1 Reply Latest reply on Jul 11, 2017 4:18 AM by Martin Choma

    JASPIC configuration in Wildfly SWARM

    Obakeng Balatseng Newbie

      I need some assistance with configuring JASPIC authentication in Wildfly Swarm. The JASPIC configuration works perfectly in the normal Wildfly, but I somehow cannot get it to work with Wildfly Swarm. I always this error:

       

       

      2017-07-07 11:15:08,819 ERROR [org.jboss.security] (default task-3) PBOX00374: Error getting ServerAuthContext for authContextId default-host /Tiles and security domain obbi-auth-id: javax.security.auth.message.AuthException
        at org.jboss.security.auth.message.config.JBossServerAuthConfig.getAuthContext(JBossServerAuthConfig.java:169)
        at org.jboss.security.plugins.auth.JASPIServerAuthenticationManager.isValid(JASPIServerAuthenticationManager.java:99)
        at org.wildfly.extension.undertow.security.jaspi.JASPICAuthenticationMechanism.authenticate(JASPICAuthenticationMechanism.java:123)
        at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.tranTISion(SecurityContextImpl.java:245)
        at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231)
        at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)
        at io.undertow.security.impl.SecurityContextImpl.authTranTISion(SecurityContextImpl.java:99)
        at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
        at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

       

       

      My Wildfly standalone configuration that works is

       

       

        <security-domain name="obbi-auth-id">
        <authentication-jaspi>
        <login-module-stack name="authid-loginmodule-stack">
        <login-module code="com.obbi.domain.security.loginmodule.jwt.JWTLoginModule" flag="sufficient" module="com.obbi.domain.security">
        <module-option name="expectedIssuer" value="CN=DI TIS signer"/>
        <module-option name="expectedAudience" value="obbi"/>
        <module-option name="allowedClockSkewInSeconds" value="30"/>
        <module-option name="validateTokenSignature" value="false"/>
        <module-option name="maxFutureValidityInMinutes" value="525600"/>
        <module-option name="keyStoreFilePath" value="C:/wildfly-10.1.0.Final/standalone/configuration/obbi-token-keystore.jks"/>
        <module-option name="keyStorePassword" value="pass123"/>
        <module-option name="validateCertificate" value="false"/>
        <module-option name="loadSystemPrincipals" value="true"/>
        <module-option name="loadSystemPrincipalsEndpoint" value="https://pu.obbi.co.za:4266/di/services/v1/auth-id?page=0&amp;size=1000&amp;username=%s"/>
        <module-option name="skipAllValidators" value="true"/>
        </login-module>
        <login-module code="com.obbi.domain.security.loginmodule.obbi.obbiLoginModule" flag="sufficient" module="com.obbi.domain.security">
        <module-option name="keyStoreFilePath" value="C:/wildfly-10.1.0.Final/standalone/configuration/obbi-token-keystore.jks"/>
        <module-option name="keyStorePassword" value="pass123"/>
        <module-option name="validateCertificate" value="false"/>
        <module-option name="validateTokenExpiry" value="false"/>
        <module-option name="validateTokenSignature" value="false"/>
        <module-option name="loadSystemPrincipals" value="true"/>
        <module-option name="loadSystemPrincipalsEndpoint" value="https://pu.obbi.co.za:4266/di/services/v1/auth-id?page=0&amp;size=1000&amp;username=%s"/>
        </login-module>
        </login-module-stack>
        <auth-module code="com.obbi.domain.security.JASPICServerAuthModule" flag="required" login-module-stack-ref="authid-loginmodule-stack"/>
        </authentication-jaspi>
        </security-domain>

       

       

      My Wildfly swarm configuration that attempts to mimic the above Wildfly standalone configuration is:

