10 Replies Latest reply on Oct 21, 2019 8:12 PM by bschatz

    Activating jaspic in wildfly

    bschatz

      We have written an authentication (OIDC) module on top of JASPIC
      for a seamless and transparent integration of applications
      into our company's authentication infrastructure.

      With Tomcat I only have to use an XML file where I put the implementing class
      that has to be registered as the config provider.

      With WildFly I didn't find a simple way to get it working.
      As a workaround I now deploy a small jar that registers our AuthProvider class from our JBoss module (jfoss-java-server-extension)
      with the help of CDI.

       

      import java.util.HashMap;
      import java.util.logging.Level;
      import java.util.logging.Logger;
      import javax.enterprise.event.Observes;
      import javax.enterprise.inject.spi.AfterDeploymentValidation;
      import javax.enterprise.inject.spi.Extension;
      import javax.security.auth.message.config.AuthConfigFactory;
      import com.daimler.jfoss.oidc.jaspic.AuthProvider;

      // CDI portable extension (listed in META-INF/services/javax.enterprise.inject.spi.Extension)
      // that registers our AuthConfigProvider once the deployment has been validated.
      public class Jaspic implements Extension
      {
          private static final Logger LOG = Logger.getLogger(Jaspic.class.getName());
          private static final String AUTH_PROVIDER = AuthProvider.class.getName();
          private boolean isInitialised = false;

          public void init(@Observes final AfterDeploymentValidation event)
          {
              LOG.log(Level.INFO, () -> "AfterDeploymentValidation event received: " + event.toString());
              if (isInitialised)
              {
                  LOG.log(Level.INFO, () -> "Already initialized ");
                  return;
              }

              LOG.log(Level.INFO, () -> "Registering Jaspic Config Provider ...");
              // Register by class name for the HttpServlet layer; appContext null means the
              // provider applies to every application context on this server. The factory
              // instantiates the class itself, so it needs a public (Map, AuthConfigFactory) constructor.
              final String result = AuthConfigFactory.getFactory().registerConfigProvider(
                      AUTH_PROVIDER, new HashMap<>(), "HttpServlet", null, null);
              isInitialised = true;
              LOG.log(Level.INFO, () -> "Registered Jaspic Config Provider: " + result + " with implementation " + AUTH_PROVIDER);
          }
      }

       

      Our module is added as a global module that I activate with:

      ==================================================

      /subsystem=security/security-domain=daimler-jfoss:add(cache-type=default)
      /subsystem=security/security-domain=daimler-jfoss/authentication=jaspi:add()
      /subsystem=security/security-domain=daimler-jfoss/authentication=jaspi/login-module-stack=dummy:add()
      /subsystem=security/security-domain=daimler-jfoss/authentication=jaspi/login-module-stack=dummy/login-module=dummy:add(code=Dummy, flag=optional)
      /subsystem=security/security-domain=daimler-jfoss/authentication=jaspi/auth-module=jaspi:add(code=dummy, module=jfoss-java-server-extension, flag=required)
      /subsystem=undertow:write-attribute(name="default-security-domain", value="daimler-jfoss")
      reload

      What is the recommended way to do it?

        • 1. Re: Activating jaspic in wildfly
          zhurlik

          Hi,

           

          Could you show a list of your global modules (Subsystem configuration - WildFly 10 - Project Documentation Editor)?

          ./jboss-cli.sh
          [standalone@localhost:9990 subsystem=ee] pwd
          /subsystem=ee

          [standalone@localhost:9990 subsystem=ee] ls
          context-service
          managed-executor-service
          managed-scheduled-executor-service
          managed-thread-factory
          service
          annotation-property-replacement=false
          ear-subdeployments-isolated=false
          global-modules=[{"name" => "org.jboss.logging","slot" => "main"},{"name" => "org.apache.log4j","annotations" => true,"meta-inf" => true,"services" => false}]
          jboss-descriptor-property-replacement=true
          spec-descriptor-property-replacement=false

           

          Thanks,

          Vlad

          • 2. Re: Activating jaspic in wildfly
            bschatz

            The ee subsystem of my (working) workaround looks like this:

            [standalone@localhost:9990 subsystem=ee] ls
            context-service                        annotation-property-replacement=false
            managed-executor-service               ear-subdeployments-isolated=false
            managed-scheduled-executor-service     global-modules=[{"name" => "jfoss-java-server-extension","slot" => "main"}]
            managed-thread-factory                 jboss-descriptor-property-replacement=true
            service                                spec-descriptor-property-replacement=false

            • 3. Re: Activating jaspic in wildfly
              bschatz

              Here are the other configurations I use:


              <subsystem xmlns="urn:jboss:domain:security:2.0">
                  <security-domains>
                      [...]
                      <security-domain name="jaspitest" cache-type="default">
                          <authentication-jaspi>
                              <login-module-stack name="dummy">
                                  <login-module code="Dummy" flag="optional"/>
                              </login-module-stack>
                              <auth-module code="Dummy"/>
                          </authentication-jaspi>
                      </security-domain>
                      [...]
                      <security-domain name="daimler-pai" cache-type="default">
                          <authentication-jaspi>
                              <login-module-stack name="dummy">
                                  <login-module name="dummy" code="Dummy" flag="optional"/>
                              </login-module-stack>
                              <auth-module name="jaspi" code="dummy" flag="required" module="jfoss-java-server-extension"/>
                          </authentication-jaspi>
                      </security-domain>

               

               

               

              The configuration is added with:

              module add \
                  --name=jfoss-java-server-extension \
                  --resources=jfoss-oidc/build/libs/jfoss-oidc.jar:jfoss-common/build/libs/jfoss-common.jar: \
                  --dependencies=javax.api,javaee.api

              /subsystem=ee:write-attribute(name="global-modules",value=[{"name" => "jfoss-java-server-extension","slot" => "main"}])

              /subsystem=security/security-domain=daimler-jfoss:add(cache-type=default)
              /subsystem=security/security-domain=daimler-jfoss/authentication=jaspi:add()
              /subsystem=security/security-domain=daimler-jfoss/authentication=jaspi/login-module-stack=dummy:add()
              /subsystem=security/security-domain=daimler-jfoss/authentication=jaspi/login-module-stack=dummy/login-module=dummy:add(code=Dummy, flag=optional)
              /subsystem=security/security-domain=daimler-jfoss/authentication=jaspi/auth-module=jaspi:add(code=dummy, module=jfoss-java-server-extension, flag=required)
              /subsystem=undertow:write-attribute(name="default-security-domain", value="daimler-jfoss")
              reload

              What I miss is a way to also add the implementing class to the configuration,
              instead of activating it with my CDI workaround.
              Any ideas?

              • 4. Re: Activating jaspic in wildfly
                zhurlik

                Hi,

                 

                Could you share your module.xml and the full path to the folder that contains your new module with its jars and module.xml?

                Something like this:

                 

                /opt/jboss-eap-7.2/modules/system/layers/base/org/javassist/main$ ls -l
                total 760
                -rw-rw-r-- 1 zhurlik zhurlik 771181 Jan  7  2019 javassist-3.23.1.GA-redhat-00001.jar
                -rw-rw-r-- 1 zhurlik zhurlik   1421 Jan  7  2019 module.xml

                /opt/jboss-eap-7.2/modules/system/layers/base/org/javassist/main$ cat module.xml
                <?xml version="1.0" encoding="UTF-8"?>
                <!--
                  ~ JBoss, Home of Professional Open Source.
                  ~ Copyright 2010, Red Hat, Inc., and individual contributors
                  ~ as indicated by the @author tags. See the copyright.txt file in the
                  ~ distribution for a full listing of individual contributors.
                  ~
                  ~ This is free software; you can redistribute it and/or modify it
                  ~ under the terms of the GNU Lesser General Public License as
                  ~ published by the Free Software Foundation; either version 2.1 of
                  ~ the License, or (at your option) any later version.
                  ~
                  ~ This software is distributed in the hope that it will be useful,
                  ~ but WITHOUT ANY WARRANTY; without even the implied warranty of
                  ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
                  ~ Lesser General Public License for more details.
                  ~
                  ~ You should have received a copy of the GNU Lesser General Public
                  ~ License along with this software; if not, write to the Free
                  ~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
                  ~ 02110-1301 USA, or see the FSF site: http://www.fsf.org.
                  -->
                <module name="org.javassist" xmlns="urn:jboss:module:1.5">
                    <properties>
                        <property name="jboss.api" value="private"/>
                    </properties>
                    <resources>
                        <resource-root path="javassist-3.23.1.GA-redhat-00001.jar"/>
                    </resources>
                    <dependencies>
                        <module name="sun.jdk"/>
                    </dependencies>
                </module>

                 

                 

                 

                Thanks,

                Vlad

                • 5. Re: Activating jaspic in wildfly
                  bschatz

                  20191021_090922] $ cd /usr/local/wildfly/modules/jfoss-java-server-extension/main/
                  beschat@CSTRD0027405045:/usr/local/wildfly/modules/jfoss-java-server-extension/main (#jobs: 0) (exit 0) 747 
                  20191021_104216] $ ls  -l
                  insgesamt 1796
                  -rw-r--r-- 1 beschat beschat    4956 Okt 17 13:40 jfoss-common.jar
                  -rw-r--r-- 1 beschat beschat 1824135 Okt 17 13:40 jfoss-oidc.jar
                  -rw-r--r-- 1 beschat beschat     363 Okt 17 13:40 module.xml
                  beschat@CSTRD0027405045:/usr/local/wildfly/modules/jfoss-java-server-extension/main (#jobs: 0) (exit 0) 748 
                  20191021_104218] $ cat module.xml
                  <?xml version='1.0' encoding='UTF-8'?>

                  <module xmlns="urn:jboss:module:1.1" name="jfoss-java-server-extension">

                      <resources>
                          <resource-root path="jfoss-oidc.jar"/>
                          <resource-root path="jfoss-common.jar"/>
                      </resources>

                      <dependencies>
                          <module name="javax.api"/>
                          <module name="javaee.api"/>
                      </dependencies>
                  </module>

                  • 6. Re: Activating jaspic in wildfly
                    zhurlik

                    I guess that your problem is related to the folder where your module is located. At least it should be under: /usr/local/wildfly/modules/system/layers/base/jfoss-java-server-extension (you missed system/layers/base)

                    Also, I suggest adding a package to your module name and the folder, for example:

                    name -> org.javassist

                    path -> opt/jboss-eap-7.2/modules/system/layers/base/org/javassist/main

                     

                    Thanks,

                    Vlad

                    • 7. Re: Activating jaspic in wildfly
                      bschatz

                      Without the CDI workaround I still get the same error:

                       

                      17:06:33,652 ERROR [org.jboss.security] (default task-1) PBOX00374: Error getting ServerAuthContext for authContextId default-host /SimpleWebExample and security domain daimler-jfoss: javax.security.auth.message.AuthException
                              at org.jboss.security.auth.message.config.JBossServerAuthConfig.getAuthContext(JBossServerAuthConfig.java:187)
                              at org.jboss.security.plugins.auth.JASPIServerAuthenticationManager.isValid(JASPIServerAuthenticationManager.java:99)
                              at org.wildfly.extension.undertow.security.jaspi.JASPICAuthenticationMechanism.authenticate(JASPICAuthenticationMechanism.java:125)
                              at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245)
                              at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231)
                              at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)
                              at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99)
                              at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)

                       

                       

                      The question is, how does WildFly know which class in the module implements the JASPIC interface?
                      Does it get this via reflection (searching for the class that implements the JASPIC interfaces; what if there is more than one such class)?
                      If it does not automatically detect the class,
                      I still think that I have to add the implementing class (com.daimler.jfoss.oidc.jaspic.AuthProvider) somewhere in the standalone.xml ...

                      but as of now, I only mention the JBoss module that contains that class ==>

                       

                      ==============
                      <security-domain name="daimler-jfoss" cache-type="default">
                          <authentication-jaspi>
                              <login-module-stack name="dummy">
                                  <login-module name="dummy" code="Dummy" flag="optional"/>
                              </login-module-stack>
                              <auth-module name="jaspi" code="dummy" flag="required" module="system.layers.base.jfoss-java-server-extension"/>
                          </authentication-jaspi>
                      </security-domain>
                      =====================

                      • 8. Re: Activating jaspic in wildfly
                        bschatz

                        e.g. for Tomcat I have to add the implementing class to a file called jaspic-providers.xml ==>

                        <provider className="com.daimler.jfoss.oidc.jaspic.AuthProvider" layer="HttpServlet">

                        • 9. Re: Activating jaspic in wildfly
                          zhurlik

                          My understanding is that you can add this jaspic-providers.xml file as a resource in the module folder and insert it into module.xml.

                          It means that this resource will be available in the classpath.

                          • 10. Re: Activating jaspic in wildfly
                            bschatz

                            The jaspic-providers.xml is a **Tomcat**-specific configuration file.
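An added example, not the poster's code and not part of this thread, addressing the question in reply 7 of which class the `<auth-module code="...">` element names: in WildFly's legacy security subsystem the `code` attribute is assumed here to be the fully qualified name of a class implementing `javax.security.auth.message.module.ServerAuthModule`, which the container instantiates itself from the given `module`, so nothing is discovered by reflection. `OidcServerAuthModule` and `verifyToken()` are hypothetical names; the skeleton fails closed on protected resources and establishes the caller through the container's CallbackHandler, as the JASPIC contract requires.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

// Minimal fail-closed ServerAuthModule. verifyToken() is a hypothetical hook that
// stands in for the OIDC token validation, which is not shown here.
public class OidcServerAuthModule implements ServerAuthModule {
    private CallbackHandler handler;     // container-supplied; establishes the caller
    private MessagePolicy requestPolicy; // says whether the resource is protected

    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) {
        this.handler = handler;
        this.requestPolicy = requestPolicy;
    }

    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service)
            throws AuthException {
        HttpServletRequest req = (HttpServletRequest) mi.getRequestMessage();
        String user = verifyToken(req.getHeader("Authorization"));
        if (user != null) {                        // valid credential: set the caller
            setCaller(client, user);
            return AuthStatus.SUCCESS;
        }
        if (requestPolicy != null && !requestPolicy.isMandatory()) {
            setCaller(client, null);               // unprotected resource: anonymous
            return AuthStatus.SUCCESS;
        }
        ((HttpServletResponse) mi.getResponseMessage()).setStatus(401); // fail closed
        return AuthStatus.SEND_FAILURE;
    }

    public AuthStatus secureResponse(MessageInfo mi, Subject s) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo mi, Subject s) { s.getPrincipals().clear(); }

    private void setCaller(Subject s, String name) throws AuthException {
        try {
            handler.handle(new Callback[] { new CallerPrincipalCallback(s, name) });
        } catch (Exception e) { throw (AuthException) new AuthException().initCause(e); }
    }

    private String verifyToken(String authz) { return null; } // hypothetical hook
}
```

With this class packaged into the JBoss module, `code` would carry its fully qualified name in place of `dummy`; a class that cannot be loaded or cast to ServerAuthModule is what surfaces as the PBOX00374 "Error getting ServerAuthContext" shown in reply 7.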