23 Replies. Latest reply on Nov 14, 2018 11:18 AM by pmm
      • 15. Re: Wildfly 13 and custom (legacy) login module
        djapal

        OK found the solution.

        If I annotate the ejb class with @SecurityDomain and also provide a @RolesAllowed annotation (or @PermitAll etc) then principal and roles work fine.

        The weird thing though is why this didn't throw an exception when default application domain was defined in ejb3 subsystem along with jboss-ejb3.xml (without the annotations).

        • 16. Re: Wildfly 13 and custom (legacy) login module
          mchoma

          This thread becomes a little bit confusing. It seems to me the thread is not about the original problem anymore. Can you rephrase your current problem and solve it in its own thread. Thank you.

          • 17. Re: Wildfly 13 and custom (legacy) login module
            djapal

            Sorry Martin, you are correct.

            I got too excited that this worked.

            So the first answer to my question (if we say that we use the default ldap realm and not our custom one) is that you have to use the directory manager in order to search for userPassword and authenticate the user.

            The final question in order to close this topic is:

            Can we avoid such a thing? Why do we need the Directory Manager's credentials in order to do that, since the same thing (authentication) happened with picketbox without having to set up these credentials?

            Thank you

            • 18. Re: Wildfly 13 and custom (legacy) login module
              mchoma

              I think I understand now. Compared to picketbox, in Elytron by default ldap authentication is not direct (direct-verification=false), which means some admin user credentials are expected. So if you want to use application user credentials to bind to ldap, use direct-verification=true of the standard ldap-realm. Some additional information can be found here [1]


              [1] https://issues.jboss.org/browse/JBEAP-13565

              • 19. Re: Wildfly 13 and custom (legacy) login module
                djapal

                This link doesn't work or I don't have the authority to view it, but I'll search for this setting and let you know.

                Thank you!

                • 20. Re: Wildfly 13 and custom (legacy) login module
                  djapal

                  Martin I faced a weird situation.

                  Using the test/demo LDAP from the Wildfly documentation, direct-verification=true doesn't need a principal in the dir-context to be set up in order to log in and fetch the roles.

                  But in our ldap system, if I remove this info, the user is authenticated but roles are not fetched (I couldn't find out why), so the user isn't authorized to continue to the application.

                  Apparently, if I use another normal login user as principal, and not the Directory Manager, roles are fetched correctly.

                  This is something that I would like to investigate further sometime, but for the time being this scenario suits our needs.

                  Many thanks!
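The two ldap-realm styles discussed in replies 17, 18 and 20 (password read through the directory vs. direct verification by binding as the user, and what the dir-context principal is needed for in each case), shown as an added configuration example. This fragment is not from the thread or from the WildFly documentation; every name, host, DN and password is a constructed placeholder, and it belongs inside the `<subsystem>` element of the elytron subsystem:

```xml
<!-- Added example, not from the thread or the WildFly documentation.
     All names, hosts and DNs are constructed placeholders. -->

<!-- Bind identity used only to find the user entry and read group membership.
     Per the observation in reply 20 this can be an ordinary read-only service
     account; it does not have to be the Directory Manager. -->
<dir-contexts>
    <dir-context name="corpLdapDC"
                 url="ldap://ldap.example.test:389"
                 principal="uid=wildfly-svc,ou=ServiceAccounts,dc=example,dc=test">
        <!-- A credential-store reference keeps the secret out of the XML;
             clear-text is used here only so the example is self-contained. -->
        <credential-reference clear-text="CHANGE_ME_service_account_password"/>
    </dir-context>
</dir-contexts>

<security-realms>
    <!-- direct-verification="true": the realm checks the password by binding
         to LDAP as the authenticating user. The dir-context principal is used
         only for the search that locates the entry and for the role lookup. -->
    <ldap-realm name="corpLdapRealm" dir-context="corpLdapDC" direct-verification="true">
        <identity-mapping rdn-identifier="uid"
                          search-base-dn="ou=People,dc=example,dc=test"
                          use-recursive-search="false">
            <attribute-mapping>
                <!-- {1} is substituted with the DN of the located user entry. -->
                <attribute from="cn" to="Roles"
                           filter="(&amp;(objectClass=groupOfNames)(member={1}))"
                           filter-base-dn="ou=Groups,dc=example,dc=test"/>
            </attribute-mapping>
        </identity-mapping>
    </ldap-realm>

    <!-- Contrast, the default behaviour (direct-verification="false"): the realm
         reads userPassword through the dir-context and compares it itself, so the
         bind identity must be permitted to read password hashes. That is the
         requirement that forced a Directory Manager account into the dir-context
         in reply 17. -->
    <ldap-realm name="corpLdapRealmReadPassword" dir-context="corpLdapDC" direct-verification="false">
        <identity-mapping rdn-identifier="uid"
                          search-base-dn="ou=People,dc=example,dc=test">
            <user-password-mapper from="userPassword"/>
            <attribute-mapping>
                <attribute from="cn" to="Roles"
                           filter="(&amp;(objectClass=groupOfNames)(member={1}))"
                           filter-base-dn="ou=Groups,dc=example,dc=test"/>
            </attribute-mapping>
        </identity-mapping>
    </ldap-realm>
</security-realms>
```

Only one of the two realms is needed in practice; the second is included for contrast. With the direct-verification realm, the service account in the dir-context needs read access to the user and group subtrees and nothing more, which is a much smaller grant than read access to userPassword. If the dir-context has no principal at all, the searches run as an anonymous bind, and whether an anonymous client is allowed to see group membership attributes depends entirely on the directory's access-control rules, which is consistent with the difference reply 20 reports between the demo LDAP and the production one. The `Roles` attribute still has to be turned into roles by a role decoder on the security domain (for example a `simple-role-decoder` with `attribute="Roles"`), which is omitted here.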

                  • 21. Re: Wildfly 13 and custom (legacy) login module
                    mchoma

                    Sure, once you gather more information, feel free to create a new thread with a detailed description of your problem.

                    • 22. Re: Wildfly 13 and custom (legacy) login module
                      sergiu_pienar

                      Philippe,


                      Did you manage to port your custom login module to Elytron ?

                      I want to migrate a custom login module that extends DatabaseServerLoginModule to Elytron.

                      • 23. Re: Wildfly 13 and custom (legacy) login module
                        pmm

                        sergiu_pienar  wrote:


                        Philippe,


                        Did you manage to port your custom login module to Elytron ?

                        I want to migrate a custom login module that extends DatabaseServerLoginModule to Elytron.

                        No, we migrated from user management in the database to user management in Active Directory. This was an application and organisational decision unrelated to the WildFly security subsystem.

                        The stock Elytron LDAP integration is working for us.
