1 Reply Latest reply on Sep 25, 2014 8:18 AM by Shane Lemon

    403 Forbidden using BASIC auth and "other" security domain

    Shane Lemon Newbie

      Attempting to secure our WildFly 8.1.0-Final application using BASIC Authentication and ApplicationRealm Authorization but only get a "403: Forbidden".  The authentication works (log line 35) and the role is found (see log line 31 and 32) but it appears authorization is failing (403).

       

      NOTE:

      1. This is clojure app using leiningen and immutant 2 (the deuce)

      2. I have attached a very basic app that fails with 403 as well

      3. Not sure if it is a red herring, but org.jboss.security.SecurityRolesAssociation.setSecurityRoles is getting a null (Threadlocal: null) as seen in last line of log file

       

      Log (TRACE org.jboss.security)


      15:11:24,305 TRACE [io.undertow.request] (default I/O-1) Opened connection with /127.0.0.1:56632
      15:11:24,319 TRACE [io.undertow.request] (default I/O-1) Opened connection with /127.0.0.1:56634
      15:11:24,359 TRACE [io.undertow.server.HttpServerExchange] (default task-1) Starting to write response for HttpServerExchange{ GET /}
      15:11:24,364 TRACE [org.jboss.security] (default task-1) PBOX000354: Setting security roles ThreadLocal: null
      15:11:24,394 TRACE [io.undertow.request] (default I/O-2) Opened connection with /127.0.0.1:56636
      15:11:24,395 TRACE [io.undertow.server.HttpServerExchange] (default task-2) Starting to write response for HttpServerExchange{ GET /}
      15:11:24,396 TRACE [org.jboss.security] (default task-2) PBOX000354: Setting security roles ThreadLocal: null
      15:11:30,245 TRACE [io.undertow.request] (default I/O-2) Opened connection with /127.0.0.1:56638
      15:11:30,250 TRACE [org.jboss.security] (default task-3) PBOX000200: Begin isValid, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@6854f63, cache entry: null
      15:11:30,251 TRACE [org.jboss.security] (default task-3) PBOX000209: defaultLogin, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@6854f63
      15:11:30,252 TRACE [org.jboss.security] (default task-3) PBOX000221: Begin getAppConfigurationEntry(other), size: 4
      15:11:30,254 TRACE [org.jboss.security] (default task-3) PBOX000224: End getAppConfigurationEntry(other), AuthInfo: AppConfigurationEntry[]:
      [0]
      LoginModule Class: org.jboss.as.security.remoting.RemotingLoginModule
      ControlFlag: LoginModuleControlFlag: optional
      Options:
      name=password-stacking, value=useFirstPass
      [1]
      LoginModule Class: org.jboss.as.security.RealmDirectLoginModule
      ControlFlag: LoginModuleControlFlag: required
      Options:
      name=password-stacking, value=useFirstPass
      
      15:11:30,258 TRACE [org.jboss.security] (default task-3) PBOX000236: Begin initialize method
      15:11:30,258 TRACE [org.jboss.security] (default task-3) PBOX000240: Begin login method
      15:11:30,260 TRACE [org.jboss.security] (default task-3) PBOX000236: Begin initialize method
      15:11:30,261 TRACE [org.jboss.security] (default task-3) PBOX000240: Begin login method
      15:11:30,272 TRACE [org.jboss.security] (default task-3) PBOX000241: End login method, isValid: true
      15:11:30,272 TRACE [org.jboss.security] (default task-3) PBOX000242: Begin commit method, overall result: false
      15:11:30,272 TRACE [org.jboss.security] (default task-3) PBOX000242: Begin commit method, overall result: true
      15:11:30,278 TRACE [org.jboss.security] (default task-3) PBOX000210: defaultLogin, login context: javax.security.auth.login.LoginContext@7f30e759, subject: Subject(559479598).principals=org.jboss.security.SimplePrincipal@865892156(shane)org.jboss.security.SimpleGroup@1404193653(Roles(members:Manager))org.jboss.security.SimpleGroup@1404193653(CallerPrincipal(members:shane))
      15:11:30,279 TRACE [org.jboss.security] (default task-3) PBOX000207: updateCache, input subject: Subject(559479598).principals=org.jboss.security.SimplePrincipal@865892156(shane)org.jboss.security.SimpleGroup@1404193653(Roles(members:Manager))org.jboss.security.SimpleGroup@1404193653(CallerPrincipal(members:shane)), cached subject: Subject(318082014).principals=org.jboss.security.SimplePrincipal@865892156(shane)org.jboss.security.SimpleGroup@1404193653(Roles(members:Manager))org.jboss.security.SimpleGroup@1404193653(CallerPrincipal(members:shane))
      15:11:30,279 TRACE [org.jboss.security] (default task-3) PBOX000208: Inserted cache info: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@45929f32
      15:11:30,280 TRACE [org.jboss.security] (default task-3) PBOX000201: End isValid, result = true
      15:11:30,280 TRACE [org.wildfly.extension.undertow] (default task-3) User: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@6854f63 is authenticated
      15:11:30,293 TRACE [io.undertow.server.HttpServerExchange] (default task-3) Starting to write response for HttpServerExchange{ GET /}
      15:11:30,294 TRACE [org.jboss.security] (default task-3) PBOX000354: Setting security roles ThreadLocal: null
      
      
      

       

      jboss-web.xml

       

      <jboss-web>
        <context-root></context-root>
        <security-domain>other</security-domain>
      </jboss-web>
      
      
      
      

       

      web.xml

       

      <web-app>
             <security-constraint>
                 <web-resource-collection>
                          <web-resource-name>HtmlAuth</web-resource-name>
                          <description>application security constraints</description>
                          <url-pattern>/*</url-pattern>
                          <http-method>GET</http-method>
                          <http-method>POST</http-method>
                   </web-resource-collection>
                   <auth-constraint>
                          <role-name>Manager</role-name>
                   </auth-constraint>
             </security-constraint>
             <login-config>
                   <auth-method>BASIC</auth-method>
                   <realm-name>UserRoles simple realm</realm-name>
             </login-config>
             <security-role>
                   <role-name>Manager</role-name>
             </security-role>
      </web-app>
      
      
      
      

       

      standalone.xml (snippet of security domain, full standalone.xml attached)

       

            <subsystem xmlns="urn:jboss:domain:security:1.2">
                  <security-domains>
                      <security-domain name="other" cache-type="default">
                          <authentication>
                              <login-module code="Remoting" flag="optional">
                                  <module-option name="password-stacking" value="useFirstPass"/>
                              </login-module>
                              <login-module code="RealmDirect" flag="required">
                                  <module-option name="password-stacking" value="useFirstPass"/>
                              </login-module>
                          </authentication>
                      </security-domain>
                      <security-domain name="jboss-web-policy" cache-type="default">
                          <authorization>
                              <policy-module code="Delegating" flag="required"/>
                          </authorization>
                      </security-domain>
                      <security-domain name="jboss-ejb-policy" cache-type="default">
                          <authorization>
                              <policy-module code="Delegating" flag="required"/>
                          </authorization>
                      </security-domain>
                  </security-domains>
              </subsystem>
      
      
      
      

       

      Added users to ApplicationRealm with "Manager" Role.

       

      Any help would be greatly appreciated!