-
1. Re: WildFly 11 programmatic login with Elytron
mchoma Jan 18, 2018 2:58 PM (in response to tstiemerling)
In general, PicketLink is deprecated in WildFly 11 and PicketLink features are provided by Keycloak now.
If you can elaborate on your use case we can see if it is possible with pure Elytron.
In WildFly 11 you can still use the legacy (PicketLink) approach - this should work as is - without Elytron.
And you can always wrap a legacy security domain with an Elytron security domain.
-
2. Re: WildFly 11 programmatic login with Elytron
tstiemerling Jan 18, 2018 3:19 PM (in response to mchoma)
Right, which is why we are looking into using Elytron (using Keycloak is not in our future at the moment).
Our application is using a front end UI based on Vaadin, which basically has a login callback (does not use the standard web.xml login mechanism directly).
We have implemented that login callback using PicketLink classes including Identity, PartitionManager, DefaultLoginCallback, etc. using the DB partition.
We would like to replace that code with some Elytron code, but the only example code for Elytron that does anything remotely similar is using JAAS, which is what we were using before PicketLink and don't really want to go back to.
-
3. Re: WildFly 11 programmatic login with Elytron
mchoma Jan 19, 2018 3:15 AM (in response to tstiemerling)
Ok. Now the main question is: where are your users stored? Is it a DB? If so you can use Elytron's jdbc-realm.
So do I understand correctly that you want to implement a server side action, which gets username/password as a parameter and wants to verify (using Elytron) that the user is stored in the DB?
If so you could use request.login() in a Servlet, which will authenticate against the configured Elytron security-domain. The Elytron security-domain can be configured in jboss-web.xml and the undertow subsystem using application-security-domain [1].
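The request.login() approach described above, as an added example that is not code from this thread or from WildFly: a hypothetical servlet that validates a username/password against the Elytron security domain mapped to the deployment, assuming the jboss-web.xml security-domain, the undertow application-security-domain and a BASIC/FORM login-config as discussed later in the thread.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: programmatic login that delegates to the Elytron
// security domain mapped to this deployment (jboss-web.xml <security-domain>
// plus the undertow application-security-domain). A Vaadin login callback
// can call authenticate() the same way with its own HttpServletRequest.
@WebServlet("/login")
public class ProgrammaticLoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || user.isEmpty() || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        if (authenticate(req, user, pass)) {
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
        } else {
            // Same response for unknown user and wrong password: no account enumeration
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }

    /** Verifies the credentials against the deployment's security domain. */
    static boolean authenticate(HttpServletRequest req, String user, String pass) {
        try {
            // Servlet 3.x API; with Elytron wired in, the credentials are checked
            // against the realm(s) of the configured security-domain (e.g. a jdbc-realm).
            req.login(user, pass);
        } catch (ServletException e) {
            // Bad credentials, or no login mechanism configured for the deployment
            return false;
        }
        // Servlet 3.1: rotate the session id after authentication to defeat session fixation
        if (req.getSession(false) != null) {
            req.changeSessionId();
        }
        return req.getUserPrincipal() != null;
    }
}
```

If a failed login's stack trace shows org.jboss.security and JAASIdentityManagerImpl frames (as in the trace posted later in this thread), the deployment is still bound to the legacy JAAS security domain rather than to Elytron.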
-
4. Re: WildFly 11 programmatic login with Elytron
tstiemerling Jan 19, 2018 1:39 PM (in response to mchoma)
Yes, exactly that. The users will be stored in the DB realm (eventually we will also support LDAP/AD and maybe Kerberos).
We need to be able to call an explicit login that checks user credentials against the DB. No other support for HTTP/web.xml/EJB is currently needed.
-
5. Re: WildFly 11 programmatic login with Elytron
mchoma Jan 22, 2018 12:39 AM (in response to tstiemerling)
Elytron supports LDAP/AD by ldap-realm [0].
Kerberos is also supported [1]. In the Kerberos case you have to use auth-method SPNEGO in web.xml.
Also adding documentation for jdbc-realm [2] for reference.
Go! Elytronize it!
[1] Configuration of Kerberos with Elytron in WildFly · Honza
-
6. Re: WildFly 11 programmatic login with Elytron
tstiemerling Jan 22, 2018 10:01 AM (in response to mchoma)
Hi, I am trying the example from but I am getting the following errors when I deploy my application:
(Controller Boot Thread) WFLYCTL0013: Operation ("deploy") failed -
address: ([("deployment" => "app-1.0-SNAPSHOT.war")]) - failure
description: {
"WFLYCTL0412: Required services that are not installed:" =>
["jboss.security.security-domain.exampleApplicationDomain"],
"WFLYCTL0180: Services with missing/unavailable dependencies" => [
"jboss.deployment.unit.\"app-1.0-SNAPSHOT.war\".component.CaManager.CREATE
"jboss.deployment.unit.\"app-1.0-SNAPSHOT.war\".component.ConfigurationService.CREATE
"jboss.deployment.unit.\"app-1.0-SNAPSHOT.war\".component.ComponentClient.CREATE
"jboss.deployment.unit.\"app-1.0-SNAPSHOT.war\".component.CaService.CREATE
]
}
Not really sure what this is telling me. Do all the EJBs need to be annotated with the domain by default?
-
7. Re: WildFly 11 programmatic login with Elytron
mchoma Jan 22, 2018 4:06 PM (in response to tstiemerling)
It seems the EJBs are referencing the legacy security domain jboss.security.security-domain.exampleApplicationDomain
To leverage the Elytron security domain you should use a similar command:
/subsystem=ejb3/application-security-domain=other:add(security-domain=ApplicationDomain)
Yes, you have to tell it somehow how your EJBs will be secured. Either by annotation or by jboss-ejb3.xml.
See Getting started with EJBs and Elytron Part 1: Securing EJBs and invoking them from remote clients for details.
-
8. Re: WildFly 11 programmatic login with Elytron
tstiemerling Jan 22, 2018 4:21 PM (in response to mchoma)
Yes, based on the wiki I had overridden the legacy security domain, which was incorrect. I have reverted this and here is my current configuration:
Here is the configuration from standalone.xml:
Realm:
<jdbc-realm name="jdbc-realm">
<principal-query sql="SELECT role, password FROM LoginUser WHERE username = ?" data-source="UiDS">
<attribute-mapping>
<attribute to="Roles" index="1"/>
</attribute-mapping>
<clear-password-mapper password-index="2"/>
</principal-query>
</jdbc-realm>
Domain:
<security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper">
<realm name="jdbc-realm" role-decoder="groups-to-roles"/>
<realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
<realm name="local"/>
</security-domain>
Undertow:
<application-security-domains>
<application-security-domain name="exampleApplicationDomain" http-authentication-factory="application-http-authentication" override-deployment-config="true"/>
</application-security-domains>
Now when I try a login it does not even seem to go to the DB realm though:
15:54:33,443 DEBUG [org.jboss.security] (default task-25) PBOX00283: Bad password for username admin
15:54:33,443 DEBUG [org.jboss.security] (default task-25) PBOX00206: Login failure: javax.security.auth.login.FailedLoginException: PBOX00070: Password invalid/Password required
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:286)
at org.jboss.as.security.RealmDirectLoginModule.login(RealmDirectLoginModule.java:157)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406)
at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:323)
at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:123)
at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:94)
at io.undertow.security.impl.SecurityContextImpl.login(SecurityContextImpl.java:198)
at io.undertow.servlet.spec.HttpServletRequestImpl.login(HttpServletRequestImpl.java:442)
at javax.servlet.http.HttpServletRequestWrapper.login(HttpServletRequestWrapper.java:350)
at com.vaadin.cdi.access.JaasAccessControl.login(JaasAccessControl.java:73)
I should add that if I try and login with a user that I have added using add-user.sh it works fine.
-
9. Re: WildFly 11 programmatic login with Elytron
tstiemerling Jan 23, 2018 11:33 AM (in response to mchoma)
Still missing something. Starting with a fresh standalone.xml, I follow the instructions here:
WildFly Elytron Security - Latest WildFly Documentation - Project Documentation Editor
standalone.xml:
/subsystem=elytron/jdbc-realm=exampleDbRealm:add(principal-query=[{sql="SELECT password,role FROM LoginUser WHERE username=?",data-source=UiDS,clear-password-mapper={password-index=1},attribute-mapping=[{index=2,to=Roles}]}])
/subsystem=elytron/security-domain=exampleDbSD:add(realms=[{realm=exampleDbRealm,role-decoder=groups-to-roles}],default-realm=exampleDbRealm,permission-mapper=default-permission-mapper)
/subsystem=elytron/http-authentication-factory=example-db-http-auth:add(http-server-mechanism-factory=global,security-domain=exampleDbSD,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=exampleDbSD}]}])
/subsystem=undertow/application-security-domain=exampleApplicationDomain:add(http-authentication-factory=example-db-http-auth)
jboss-web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<context-root>/ui</context-root>
<security-domain>exampleApplicationDomain</security-domain>
</jboss-web>
web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>exampleApplicationDomain</realm-name>
</login-config>
</web-app>
And now I am back to this error again:
11:14:44,394 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "ui-1.0-SNAPSHOT.war")]) - failure description: {
"WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.exampleApplicationDomain"],
"WFLYCTL0180: Services with missing/unavailable dependencies" => [
...
-
10. Re: WildFly 11 programmatic login with Elytron
mchoma Jan 23, 2018 11:42 AM (in response to tstiemerling)
And what happens when you try
/subsystem=ejb3/application-security-domain=exampleApplicationDomain:add(security-domain=exampleDbSD)
-
11. Re: WildFly 11 programmatic login with Elytron
tstiemerling Jan 23, 2018 11:54 AM (in response to mchoma)
Finally success! After adding that, the security domain exception goes away and I can log in with a DB user. Thanks for this - maybe the wiki should be updated with this?
Another follow-up question. The Picketlink APIs allow you to add the user and credentials to the DB when creating a new user. Is there something similar in Elytron or do I manually have to create the password hash based on the selected algorithm?
-
12. Re: WildFly 11 programmatic login with Elytron
mchoma Jan 23, 2018 12:11 PM (in response to tstiemerling)
Good to hear that.
Do you have any suggestion in which way the documentation can be improved? This documentation wants to show realms - it can't describe every place where they can be used. EJB details are described in [1]
For the follow-up question, please create a new thread.
[1] Getting started with EJBs and Elytron Part 1: Securing EJBs and invoking them from remote clients
-
13. Re: WildFly 11 programmatic login with Elytron
tstiemerling Jan 23, 2018 12:20 PM (in response to mchoma)
Thanks. My only comment would be that pretty much everywhere in the wiki it mentions adding the security domain to jboss-web.xml, but if you do that you seem to have to add the application-security-domain to the ejb3 subsystem as well, or you will get the exception I was seeing.
I will start a new thread for the other question.
Cheers!
-
14. Re: WildFly 11 programmatic login with Elytron
mchoma Jan 23, 2018 12:36 PM (in response to tstiemerling)
Yes, because it demonstrates each realm on the simplest use case - the undertow subsystem.
Probably this should be described in the EJB section [1], something like "How to integrate with Elytron", effectively the same as [2].
[1] Securing EJBs - Latest WildFly Documentation - Project Documentation Editor
[2] Getting started with EJBs and Elytron Part 1: Securing EJBs and invoking them from remote clients