2 Replies Latest reply on Mar 14, 2018 5:39 PM by be.boerngen-schmidt

    Wildfly 10.1 SPNEGO and Groups from LDAP

    be.boerngen-schmidt

      Hello everyone,

       

      first of all, I'd love to use Wildfly 11, but I can not since the application is not yet ported. But it should be possible to build the same in Wildfly 10.1.

So what I want to achieve is the following:

      • User opens Browser and hits the applications URL
• Application sends 401 ... user authentication using Windows Integrated Authentication (SPNEGO)
      • After the user is Authenticated fetch his Roles from LDAP
      • Map a specific role to another Role so that it matches the web.xml <role-name>-tag

      I hope you guys can understand what I'm trying to do and I hope I'm on the right track.

       

What I managed to achieve already:

• Integrated Windows Authentication (IWA) is working
      • Roles are fetched from LDAP
        • but only via LDAP Simple Bind
        • Can not use Kerberos (would be nicer since I already have an authenticated user from IWA)
• I have no clue how to map RoleA to RoleB


      And web.xml

      <?xml version="1.0" encoding="UTF-8"?>
      <web-app xmlns="http://java.sun.com/xml/ns/javaee"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
               version="3.0">
        <display-name>App-IWA</display-name>
        <security-constraint>
          <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <description>App-IWA security test site</description>
            <url-pattern>/*</url-pattern>
          </web-resource-collection>
          <auth-constraint>
            <role-name>*</role-name>
          </auth-constraint>
        </security-constraint>
        <security-role>
          <description>User role is needed to login</description>
          <role-name>Users</role-name>
        </security-role>
        <login-config>
          <auth-method>SPNEGO</auth-method>
          <realm-name>SPNEGO</realm-name>
        </login-config>
      </web-app>
      

       

      Until now I have read quite a lot of blog posts, the Red Hat JBoss manual, the Wildfly manual etc., where a lot of partial information is posted, mainly on how to get the ManagementRealm to use LDAP, which I do not really care about, BUT at the same time I cannot distinguish whether the information is also valid for securing applications.

       

      Things, I just want to note down for anyone who finds this post later, are:

       

      But after I introduced my problem, I'd like to ask some questions:

      Q1: When I try to use the Kerberos "host" configuration for the AdvancedLdap login module, I always get the error that I do not have a bind to the LDAP.

      The configuration I tried to use for this looks like

      /subsystem=security/security-domain=SPNEGO/authentication=classic/:write-attribute(
          name=login-modules,
          value=[{
              code="SPNEGOUsers",
              flag="requisite",
              module="org.jboss.security.negotiation",
              module-options={
                  password-stacking="useFirstPass",
                  serverSecurityDomain="host",
                  removeRealmFromPrincipal=true
              }
          },{
              code="org.jboss.security.negotiation.AdvancedADLoginModule",
              flag="required",
              module="org.jboss.security.negotiation",
              module-options={
                  password-stacking="useFirstPass",
                  java.naming.provider.url="ldap://kdc.domain.dev:389",
                  bindAuthentication="GSSAPI",
                  jaasSecurityDomain="host",
                  baseCtxDN="CN=Users,DC=domain,DC=dev",
                  baseFilter="(sAMAccountName={0})",
                  rolesCtxDN="CN=Users,DC=domain,DC=dev",
                  roleFilter="(member={1})",
                  roleAttributeID="cn"
              }
          }]
      ) {allow-resource-service-restart=true}
      

      What confuses me is that I must already have had a binding in SPNEGOUsers, right? The login always fails on org/jboss/security/negotiation/AdvancedLdapLoginModule.java:536 in the findUser function. It seems that when I reuse the credentials from the SPNEGO, the filter attribute will be set to "Administrator", which would be fine, since it will match sAMAccountName.

      The error usually looked like

      2018-02-26 10:50:37,155 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) Login failed: javax.security.auth.login.LoginException: Unable to find user DN
          at org.jboss.security.negotiation.AdvancedLdapLoginModule.findUserDN(AdvancedLdapLoginModule.java:581)
          at org.jboss.security.negotiation.AdvancedLdapLoginModule.innerLogin(AdvancedLdapLoginModule.java:385)
          at org.jboss.security.negotiation.AdvancedLdapLoginModule$AuthorizeAction.run(AdvancedLdapLoginModule.java:971)
          ...
      Caused by: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580 ]; remaining name 'CN=Users,DC=domain,DC=dev'
          at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3194)
          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
          at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
          at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1846)
          at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
          at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1786)
          at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:418)
          at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:396)
          at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:378)
          at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
          at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
          at org.jboss.security.negotiation.AdvancedLdapLoginModule.findUserDN(AdvancedLdapLoginModule.java:536)
          ....

       

      Q2: Map LDAP Roles to Application Role

      Since the roles in LDAP will look a lot different from the "generic" "Users" in the web.xml, is there a way to add the Users role to the User/Principal (I do not get the difference) based on a specific LDAP group?

      So for example Administrator is part of the following LDAP groups:

      • Domain User
      • Remote Desktopusers
      • ApplicationUsers
      • ZeWebApplicationWhichICoded

      My idea was that after I fetched the roles from LDAP and the user is part of "ZeWebApplicationWhichICoded", then I also add him to the role "Users". But is this even possible with the given tools of Wildfly, or do I need to code something on my own?

       

      Q3: Can I make Elytron work with Wildfly 10.1?

      I read quite a lot about Elytron and it seems to have more of the Stuff I want than the current WFLY10.1 security subsystem. Is there a nice and easy way to get the latest Elytron version and enable it in Wildfly 10.1?

       

      Anyways thanks for reading so far and I hope someone might be able to push me into the right direction.

      Benjamin
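Regarding Q2 in the post above, an added example that is not part of the post and not WildFly's or PicketBox's own code: a custom PicketBox role-mapping provider that adds the application role "Users" whenever the roles collected from LDAP (the group cn values, as configured with roleAttributeID="cn") contain "ZeWebApplicationWhichICoded". It assumes the PicketBox `org.jboss.security.mapping.MappingProvider`, `RoleGroup` and `SimpleRole` API shipped with WildFly 10.1; the class, package and module names are hypothetical, and the class must be packaged as a JBoss module referenced via the `module` attribute of the `mapping-module` element.

```java
package dev.example.security; // hypothetical package, not part of WildFly

import java.util.Collections;
import java.util.Map;
import org.jboss.security.identity.RoleGroup;
import org.jboss.security.identity.plugins.SimpleRole;
import org.jboss.security.mapping.MappingProvider;
import org.jboss.security.mapping.MappingResult;

/*
 * Registered in the SPNEGO security domain next to <authentication>
 * (assumed standalone.xml fragment, module name hypothetical):
 *   <mapping>
 *     <mapping-module code="dev.example.security.GroupToAppRoleMappingProvider"
 *                     type="role" module="dev.example.security">
 *       <module-option name="ZeWebApplicationWhichICoded" value="Users"/>
 *     </mapping-module>
 *   </mapping>
 * Each module-option is read as "<LDAP group cn> = <application role>"; only
 * the configured pairs are added, the cn roles collected from LDAP are kept.
 */
public class GroupToAppRoleMappingProvider implements MappingProvider<RoleGroup> {
    private Map<String, Object> groupToRole = Collections.emptyMap();
    private MappingResult<RoleGroup> result;

    @Override
    public void init(Map<String, Object> options) {
        if (options != null) groupToRole = options;
    }

    @Override
    public void setMappingResult(MappingResult<RoleGroup> result) {
        this.result = result;
    }

    @Override
    public boolean supports(Class<?> type) {
        return RoleGroup.class.isAssignableFrom(type);
    }

    @Override
    public void performMapping(Map<String, Object> contextMap, RoleGroup roles) {
        if (roles == null) return;
        for (Map.Entry<String, Object> e : groupToRole.entrySet()) {
            String appRole = String.valueOf(e.getValue()).trim();
            // containsRole compares by role name, so the cn from LDAP is enough
            if (!appRole.isEmpty() && roles.containsRole(new SimpleRole(e.getKey()))) {
                roles.addRole(new SimpleRole(appRole));
            }
        }
        result.setMappedObject(roles);
    }
}
```

Because only explicitly configured group/role pairs are added, an LDAP group that is not listed as a module-option never grants a web.xml role.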

        • 1. Re: Wildfly 10.1 SPNEGO and Groups from LDAP
          mchoma

          Q3: You can use the Elytron solution since WildFly 11

          Q1: try to look into Login Module Reference - Red Hat Customer Portal

          and also into wildfly/AdvancedLdapLoginModuleTestCase.java at 1881e64bf24aa4c094d2654e4a62f1b9b6b932f6 · wildfly/wildfly · GitHub

          First of all there is no SPNEGOUsers login module

          • 2. Re: Wildfly 10.1 SPNEGO and Groups from LDAP
            be.boerngen-schmidt

            I had a look at both your references, but they do not help in finding the right configuration at all. Sadly.

            Also, when looking at the test cases, my config is pretty much the same as the one of the SD1 security domain, so this makes me wonder what else I'm missing. Same problem here: JBOSS Negotiate using AdvancedLdapLoginModule throws bind er  from 2009.

            Funny thing is, all the documentation mentions that AdvancedLdap should be working with Kerberos, thus chained with SPNEGO, but yet I've never seen a working example, except in the test cases.

             

            When debugging the code I noticed it always fails to find the User DN at AdvancedLdapLoginModule.java#L536

             

            Caused by: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580 ]; remaining name 'CN=Users,DC=domain,DC=dev'
                at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3194)
                at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
                at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891)
                at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1846)
                at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
                at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1786)
                at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:418)
                at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:396)
                at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:378)
                at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
                at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286)
                at org.jboss.security.negotiation.AdvancedLdapLoginModule.findUserDN(AdvancedLdapLoginModule.java:536)

            Judging from the error and information found on the Internet, no bind (authentication) to LDAP has happened before the AdvancedLdap module tries to search in LDAP, or in my case Active Directory. I think this is a configuration issue, because I had something similar with our application before. But here we needed Wildfly this way:

            <security-domains>
                <security-domain name="other" cache-type="default">
                    <authentication>
                        <login-module name="Kerberos" code="com.sun.security.auth.module.Krb5LoginModule" flag="sufficient">
                            <module-option name="password-stacking" value="useFirstPass"/>
                        </login-module>
                        .....
                    </authentication>
                </security-domain>
            </security-domains>
            

            And then we could use our implementation to let the application authenticate and authorize the user.