-
1. Re: Wildfly 13 and custom (legacy) login module
pmm Jun 6, 2018 7:30 AM (in response to djapal)We're in a similar situation. Here's what we understand so far:
- Find out why you need a custom login module and the default LDAP realm does not work in your case.
- If the default LDAP realm works for you, use that.
- If the default LDAP realm almost works for you, check if you can still use it which a custom class that does your custom things.
- If the default LDAP realm categorically does not work for you then you need to implement org.wildfly.security.auth.server.SecurityRealm
- Find out why you need a custom login module and the default LDAP realm does not work in your case.
-
2. Re: Wildfly 13 and custom (legacy) login module
djapal Jun 6, 2018 7:44 AM (in response to pmm)Hi Philippe.
Thank you for your answer.
Right now I'm trying to make it work at least with the default LDAP authentication mechanism but I still have problems.
I have downloaded the wildfly-elytron source and I'm debugging the code, in order to find the error.
As we found out yesterday, legacy security-domain can also be used in Wildfly 13. I had the impression that this was not supported anymore beginning with version 12.
But still, this is sth that we need to find out if we can fix.
I'll keep this post updated with any new findings.
-
3. Re: Wildfly 13 and custom (legacy) login module
djapal Jun 7, 2018 10:24 AM (in response to pmm)Ok so what I have managed so far is that I had to use the Directory Manager credentials (not what we want, but let's bypass this step for the moment) because
this was the only way of reading the userPassword property of the ldap user.
This works.
User is authenticated and authorized. Roles are retrieved successfully.
When I login though and call SessionContext.getCallerPrincipal() "anonymous" is returned though request.getUserPrincipal().toString() returns the correct name.
What needs to be changed? Why anonymous is returned since i have disabled it through the equivalent mapper?
<permission-mapping>
<principal name="anonymous"/>
</permission-mapping>
<permission-mapping match-all="true">
<permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
<permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
<permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
<permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
</permission-mapping>
-
4. Re: Wildfly 13 and custom (legacy) login module
pmm Jun 7, 2018 10:56 AM (in response to djapal)Is that with the legacy or the Elytron configuration?
-
5. Re: Wildfly 13 and custom (legacy) login module
djapal Jun 7, 2018 3:59 PM (in response to pmm)With the Elytron.
Same application deployed as is on Wildfly 10.1 with picketbox and no such weird stuff.
Also I didnt have to declare the Directory Manager and his password in order to use the ldap authentication login module.
-
6. Re: Wildfly 13 and custom (legacy) login module
mchoma Jun 8, 2018 8:06 AM (in response to djapal)What is the package of SessionContext? Can you describe your solution. E.g. you are using BASIC http authentication to servlet and then servlet is calling EJB? And in EJB there is called SessionContext.getCallerPrincipal()?
-
7. Re: Wildfly 13 and custom (legacy) login module
djapal Jun 8, 2018 8:38 AM (in response to mchoma)Hi Martin.
It is a FORM authentication.
It is the normal javax.ejb.SessionContext class.
I have the following class with the following snippet.
import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
@Stateless
public class UtilityService {@Resource
private SessionContext securityContext;public boolean isInAnyOfRoles(List<String> roles) {
System.out.println(securityContext.getCallerPrincipal().getName());
return roles.stream().anyMatch(securityContext::isCallerInRole);
}
I inject this service in some places where I want to hide/show some links/menus.
In picketbox this works fine. principal name is correct and of course roles are found.
In Elytron this does not work. it displays anonymous.
-
8. Re: Wildfly 13 and custom (legacy) login module
mchoma Jun 8, 2018 9:07 AM (in response to djapal)In general that should work We test that.
There must be some difference in your case. Can you show us logs. With FORM do you use programmatic login? Can you show us how you call EJB from servlet? What application domain do you use in case of Undertow and EJB subsystems.
-
9. Re: Wildfly 13 and custom (legacy) login module
djapal Jun 8, 2018 9:45 AM (in response to mchoma)I have jsf pages where i use the rendered attribute in order to show/hide elements.
e.g. <ui:fragment rendered="#{utils.isInAnyOfRoles(['it'])}">
utils is an ApplicationScoped bean which injects the Utility service that i posted in my previous reply.
