug 29, 2017 7:32 AM by pega_integration

    How to disable container authentication in JBoss EAP7

    pega_integration

      Hi All,

       

      How to delegate the HTTP request with Authorization header to hosted application in JBoss EAP7 by skipping container authentication and authorization.

       

      I have the below configuration in standalone-full.xml

       

      <server xmlns="urn:jboss:domain:4.1">
          <extensions>
              <extension module="org.jboss.as.clustering.infinispan"/>
              <extension module="org.jboss.as.connector"/>
              <extension module="org.jboss.as.deployment-scanner"/>
              <extension module="org.jboss.as.ee"/>
              <extension module="org.jboss.as.ejb3"/>
              <extension module="org.jboss.as.jaxrs"/>
              <extension module="org.jboss.as.jdr"/>
              <extension module="org.jboss.as.jmx"/>
              <extension module="org.jboss.as.jpa"/>
              <extension module="org.jboss.as.jsf"/>
              <extension module="org.jboss.as.jsr77"/>
              <extension module="org.jboss.as.logging"/>
              <extension module="org.jboss.as.mail"/>
              <extension module="org.jboss.as.naming"/>
              <extension module="org.jboss.as.pojo"/>
              <extension module="org.jboss.as.remoting"/>
              <extension module="org.jboss.as.sar"/>
              <extension module="org.jboss.as.security"/>
              <extension module="org.jboss.as.transactions"/>
              <extension module="org.jboss.as.webservices"/>
              <extension module="org.jboss.as.weld"/>
              <extension module="org.wildfly.extension.batch.jberet"/>
              <extension module="org.wildfly.extension.bean-validation"/>
              <extension module="org.wildfly.extension.io"/>
              <extension module="org.wildfly.extension.messaging-activemq"/>
              <extension module="org.wildfly.extension.request-controller"/>
              <extension module="org.wildfly.extension.security.manager"/>
              <extension module="org.wildfly.extension.undertow"/>
              <extension module="org.wildfly.iiop-openjdk"/>
          </extensions>
      
          <management>
              <security-realms>
                  <security-realm name="ManagementRealm">
                      <authentication>
                          <local default-user="$local" skip-group-loading="true"/>      
                          <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                      </authentication>
                      <authorization map-groups-to-roles="false">
                          <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
                      </authorization>
                  </security-realm>
                  <security-realm name="ApplicationRealm">
                      <authentication>
                          <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
                          <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                      </authentication>
                      <authorization>
                          <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
                      </authorization>
                  </security-realm>
              </security-realms>
             ...
          </management>
      
          <profile>
             ...
              <subsystem xmlns="urn:jboss:domain:remoting:3.0">            
                  <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
              </subsystem>
             ...
              <subsystem xmlns="urn:jboss:domain:security:1.2">
                  <security-domains>
                      <security-domain name="other" cache-type="default">
                          <authentication>
                              <login-module code="Remoting" flag="optional">
                                  <module-option name="password-stacking" value="useFirstPass"/>
                              </login-module>
                              <login-module code="RealmDirect" flag="required">
                                  <module-option name="password-stacking" value="useFirstPass"/>
                              </login-module>
                          </authentication>
                          <authorization>
                              <policy-module code="Delegating" flag="required"/>
                          </authorization>
                      </security-domain>
                      <security-domain name="jboss-web-policy" cache-type="default">
                          <authorization>
                              <policy-module code="Delegating" flag="required"/>
                          </authorization>
                      </security-domain>
                      <security-domain name="jboss-ejb-policy" cache-type="default">
                          <authorization>
                              <policy-module code="Delegating" flag="required"/>
                          </authorization>
                      </security-domain>
                      <!--<security-domain name="jaspitest" cache-type="default">
                          <authentication-jaspi>
                              <login-module-stack name="dummy">
                                  <login-module code="Dummy" flag="optional"/>
                              </login-module-stack>
                              <auth-module code="Dummy"/>
                          </authentication-jaspi> 
                      </security-domain> -->
                  </security-domains>
              </subsystem>
             ...
      </server>
      

       

      and deployment descriptor has the below configuration

      <security-domain>java:/jaas/other</security-domain>
      

       

      With the above configuration JBoss server is returning 401 response without delegating the HTTP request to my web application. The similar configuration worked fine in previous versions of JBoss server.

