11 Replies Latest reply on Sep 5, 2017 10:27 AM by ladbrokesldk

LoginModule doesn't set Principal

ladbrokesldk Sep 4, 2017 4:04 AM

Hi all,

I have implemented a custom javax.security.auth.spi.LoginModule that authenticates a user with the Google+ identity (OAUTH) server and adds roles to the Subject from a local database.

On commit, the Subject and its Principals (Roles, members) are set. So far so good.

The urls are protected with in web.xml

<login-config>
<auth-method>FORM</auth-method>
<realm-name>GoogleLogin</realm-name>
<form-login-config>
<form-login-page>/lbsLogin.html</form-login-page>
<form-error-page>/VAADIN/error.html</form-error-page>
</form-login-config>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/secure/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<description>User view-only</description>
<role-name>user</role-name>
</security-role>

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<security-domain>GoogleLogin</security-domain>
</jboss-web>

The login page /lbsLogin.html is redirected to a link to the Google+ login. The redirect of Google+ triggers the programmatic login.

String code = request.getParameter("code");
GoogleCallbackHandler cbh = new GoogleCallbackHandler(code);
LoginContext loginContext = new LoginContext("GoogleLogin", new Subject(), cbh);
loginContext.login();
Subject subject = loginContext.getSubject();

16:13:34,237 INFO [stdout] (default task-17) Principal = myaccount@gmail.com

16:13:34,237 INFO [stdout] (default task-17) Principal = Roles(members:extuser,user)

16:13:34,237 INFO [stdout] (default task-17) Principal = CallerPrincipal(members:myaccount@gmail.com)

The Subject is correctly populated.

However, when checking for the callerPrincipal or Remote user, they always remain null. So the security context is not propagated to the EJB context. From the point of view of EJB I am "anonymous". As a result, the browser is always redirected to the login page and can't reach /secure/*

Annotations @RolesAllowed("user") on Stateless beans generate javax.ejb.EJBAccessException

What do I do need to do to propagate the Principal to the application ?

This is my standalone-full.xml modification.

<security-domain name="GoogleLogin">
<authentication>
<login-module code="be.authtest.vaadin.oauth.GoogleLoginModule" flag="required">
<module-option name="dsJndiName" value="java:jboss/datasources/frontDS"/>
<module-option name="rolesQuery" value="select R.role as Role, 'Roles' from lbs_role R inner join lbs_user_role UR on UR.role_id=R.id inner join lbs_user U on U.id=UR.user_id and U.status=1 where U.username=?"/>
<module-option name="callbackUrl" value="http://localhost:8080/vaadin/login/login2"/>
<module-option name="gplusKey" value="******************************"/>
<module-option name="gplusSecret" value="**************************"/>
<module-option name="gplusUrl" value="https://www.googleapis.com/plus/v1/people/me"/>
</login-module>
</authentication>
</security-domain>

Thank you.

Dear, I added a small Maven project to illustrate the problem. Calling AuthService.getSecurityInfo() or any other method of this bean will throw an EJBAccessException. I use Redhat Jboss developer Studio 10.4.0.GA. Thank you for you reply.@

Dear, I added my new LoginModule, the clue must be within that code.

Hi, anybody has an idea as where to look ? I'm at the end of my wits.

vaadin.zip 53.2 KB
GoogleLoginModule.java 7.1 KB

1. Re: LoginModule doesn't set Principal

jaikiran Aug 23, 2017 1:31 AM (in response to ladbrokesldk)

Please post the code (including import statements) of the relevant EJB and any configurations that you done to it in ejb-jar.xml or WildFly specific descriptors.
Actions
2. Re: LoginModule doesn't set Principal

ladbrokesldk Aug 23, 2017 6:46 AM (in response to jaikiran)

Hi, I added a small Maven project that can be directly imported into Redhat Jboss developer Studio 10.4.0.GA. Thank you.
Actions
3. Re: LoginModule doesn't set Principal

jaikiran Aug 23, 2017 11:28 AM (in response to ladbrokesldk)

