3 Replies Latest reply on Aug 30, 2018 5:48 AM by Darran Lofthouse

    Programmatic SASL authentication

    Christian Schudt Newbie



      I want to serve a chat application in Wildfly.


      The chat protocol is XMPP, which uses SASL for authentication.


      Clients connect via WebSockets. All works well until XMPP's authentication step.


      At some point, the client sends an "initial response" to the server (as WebSocket message). something like this:

      <auth name="PLAIN">base64</auth>


      In my server's authentication logic, I want to create a SaslServer, which authenticates my clients:


      SaslServer saslServer = Sasl.createSaslServer("PLAIN", "xmpp", "", ...);

      It gives me a Wildfly implementation, but which Callback Handlers do I pass here?


      For simplicity, my first goal was to authenticate the users, which are in application-users.properties.


      How do I proceed here or set it up correctly?


      a) I don't know, which CallbackHandlers I have to pass to the createSaslServer method.

      b) I also tried Sasl.createSaslServer("JBOSS-LOCAL-USER", ...), but I don't know how to implement the corresponding SaslClient.

      c) I've read through the Elytron documentation, which seems really powerful and also provides different SASL configurations, but it's only all about XML configuration in the standalone.xml.


      Preferrably, I want to have a standardized and flexible way for authentication, so that I can deploy my application in other servers like Payara.

      I also want to be able to provide custom SaslServer implementations, which can be used, e.g. which authenticate against a legacy system.


      Can you point me in the right direction?

        • 1. Re: Programmatic SASL authentication
          Darran Lofthouse Master

          Which application server version are you running on?  Also how are you deploying the chat server?


          From WildFly 11 WildFly Elytron is available and has APIs available to create a SaslAuthenticationFactory - this may be a suitable starting point to get a SaslServer integrated with the application server's security.

          • 2. Re: Programmatic SASL authentication
            Christian Schudt Newbie

            I am currently testing on Wildfly 11. It is deployed as WAR or EAR.


            The idea is to have a "core" authentication class, which uses standard Java API, like Sasl.createSaslServer or javax.security.auth.message.module.ServerAuthModule and from there it loads available or configured specific authentication logic, e.g. one for Wildfly's application-users.properties, which can be pluggable. These specific "modules" then uses e.g. Elytron.


            My problem is rather that I don't see the "big picture", e.g. how to combine SASL with JASPIC. How to put the different technologies in place. I hope using Elytron API is straight foward eventually.

            • 3. Re: Programmatic SASL authentication
              Darran Lofthouse Master

              I don't currently have a complete example for you but maybe it would be good if we put together an example at some point showing how it is possible to integrate with WildFly Elytron using SASL authentication.


              The first step is you will require a reference to a WildFly Elytron SecurityDomain configured with an appropriate SecurityRealm, really there are two options for this: -

              1. Use the WildFly Elytron APIs to programatically assemble your own configuration.
              2. Obtain a reference to the SecurityDomain associated with the deployment.


              All of our Javadoc for WildFly Elytron is published here WildFly Elytron Javadoc  - for your example you should make use of the Public API Javadoc for 1.2.x


              To ensure your deployment is associated with a SecurityDomain you will need to ensure you have an application-security-domain resource defined in the Undertow subsystem mapping from the name of the security domain specified by the deployment to a pre-configured http-authentication-factory.  The http-authentication-factory in turn references a SecurityDomain and this is associated with the deployment.


              Within the deployment you can then use the following API to obtain a reference to the SecurityDomain: -


              SecurityDomain (WildFly Elytron 1.2.4.Final API)


              The following class has been implemented to meet the needs of our testsuite, however it does illustrate the steps to take from having a reference to a SecurityDomain to having an instance of a SaslServer which is integrated with that SecurityDomain: -


              wildfly-elytron/SaslServerBuilder.java at 1.2.x · wildfly-security/wildfly-elytron · GitHub


              Generally these are the steps you would need to follow.


              FYI from WildFly 14 it is possible to just reference the SecurityDomain directly from the application-security-domain resource where a custom http-authentication-factory definition is not needed.