4 Replies Latest reply on Feb 13, 2019 7:38 PM by gersonjohan

    Request authentication from servlet filter in Elytron

    gersonjohan

      Hi,

       

      I'm new to Elytron Security. I've been trying to migrate a WildFly application from 10 to 15. I need to authenticate the requests that come through a Servlet. What is the best way to do this programmatically?

       

      I do not have web security configured, since the application is a Single Page Application made with GWT. Currently, each request is authenticated in a filter servlet using Client-Login and a Custom Login Module (Database access login module) defined in a legacy security domain.

       

      LoginContext lc = new LoginContext("client-login", new ClientCallbackHandler(login, password));
      lc.login();

       

      What is the best alternative to replace this? Will the authentication cache continue to work, so as not to access the database on each request?

       

      Thank you

       

      Gerson Samaniego

        • 1. Re: Request authentication from servlet filter in Elytron
          mayerw01

          The login could be done via the HttpServletRequest like:

           

          protected void processRequest(HttpServletRequest request, HttpServletResponse response)
              throws ServletException {
              request.login(username, password);
              ...

           

          You should mention the security-domain in your jboss-web.xml like

          <jboss-web>
              ...
              <security-domain>mySecurityDomain</security-domain>
              ...
          </jboss-web>

          1 of 1 people found this helpful
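
A filter built around the request.login() call from reply 1, as an added example that is not part of the thread. It assumes the credentials arrive in an HTTP Basic Authorization header over TLS and that the security domain is declared in jboss-web.xml as shown above; the class name, URL pattern and realm string are illustrative.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not from the thread. Assumption: credentials arrive in an
// HTTP Basic "Authorization" header over TLS; the class name is hypothetical.
@WebFilter("/*")
public class RequestLoginFilter implements Filter {
    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Only authenticate when no identity is associated with the request yet.
        if (request.getUserPrincipal() == null) {
            String[] creds = parseBasic(request.getHeader("Authorization"));
            try {
                if (creds == null) throw new ServletException("no credentials");
                // Authenticates against the deployment's security domain.
                request.login(creds[0], creds[1]);
            } catch (ServletException e) {
                // Fail closed: never continue the chain unauthenticated.
                response.setHeader("WWW-Authenticate", "Basic realm=\"app\"");
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        chain.doFilter(request, response);
    }
    // Returns {user, password}, or null if the header is absent or malformed.
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            String pair = new String(raw, StandardCharsets.UTF_8);
            int colon = pair.indexOf(':');
            return colon < 0 ? null
                    : new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
        } catch (IllegalArgumentException e) {
            return null;
        }
    }
}
```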
          • 2. Re: Request authentication from servlet filter in Elytron
            gersonjohan

            Hi Mayer,

             

             

            I followed your recommendations and it did not work. The login method is invoked without problems, but on the next invocation of the EJB server (via @EJB injection), I get the exception "EJBAccessException: WFLYEJB0364: Invocation on method ... is not allowed." It seems that the authentication against the server is not carried out.

             

             

            On the other hand, how would authentication be done in case of being in a non-web context, such as a task scheduled with @Schedule, which I did in the same way with LoginContext.login?

             

             

            Thank you

            • 3. Re: Request authentication from servlet filter in Elytron
              mayerw01

              WildFly (Elytron) uses the standard EJB security annotations. So you should make sure that your user has a role assigned which is allowed via the @RolesAllowed annotation like:

               

              @Stateless
              @RolesAllowed({"admin"})
              public class HelloBean {
                  ...

               

              On the other hand, how would authentication be done in case of being in a non-web context, such as a task scheduled with @Schedule, which I did in the same way with LoginContext.login?

              You could use the @RunAs annotation to "simulate" some login.

              But I'd also suggest looking into the Java EE tutorial and the 'quickstart' (GitHub - wildfly/quickstart: Holds all versioned WildFly quickstarts)

              • 4. Re: Request authentication from servlet filter in Elytron
                gersonjohan

                Thank you Mayer,

                 

                It worked. I forgot to enable this property in EJB:

                 

                <default-missing-method-permissions-deny-access value="false"/>