0 Replies Latest reply on Jan 13, 2015 7:44 AM by tigran.babloyan

    BasicAuth with WildFly 8.2.0. RBAC Managed Roles.

    tigran.babloyan

      Hi guys,

I have a simple web application which is deployed into WildFly 8.2.0; the server is configured with RBAC access control enabled, and I want BasicAuth for my web application with the roles managed by RBAC.

      Let's go into details.


      I have a WildFly 8.2.0 web server with:

      1. RBAC access provider enabled.
      2. Application user "appuser".
      3. "appuser" is assigned a role "Administrator" with RBAC. (see screen shot below)

      (screen shot: screen1.png)

      I'm using standalone-full.xml with the following contents (I am sharing only the RBAC/security data).

      <server xmlns="urn:jboss:domain:2.2">
           <management>
              <security-realms>
                  <security-realm name="ManagementRealm">
                      <authentication>
                          <local default-user="$local" skip-group-loading="true"/>
                          <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                      </authentication>
                      <authorization map-groups-to-roles="false">
                          <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
                      </authorization>
                  </security-realm>
                  <security-realm name="ApplicationRealm">
                      <authentication>
                          <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
                          <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                      </authentication>
                      <authorization>
                          <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
                      </authorization>
                  </security-realm>
              </security-realms>
              <access-control provider="rbac">
                  <role-mapping>
                      <role name="SuperUser">
                          <include>
                              <user name="$local"/>
                              <user alias="manager" name="manager"/>
                          </include>
                      </role>
                      <role name="Administrator">
                          <include>
                              <user name="appuser"/>
                              <user realm="ApplicationRealm" name="appuser"/>
                          </include>
                      </role>
                  </role-mapping>
              </access-control>
           </management>
          
           <profile>
                <subsystem xmlns="urn:jboss:domain:security:1.2">
                  <security-domains>
                      <security-domain name="other" cache-type="default">
                          <authentication>
                              <login-module code="Remoting" flag="optional">
                                  <module-option name="password-stacking" value="useFirstPass"/>
                              </login-module>
                              <login-module code="RealmDirect" flag="required">
                                  <module-option name="password-stacking" value="useFirstPass"/>
                              </login-module>
                          </authentication>
                      </security-domain>
                      <security-domain name="jboss-web-policy" cache-type="default">
                          <authorization>
                              <policy-module code="Delegating" flag="required"/>
                          </authorization>
                      </security-domain>
                      <security-domain name="jboss-ejb-policy" cache-type="default">
                          <authorization>
                              <policy-module code="Delegating" flag="required"/>
                          </authorization>
                      </security-domain>
                  </security-domains>
              </subsystem>
      
           </profile>
      </server>
      
      


      I also have a web application with the following configuration:

      WEB-INF/web.xml

      <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
          version="3.1" id="sampleapp">
          <display-name>sampleapp</display-name>  
          <welcome-file-list>
              <welcome-file>index.jsp</welcome-file>
          </welcome-file-list>
          <security-constraint>
              <display-name>Access Pages</display-name>
              <web-resource-collection>
                  <web-resource-name>Pages</web-resource-name>
                  <url-pattern>*.jsp</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>Administrator</role-name>
              </auth-constraint>
          </security-constraint>
          <login-config>
              <auth-method>BASIC</auth-method>
              <realm-name>ApplicationRealm</realm-name>
          </login-config>
          <security-role>
              <description>Permission to access application</description>
              <role-name>Administrator</role-name>
          </security-role>
      </web-app>
      
      
      


      WEB-INF/jboss-web.xml

      <jboss-web>
          <security-domain>other</security-domain>
      </jboss-web>
      
      
      


      So my problem is: after deploying the web app I enter the "appuser" credentials at the BasicAuth prompt, but then I get a Forbidden page with a 403 status code.


      Can anyone suggest a place where I need to dig more, as the log files have nothing interesting to tell, even at TRACE level.


      Thanks in advance,
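Editor's note, added example (not part of the original post or of WildFly itself): a 403 after a successful BASIC login means the container authenticated the user but found none of the roles listed in the `<auth-constraint>`. With `<security-domain>other</security-domain>` and the `RealmDirect` login module shown above, the application's roles are read from the `ApplicationRealm`'s `application-roles.properties`; the `<access-control provider="rbac">` role mapping in the `<management>` section governs the management interfaces (CLI, HTTP management) and is not consulted for deployments. The script below cross-checks the `url-pattern` / `role-name` pairs of a web.xml against a user's line in `application-roles.properties` and reports which required roles the user lacks. The two properties-file contents are constructed sample inputs (the post does not show that file); the web.xml content mirrors the post.

```python
"""Cross-check web.xml auth-constraints against application-roles.properties.

Added example for the thread above; the properties contents are constructed,
not taken from the poster's server.
"""
import xml.etree.ElementTree as ET

NS = {"j": "http://xmlns.jcp.org/xml/ns/javaee"}

# Constructed sample: the constraint from the post's web.xml.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Pages</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Administrator</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role><role-name>Administrator</role-name></security-role>
</web-app>"""

# Constructed sample: what add-user.sh writes when no role is supplied for the user.
APP_ROLES_EMPTY = """# application-roles.properties
appuser=
"""
# Constructed sample: the same file after granting the role the web.xml asks for.
APP_ROLES_OK = """appuser=Administrator,Operator
"""


def required_roles(web_xml: str) -> dict:
    """Map each constrained url-pattern to the set of role names its auth-constraint lists."""
    root = ET.fromstring(web_xml)
    out = {}
    for sc in root.findall("j:security-constraint", NS):
        roles = {r.text.strip() for r in sc.findall("j:auth-constraint/j:role-name", NS)}
        for pat in sc.findall("j:web-resource-collection/j:url-pattern", NS):
            out.setdefault(pat.text.strip(), set()).update(roles)
    return out


def declared_roles(web_xml: str) -> set:
    """Roles declared via <security-role>; needed to resolve a '*' auth-constraint."""
    root = ET.fromstring(web_xml)
    return {r.text.strip() for r in root.findall("j:security-role/j:role-name", NS)}


def user_roles(properties: str, user: str) -> set:
    """Parse 'user=role1,role2' lines of application-roles.properties for one user."""
    for line in properties.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, roles = line.partition("=")
        if name.strip() == user:
            return {r.strip() for r in roles.split(",") if r.strip()}
    return set()


def missing_roles(web_xml: str, properties: str, user: str) -> dict:
    """Return {url-pattern: roles the user lacks} for every pattern the user cannot reach.

    Servlet rules applied: access is granted if the user holds ANY listed role;
    '*' means any declared <security-role>; '**' (Servlet 3.1) means any authenticated user.
    """
    have = user_roles(properties, user)
    declared = declared_roles(web_xml)
    result = {}
    for pat, need in required_roles(web_xml).items():
        if not need or "**" in need:
            continue  # unconstrained, or any authenticated user is fine
        if "*" in need and (have & declared):
            continue
        if not (need & have):
            result[pat] = need - have - {"*"}
    return result


if __name__ == "__main__":
    for label, props in (("empty roles", APP_ROLES_EMPTY), ("with Administrator", APP_ROLES_OK)):
        gaps = missing_roles(WEB_XML, props, "appuser")
        print(f"{label}: {'403 expected for ' + str(gaps) if gaps else 'access OK'}")
```

Run it against the real `WEB-INF/web.xml` and `$JBOSS_HOME/standalone/configuration/application-roles.properties` by reading the files into the two strings; any non-empty result is a pattern the container will answer with 403 for that user.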