1 Reply Latest reply on May 11, 2018 9:26 AM by Martin Choma

    Wildfly 12: Elytron-Configuration - LDAP-Issue

    Werner Greßhoff Newbie

      Hello,

       

      for the presentation of a prototype I'm trying to implement following scenario.

      The authentication should happen by an Active Directory Server. Because the roles used in my prototype are not available in the ADS I want to add role information statically. So I started by adding a dir-context to the elytron -subsystem:

       

                  <dir-contexts>

                      <dir-context name="zivadDC" url="ldap://aaa.bbb.cc:389" principal="cn=xxx,dc=yyy,dc=bbb,dc=cc">

                          <credential-reference clear-text="password"/>

                      </dir-context>

                  </dir-contexts>

       

      Next I added a role mapper:

       

                      <constant-role-mapper name="rdm-mapper">

                          <role name="rdmadmin"/>

                          <role name="rdmuser"/>

                      </constant-role-mapper>

       

      Then the security-realm:

       

                      <ldap-realm name="zivadLR" dir-context="zivadDC">

                          <identity-mapping rdn-identifier="cn" search-base-dn="dc=yyy,dc=bbb,dc=cc"/>

                      </ldap-realm>

       

      The security-domain:

       

                      <security-domain name="zivadSD" default-realm="zivadLR" permission-mapper="default-permission-mapper">

                          <realm name="zivadLR" role-mapper="rdm-mapper"/>

                      </security-domain>

       

      And the http-authentication-factory:

       

                      <http-authentication-factory name="zivad-authentication" security-domain="zivadSD" http-server-mechanism-factory="global">

                          <mechanism-configuration>

                              <mechanism mechanism-name="BASIC">

                                  <mechanism-realm realm-name="ZivADRealm"/>

                              </mechanism>

                              <mechanism mechanism-name="FORM"/>

                          </mechanism-configuration>

                      </http-authentication-factory>

       

      At last I added an application-security-domain to the undertow-subsystem:

       

                  <application-security-domains>

                      <application-security-domain name="ZivADRealm" http-authentication-factory="zivad-authentication"/>

                  </application-security-domains>

       

      Which I also added to the jboss-web.xml:

       

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-web>

        <context-root>/rdm</context-root>

        <security-domain>ZivADRealm</security-domain>

      </jboss-web>

       

      ... and to web.xml

       

      <login-config>

        <auth-method>FORM</auth-method>

        <realm-name>ZivADRealm</realm-name>

        <form-login-config>

         <form-login-page>/login.xhtml</form-login-page>

         <form-error-page>/error.html</form-error-page>

        </form-login-config>

      </login-config>

       

      In the log this leads to:

       

      09:44:03,010 DEBUG [io.undertow.request] (default I/O-14) Matched prefix path /rdm for path /rdm/j_security_check                                                
      09:44:03,011 DEBUG [io.undertow.request.security] (default task-1) Security constraints for request /rdm/j_security_check are [SingleConstraintMatch{emptyRoleSema
      ntic=PERMIT, requiredRoles=[]}]                                                                                                                                  
      09:44:03,011 DEBUG [io.undertow.request.security] (default task-1) Setting authentication required for exchange HttpServerExchange{ POST /rdm/j_security_check req
      uest {Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8], Accept-Language=[de,de-DE;q=0.8,en;q=0.5,en-US;q=0.3], Accept-Encoding=[gzip, defl
      ate, br], User-Agent=[Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0], Connection=[keep-alive], Content-Type=[application/x-www-form
      -urlencoded], Content-Length=[122], Cookie=[JSESSIONID=-Nj-svihYJ-p0dFy51lFi2Uoqghf55ZN-4hDY744.ubdd033; __utma=111872281.339145959.1522313935.1522313935.15223139
      35.1; __utmz=111872281.1522313935.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)], Referer=[https://localhost:8443/rdm/], Upgrade-Insecure-Requests=[1], Host=[
      localhost:8443]} response {X-Powered-By=[Undertow/1], Server=[WildFly/12]}}                                                                                      
      09:44:03,016 DEBUG [org.wildfly.security.http.password] (default task-1) Username authentication. Realm: [null], Username: [gressho].                            
      09:44:03,017 DEBUG [org.wildfly.security] (default task-1) Obtaining lock for identity [gressho]...                                                              
      09:44:03,017 DEBUG [org.wildfly.security] (default task-1) Obtained lock for identity [gressho].                                                                 
      09:44:03,023 DEBUG [org.wildfly.security.http.form] (default task-1) User [gressho] authentication failed                                                        
      09:44:03,024 DEBUG [io.undertow.request.security] (default task-1) Authentication failed with message ELY06006: An authorization check for user 'gressho' failed.
      and mechanism FORM for HttpServerExchange{ POST /rdm/j_security_check request {Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8], Accept-La
      nguage=[de,de-DE;q=0.8,en;q=0.5,en-US;q=0.3], Accept-Encoding=[gzip, deflate, br], User-Agent=[Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Fir
      efox/59.0], Connection=[keep-alive], Content-Type=[application/x-www-form-urlencoded], Content-Length=[122], Cookie=[JSESSIONID=-Nj-svihYJ-p0dFy51lFi2Uoqghf55ZN-4
      hDY744.ubdd033; __utma=111872281.339145959.1522313935.1522313935.1522313935.1; __utmz=111872281.1522313935.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)], Ref
      erer=[https://localhost:8443/rdm/], Upgrade-Insecure-Requests=[1], Host=[localhost:8443]} response {Expires=[0], Cache-Control=[no-cache, no-store, must-revalidat
      e], X-Powered-By=[Undertow/1], Server=[WildFly/12], Pragma=[no-cache]}}                                                                                          
      09:44:04,835 DEBUG [io.undertow.request] (default I/O-14) Matched prefix path /rdm for path /rdm/xhtml/index.xhtml                                               
      09:44:04,836 DEBUG [io.undertow.request.security] (default task-1) Security constraints for request /rdm/xhtml/index.xhtml are [SingleConstraintMatch{emptyRoleSem
      antic=PERMIT, requiredRoles=[rdmuser, rdmadmin]}]                                                       

       

      I'm especially puzzled about the line "Username authentication. Realm: [null], Username" with realm = null!

       

      The login page keep popping up forever!

       

      Has anyone some ideas how to fix this?

       

      Best regards

      Werner