0 Replies Latest reply on Apr 1, 2016 1:46 AM by Alexander Mintchev

    Implement a custom ServerAuthModule for JBoss

    Alexander Mintchev Newbie

      Can somebody help me with this problem, please?

       

      http://stackoverflow.com/questions/36348377/implement-a-custom-serverauthmodule-for-jboss

       

      I need to "remember" the orgiginal URL of the Http Request, then redirect this request to a web form for a user authentication. In case of a successfull authentication, the user must be redirected to the "original" URL just "remembered" above. I am using JBoss 7.1.1 Final, a "standard" web.xml, and the JBoss Login Module org.jboss.security.auth.spi.DatabaseServerLoginModule:

      My question relates to:

       

      JBoss AS7: Enabling JASPI Authentication for Web Applications

       

      http://stackoverflow.com/questions/34429932/java-intercept-all-requests-before-they-go-to-login-authentication

       

      http://stackoverflow.com/questions/17654020/precedence-of-security-constraint-over-filters-in-servlets

       

      http://stackoverflow.com/questions/36119266/jaspic-serverauthmodule-delegating-to-jaas-krb5loginmodule/

       

      http://arjan-tijms.omnifaces.org/2012/11/implementing-container-authentication.html

       

      https://docs.oracle.com/cd/E19798-01/821-1752/gizdx/index.html

       

      However, after impltementing my solution, my custom ServerAuthModule is not called at all. What is even worse, I did not get any HttpResponse from the server. Something got broken, please help!

       

      My web.xml:

       

      <security-constraint>
        
      <web-resource-collection>
        
      <web-resource-name>All resources in /pages/*</web-resource-name>
        <description>All resources in /pages/*</description>
        <url-pattern>/pages/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
        <role-name>general</role-name>
        </auth-constraint>
        </security-constraint>

        <security-constraint>
        <display-name>Restrict direct access to the /resources folder.</display-name>
        <web-resource-collection>
        <web-resource-name>The /resources folder.</web-resource-name>
        <url-pattern>/resources/*</url-pattern>
        </web-resource-collection>
        <auth-constraint />
        </security-constraint>

        <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
        <form-login-page>/login.jsf</form-login-page>
        <form-error-page>/loginFailed.jsf</form-error-page>
        </form-login-config>
        </login-config>

        <security-role>
        <role-name>general</role-name>
        </security-role>

       

      My jboss-web.xml:

       

      <?xml version="1.0" encoding="UTF-8"?>
        
      <jboss-web>
        
      <security-domain>jBossJaasMysqlRealm</security-domain>
        
      <valve>
        
      <class-name>org.jboss.as.web.security.jaspi.WebJASPIAuthenticator</class-name>
        
      </valve>
        
      </jboss-web>


      My standalone.xml:


      <security-domain name="jBossJaasMysqlRealm" cache-type="default">
        
      <authentication-jaspi>
        
      <login-module-stack name="lm-stack">
        
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
        
      <module-option name="dsJndiName" value="java:/MySqlDS_IamOK"/>
        
      <module-option name="principalsQuery" value="select password from user where username=?"/>
        
      <module-option name="rolesQuery" value="select role, 'Roles' from user_role where username=?"/>
        
      </login-module>
        
      </login-module-stack>
        
      <auth-module code="at.alex.ok.web.utils.RequestMarkerServerAuthModule" login-module-stack-ref="lm-stack"/>
        
      </authentication-jaspi>
        
      </security-domain>


      My custom WebServerAuthModule:


      import org.jboss.as.web.security.jaspi.modules.WebServerAuthModule;

        
      public class RequestMarkerServerAuthModule extends WebServerAuthModule {

        
      public static final String ORIGINAL_URL = "originalURL";

        
      protected static final Class[] supportedMessageTypes = new Class[] {
        
      HttpServletRequest.class, HttpServletResponse.class };


        
      public void initialize(MessagePolicy reqPolicy, MessagePolicy resPolicy,
        
      CallbackHandler cBH, Map opts) throws AuthException {

        
      System.out.println( this.getClass().getName() + ".initialize() called");
        
      }

        
      public Class[] getSupportedMessageTypes() {
        
      return supportedMessageTypes;
        
      }

        
      public AuthStatus validateRequest(MessageInfo msgInfo, Subject client,
        
      Subject server) throws AuthException {
        
      try {
        
      System.out.println( this.getClass().getName() + ".validateRequest() called");

        processAuthorizationToken
      (msgInfo, client);
        
      return AuthStatus.SUCCESS;

        
      } catch (Exception e) {
        
      AuthException ae = new AuthException();
        ae
      .initCause(e);
        
      throw ae;
        
      }
        
      }

        
      private void processAuthorizationToken(MessageInfo msgInfo, Subject s)
        
      throws AuthException {

        
      HttpServletRequest request = (HttpServletRequest) msgInfo
        
      .getRequestMessage();

        
      String originalURL = request.getRequestURL().toString();
        request
      .getSession().setAttribute(ORIGINAL_URL, originalURL);
        
      }


        
      public AuthStatus secureResponse(MessageInfo msgInfo, Subject service)
        
      throws AuthException {

        
      System.out.println( this.getClass().getName() + ".secureResponse() called");

        
      return AuthStatus.SEND_SUCCESS;
        
      }

        
      public void cleanSubject(MessageInfo msgInfo, Subject subject)
        
      throws AuthException {
        
      System.out.println( this.getClass().getName() + ".cleanSubject() called");

        
      }

      }


      Any help will be appreciated. Thanks in advance!