       

      Here is the TRACE output from logs:

       

      2017-08-29 04:05:05,898 TRACE [org.jboss.security] (default task-1) PBOX00200: Begin isValid, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@4f0deb89, cache entry: null
      2017-08-29 04:05:05,898 TRACE [org.jboss.security] (default task-1) PBOX00209: defaultLogin, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@4f0deb89
      2017-08-29 04:05:05,900 TRACE [org.jboss.security] (default task-1) PBOX00221: Begin getAppConfigurationEntry(other), size: 5
      2017-08-29 04:05:05,901 TRACE [org.jboss.security] (default task-1) PBOX00224: End getAppConfigurationEntry(other), AuthInfo: AppConfigurationEntry[]:
      [0]
      LoginModule Class: org.jboss.as.security.remoting.RemotingLoginModule
      ControlFlag: LoginModuleControlFlag: optional
      Options:
      name=password-stacking, value=useFirstPass
      [1]
      LoginModule Class: org.jboss.as.security.RealmDirectLoginModule
      ControlFlag: LoginModuleControlFlag: required
      Options:
      name=password-stacking, value=useFirstPass
      
      
      2017-08-29 04:05:05,904 TRACE [org.jboss.security] (default task-1) PBOX00236: Begin initialize method
      2017-08-29 04:05:05,904 TRACE [org.jboss.security] (default task-1) PBOX00240: Begin login method
      2017-08-29 04:05:05,907 TRACE [org.jboss.security] (default task-1) PBOX00236: Begin initialize method
      2017-08-29 04:05:05,908 TRACE [org.jboss.security] (default task-1) PBOX00240: Begin login method
      2017-08-29 04:05:05,921 DEBUG [org.jboss.security] (default task-1) PBOX00283: Bad password for username newbuildsmokedeveloper
      2017-08-29 04:05:05,921 TRACE [org.jboss.security] (default task-1) PBOX00244: Begin abort method, overall result: false
      2017-08-29 04:05:05,921 TRACE [org.jboss.security] (default task-1) PBOX00244: Begin abort method, overall result: false
      2017-08-29 04:05:05,921 DEBUG [org.jboss.security] (default task-1) PBOX00206: Login failure: javax.security.auth.login.FailedLoginException: PBOX00070: Password invalid/Password required
      at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:286)
      at org.jboss.as.security.RealmDirectLoginModule.login(RealmDirectLoginModule.java:152)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:498)
      at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
      at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
      at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
      at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406)
      at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
      at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333)
      at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
      at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:123)
      at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:94)
      at io.undertow.security.impl.BasicAuthenticationMechanism.authenticate(BasicAuthenticationMechanism.java:161)
      at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
      at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
      at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
      at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
      at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
      at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
      at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
      at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
      at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
      at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
      at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
      at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
      at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)
      at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)
      at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
      at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)
      at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
      at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:792)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      at java.lang.Thread.run(Thread.java:745)
      
      
      2017-08-29 04:05:05,923 TRACE [org.jboss.security] (default task-1) PBOX00201: End isValid, result = false
      2017-08-29 04:05:05,947 INFO  [io.undertow.request.dump] (default task-1) 
      ----------------------------REQUEST---------------------------
                     URI=/web/BuildSmoke/Utility/AddToApplication
       characterEncoding=null
           contentLength=-1
             contentType=null
                  header=Postman-Token=dd5eee93-615a-6fce-63e7-87fa2fa25cf8
                  header=Accept=*/*
                  header=Accept-Language=en-US,en;q=0.8
                  header=Cache-Control=no-cache
                  header=Accept-Encoding=gzip, deflate
                  header=User-Agent=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                  header=Connection=keep-alive
                  header=Authorization=Basic bmV3YnVpbGRzbW9rZWRldmVsb3BlcjpwZWdh
                  header=Host=127.0.0.1:8080
                  locale=[en_US, en]
                  method=GET
               parameter=addToKit=false
               parameter=appName=Student14
               parameter=appVersion=01
               parameter=insertAtPosition=-1
                protocol=HTTP/1.1
             queryString=appName=Student14&appVersion=01.01.01&addToKit=false&insertAtPosition=-1
              remoteAddr=/127.0.0.1:62332
              remoteHost=127.0.0.1
                  scheme=http
                    host=127.0.0.1:8080
              serverPort=8080
      --------------------------RESPONSE--------------------------
           contentLength=71
             contentType=text/html;charset=UTF-8
                  header=Connection=keep-alive
                  header=WWW-Authenticate=Basic realm="MyServer"
                  header=X-Powered-By=Undertow/1
                  header=Server=JBoss-EAP/7
                  header=Content-Type=text/html;charset=UTF-8
                  header=Content-Length=71
                  header=Date=Tue, 29 Aug 2017 11:05:05 GMT
                  status=401
      ==============================================================
      2017-08-29 04:05:05,948 TRACE [org.jboss.security] (default task-1) PBOX00354: Setting security roles ThreadLocal: null
      

       

      Could you help in this regard. How to know which realm/domain is in effect? How can I proceed with debugging and troubleshooting? Do you aware of any configuration to achieve this?

       

      Thanks.