-
1. Re: JSF form based authentication with Security API doesn't work on WildFly
mayerw01 Jan 23, 2019 4:39 AM (in response to vasouv)
"Forbidden" indicates that the Security API is working indeed. But the user is not allowed at all (e.g. if your application requires a certain role but your user is not assigned any role). As you can see in LoginBacking.java there is a check on the roles ADMIN and USER.
Which configuration did you choose? For Elytron you should check chap 4 WildFly Elytron Security.
-
2. Re: JSF form based authentication with Security API doesn't work on WildFly
vasouv Jan 23, 2019 2:53 PM (in response to mayerw01)
You're right about the "Forbidden" part, security does indeed work because it doesn't let the user in.
As for the rest, I'm confused. This is the CredentialValidationResult I'm returning in the custom identity store because it passes a Set of the roles associated with the user. When I'm printing the "isUserInRole" in the LoginBackingBean I get the booleans I expect. Unless I misunderstood your pointers.
Still though, I'm baffled as to why this works on Payara Full and not on WildFly standalone full. No configuration on either, I downloaded them a couple of days ago and haven't set them up yet.
Actually I don't want to use Elytron because we have our own authentication (I know, I know, not my decision) and this CustomIdentityStore would be quite helpful.
-
3. Re: JSF form based authentication with Security API doesn't work on WildFly
mayerw01 Jan 24, 2019 11:43 AM (in response to vasouv)
> Still though, I'm baffled as to why this works on Payara Full and not on WildFly standalone full. No configuration on either, I downloaded them a couple of days ago and haven't set them up yet.
I also don't know why this is working in Payara/Glassfish. But my understanding is that the program is not taking the correct approach. As you can see in the specs https://www.google.de/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=2ahUKEwiWzO2n5IbgAhUDIlAKHV89DpYQFjAAe… (13.6.3 Form Based Authentication)
"The login form must contain fields for entering a username and a password. These fields must be named j_username and j_password, respectively."
So it usually looks like:
<form method="post" action="j_security_check">
    <h:form prependId="false">
        <p:growl id="messages"/>
        <table columns="2" role="presentation">
            <tr>
                <td>
                    <p:outputLabel for="j_username" value="Username:"/>
                </td>
                <!-- <td><input type="text" name="j_username" /></td> -->
                <td>
                    <p:inputText id="j_username" required="true" immediate="true"
                                 requiredMessage="#{msg.userid_required}"/>
                </td>
            </tr>
            <tr>
                <td>
                    <p:outputLabel for="j_password" value="Password:"/>
                </td>
                <td>
                    <p:password id="j_password" required="true" immediate="true"
                                requiredMessage="#{msg.password_required}"/>
                    <!-- <input type="password" name="j_password"/> -->
                </td>
            </tr>
        </table>
        <p>
            <input type="submit" value="#{msg.button_login}" class="button"/>
            <input type="reset" value="#{msg.button_reset}" class="button"/>
        </p>
    </h:form>
</form>
The user should then be made available by the application server ("The container attempts to authenticate the user using the information from the form") and not injected by the program.
> No configuration on either, I downloaded them a couple of days ago and haven't set them up yet.
Usually the credentials are not hard coded in the program but taken from some other container like file, database, LDAP etc.
And then you will have to configure the link between the program and the security container indeed. In Glassfish you will probably do this via the "Security" area.
> Actually I don't want to use Elytron because we have our own authentication (I know, I know, not my decision) and this CustomIdentityStore would be quite helpful.
Elytron does not actually do the authentication but links to the container (similar to the "Security" feature in Glassfish).
-
4. Re: JSF form based authentication with Security API doesn't work on WildFly
vasouv Jan 28, 2019 3:22 PM (in response to mayerw01)
Right, I know about the way you mention and I've used it successfully in the past. It's what I wanted to avoid though, not having to configure the server specifically.
Managed to find the solution though. Here it's mentioned that WildFly 14 uses the old Picketbox security mechanism. So I have to reference the jaspitest security domain for this to work.
When I added the following to the jboss-web.xml, the project worked as intended! I actually bought the book in order to learn more about WF since I'll be using it in production as well.
<jboss-web>
    <security-domain>jaspitest</security-domain>
</jboss-web>
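For reference, a sketch of the kind of custom identity store discussed in this thread, added here as an example and not taken from any poster's project. It shows the distinction behind the "Forbidden" response: a successful `validate` only authenticates the caller, and access is then decided by whether the returned groups match the roles the application checks (ADMIN and USER in the thread). `InHouseAuthenticator` and its methods are hypothetical stand-ins for the in-house authentication system and need a CDI bean implementing them.

```java
import java.util.Set;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;

// Hypothetical bridge to the in-house authentication system (assumption, not a real API).
interface InHouseAuthenticator {
    boolean verify(String caller, char[] password);
    Set<String> groupsOf(String caller); // e.g. {"ADMIN"} or {"USER"}
}

@ApplicationScoped
public class CustomIdentityStore implements IdentityStore {

    @Inject
    private InHouseAuthenticator authenticator;

    @Override
    public CredentialValidationResult validate(Credential credential) {
        // Let other stores handle credential types this store does not understand.
        if (!(credential instanceof UsernamePasswordCredential)) {
            return CredentialValidationResult.NOT_VALIDATED_RESULT;
        }
        UsernamePasswordCredential login = (UsernamePasswordCredential) credential;
        String caller = login.getCaller();

        // Wrong password: authentication fails, the login is rejected.
        if (!authenticator.verify(caller, login.getPassword().getValue())) {
            return CredentialValidationResult.INVALID_RESULT;
        }

        // Correct password: the caller is authenticated with these groups.
        // If none of them maps to a role required by the protected resource,
        // the container answers 403 Forbidden even though login succeeded.
        Set<String> groups = authenticator.groupsOf(caller);
        return new CredentialValidationResult(caller, groups);
    }
}
```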