14 Replies Latest reply on Jan 23, 2018 12:36 PM by Martin Choma

    WildFly 11 programmatic login with Elytron

    Tom Stiemerling Newbie

      We are currently using PicketLink to perform a programmatic login from a login screen (not using web.xml) in WildFly 10. We are looking into how to do the same in WildFly 11 using Elytron, but it is not clear to me how this can be accomplished. Anyone have any ideas?

        • 1. Re: WildFly 11 programmatic login with Elytron
          Martin Choma Master

          In general, PicketLink is deprecated in WildFly 11 and PicketLink features are provided by KeyCloak now.

          If you can elaborate on your use case we can see if it is possible with pure Elytron.

          In WildFly 11 you can still use the legacy (PicketLink) approach - this should work as is - without Elytron.

          And you can always wrap a legacy security domain with an Elytron security domain.

          • 2. Re: WildFly 11 programmatic login with Elytron
            Tom Stiemerling Newbie

            Right, which is why we are looking into using Elytron (using KeyCloak is not in our future at the moment).

            Our application is using a front end UI based on Vaadin, which basically has a login callback (does not use standard web.xml login mechanism directly).

            We have implemented that login callback using PicketLink classes including Identity, PartitionManager, DefaultLoginCallback, etc. using the DB partition.

            We would like to replace that code with some Elytron code, but the only example code for Elytron that does anything remotely similar is using JAAS, which is what we were using before PicketLink and don't really want to go back to.

            • 3. Re: WildFly 11 programmatic login with Elytron
              Martin Choma Master

              Ok. Now the main question is where your users are stored. Is it a DB? If so you can use Elytron's jdbc-realm.

              So do I understand correctly that you want to implement a server-side action which gets username/password as parameters and wants to verify (using Elytron) that the user is stored in the DB?

              If so you could use request.login() in a Servlet, which will authenticate against the configured Elytron security-domain. The Elytron security-domain can be configured in jboss-web.xml and the undertow subsystem using application-security-domain [1].

              [1] wildfly/WebSecurityProgrammaticLoginTestCase.java at 7ab0dd8f5e3a0fb903a7295617c03933d4c97208 · wildfly/wildfly · GitHub
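The programmatic login described above, as an added example that is not part of the thread and not code from WildFly or Vaadin: a servlet whose doPost calls request.login(). Undertow hands that call to whichever security domain the deployment is bound to through jboss-web.xml and the undertow application-security-domain, so the servlet contains no realm-specific or JAAS code. The servlet path /login, the form fields "username" and "password", the landing page /app and the class name are assumptions for illustration; the API used is Servlet 3.1 (login, logout, changeSessionId).

```java
// Added example (not from the thread). Programmatic login through the Servlet API;
// the container routes request.login() to the Elytron security domain mapped to
// this deployment via jboss-web.xml / undertow application-security-domain.
// Assumed for illustration: URL /login, form fields "username" and "password",
// landing page /app. Requires Servlet 3.1 for changeSessionId().
import java.io.IOException;
import java.security.Principal;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/login")
public class ProgrammaticLoginServlet extends HttpServlet {

    private static final Logger LOG = Logger.getLogger(ProgrammaticLoginServlet.class.getName());

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        if (username == null || username.isEmpty() || password == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "username and password are required");
            return;
        }

        // login() throws if a caller identity is already established for this request,
        // so end any existing one first; this also gives a clean re-login.
        if (request.getUserPrincipal() != null) {
            request.logout();
        }

        // Create the session before authenticating so the container can cache the
        // authenticated identity for the requests that follow.
        request.getSession(true);

        try {
            // Container-managed credential check against the Elytron security domain
            // bound to this deployment (a jdbc-realm in the thread's setup).
            request.login(username, password);
        } catch (ServletException failed) {
            // Log username and origin only: never the password, and not the exception
            // text, which can reveal which realm or mechanism rejected the credential.
            LOG.warning(() -> "Login failed for '" + username + "' from " + request.getRemoteAddr());
            // Same status and body for unknown user and wrong password.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Login failed");
            return;
        }

        // Rotate the session id after authentication so an id issued before login
        // is not carried into the authenticated session.
        request.changeSessionId();

        Principal caller = request.getUserPrincipal();
        LOG.info(() -> "Login succeeded for '" + caller.getName() + "'");
        response.sendRedirect(request.getContextPath() + "/app");
    }

    // Explicit logout: ends the container-side identity and invalidates the session.
    @Override
    protected void doDelete(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        request.logout();
        if (request.getSession(false) != null) {
            request.getSession(false).invalidate();
        }
        response.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

This is the same call that Vaadin's JaasAccessControl makes in the stack trace posted later in the thread (HttpServletRequestImpl.login). A trace that then descends into org.jboss.security and JAASIdentityManagerImpl is the sign that the deployment is still bound to a legacy security domain rather than an Elytron one; once the undertow and ejb3 application-security-domain mappings from the end of the thread are in place, the call reaches the Elytron domain and this servlet needs no change.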

              • 4. Re: WildFly 11 programmatic login with Elytron
                Tom Stiemerling Newbie

                Yes, exactly that. The users will be stored in the DB realm (eventually also we will support LDAP/AD and maybe Kerberos).

                We need to be able to call explicit login that checks user credentials against DB. No other support for HTTP/web.xml/EJB currently needed.

                • 6. Re: WildFly 11 programmatic login with Elytron
                  Tom Stiemerling Newbie

                  Hi, I am trying the example from but I am getting the following errors when I deploy my application:

                  09:57:53,883 ERROR (Controller Boot Thread) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "app-1.0-SNAPSHOT.war")]) - failure description: {
                      "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.exampleApplicationDomain"],
                      "WFLYCTL0180: Services with missing/unavailable dependencies" => [
                          "jboss.deployment.unit.\"app-1.0-SNAPSHOT.war\".component.CaManager.CREATE is missing ",
                          "jboss.deployment.unit.\"app-1.0-SNAPSHOT.war\".component.ConfigurationService.CREATE is missing ",
                          "jboss.deployment.unit.\"app-1.0-SNAPSHOT.war\".component.ComponentClient.CREATE is missing ",
                          "jboss.deployment.unit.\"app-1.0-SNAPSHOT.war\".component.CaService.CREATE is missing "
                      ]
                  }

                  Not really sure what this is telling me. Do all the EJBs need to be annotated with the domain by default?

                  • 7. Re: WildFly 11 programmatic login with Elytron
                    Martin Choma Master

                    Seems EJBs are referencing the legacy security domain jboss.security.security-domain.exampleApplicationDomain

                    To leverage the Elytron security domain you should use a similar command:

                    /subsystem=ejb3/application-security-domain=other:add(security-domain=ApplicationDomain)

                    Yes, you have to tell it somehow how your EJBs will be secured, either by annotation or by jboss-ejb3.xml.

                    See Getting started with EJBs and Elytron Part 1: Securing EJBs and invoking them from remote clients for details.

                    [1] [WFLY-9126] Deployment fails when application domain names referrencing one Elytron domain are different in Undertow and…

                    • 8. Re: WildFly 11 programmatic login with Elytron
                      Tom Stiemerling Newbie

                      Yes, based on the wiki I had overridden the legacy security domain, which was incorrect. I have reverted this and here is my current configuration.

                      Here is the configuration from standalone.xml:

                      Realm:

                      <jdbc-realm name="jdbc-realm">
                          <principal-query sql="SELECT role, password FROM LoginUser WHERE username = ?" data-source="UiDS">
                              <attribute-mapping>
                                  <attribute to="Roles" index="1"/>
                              </attribute-mapping>
                              <clear-password-mapper password-index="2"/>
                          </principal-query>
                      </jdbc-realm>

                      Domain:

                      <security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper">
                          <realm name="jdbc-realm" role-decoder="groups-to-roles"/>
                          <realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
                          <realm name="local"/>
                      </security-domain>

                      Undertow:

                      <application-security-domains>
                          <application-security-domain name="exampleApplicationDomain" http-authentication-factory="application-http-authentication" override-deployment-config="true"/>
                      </application-security-domains>

                      Now when I try a login it does not even seem to go to the DB realm though:

                      15:54:33,443 DEBUG [org.jboss.security] (default task-25) PBOX00283: Bad password for username admin
                      15:54:33,443 DEBUG [org.jboss.security] (default task-25) PBOX00206: Login failure: javax.security.auth.login.FailedLoginException: PBOX00070: Password invalid/Password required
                          at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:286)
                          at org.jboss.as.security.RealmDirectLoginModule.login(RealmDirectLoginModule.java:157)
                          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
                          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                          at java.lang.reflect.Method.invoke(Method.java:498)
                          at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
                          at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
                          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
                          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
                          at java.security.AccessController.doPrivileged(Native Method)
                          at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
                          at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
                          at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406)
                          at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
                          at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:323)
                          at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
                          at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:123)
                          at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:94)
                          at io.undertow.security.impl.SecurityContextImpl.login(SecurityContextImpl.java:198)
                          at io.undertow.servlet.spec.HttpServletRequestImpl.login(HttpServletRequestImpl.java:442)
                          at javax.servlet.http.HttpServletRequestWrapper.login(HttpServletRequestWrapper.java:350)
                          at com.vaadin.cdi.access.JaasAccessControl.login(JaasAccessControl.java:73)

                      I should add that if I try and login with a user that I have added using add-user.sh it works fine.

                      • 9. Re: WildFly 11 programmatic login with Elytron
                        Tom Stiemerling Newbie

                        Still missing something. Starting with a fresh standalone.xml, I follow the instructions here:

                        WildFly Elytron Security - Latest WildFly Documentation - Project Documentation Editor

                        standalone.xml:

                        /subsystem=elytron/jdbc-realm=exampleDbRealm:add(principal-query=[{sql="SELECT password,role FROM LoginUser WHERE username=?",data-source=UiDS,clear-password-mapper={password-index=1},attribute-mapping=[{index=2,to=Roles}]}])

                        /subsystem=elytron/security-domain=exampleDbSD:add(realms=[{realm=exampleDbRealm,role-decoder=groups-to-roles}],default-realm=exampleDbRealm,permission-mapper=default-permission-mapper)

                        /subsystem=elytron/http-authentication-factory=example-db-http-auth:add(http-server-mechanism-factory=global,security-domain=exampleDbSD,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=exampleDbSD}]}])

                        /subsystem=undertow/application-security-domain=exampleApplicationDomain:add(http-authentication-factory=example-db-http-auth)

                        jboss-web.xml:

                        <?xml version="1.0" encoding="UTF-8"?>
                        <jboss-web>
                            <context-root>/ui</context-root>
                            <security-domain>exampleApplicationDomain</security-domain>
                        </jboss-web>

                        web.xml:

                        <?xml version="1.0" encoding="UTF-8"?>
                        <web-app>
                            <login-config>
                                <auth-method>BASIC</auth-method>
                                <realm-name>exampleApplicationDomain</realm-name>
                            </login-config>
                        </web-app>

                        And now I am back to this error again:

                        11:14:44,394 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "ui-1.0-SNAPSHOT.war")]) - failure description: {
                            "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.exampleApplicationDomain"],
                            "WFLYCTL0180: Services with missing/unavailable dependencies" => [
                        ...

                        • 10. Re: WildFly 11 programmatic login with Elytron
                          Martin Choma Master

                          And what happens when you try

                          /subsystem=ejb3/application-security-domain=exampleApplicationDomain:add(security-domain=exampleDbSD)
                          • 11. Re: WildFly 11 programmatic login with Elytron
                            Tom Stiemerling Newbie

                            Finally success! After adding that the security domain exception goes away and I can login with a DB user. Thanks for this - maybe the wiki should be updated with this?

                            Another follow-up question. The PicketLink APIs allow you to add the user and credentials to the DB when creating a new user. Is there something similar in Elytron or do I manually have to create the password hash based on the selected algorithm?

                            • 12. Re: WildFly 11 programmatic login with Elytron
                              Martin Choma Master

                              Good to hear that.

                              Do you have any suggestion in which way the documentation can be improved? This documentation wants to show realms - it can't describe every place where they can be used. EJB details are described in [1].

                              For the follow-up question, please create a new thread.

                              [1] Getting started with EJBs and Elytron Part 1: Securing EJBs and invoking them from remote clients

                              • 13. Re: WildFly 11 programmatic login with Elytron
                                Tom Stiemerling Newbie

                                Thanks. My only comment would be that pretty much everywhere in the wiki it mentions adding the security domain to jboss-web.xml, but if you do that you seem to have to add the application-domain to the ejb3 module as well, or you will get the exception I was seeing.

                                I will start a new thread for the other question.

                                Cheers!

                                • 14. Re: WildFly 11 programmatic login with Elytron
                                  Martin Choma Master

                                  Yes, because it demonstrates each realm on the simplest use case - the undertow subsystem.

                                  Probably this should be described in the EJB section [1], something like "How to integrate with Elytron", effectively the same as [2].

                                  [1] Securing EJBs - Latest WildFly Documentation - Project Documentation Editor

                                  [2] Getting started with EJBs and Elytron Part 1: Securing EJBs and invoking them from remote clients