0 Replies Latest reply on Jun 22, 2017 4:54 AM by jboss_99

    JBoss AS7 REST Web application security migration to WildFly 10

    jboss_99

      Hi All,

      I have migrated my web application (REST APIs) from JBoss 7.1.1 to WildFly 10.

      There are a total of 2 REST APIs being migrated to WildFly 10. Initially I did not find any challenges while migrating my application, until I executed my test cases for user authentication.

      In JBoss 7.1.1 (web.xml) the security for the APIs is configured as below:

      <context-param>
          <param-name>resteasy.role.based.security</param-name>
          <param-value>true</param-value>
      </context-param>

      <security-constraint>
          <web-resource-collection>
              <web-resource-name>Resteasy</web-resource-name>
              <url-pattern>/message</url-pattern>
              <http-method>GET</http-method>
          </web-resource-collection>
          <auth-constraint id="AuthConstraint_1">
              <role-name>cli</role-name>
          </auth-constraint>
      </security-constraint>

      <login-config>
          <auth-method>BASIC</auth-method>
          <realm-name>ApplicationRealm</realm-name>
      </login-config>

      <security-role>
          <role-name>cli</role-name>
      </security-role>

       

      Service API:

      import javax.annotation.security.RolesAllowed;
      import javax.ws.rs.GET;
      import javax.ws.rs.Path;
      import javax.ws.rs.PathParam;
      import javax.ws.rs.core.Response;

      @Path("/message")
      public class RestService {

          // API1: method-level role check via @RolesAllowed
          @GET
          @Path("/message1/{param}")
          @RolesAllowed("sumo")
          public Response printMessage1(@PathParam("param") String msg) {
              String result = "You passed : " + msg;
              System.out.println("printMessage1: " + result);
              return Response.status(200).entity(result).build();
          }

          // API2: no @RolesAllowed annotation on this method
          @GET
          @Path("/message2/{param}")
          public Response printMessage2(@PathParam("param") String msg) {
              String result = "Reverse passed : " + new StringBuffer(msg).reverse().toString();
              System.out.println("printMessage2: " + result);
              return Response.status(200).entity(result).build();
          }
      }

       

      JBoss 7.1.1:

       

      While running the test cases for authentication in JBoss 7.1.1, with a correct user name and password having role "sumo", both APIs work fine.

      If I provide a wrong user name or password for the APIs in JBoss 7, the API having NO security constraint (API2) was still getting called and its logic was executed. For the API having security (API1), JBoss 7 threw the error "401 Unauthorized access".

      WildFly 10:

      When I ran the same test cases in WildFly 10, I found that when a correct user name and password having role "sumo" is passed, both APIs are executed.

      But when a wrong user name or password is passed to invoke the APIs, for API1, which has security set, the error "401 Unauthorized access" is thrown by WildFly, which is correct.

      But the issue is that the error "401 Unauthorized access" is also thrown for API2, which has no security.

      i.e. WildFly 10 is checking security for every resource, no matter whether security is set.
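An added example, not part of the post or of RESTEasy/WildFly: a small Python checker that loads a web.xml fragment constructed from the one posted above and reports which roles the container's security-constraint would demand for a given request, applying the Servlet url-pattern rules (exact match, /prefix/*, *.ext, and the default /). It assumes the application is deployed at the context root with no JAX-RS application prefix, so the resource paths are /message/message1/{param} and /message/message2/{param}; under that assumption it shows that the exact pattern /message covers only /message itself, while a prefix pattern such as /message/* would cover both resource paths.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <security-constraint> from the posted web.xml, wrapped
# in a <web-app> root so it parses stand-alone (no namespace, as in the post).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Resteasy</web-resource-name>
      <url-pattern>/message</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint id="AuthConstraint_1">
      <role-name>cli</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def pattern_matches(pattern, path):
    """Servlet url-pattern rules: "/" is the default (matches everything),
    "/prefix/*" is a path prefix, "*.ext" matches by extension of the last
    segment, and any other pattern is an exact string match."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return path == pattern


def load_constraints(web_xml):
    """Yield (url_patterns, http_methods, roles) per <security-constraint>.
    Only the first <web-resource-collection> is read (the post has one each).
    An <auth-constraint> with no <role-name> yields [] (deny everyone)."""
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        wrc = sc.find("web-resource-collection")
        patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
        methods = [m.text.strip() for m in wrc.findall("http-method")]
        auth = sc.find("auth-constraint")
        roles = [r.text.strip() for r in auth.findall("role-name")] if auth is not None else None
        yield patterns, methods, roles


def required_roles(web_xml, method, path):
    """Roles the container demands for `method path`: a list of role names,
    [] if access is denied outright, or None when no constraint requires
    authentication for this request at all."""
    for patterns, methods, roles in load_constraints(web_xml):
        if methods and method not in methods:
            continue  # constraint lists http-methods and this one is not in it
        if any(pattern_matches(p, path) for p in patterns):
            return roles
    return None
```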