2 Replies Latest reply on Mar 7, 2018 5:49 AM by stv acom

    HTTP/Form with LDAP Authentication gives 'Internal Error'

    stv acom Newbie

      Hello,

       

          I'm try trying to enable authentication for a webapp using an http form post ( action='j_security_check', input='j_username' and 'j_password' ).

       

      When the form is submitted the server responds with an internal error.

       

      The war deployed for testing purpose contains a very small web.xml

      web.xml ( relevant part )

      <login-config>

           <security-constraint>

       

                <web-resource-collection>

                <web-resource-name>ExploitationProtectedWebResourceCollection</web-resource-name>

                <url-pattern>/*</url-pattern>

                <http-method>GET</http-method>

                <http-method>POST</http-method>

                </web-resource-collection>

       

                <auth-constraint>

                     <role-name>reader</role-name>

                </auth-constraint>

           </security-constraint>

       

           <auth-method>FORM</auth-method>

           <realm-name>stvaDefaultRealm</realm-name>

           <form-login-config>

                <form-login-page>/login.html</form-login-page>

           </form-login-config>

      </login-config>

       

      <security-role>

           <role-name>reader</role-name>

      </security-role>

      Here is the jboss-web.xml

      jboss-web.xml

      <?xml version="1.0"?>

      <jboss-web>

          <security-domain>java:/jaas/stvaDefaultRealm</security-domain>

      </jboss-web>

      please note, I also tryed to specify the security domain this way 'java:stvaDefaultRealm' and this way 'stvaDefaultRealm'.

       

      I use the standalone-full configuration attached to this post. It has been modified using the following CLI commands :

      CLI Commands

      batch

      /subsystem=elytron/dir-context=stvaDomainConnection:add(url="ldap://this_is_a_valid_ldap_host",principal="ou=People,ou=challenge3test,dc=stva,dc=com",credential-reference={clear-text="-----"})

       

      /subsystem=elytron/ldap-realm=StvaLdapRealm:add(dir-context=stvaDomainConnection,identity-mapping={search-base-dn="ou=People,ou=challenge3test,dc=stva,dc=com",rdn-identifier="uid",user-password-mapper={from="userPassword"},attribute-mapping=[{filter-base-dn="ou=Roles,ou=challenge3test,dc=stva,dc=com",filter="(&(objectClass=groupOfNames)(member={1}))",from="cn",to="Roles"}]})

      /subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=Roles)

      /subsystem=elytron/security-domain=stvaLdapSecurityDomain:add(realms=[{realm=StvaLdapRealm,role-decoder=from-roles-attribute}],default-realm=StvaLdapRealm,permission-mapper=default-permission-mapper)

      /subsystem=elytron/http-authentication-factory=stva-ldap-http-auth:add(http-server-mechanism-factory=global,security-domain=stvaLdapSecurityDomain,mechanism-configurations=[{mechanism-name=FORM,mechanism-realm-configurations=[{realm-name=stvaDefaultRealm}]}])

       

       

      /subsystem=undertow/application-security-domain=stvaDefaultRealm:add(http-authentication-factory=stva-ldap-http-auth)

       

      run-batch

       

      The result is the same regardless of the version of Wildfly used ( 11 or 12 ).

      I've seen many tutorials explaining how to setup this, and they all look the same, so I'm guessing there is a very obvious mistake on my side. Can someone help to spot what I am doing wrong ?

       

      I use a proxy to see if the LDAP server is requested at some point and it turns out its is not : no LDAP request is ever made.

       

      thanks

        • 1. Re: HTTP/Form with LDAP Authentication gives 'Internal Error'
          Martin Choma Master

          First of all Elytron is not backed by JAAS by default. So instead of <security-domain>java:/jaas/stvaDefaultRealm</security-domain>, which you are probably used to use from earlier version, you can use just <security-domain>stvaDefaultRealm</security-domain>.

           

           

          • 2. Re: HTTP/Form with LDAP Authentication gives 'Internal Error'
            stv acom Newbie

            Hello,

             

               yes you are right. I tried the was you suggested ( amongst other wrong ways : 'java:/jaas/stvaDefaultRealm' ).

            I figured out my problem was the ldap request : I was using a request with a filter to an non-existent objectClass in our LDAP tree and a wrong attribute.

             

            i.e. here :

            /subsystem=elytron/ldap-realm=StvaLdapRealm:add(dir-context=stvaDomainConnection,identity-mapping={search-base-dn="ou=People,ou=challenge3test,dc=stva,dc=com",rdn-identifier="uid",user-password-mapper={from="userPassword"},attribute-mapping=[{filter-base-dn="ou=Roles,ou=challenge3test,dc=stva,dc=com",filter="(&(objectClass=WRONG_CLASS)(WRONG_ATTRIBUTE={1}))",from="cn",to="Roles"}]})

             

            After this part was fixed, authentication started to work as expected.

             

            thanks for your answer