How to disable container authentication in JBoss EAP7
pega_integration Aug 29, 2017 7:32 AM

Hi All,

How do I delegate an HTTP request carrying an Authorization header to the hosted application in JBoss EAP7, skipping container authentication and authorization?

I have the below configuration in standalone-full.xml:
<server xmlns="urn:jboss:domain:4.1">
    <extensions>
        <extension module="org.jboss.as.clustering.infinispan"/>
        <extension module="org.jboss.as.connector"/>
        <extension module="org.jboss.as.deployment-scanner"/>
        <extension module="org.jboss.as.ee"/>
        <extension module="org.jboss.as.ejb3"/>
        <extension module="org.jboss.as.jaxrs"/>
        <extension module="org.jboss.as.jdr"/>
        <extension module="org.jboss.as.jmx"/>
        <extension module="org.jboss.as.jpa"/>
        <extension module="org.jboss.as.jsf"/>
        <extension module="org.jboss.as.jsr77"/>
        <extension module="org.jboss.as.logging"/>
        <extension module="org.jboss.as.mail"/>
        <extension module="org.jboss.as.naming"/>
        <extension module="org.jboss.as.pojo"/>
        <extension module="org.jboss.as.remoting"/>
        <extension module="org.jboss.as.sar"/>
        <extension module="org.jboss.as.security"/>
        <extension module="org.jboss.as.transactions"/>
        <extension module="org.jboss.as.webservices"/>
        <extension module="org.jboss.as.weld"/>
        <extension module="org.wildfly.extension.batch.jberet"/>
        <extension module="org.wildfly.extension.bean-validation"/>
        <extension module="org.wildfly.extension.io"/>
        <extension module="org.wildfly.extension.messaging-activemq"/>
        <extension module="org.wildfly.extension.request-controller"/>
        <extension module="org.wildfly.extension.security.manager"/>
        <extension module="org.wildfly.extension.undertow"/>
        <extension module="org.wildfly.iiop-openjdk"/>
    </extensions>
    <management>
        <security-realms>
            <security-realm name="ManagementRealm">
                <authentication>
                    <local default-user="$local" skip-group-loading="true"/>
                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
                <authorization map-groups-to-roles="false">
                    <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
                </authorization>
            </security-realm>
            <security-realm name="ApplicationRealm">
                <authentication>
                    <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
                    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
                <authorization>
                    <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
                </authorization>
            </security-realm>
        </security-realms>
        ...
    </management>
    <profile>
        ...
        <subsystem xmlns="urn:jboss:domain:remoting:3.0">
            <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
        </subsystem>
        ...
        <subsystem xmlns="urn:jboss:domain:security:1.2">
            <security-domains>
                <security-domain name="other" cache-type="default">
                    <authentication>
                        <login-module code="Remoting" flag="optional">
                            <module-option name="password-stacking" value="useFirstPass"/>
                        </login-module>
                        <login-module code="RealmDirect" flag="required">
                            <module-option name="password-stacking" value="useFirstPass"/>
                        </login-module>
                    </authentication>
                    <authorization>
                        <policy-module code="Delegating" flag="required"/>
                    </authorization>
                </security-domain>
                <security-domain name="jboss-web-policy" cache-type="default">
                    <authorization>
                        <policy-module code="Delegating" flag="required"/>
                    </authorization>
                </security-domain>
                <security-domain name="jboss-ejb-policy" cache-type="default">
                    <authorization>
                        <policy-module code="Delegating" flag="required"/>
                    </authorization>
                </security-domain>
                <!--<security-domain name="jaspitest" cache-type="default">
                    <authentication-jaspi>
                        <login-module-stack name="dummy">
                            <login-module code="Dummy" flag="optional"/>
                        </login-module-stack>
                        <auth-module code="Dummy"/>
                    </authentication-jaspi>
                </security-domain> -->
            </security-domains>
        </subsystem>
        ...
</server>
and the deployment descriptor has the below configuration:
<security-domain>java:/jaas/other</security-domain>
With the above configuration, the JBoss server is returning a 401 response without delegating the HTTP request to my web application. A similar configuration worked fine in previous versions of the JBoss server.

Here is the TRACE output from the logs:
2017-08-29 04:05:05,898 TRACE [org.jboss.security] (default task-1) PBOX00200: Begin isValid, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@4f0deb89, cache entry: null
2017-08-29 04:05:05,898 TRACE [org.jboss.security] (default task-1) PBOX00209: defaultLogin, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@4f0deb89
2017-08-29 04:05:05,900 TRACE [org.jboss.security] (default task-1) PBOX00221: Begin getAppConfigurationEntry(other), size: 5
2017-08-29 04:05:05,901 TRACE [org.jboss.security] (default task-1) PBOX00224: End getAppConfigurationEntry(other), AuthInfo: AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.as.security.remoting.RemotingLoginModule
ControlFlag: LoginModuleControlFlag: optional
Options:
name=password-stacking, value=useFirstPass
[1]
LoginModule Class: org.jboss.as.security.RealmDirectLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=password-stacking, value=useFirstPass
2017-08-29 04:05:05,904 TRACE [org.jboss.security] (default task-1) PBOX00236: Begin initialize method
2017-08-29 04:05:05,904 TRACE [org.jboss.security] (default task-1) PBOX00240: Begin login method
2017-08-29 04:05:05,907 TRACE [org.jboss.security] (default task-1) PBOX00236: Begin initialize method
2017-08-29 04:05:05,908 TRACE [org.jboss.security] (default task-1) PBOX00240: Begin login method
2017-08-29 04:05:05,921 DEBUG [org.jboss.security] (default task-1) PBOX00283: Bad password for username newbuildsmokedeveloper
2017-08-29 04:05:05,921 TRACE [org.jboss.security] (default task-1) PBOX00244: Begin abort method, overall result: false
2017-08-29 04:05:05,921 TRACE [org.jboss.security] (default task-1) PBOX00244: Begin abort method, overall result: false
2017-08-29 04:05:05,921 DEBUG [org.jboss.security] (default task-1) PBOX00206: Login failure: javax.security.auth.login.FailedLoginException: PBOX00070: Password invalid/Password required
    at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:286)
    at org.jboss.as.security.RealmDirectLoginModule.login(RealmDirectLoginModule.java:152)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406)
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333)
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
    at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:123)
    at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:94)
    at io.undertow.security.impl.BasicAuthenticationMechanism.authenticate(BasicAuthenticationMechanism.java:161)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
    at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
    at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
    at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:792)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
2017-08-29 04:05:05,923 TRACE [org.jboss.security] (default task-1) PBOX00201: End isValid, result = false
2017-08-29 04:05:05,947 INFO [io.undertow.request.dump] (default task-1)
----------------------------REQUEST---------------------------
URI=/web/BuildSmoke/Utility/AddToApplication
characterEncoding=null
contentLength=-1
contentType=null
header=Postman-Token=dd5eee93-615a-6fce-63e7-87fa2fa25cf8
header=Accept=*/*
header=Accept-Language=en-US,en;q=0.8
header=Cache-Control=no-cache
header=Accept-Encoding=gzip, deflate
header=User-Agent=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
header=Connection=keep-alive
header=Authorization=Basic bmV3YnVpbGRzbW9rZWRldmVsb3BlcjpwZWdh
header=Host=127.0.0.1:8080
locale=[en_US, en]
method=GET
parameter=addToKit=false
parameter=appName=Student14
parameter=appVersion=01
parameter=insertAtPosition=-1
protocol=HTTP/1.1
queryString=appName=Student14&appVersion=01.01.01&addToKit=false&insertAtPosition=-1
remoteAddr=/127.0.0.1:62332
remoteHost=127.0.0.1
scheme=http
host=127.0.0.1:8080
serverPort=8080
--------------------------RESPONSE--------------------------
contentLength=71
contentType=text/html;charset=UTF-8
header=Connection=keep-alive
header=WWW-Authenticate=Basic realm="MyServer"
header=X-Powered-By=Undertow/1
header=Server=JBoss-EAP/7
header=Content-Type=text/html;charset=UTF-8
header=Content-Length=71
header=Date=Tue, 29 Aug 2017 11:05:05 GMT
status=401
==============================================================
2017-08-29 04:05:05,948 TRACE [org.jboss.security] (default task-1) PBOX00354: Setting security roles ThreadLocal: null
Could you help in this regard? How do I find out which realm/domain is in effect? How can I proceed with debugging and troubleshooting? Are you aware of any configuration to achieve this?
Thanks.
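The TRACE above already contains the answer to "which domain is in effect": the getAppConfigurationEntry(other) lines show the `other` domain's two login modules being loaded, and the stack is then evaluated with standard JAAS control-flag rules. The following is an added example (not code from the poster or from JBoss) that parses a trimmed copy of the posted `other` domain with Python's ElementTree and replays those rules over the per-module outcomes visible in the log, to show why a `required` RealmDirect module that rejects the Basic credentials forces the 401 regardless of what the `optional` Remoting module does. It assumes the Remoting module has nothing to check for a plain HTTP request and is therefore ignored (returns false from login()); the RealmDirect failure is the PBOX00283 "Bad password" line.

```python
"""Replay JAAS login-module stack evaluation for a JBoss EAP 7 security domain.

Added example, not from the original post or from JBoss. Parses a trimmed copy of
the poster's <security-domain name="other"> and applies the JAAS LoginContext
control-flag rules to explain the 401 in the trace.
"""
import xml.etree.ElementTree as ET

# Trimmed copy of the poster's security subsystem, constructed for this example:
# only the "other" domain's authentication stack is kept.
SECURITY_SUBSYSTEM_XML = """\
<subsystem xmlns="urn:jboss:domain:security:1.2">
  <security-domains>
    <security-domain name="other" cache-type="default">
      <authentication>
        <login-module code="Remoting" flag="optional">
          <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="RealmDirect" flag="required">
          <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>
"""
NS = {"sec": "urn:jboss:domain:security:1.2"}

# Outcome of each module's login() for the request in the question.
# "ignored": login() returned false (assumed here for Remoting on a plain HTTP
# request, which carries no remoting connection); "failure": login() threw,
# which is the PBOX00283 "Bad password" from RealmDirect in the trace.
OBSERVED_OUTCOMES = {"Remoting": "ignored", "RealmDirect": "failure"}


def login_module_stack(subsystem_xml, domain_name):
    """Return the ordered [(code, flag), ...] stack of the named security domain."""
    root = ET.fromstring(subsystem_xml)
    for domain in root.iterfind(".//sec:security-domain", NS):
        if domain.get("name") == domain_name:
            return [(lm.get("code"), lm.get("flag", "").lower())
                    for lm in domain.iterfind("sec:authentication/sec:login-module", NS)]
    raise KeyError(f"no security-domain named {domain_name!r}")


def evaluate_stack(stack, outcomes):
    """Apply JAAS LoginContext semantics; outcomes maps code -> success|ignored|failure.

    Returns (authenticated, decisions) where decisions is a readable list of steps.
    """
    decisions = []
    any_succeeded = False    # at least one module returned true from login()
    any_failed = False       # at least one module threw
    required_failed = False  # a required or requisite module threw
    for code, flag in stack:
        if flag not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError(f"unknown control flag {flag!r} on {code}")
        outcome = outcomes[code]
        decisions.append(f"{code} [{flag}]: {outcome}")
        if outcome == "success":
            any_succeeded = True
            # A sufficient module short-circuits only if nothing before it failed.
            if flag == "sufficient" and not any_failed:
                decisions.append("sufficient module succeeded: stop, authenticated")
                return True, decisions
        elif outcome == "failure":
            any_failed = True
            if flag == "requisite":
                decisions.append("requisite module failed: stop, not authenticated")
                return False, decisions
            if flag == "required":
                required_failed = True
        # "ignored" contributes nothing either way; evaluation continues.
    authenticated = any_succeeded and not required_failed
    decisions.append(f"end of stack: authenticated={authenticated}")
    return authenticated, decisions


def http_status(authenticated):
    """Undertow's BASIC mechanism answers 401 with WWW-Authenticate when the
    identity manager rejects the credentials, as the request dump shows."""
    return 200 if authenticated else 401


def diagnose(subsystem_xml=SECURITY_SUBSYSTEM_XML, domain="other",
             outcomes=OBSERVED_OUTCOMES):
    """Status the container would send for this domain and these module outcomes."""
    stack = login_module_stack(subsystem_xml, domain)
    authenticated, decisions = evaluate_stack(stack, outcomes)
    return http_status(authenticated), decisions


if __name__ == "__main__":
    status, decisions = diagnose()
    print("\n".join(decisions))
    print("HTTP status:", status)
    # Counter-case: same stack, credentials accepted by RealmDirect.
    print("HTTP status with valid credentials:",
          diagnose(outcomes={"Remoting": "ignored", "RealmDirect": "success"})[0])
```

The point the replay makes for troubleshooting: as long as a `required` module sits in the stack that the deployment's `<security-domain>` names, every protected request is checked against that module's store (here ApplicationRealm's application-users.properties), and an `optional` module before it cannot change the verdict. The PBOX00221/PBOX00224 pair in a TRACE log is the quickest way to see which domain and which modules are actually being consulted.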