4 Replies Latest reply on Jun 22, 2018 2:55 AM by Martin Choma

    WildFly 13 web-app not showing authentication form when using BASIC authentication

    Sergiu Pienar Expert

      I'm currently migrating an app from JBoss 5 to WildFly 13.

      The app consists of an EAR that packs a series of EJBs into a JAR and several WAR files holding web apps.

       

      One of the web apps' web.xml looks like this:

       

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
      <web-app>
          <display-name>My App</display-name>

          <!-- RESTful web services support -->
          <servlet>
              <servlet-name>MyServlet</servlet-name>
              <servlet-class>com.test.Dispatcher</servlet-class>
          </servlet>
          <servlet-mapping>
              <servlet-name>MyServlet</servlet-name>
              <url-pattern>/*</url-pattern>
          </servlet-mapping>

          <!-- order of security-constraint in web.xml is very important!!! -->
          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>Secure Content</web-resource-name>
                  <url-pattern>*</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>LOGON</role-name>
              </auth-constraint>
              <user-data-constraint>
                  <transport-guarantee>NONE</transport-guarantee>
              </user-data-constraint>
          </security-constraint>

          <login-config>
              <auth-method>BASIC</auth-method>
          </login-config>

          <security-role>
              <description>automatic generated role</description>
              <role-name>LOGON</role-name>
          </security-role>
      </web-app>

       

      The jboss-web only defines the security realm that I have configured:

       

      <jboss-web><security-domain>myRealm</security-domain></jboss-web>

       

      For what it's worth, due to the I would have expected that the BASIC auth method would prompt the browser login form to show up when I'm calling any resource.

      The security subsystem defines a custom security domain, named myRealm, that uses JDBC queries:

       

      <subsystem xmlns="urn:jboss:domain:security:2.0">
          <security-domains>
              <security-domain name="myRealm" cache-type="default">
                  <authentication>
                      <login-module code="com.login.LoginModule" flag="required" module="org.jboss.login">
                          <module-option name="dsJndiName" value="java:jboss/datasources/datasourceDSXA"/>
                          <module-option name="hashAlgorithm" value="SHA"/>
                          <module-option name="hashEncoding" value="BASE64"/>
                          <module-option name="principalsQuery" value="SELECT ...."/>
                          <module-option name="rolesQuery" value="SELECT ...."/>
                          <module-option name="unauthenticatedIdentity" value="guest"/>
                      </login-module>
                      <login-module code="Remoting" flag="optional">
                          <module-option name="password-stacking" value="useFirstPass"/>
                      </login-module>
                  </authentication>
              </security-domain>
          </security-domains>
      </subsystem>

       

      Ideas on what I might be doing wrong?
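
A descriptor check for the kind of web.xml shown in the post above, added here as an example (it is not part of the original post or of WildFly). It classifies each security-constraint url-pattern by the Servlet specification's mapping rules, under which a pattern such as * is an exact-match string rather than a wildcard, and it flags BASIC authentication without a TLS transport guarantee. The function names, finding codes and the trimmed sample descriptor are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the security-related parts of the web.xml in the post.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>LOGON</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""


def classify_pattern(pattern):
    """Classify a url-pattern by the Servlet specification's mapping rules."""
    if pattern in ("", "/"):
        return "context-root" if pattern == "" else "default"
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "path-prefix"
    if pattern.startswith("*."):
        return "extension"
    return "exact"


def local(tag):
    """Drop an XML namespace so DTD-based and schema-based descriptors both work."""
    return tag.rsplit("}", 1)[-1]


def audit_web_xml(xml_text):
    """Return a list of (code, detail) findings for the descriptor."""
    root = ET.fromstring(xml_text)
    by_name = lambda node, name: [e for e in node.iter() if local(e.tag) == name]
    text = lambda e: (e.text or "").strip()
    findings = []
    auth = {text(e).upper() for e in by_name(root, "auth-method")}
    for sc in by_name(root, "security-constraint"):
        for up in by_name(sc, "url-pattern"):
            p = text(up)
            # "*" or "secure/*" look like wildcards but only match literally.
            if classify_pattern(p) == "exact" and "*" in p:
                findings.append(("literal-wildcard", p))
        guarantees = {text(e).upper() for e in by_name(sc, "transport-guarantee")}
        if "BASIC" in auth and not guarantees & {"CONFIDENTIAL", "INTEGRAL"}:
            findings.append(("basic-without-tls", "credentials are only Base64-encoded"))
    return findings
```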