        private static SecurityFraction getSecurityFraction1() {
        return new SecurityFraction()
        .securityDomain("obbi-auth-id", sd -> {
        sd.jaspiAuthentication(jaspi -> {
        jaspi.loginModuleStack("authid-loginmodule-stack", stack -> {
        stack.loginModule("com.obbi.domain.security.loginmodule.jwt.JWTLoginModule", value -> {
        value.code("com.obbi.domain.security.loginmodule.jwt.JWTLoginModule")
        .flag(Flag.SUFFICIENT)
        .module("com.obbi.domain.security")
        .moduleOption("expectedIssuer", "CN=DI TIS signer")
        .moduleOption("expectedAudience", "obbi")
        .moduleOption("allowedClockSkewInSeconds", "30")
        .moduleOption("validateTokenSignature", "false")
        .moduleOption("maxFutureValidityInMinutes", "525600")
        .moduleOption("keyStoreFilePath", "C:/wildfly-10.1.0.Final/standalone/configuration/obbi-token-keystore.jks")
        .moduleOption("keyStorePassword", "pass123")
        .moduleOption("validateCertificate", "false")
        .moduleOption("loadSystemPrincipals", "true")
        .moduleOption("loadSystemPrincipalsEndpoint", "https://pu.obbi.co.za:4266/di/services/v1/auth-id?page=0&size=1000&username=%s")
        .moduleOption("skipAllValidators", "true");
        stack.loginModule("com.obbi.domain.security.loginmodule.obbi.obbiLoginModule", value1 -> {
        value1.code("com.obbi.domain.security.loginmodule.obbi.obbiLoginModule")
        .flag(Flag.SUFFICIENT)
        .module("com.obbi.domain.security")
        .moduleOption("keyStoreFilePath", "C:/wildfly-10.1.0.Final/standalone/configuration/obbi-token-keystore.jks")
        .moduleOption("keyStorePassword", "pass123")
        .moduleOption("validateCertificate", "false")
        .moduleOption("validateTokenExpiry", "false")
        .moduleOption("validateTokenSignature", "false")
        .moduleOption("loadSystemPrincipals", "true")
        .moduleOption("loadSystemPrincipalsEndpoint", "https://pu.obbi.co.za:4266/di/services/v1/auth-id?page=0&size=1000&username=%s");
        });
        });
        });
      

        jaspi.authModule("com.obbi.domain.security.JASPICServerAuthModule", authModule -> {
        authModule.code("com.obbi.domain.security.JASPICServerAuthModule")
        .flag(Flag.SUFFICIENT)
        .loginModuleStackRef("authid-loginmodule-stack");
        });
        });
        });
        }

       

       

      On my POM I have added all dependencies that correspond to the module dependencies from the normal wildfly

       

      <dependency> 
      <groupId>org.picketbox</groupId>
      <artifactId>picketbox</artifactId>
      <version>4.9.6.Final
      </version>
      <type>pom</type>
      </dependency>

      <dependency>
      <groupId>org.picketbox</groupId>
      <artifactId>picketbox-infinispan</artifactId>
      <version>4.9.6.Final</version>
      </dependency>

      <dependency>
      <groupId>org.picketbox</groupId>
      <artifactId>picketbox-commons</artifactId>
      <version>1.0.0.final</version>
      </dependency>

      <dependency>
      <groupId>org.jboss.spec.javax.security.auth.message</groupId>
      <artifactId>jboss-jaspi-api_1.1_spec</artifactId>
      <version>1.0.0.Final</version>
      </dependency>

      <dependency>
      <groupId>org.jboss.security</groupId>
      <artifactId>jbossxacml</artifactId>
      <version>2.0.8.Final</version>
      </dependency>

      <dependency>
      <groupId>org.jboss.spec.javax.servlet</groupId>
      <artifactId>jboss-servlet-api_3.1_spec</artifactId>
      <version>1.0.0.Final</version>
      </dependency>

      <dependency>
      <groupId>org.jboss.logging</groupId>
      <artifactId>jboss-logging</artifactId>
      <version>3.3.0.Final</version>
      </dependency>

      <dependency>
      <groupId>org.jboss.spec.javax.xml.bind</groupId>
      <artifactId>jboss-jaxb-api_2.2_spec</artifactId>
      <version>1.0.4.Final</version>
      </dependency>

      <dependency>
      <groupId>javax.activation</groupId>
      <artifactId>activation</artifactId>
      <version>1.1.1</version>
      </dependency>

      <dependency>
      <groupId>org.jboss.spec.javax.security.jacc</groupId>
      <artifactId>jboss-jacc-api_1.5_spec</artifactId>
      <version>1.0.0.Final</version>
      </dependency>

      <dependency>
      <groupId>org.jboss.spec.javax.resource</groupId>
      <artifactId>jboss-connector-api_1.7_spec</artifactId>
      <version>1.0.0.Final</version>
      </dependency>