How to use unauthenticatedIdentity when calling EJB from JAX-RS?
jayblanc Mar 10, 2014 7:15 AM
Hi,
I have set up a small application that should be accessible either as a guest or as an authenticated user. Authentication is defined in a custom security domain in the standalone-full.xml.
My application is packaged as an ear composed of:
- an ejb module containing EJBs, entities, MDBs, topics, etc.
- a war module containing JAX-RS services that call EJBs
I want to handle the authentication using HTTP headers, to allow REST calls to provide custom credentials (tokens, certificates, etc.), but I don't want to enforce it (anonymous access allowed), and I want to override the unauthenticatedIdentity using "guest" instead of "anonymous".
I have produced a small ServletFilter that is able to parse HTTP headers (or whatever I want) and call the httpRequest.login() method.
The problem is that when I call httpRequest.login(null, null) in the case of a guest call, I get an exception at the Undertow layer:
<security-domain name="mydomain" cache-type="default">
    <authentication>
        <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties" value="${jboss.server.config.dir}/mydomain-users.properties"/>
            <module-option name="rolesProperties" value="${jboss.server.config.dir}/mydomain-roles.properties"/>
            <module-option name="unauthenticatedIdentity" value="guest"/>
            <module-option name="hashUserPassword" value="false"/>
        </login-module>
    </authentication>
</security-domain>
Security domains are defined in jboss-web.xml for the war module and in jboss-ejb3.xml for the ejb module.
Authenticated access works perfectly.
Unauthenticated access gives:
- an anonymous user if I don't call httpRequest.login() (AbstractServerLoginModule is never called)
- login failed if I call httpRequest.login(null, null):
javax.servlet.ServletException: UT010031: Login failed
at io.undertow.servlet.spec.HttpServletRequestImpl.login(HttpServletRequestImpl.java:410) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
at org.ortolang.prototype.rest.SecurityFilter.doFilter(SecurityFilter.java:43) [classes:]
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:56) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
At the EJB layer it seems that login(null, null) uses the unauthenticatedIdentity (AbstractServerLoginModule is called), but at the Undertow level the HTTP authentication fails.
My question is: what is the best way to handle authentication in JAX-RS resources so that it is propagated to the EJB layer and uses the security domain defined in WildFly?
Should the JAX-RS resource also be a SessionBean declaring a SecurityDomain?
I'm a little bit confused by this obfuscation of the traditional JAAS LoginContext usage...
Thanks for any advice, Jérôme.
- GreetingServiceBean.java (989 bytes)
- SecurityFilter.java (2.1 KB)
- SecurityInterceptor.java (1.9 KB)
- GreetingResource.java (1.3 KB)
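As an added illustration (my own code, not the poster's SecurityFilter nor anything from WildFly), here is a filter that calls HttpServletRequest.login() only when the client actually sent an Authorization header, so a guest request never reaches the login(null, null) call that produced UT010031 in the trace above, and a bad or malformed credential is answered with 401 or 400 rather than surfacing as a container exception. It assumes HTTP Basic credentials and the realm name "mydomain" from the security domain shown in the post.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
// Hypothetical filter: login() is only attempted when credentials are actually present.
public class OptionalBasicAuthFilter implements Filter {
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String header = request.getHeader("Authorization");
        if (header == null) {
            // Guest call: no credentials were supplied, so skip login() entirely (never login(null, null)).
            chain.doFilter(req, res);
            return;
        }
        String[] creds;
        try {
            creds = parseBasic(header);
        } catch (IllegalArgumentException e) {
            // A header that is present but malformed is rejected, never silently downgraded to guest.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try {
            request.login(creds[0], creds[1]);
        } catch (ServletException e) {
            // Wrong credentials: answer 401 ourselves instead of letting UT010031 surface as a 500.
            response.setHeader("WWW-Authenticate", "Basic realm=\"mydomain\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }
    // Returns {user, password} for a well-formed "Basic <base64>" header; throws on anything else.
    static String[] parseBasic(String header) {
        if (!header.regionMatches(true, 0, "Basic ", 0, 6)) throw new IllegalArgumentException("unsupported scheme");
        String decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                                    StandardCharsets.UTF_8); // decode() throws IllegalArgumentException on bad base64
        int colon = decoded.indexOf(':');
        if (colon <= 0) throw new IllegalArgumentException("missing user name or ':' separator");
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }
    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

This sidesteps the failure in the trace rather than turning the unauthenticated caller into "guest"; whether the EJB layer then sees the unauthenticatedIdentity or "anonymous" for a caller that never went through login() is exactly the open question of the post.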