17 Replies. Latest reply on Feb 20, 2019 4:57 AM by sergiu_pienar

    WildFly 11 programmatic login with Elytron

    tstiemerling

      We are currently using PicketLink to perform a programmatic login from a login screen (not using web.xml) in WildFly 10. We are looking into how to do the same in WildFly 11 using Elytron, but it is not clear to me how this can be accomplished. Anyone have any ideas?

        • 1. Re: WildFly 11 programmatic login with Elytron
          mchoma

          In general, picketlink is deprecated in WildFly 11 and picketlink features are provided by KeyCloak now.

          If you can elaborate on your usecase we can see if it is possible with pure Elytron.

          In WildFly 11 you can still use the legacy (picketlink) approach - this should work as is - without Elytron.

          And you can always wrap legacy security domain with Elytron security domain.

          • 2. Re: WildFly 11 programmatic login with Elytron
            tstiemerling

            Right, which is why we are looking into using Elytron (using KeyCloak is not in our future at the moment).

            Our application is using a front end UI based on Vaadin, which basically has a login callback (does not use standard web.xml login mechanism directly).

            We have implemented that login callback using PicketLink classes including Identity, PartitionManager, DefaultLoginCallback, etc. using the DB partition.

            We would like to replace that code with some Elytron code, but the only example code for Elytron that does anything remotely similar is using JAAS, which is what we were using before PicketLink and don't really want to go back to.

            • 3. Re: WildFly 11 programmatic login with Elytron
              mchoma

              Ok. Now the main question is where are your users stored? Is it a DB? If so, you can use Elytron's jdbc-realm.

              So do I understand correctly that you want to implement a server-side action which gets username/password as parameters and wants to verify (using Elytron) that the user is stored in the DB?

              If so, you could use request.login() in a Servlet, which will authenticate against the configured Elytron security-domain. The Elytron security-domain can be configured in jboss-web.xml and in the undertow subsystem using application-security-domain [1].

              [1] wildfly/WebSecurityProgrammaticLoginTestCase.java at 7ab0dd8f5e3a0fb903a7295617c03933d4c97208 · wildfly/wildfly · GitHub

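The request.login() approach mchoma points to, as an added example that is not from this thread or from the WildFly test case linked above. It is a plain Servlet 3.1 login endpoint: the container (Undertow) forwards the credential to whatever Elytron security-domain the deployment's application-security-domain is mapped to, so the servlet never touches the jdbc-realm itself. The package name, the "/login" path and the "admin" role are placeholder assumptions; the deployment is assumed to be mapped to an Elytron application-security-domain in the undertow subsystem (and in ejb3 if it contains EJBs), as the thread ends up doing.

```java
// Added example, not code from the thread. Placeholder package name.
package example.auth;

import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Programmatic login against the Elytron security-domain mapped to this deployment. */
@WebServlet("/login")   // assumed path
public class ProgrammaticLoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        if (username == null || username.isEmpty() || password == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try {
            // request.login() throws if a principal is already established on this request,
            // so drop any existing identity first instead of failing the new attempt.
            if (req.getUserPrincipal() != null) {
                req.logout();
            }
            // Rotate the session id before authentication so a session id handed out to an
            // unauthenticated client is not carried over into the authenticated session.
            if (req.getSession(false) != null) {
                req.changeSessionId();   // Servlet 3.1+
            }
            // Container-managed check: with an Elytron application-security-domain this
            // verifies the credential against the domain's realms (for example a jdbc-realm).
            req.login(username, password);
        } catch (ServletException e) {
            // Failure detail stays in the server log; the client gets a generic response,
            // and the password is never written anywhere.
            log("programmatic login failed for user '" + username + "'");
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            resp.setContentType("text/plain");
            resp.getWriter().print("login failed");
            return;
        }
        Principal principal = req.getUserPrincipal();
        // Roles come from the role-decoder configured on the realm (groups-to-roles).
        boolean admin = req.isUserInRole("admin");   // assumed role name
        resp.setContentType("text/plain");
        resp.getWriter().print("logged in as " + principal.getName() + (admin ? " (admin)" : ""));
    }

    /** Logout: clear the container identity and invalidate the session. */
    @Override
    protected void doDelete(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        try {
            req.logout();
        } catch (ServletException e) {
            throw new IOException(e);
        }
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

The only Elytron-specific part is the server configuration: the same servlet authenticates against the legacy JAAS security domain or an Elytron one depending on whether the deployment's security-domain name is mapped through undertow's application-security-domain, which is exactly the mismatch that produces the "jboss.security.security-domain.exampleApplicationDomain" missing-service error later in this thread.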
              • 4. Re: WildFly 11 programmatic login with Elytron
                tstiemerling

                Yes, exactly that. The users will be stored in the DB realm (eventually also we will support LDAP/AD and maybe Kerberos).

                We need to be able to call explicit login that checks user credentials against DB. No other support for HTTP/web.xml/EJB currently needed.

                • 5. Re: WildFly 11 programmatic login with Elytron
                  mchoma

                  Elytron supports LDAP/AD by ldap-realm [0].

                  Also Kerberos is supported [1]. In Kerberos case you have to use auth-method SPNEGO in web.xml.

                  Adding also documentation for jdbc-realm [2] for reference.

                   

                  Go! Elytronize it!

                   

                  [0] https://docs.jboss.org/author/display/WFLY/WildFly+Elytron+Security#WildFlyElytronSecurity-ConfigureAuthenticationwithanLDAPBasedIdentityStore

                  [1] Configuration of Kerberos with Elytron in WildFly · Honza

                  [2] https://docs.jboss.org/author/display/WFLY/WildFly+Elytron+Security#WildFlyElytronSecurity-ConfigureAuthenticationwithaDatabaseIdentityStore

                  • 6. Re: WildFly 11 programmatic login with Elytron
                    tstiemerling

                    Hi, I am trying the example from but I am getting the following errors when I deploy my application:

                    09:57:53,883 ERROR (Controller Boot Thread) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "app-1.0-SNAPSHOT.war")]) - failure description: {
                        "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.exampleApplicationDomain"],
                        "WFLYCTL0180: Services with missing/unavailable dependencies" => [
                            "jboss.deployment.unit.\"app-1.0-SNAPSHOT.war\".component.CaManager.CREATE is missing ",
                            "jboss.deployment.unit.\"app-1.0-SNAPSHOT.war\".component.ConfigurationService.CREATE is missing ",
                            "jboss.deployment.unit.\"app-1.0-SNAPSHOT.war\".component.ComponentClient.CREATE is missing ",
                            "jboss.deployment.unit.\"app-1.0-SNAPSHOT.war\".component.CaService.CREATE is missing "
                        ]
                    }

                    Not really sure what this is telling me. Do all the EJBs need to be annotated with the domain by default?

                    • 7. Re: WildFly 11 programmatic login with Elytron
                      mchoma

                      Seems EJBs are referencing the legacy security domain jboss.security.security-domain.exampleApplicationDomain

                      To leverage an Elytron security domain you should use a similar command:

                      /subsystem=ejb3/application-security-domain=other:add(security-domain=ApplicationDomain)

                      Yes, you have to tell somehow how your EJBs will be secured. Either by annotation or by jboss-ejb3.xml.

                      See Getting started with EJBs and Elytron Part 1: Securing EJBs and invoking them from remote clients for details.

                      [1] [WFLY-9126] Deployment fails when application domain names referrencing one Elytron domain are different in Undertow and…

                      • 8. Re: WildFly 11 programmatic login with Elytron
                        tstiemerling

                        Yes, based on the wiki I had overridden the legacy security domain which was incorrect. I have reverted this and here is my current configuration:

                        Here is the configuration from standalone.xml:

                        Realm:

                        <jdbc-realm name="jdbc-realm">
                            <principal-query sql="SELECT role, password FROM LoginUser WHERE username = ?" data-source="UiDS">
                                <attribute-mapping>
                                    <attribute to="Roles" index="1"/>
                                </attribute-mapping>
                                <clear-password-mapper password-index="2"/>
                            </principal-query>
                        </jdbc-realm>

                        Domain:

                        <security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper">
                             <realm name="jdbc-realm" role-decoder="groups-to-roles"/>
                             <realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
                             <realm name="local"/>
                        </security-domain>

                        Undertow:

                        <application-security-domains>
                            <application-security-domain name="exampleApplicationDomain" http-authentication-factory="application-http-authentication" override-deployment-config="true"/>
                        </application-security-domains>

                        Now when I try a login it does not even seem to go to the DB realm though:

                        15:54:33,443 DEBUG [org.jboss.security] (default task-25) PBOX00283: Bad password for username admin
                        15:54:33,443 DEBUG [org.jboss.security] (default task-25) PBOX00206: Login failure: javax.security.auth.login.FailedLoginException: PBOX00070: Password invalid/Password required
                        at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:286)
                        at org.jboss.as.security.RealmDirectLoginModule.login(RealmDirectLoginModule.java:157)
                        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
                        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                        at java.lang.reflect.Method.invoke(Method.java:498)
                        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
                        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
                        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
                        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
                        at java.security.AccessController.doPrivileged(Native Method)
                        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
                        at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
                        at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406)
                        at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
                        at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:323)
                        at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
                        at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:123)
                        at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:94)
                        at io.undertow.security.impl.SecurityContextImpl.login(SecurityContextImpl.java:198)
                        at io.undertow.servlet.spec.HttpServletRequestImpl.login(HttpServletRequestImpl.java:442)
                        at javax.servlet.http.HttpServletRequestWrapper.login(HttpServletRequestWrapper.java:350)
                        at com.vaadin.cdi.access.JaasAccessControl.login(JaasAccessControl.java:73)

                        I should add that if I try and login with a user that I have added using add-user.sh it works fine.

                        • 9. Re: WildFly 11 programmatic login with Elytron
                          tstiemerling

                          Still missing something. Starting with a fresh standalone.xml, I follow the instructions here:

                          WildFly Elytron Security - Latest WildFly Documentation - Project Documentation Editor

                          standalone.xml:

                          /subsystem=elytron/jdbc-realm=exampleDbRealm:add(principal-query=[{sql="SELECT password,role FROM LoginUser WHERE username=?",data-source=UiDS,clear-password-mapper={password-index=1},attribute-mapping=[{index=2,to=Roles}]}])
                          /subsystem=elytron/security-domain=exampleDbSD:add(realms=[{realm=exampleDbRealm,role-decoder=groups-to-roles}],default-realm=exampleDbRealm,permission-mapper=default-permission-mapper)
                          /subsystem=elytron/http-authentication-factory=example-db-http-auth:add(http-server-mechanism-factory=global,security-domain=exampleDbSD,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=exampleDbSD}]}])
                          /subsystem=undertow/application-security-domain=exampleApplicationDomain:add(http-authentication-factory=example-db-http-auth)

                          jboss-web.xml:

                          <?xml version="1.0" encoding="UTF-8"?>
                          <jboss-web>
                             <context-root>/ui</context-root>
                             <security-domain>exampleApplicationDomain</security-domain>
                          </jboss-web>

                          web.xml:

                          <?xml version="1.0" encoding="UTF-8"?>
                          <web-app>
                              <login-config>
                                  <auth-method>BASIC</auth-method>
                                  <realm-name>exampleApplicationDomain</realm-name>
                              </login-config>
                          </web-app>

                          And now I am back to this error again:

                          11:14:44,394 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "ui-1.0-SNAPSHOT.war")]) - failure description: {
                              "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.exampleApplicationDomain"],
                              "WFLYCTL0180: Services with missing/unavailable dependencies" => [
                          ...

                          • 10. Re: WildFly 11 programmatic login with Elytron
                            mchoma

                            And what happens when you try

                             

                            /subsystem=ejb3/application-security-domain=exampleApplicationDomain:add(security-domain=exampleDbSD)
                            • 11. Re: WildFly 11 programmatic login with Elytron
                              tstiemerling

                              Finally success! After adding that the security domain exception goes away and I can login with a DB user. Thanks for this - maybe the wiki should be updated with this?

                               

                              Another follow-up question. The Picketlink APIs allow you to add the user and credentials to the DB when creating a new user. Is there something similar in Elytron or do I manually have to create the password hash based on the selected algorithm?

                              • 12. Re: WildFly 11 programmatic login with Elytron
                                mchoma

                                Good to hear that.

                                 

                                Do you have any suggestion in which way the documentation can be improved? This documentation wants to show realms; it can't describe every place where they can be used. EJB details are described in [1].

                                 

                                For follow up question, please, create new thread.

                                 

                                [1] Getting started with EJBs and Elytron Part 1: Securing EJBs and invoking them from remote clients

                                • 13. Re: WildFly 11 programmatic login with Elytron
                                  tstiemerling

                                  Thanks. My only comment would be that pretty much everywhere in the wiki it mentions adding the security domain to jboss-web.xml, but if you do that you seem to have to add the application-domain to ejb3 module as well, or you will get the exception I was seeing.

                                   

                                  I will start a new thread for the other question.

                                   

                                  Cheers!

                                  • 14. Re: WildFly 11 programmatic login with Elytron
                                    mchoma

                                    Yes because it demonstrates each realm on simplest use case - undertow subsystem.

                                     

                                    Probably this should be described in the EJB section [1], something like "How to integrate with Elytron", effectively the same as [2].

                                     

                                    [1] Securing EJBs - Latest WildFly Documentation - Project Documentation Editor

                                    [2] Getting started with EJBs and Elytron Part 1: Securing EJBs and invoking them from remote clients