As suspected you are using the wrong (fully qualified) annotation for SecurityDomain on the EJB:

import org.jboss.security.annotation.SecurityDomain;

...
@SecurityDomain(value="GoogleLogin")
@RolesAllowed("user")
public class AuthService {

The org.jboss.security.annotation.SecurityDomain was applicable only in JBoss AS 4.x days. The right annotation to use is org.jboss.ejb3.annotation.SecurityDomain. The WildFly testsuite has example usages like the one here https://github.com/wildfly/wildfly/blob/a3a85c9d574a3f3664f14be5b091387d9fc669b9/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/ejb/security/authentication/WhoAmIBean.java#L35
Actions
4. Re: LoginModule doesn't set Principal

ladbrokesldk Aug 24, 2017 4:13 AM (in response to jaikiran)

Hi Jaikiran, thank you for you response. Unfortunately this doesn't work either.
The root cause is that the pricipal and roles are not propagated to the SessionContext.
I even extended org.jboss.security.auth.spi.AbstractServerLoginModule to make sure the commit() logic was OK.
These principals are returned after the login to the Subject :
10:03:46,469 INFO [stdout] (default task-6) 2017-08-24 10:03:46,468 [default task-6] DEBUG be.authtest.vaadin.ui.GoogleLoginUI - Line 105 - Principal = account@gmail.com
10:03:46,469 INFO [stdout] (default task-6) 2017-08-24 10:03:46,469 [default task-6] DEBUG be.authtest.vaadin.ui.GoogleLoginUI - Line 105 - Principal = Roles(members:extuser,user)
10:03:46,469 INFO [stdout] (default task-6) 2017-08-24 10:03:46,469 [default task-6] DEBUG be.authtest.vaadin.ui.GoogleLoginUI - Line 105 - Principal = CallerPrincipal(members:account@gmail.com)

SessionContext.getCallerPrincipal() always returns "anonymous", that is why the request remains unauthorized, no matter what security annotation I use.

I'll be looking for an alternative to J2EE.
Actions
5. Re: LoginModule doesn't set Principal

ladbrokesldk Sep 4, 2017 4:05 AM (in response to ladbrokesldk)

Hi, anybody has an idea as where to look ? I'm at the end of my wits.
Any help is welcome.
Actions
6. Re: LoginModule doesn't set Principal

ctomc Sep 4, 2017 9:01 AM (in response to ladbrokesldk)

What exact version of server are you using?

Did you try with latest version? currently being WildFly 11 CR1
Actions
7. Re: LoginModule doesn't set Principal

ladbrokesldk Sep 4, 2017 9:11 AM (in response to ctomc)

Hi Tomaz, I am using Jboss EAP 7.0.
Unfortunately I can't change the version of my server easily because only this version is authorized.
Cheers.
Actions
8. Re: LoginModule doesn't set Principal

ctomc Sep 4, 2017 9:52 AM (in response to ladbrokesldk)

That changes pretty much everything, as AS7 and EAP7 don't have much in common....

I've moved your post to proper forum.
Actions
9. Re: LoginModule doesn't set Principal

ladbrokesldk Sep 5, 2017 4:40 AM (in response to ctomc)

Hi Tomaz,

That shouldn't be the case. The login module is a pure JAAS implementation. So the server version should make no difference, unless it is a bug.
Regards.
Actions
10. Re: LoginModule doesn't set Principal

jcacek Sep 5, 2017 5:33 AM (in response to ladbrokesldk)

Isn't the problem related to the fact, the JAAS call is used directly here (LoginContext.login)? IMO the proper way would be to call either HttpServletRequest.login() or HttpServletRequest.authenticate().
Actions
11. Re: LoginModule doesn't set Principal

ladbrokesldk Sep 5, 2017 10:27 AM (in response to jcacek)

Hi Josef,

HttpServletRequest.login(usename,password) indeed does the trick as expected.
However, if I need multiple login modules with specific CallbackHandlers, and since HttpServletRequest.login() only exists with one signature, how am I going to call different LoginModules with their respective CallbackHandlers ?
Regards
Actions

Go to original post