-
15. Re: Wildfly 13 and custom (legacy) login module
djapal Jun 11, 2018 4:30 AM (in response to mchoma)OK found the solution.
If I annotate the ejb class with @SecurityDomain and also provide a @RolesAllowed annotation (or @PermitAll etc) then principal and roles work fine.
The weird thing though is why this didn't throw an exception when the default application domain was defined in the ejb3 subsystem along with jboss-ejb3.xml (without the annotations).
-
16. Re: Wildfly 13 and custom (legacy) login module
mchoma Jun 12, 2018 8:35 AM (in response to djapal)This thread is becoming a little bit confusing. It seems to me the thread is not about the original problem anymore. Can you rephrase your current problem and solve it in its own thread. Thank you.
-
17. Re: Wildfly 13 and custom (legacy) login module
djapal Jun 12, 2018 8:45 AM (in response to mchoma)Sorry Martin, you are correct.
I got too excited that this worked.
So the first answer to my question (if we say that we use the default ldap realm and not our custom one) is that you have to use the directory manager in order to search for userPassword and authenticate the user.
The final question in order to close this topic is:
Can we avoid such a thing? Why do we need Directory Manager's credentials in order to do that since same thing (authentication) happened with picketbox without having to setup these credentials?
Thank you
-
18. Re: Wildfly 13 and custom (legacy) login module
mchoma Jun 12, 2018 9:17 AM (in response to djapal)I think I understand now. Compared to PicketBox, in Elytron LDAP authentication is by default not direct (direct-verification=false), which means some admin user credentials are expected. So if you want to use the application user's credentials to bind to LDAP, use direct-verification=true of the standard ldap-realm. Some additional information can be found here [1]
-
19. Re: Wildfly 13 and custom (legacy) login module
djapal Jun 12, 2018 10:11 AM (in response to mchoma)This link doesn't work or I don't have the authority to view it, but I'll search for this setting and let you know.
Thank you!
-
20. Re: Wildfly 13 and custom (legacy) login module
djapal Jun 13, 2018 4:49 AM (in response to mchoma)Martin I faced a weird situation.
Using the test/demo LDAP from the WildFly documentation, direct-verification=true doesn't need a principal in the dir-context to be set up in order to log in and fetch the roles.
But in our LDAP system, if I remove this info, the user is authenticated but roles are not fetched (I couldn't find out why), so the user isn't authorized to continue to the application.
Apparently, if I use another normal login user and not the Directory Manager as principal, roles are fetched correctly.
This is something that I would like to investigate further sometime, but for the time being this scenario suits our needs.
Many thanks!
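The two posts above describe the distinction that matters here: with direct-verification=true the realm binds to LDAP as the application user to verify the password, while the dir-context principal is only used for the identity search and the role (group) lookup. The fragment below is an added illustration written for this thread, not configuration from the original posts or from the WildFly project; the realm, dir-context and mapper names, the hostname ldap.example.com, the base DNs and the service account uid=wildfly-svc are all assumed values. It shows a dir-context bound as a low-privilege read-only service account instead of the Directory Manager, which is the arrangement the post above reports as working. Place the elements inside the existing elytron subsystem element of standalone.xml.

```xml
<!-- Added example for this thread; names, hosts and DNs are assumptions. -->

<!-- Directory connection used ONLY for searching the identity and reading
     group membership. Bind as a dedicated read-only service account, not the
     Directory Manager: if the directory refuses anonymous reads of the
     "member" attribute, a bound principal is needed for roles to be found. -->
<dir-contexts>
    <dir-context name="AppDirContext"
                 url="ldap://ldap.example.com:389"
                 principal="uid=wildfly-svc,ou=services,dc=example,dc=com">
        <!-- Prefer a credential-store reference over clear-text in production. -->
        <credential-reference clear-text="CHANGE_ME_SERVICE_ACCOUNT_PASSWORD"/>
    </dir-context>
</dir-contexts>

<security-realms>
    <!-- direct-verification="true": the user's own credentials are used to
         bind to LDAP, so the realm never needs to read userPassword.
         With direct-verification="false" (the default) the realm instead
         reads the password attribute through the dir-context, which requires
         a user-password-mapper and an account allowed to read userPassword:
           <user-password-mapper from="userPassword"/>
    -->
    <ldap-realm name="AppLdapRealm"
                dir-context="AppDirContext"
                direct-verification="true">
        <identity-mapping rdn-identifier="uid"
                          search-base-dn="ou=people,dc=example,dc=com">
            <attribute-mapping>
                <!-- {1} is the DN of the authenticated user; the cn of every
                     group that lists that DN as a member becomes a role. -->
                <attribute from="cn"
                           to="Roles"
                           filter="(&amp;(objectClass=groupOfNames)(member={1}))"
                           filter-base-dn="ou=groups,dc=example,dc=com"/>
            </attribute-mapping>
        </identity-mapping>
    </ldap-realm>
</security-realms>

<mappers>
    <!-- Turns the "Roles" attribute collected above into Elytron roles. -->
    <simple-role-decoder name="from-roles-attribute" attribute="Roles"/>
</mappers>

<security-domains>
    <security-domain name="AppLdapDomain"
                     default-realm="AppLdapRealm"
                     permission-mapper="default-permission-mapper">
        <realm name="AppLdapRealm" role-decoder="from-roles-attribute"/>
    </security-domain>
</security-domains>
```

A quick way to check which of the two lookups is failing is to bind to the directory with the same service account (for example with ldapsearch) and run the group filter above for a known user DN: if the search returns no groups under the service account but does under the Directory Manager, the problem is read permission on the group entries rather than the Elytron configuration.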
-
21. Re: Wildfly 13 and custom (legacy) login module
mchoma Jun 13, 2018 5:35 AM (in response to djapal)Sure, once you have gathered more information, feel free to create a new thread with a detailed description of your problem.
-
22. Re: Wildfly 13 and custom (legacy) login module
sergiu_pienar Nov 14, 2018 9:23 AM (in response to pmm)Philippe,
Did you manage to port your custom login module to Elytron?
I want to migrate a custom login module that extends DatabaseServerLoginModule to Elytron.
-
23. Re: Wildfly 13 and custom (legacy) login module
pmm Nov 14, 2018 11:18 AM (in response to sergiu_pienar)sergiu_pienar wrote:
Philippe,
Did you manage to port your custom login module to Elytron?
I want to migrate a custom login module that extends DatabaseServerLoginModule to Elytron.
No, we migrated from user management in the database to user management in Active Directory. This was an application and organisational decision unrelated to the WildFly security subsystem.
The stock Elytron LDAP integration is working for us.