Wildfly 12: Elytron-Configuration - LDAP-Issue
balok1701 May 3, 2018 3:57 AM
Hello,
for the presentation of a prototype I'm trying to implement the following scenario.
Authentication should be done by an Active Directory server. Because the roles used in my prototype are not available in the ADS, I want to add the role information statically. So I started by adding a dir-context to the elytron subsystem:
<dir-contexts>
  <dir-context name="zivadDC" url="ldap://aaa.bbb.cc:389" principal="cn=xxx,dc=yyy,dc=bbb,dc=cc">
    <credential-reference clear-text="password"/>
  </dir-context>
</dir-contexts>
Next I added a role mapper:
<constant-role-mapper name="rdm-mapper">
  <role name="rdmadmin"/>
  <role name="rdmuser"/>
</constant-role-mapper>
Then the security-realm:
<ldap-realm name="zivadLR" dir-context="zivadDC">
  <identity-mapping rdn-identifier="cn" search-base-dn="dc=yyy,dc=bbb,dc=cc"/>
</ldap-realm>
The security-domain:
<security-domain name="zivadSD" default-realm="zivadLR" permission-mapper="default-permission-mapper">
  <realm name="zivadLR" role-mapper="rdm-mapper"/>
</security-domain>
And the http-authentication-factory:
<http-authentication-factory name="zivad-authentication" security-domain="zivadSD" http-server-mechanism-factory="global">
  <mechanism-configuration>
    <mechanism mechanism-name="BASIC">
      <mechanism-realm realm-name="ZivADRealm"/>
    </mechanism>
    <mechanism mechanism-name="FORM"/>
  </mechanism-configuration>
</http-authentication-factory>
At last I added an application-security-domain to the undertow-subsystem:
<application-security-domains>
  <application-security-domain name="ZivADRealm" http-authentication-factory="zivad-authentication"/>
</application-security-domains>
Which I also added to the jboss-web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
  <context-root>/rdm</context-root>
  <security-domain>ZivADRealm</security-domain>
</jboss-web>
... and to web.xml:
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>ZivADRealm</realm-name>
  <form-login-config>
    <form-login-page>/login.xhtml</form-login-page>
    <form-error-page>/error.html</form-error-page>
  </form-login-config>
</login-config>
In the log this leads to:
09:44:03,010 DEBUG [io.undertow.request] (default I/O-14) Matched prefix path /rdm for path /rdm/j_security_check
09:44:03,011 DEBUG [io.undertow.request.security] (default task-1) Security constraints for request /rdm/j_security_check are [SingleConstraintMatch{emptyRoleSemantic=PERMIT, requiredRoles=[]}]
09:44:03,011 DEBUG [io.undertow.request.security] (default task-1) Setting authentication required for exchange HttpServerExchange{ POST /rdm/j_security_check request {Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8], Accept-Language=[de,de-DE;q=0.8,en;q=0.5,en-US;q=0.3], Accept-Encoding=[gzip, deflate, br], User-Agent=[Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0], Connection=[keep-alive], Content-Type=[application/x-www-form-urlencoded], Content-Length=[122], Cookie=[JSESSIONID=-Nj-svihYJ-p0dFy51lFi2Uoqghf55ZN-4hDY744.ubdd033; __utma=111872281.339145959.1522313935.1522313935.1522313935.1; __utmz=111872281.1522313935.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)], Referer=[https://localhost:8443/rdm/], Upgrade-Insecure-Requests=[1], Host=[localhost:8443]} response {X-Powered-By=[Undertow/1], Server=[WildFly/12]}}
09:44:03,016 DEBUG [org.wildfly.security.http.password] (default task-1) Username authentication. Realm: [null], Username: [gressho].
09:44:03,017 DEBUG [org.wildfly.security] (default task-1) Obtaining lock for identity [gressho]...
09:44:03,017 DEBUG [org.wildfly.security] (default task-1) Obtained lock for identity [gressho].
09:44:03,023 DEBUG [org.wildfly.security.http.form] (default task-1) User [gressho] authentication failed
09:44:03,024 DEBUG [io.undertow.request.security] (default task-1) Authentication failed with message ELY06006: An authorization check for user 'gressho' failed. and mechanism FORM for HttpServerExchange{ POST /rdm/j_security_check request {Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8], Accept-Language=[de,de-DE;q=0.8,en;q=0.5,en-US;q=0.3], Accept-Encoding=[gzip, deflate, br], User-Agent=[Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0], Connection=[keep-alive], Content-Type=[application/x-www-form-urlencoded], Content-Length=[122], Cookie=[JSESSIONID=-Nj-svihYJ-p0dFy51lFi2Uoqghf55ZN-4hDY744.ubdd033; __utma=111872281.339145959.1522313935.1522313935.1522313935.1; __utmz=111872281.1522313935.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)], Referer=[https://localhost:8443/rdm/], Upgrade-Insecure-Requests=[1], Host=[localhost:8443]} response {Expires=[0], Cache-Control=[no-cache, no-store, must-revalidate], X-Powered-By=[Undertow/1], Server=[WildFly/12], Pragma=[no-cache]}}
09:44:04,835 DEBUG [io.undertow.request] (default I/O-14) Matched prefix path /rdm for path /rdm/xhtml/index.xhtml
09:44:04,836 DEBUG [io.undertow.request.security] (default task-1) Security constraints for request /rdm/xhtml/index.xhtml are [SingleConstraintMatch{emptyRoleSemantic=PERMIT, requiredRoles=[rdmuser, rdmadmin]}]
I'm especially puzzled about the line "Username authentication. Realm: [null], Username" with Realm = [null]!
The login page keeps popping up forever!
Does anyone have some ideas how to fix this?
Best regards
Werner
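As an added example that is not part of the original post: a small Python script that follows the reference chain the configuration above sets up (jboss-web.xml security-domain -> Undertow application-security-domain -> http-authentication-factory -> security-domain -> realm and role-mapper -> dir-context) and reports every link that does not resolve, every role the deployment requires that the constant-role-mapper can never grant, and a bind password stored as clear-text. The XML fragments embedded in it are copied from the post, wrapped in synthetic root elements so they parse stand-alone; the required roles come from the requiredRoles=[rdmuser, rdmadmin] log line; the check_wiring function and its finding texts are the example's own, not anything WildFly ships.

```python
import xml.etree.ElementTree as ET

# Configuration fragments copied from the post, each wrapped in a synthetic root
# element so that ElementTree can parse it as one document.
ELYTRON_XML = """<elytron>
<dir-contexts>
<dir-context name="zivadDC" url="ldap://aaa.bbb.cc:389" principal="cn=xxx,dc=yyy,dc=bbb,dc=cc">
<credential-reference clear-text="password"/>
</dir-context>
</dir-contexts>
<constant-role-mapper name="rdm-mapper">
<role name="rdmadmin"/>
<role name="rdmuser"/>
</constant-role-mapper>
<ldap-realm name="zivadLR" dir-context="zivadDC">
<identity-mapping rdn-identifier="cn" search-base-dn="dc=yyy,dc=bbb,dc=cc"/>
</ldap-realm>
<security-domain name="zivadSD" default-realm="zivadLR" permission-mapper="default-permission-mapper">
<realm name="zivadLR" role-mapper="rdm-mapper"/>
</security-domain>
<http-authentication-factory name="zivad-authentication" security-domain="zivadSD" http-server-mechanism-factory="global">
<mechanism-configuration>
<mechanism mechanism-name="BASIC"><mechanism-realm realm-name="ZivADRealm"/></mechanism>
<mechanism mechanism-name="FORM"/>
</mechanism-configuration>
</http-authentication-factory>
</elytron>"""

UNDERTOW_XML = """<application-security-domains>
<application-security-domain name="ZivADRealm" http-authentication-factory="zivad-authentication"/>
</application-security-domains>"""

JBOSS_WEB_XML = """<jboss-web>
<context-root>/rdm</context-root>
<security-domain>ZivADRealm</security-domain>
</jboss-web>"""

# Roles the deployment demands, taken from the post's log line
# "requiredRoles=[rdmuser, rdmadmin]".
REQUIRED_ROLES = {"rdmuser", "rdmadmin"}


def check_wiring(elytron_xml, undertow_xml, jboss_web_xml, required_roles, auth_method="FORM"):
    """Walk the reference chain and return a list of findings (empty == every link resolves).
    A broken link that makes the rest of the chain unreachable ends the walk early."""
    el, ut, jw = (ET.fromstring(x) for x in (elytron_xml, undertow_xml, jboss_web_xml))
    findings = []

    def named(root, tag):
        return {e.get("name"): e for e in root.iter(tag)}

    # Link 1: <security-domain> in jboss-web.xml must name an Undertow application-security-domain.
    app_name = jw.findtext("security-domain")
    app_domain = named(ut, "application-security-domain").get(app_name)
    if app_domain is None:
        return [f"jboss-web.xml security-domain '{app_name}' has no application-security-domain"]

    # Link 2: that application-security-domain must point at an existing http-authentication-factory.
    factory_name = app_domain.get("http-authentication-factory")
    factory = named(el, "http-authentication-factory").get(factory_name)
    if factory is None:
        return [f"application-security-domain '{app_name}' references unknown factory '{factory_name}'"]
    # The mechanism web.xml asks for (FORM here) has to be enabled on that factory.
    if auth_method not in {m.get("mechanism-name") for m in factory.iter("mechanism")}:
        findings.append(f"factory '{factory_name}' does not configure mechanism {auth_method}")

    # Link 3: the factory's security-domain and each realm it lists must exist.
    domain_name = factory.get("security-domain")
    domain = named(el, "security-domain").get(domain_name)
    if domain is None:
        return findings + [f"factory '{factory_name}' references unknown security-domain '{domain_name}'"]
    realms, mappers, contexts = (named(el, t) for t in ("ldap-realm", "constant-role-mapper", "dir-context"))
    for realm_ref in domain.iter("realm"):
        realm = realms.get(realm_ref.get("name"))
        if realm is None:
            findings.append(f"security-domain '{domain_name}' references unknown realm '{realm_ref.get('name')}'")
            continue
        # Link 4: the realm's dir-context must exist; its bind credential should not sit in clear text.
        dc = contexts.get(realm.get("dir-context"))
        cred = dc.find("credential-reference") if dc is not None else None
        if dc is None:
            findings.append(f"ldap-realm '{realm.get('name')}' references unknown dir-context")
        elif cred is not None and cred.get("clear-text") is not None:
            findings.append(f"dir-context '{dc.get('name')}' stores its bind password as clear-text; "
                            "reference a credential-store alias instead")
        # Link 5: every role the deployment requires must be one the mapper can actually grant.
        mapper = mappers.get(realm_ref.get("role-mapper"))
        if mapper is None:
            findings.append(f"realm '{realm_ref.get('name')}' references unknown role-mapper")
        else:
            missing = required_roles - {r.get("name") for r in mapper.iter("role")}
            if missing:
                findings.append(f"role-mapper '{mapper.get('name')}' never grants required roles {sorted(missing)}")
    return findings


if __name__ == "__main__":
    for line in check_wiring(ELYTRON_XML, UNDERTOW_XML, JBOSS_WEB_XML, REQUIRED_ROLES) or ["chain is consistent"]:
        print(line)
```

For the configuration exactly as posted the walk resolves every link and reports a single finding, the clear-text bind password in the dir-context; Elytron's credential-reference can instead name a credential store with its store and alias attributes so the password does not live in standalone.xml. Renaming any one reference in the fragments (for example the role-mapper on the realm, or the security-domain in jboss-web.xml) shows up as a broken link at that step, which is the kind of mismatch worth ruling out before looking deeper into an ELY06006 authorization failure.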