@Named(value = "utils")
@ApplicationScoped
public class UtilityBean extends GenericBean {private UtilityService utilityService;
@Inject
public UtilityBean(UtilityService utilityService) {this.utilityService = utilityService;
}
These work
value="#{request.getUserPrincipal().toString()}"
value="#{request.isUserInRole('it')}"
My snippet from standalone.xml
<subsystem xmlns="urn:jboss:domain:ejb3:5.0">
.
.
.
<default-security-domain value="lotusAD"/>
<application-security-domains>
<application-security-domain name="lotusAD" security-domain="lotusSD"/>
</application-security-domains>
<default-missing-method-permissions-deny-access value="true"/>
<log-system-exceptions value="true"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:undertow:6.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="lotusAD">
<application-security-domains>
<application-security-domain name="lotusAD" http-authentication-factory="lotus-ldap-http-auth"/>
</application-security-domains>
<http-authentication-factory name="lotus-ldap-http-auth" security-domain="lotusSD" http-server-mechanism-factory="global">
<mechanism-configuration>
<mechanism mechanism-name="FORM">
<mechanism-realm realm-name="lotusAD"/>
</mechanism>
</mechanism-configuration>
</http-authentication-factory>
<security-domain name="lotusSD" default-realm="lotusLR" permission-mapper="custom-permission-mapper">
<realm name="lotusLR" role-decoder="from-roles-attribute"/>
</security-domain>
<ldap-realm name="lotusLR" dir-context="lotusDC">
<identity-mapping rdn-identifier="uid" search-base-dn="cn=users,cn=accounts,dc=internal,dc=net">
<attribute-mapping>
<attribute from="cn" to="Roles" filter="(member={1})" filter-base-dn="cn=groups,cn=accounts,dc=internal,dc=net"/>
</attribute-mapping>
<user-password-mapper from="userPassword"/>
</identity-mapping>
</ldap-realm>
<simple-permission-mapper name="custom-permission-mapper">
<permission-mapping>
<principal name="anonymous"/>
</permission-mapping>
<permission-mapping match-all="true">
<permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
<permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
<permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
<permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
</permission-mapping>
</simple-permission-mapper>
web.xml
<login-config>
<auth-method>FORM</auth-method>
<realm-name>lotusAD</realm-name>
<form-login-config>
<form-login-page>/pages/login.jsf</form-login-page>
<form-error-page>/pages/login.jsf?failLogin=true</form-error-page>
</form-login-config>
</login-config>
jboss-ejb3.xml (not needed I guess since I have declared a default SD)
<?xml version="1.0"?>
<jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:s="urn:security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee
http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd
http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/ejb-jar_3_1.xsd"
version="3.1"
impl-version="2.0"><assembly-descriptor>
<s:security>
<ejb-name>*</ejb-name>
<s:security-domain>lotusAD</s:security-domain>
</s:security>
</assembly-descriptor>
</jboss:ejb-jar>
-
10. Re: Wildfly 13 and custom (legacy) login module
mchoma Jun 8, 2018 9:57 AM (in response to djapal)Any logs?
Are you calling request.login yourself in login.jsf ? Or are you relying on j_security_check?
-
11. Re: Wildfly 13 and custom (legacy) login module
djapal Jun 8, 2018 10:05 AM (in response to mchoma)I;m reyling on j_security_check.
I need to filter the log and post it here.
I'm also trying to create a simple senario with a demo app to see If I can reproduce it.
-
12. Re: Wildfly 13 and custom (legacy) login module
djapal Jun 8, 2018 11:13 AM (in response to djapal)Martin, I just reproduced the issue with a test project.
What i did is that i created a demo local ldap with the info from this section
I followed the steps and made the required changes also to web.xml, jboss-web and jboss-ejb3.
Finally i had to add the new <application-security-domain> for ejb3 subsystem.
If i leave the security domain in jboss-ejb3, anonymous user is shown.
If I annotate my EJB3 bean, execution of method is not permitted and exceptions are thrown.
Please find the demo project here.
https://www.dropbox.com/s/zcoei4j2xzpjih2/ldapwildfly13test.zip?dl=0
-
13. Re: Wildfly 13 and custom (legacy) login module
mchoma Jun 8, 2018 12:32 PM (in response to djapal)Can you try to use EJBContext instead of SessionContext? I found similar discussion in case of EJBContext [1]
What is the exception when you secure EJB?
-
14. Re: Wildfly 13 and custom (legacy) login module
djapal Jun 8, 2018 4:43 PM (in response to mchoma)EJBContext didn;t work.
I'll try again on Monday and I will post the logs. Thank you