WildFly 15.0.1 + JDBC; simple configuration
szymonk92 Aug 19, 2019 9:03 AM
Hi, I am trying a simple configuration to secure my application, but can't get through handling RealmCallbacks. Every time, ManagementRealm is invoked instead of my own realm.
defaultRealmName is once exampleDbRealm, and two lines below it becomes EMPTY and then ManagementRealm.
I believe it should be Realm: exampleDbRealm all the time!
Since it took me quite a lot of time to test several configurations, I am posting the simplest one. Hope you can help me debug it.
My server configuration:
module add --name=org.postgresql --resources=./postgresql-42.2.5.jar --dependencies=javax.api,javax.transaction.api
/subsystem=datasources/jdbc-driver=postgres:add( \
driver-name="postgres", \
driver-module-name="org.postgresql", \
driver-class-name="org.postgresql.Driver")
data-source add \
--name=XpDS \
--driver-name=postgres \
--connection-url=jdbc:postgresql://localhost:5432/xp_test \
--jndi-name=java:jboss/datasources/XpDS \
--use-java-context=true \
--user-name=postgres \
--password=postgres \
--max-pool-size=25 \
--blocking-timeout-wait-millis=5000 \
--idle-timeout-minutes=5 \
--enabled=true
/subsystem=elytron/jdbc-realm=exampleDbRealm:add( \
principal-query=[ \
{ data-source=XpDS, \
sql="select PASSWORD from T_USER WHERE username = ?", \
clear-password-mapper={password-index=1}}, \
{data-source=XpDS, \
sql="SELECT r.name AS name, 'Roles' as roles from A_ROLE r INNER JOIN A_JOIN_U_R j ON j.roles = r.umro_id INNER JOIN A_USER u ON j.users = u.umus_id WHERE u.username = ?", \
attribute-mapping=[{index=1, to=roles}]}])
/subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=roles)
/subsystem=ee/service=default-bindings:write-attribute(name="datasource", value="java:jboss/datasources/XpDS")
/subsystem=elytron/security-domain=exampleDbSD:add( \
realms=[{ realm=exampleDbRealm,role-decoder=from-roles-attribute}], \
default-realm=exampleDbRealm, \
permission-mapper=default-permission-mapper)
## my app domain: xp-domain
/subsystem=ejb3/application-security-domain=xp-domain:add(security-domain=exampleDbSD)
/subsystem=elytron/sasl-authentication-factory=my-sasl-authentication-factory:add( \
sasl-server-factory=configured, \
security-domain=exampleDbSD, \
mechanism-configurations=[{ \
mechanism-name=DIGEST-MD5, \
mechanism-realm-configurations=[{realm-name=exampleDbRealm}] \
}])
/subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=sasl-authentication-factory, value=my-sasl-authentication-factory)
/subsystem=remoting/http-connector=http-remoting-connector:undefine-attribute(name=security-realm)
## Remove ExampleDS & H2 driver
## some logs
Logs:
INFO [org.wildfly.extension.undertow] (MSC service thread 1-4) WFLYUT0018: Host default-host starting
INFO [org.jboss.as.server.deployment.scanner] (MSC service thread 1-3) WFLYDS0013: Started FileSystemDeploymentService for directory C:\Users\..\arquillian-wildfly\server\wildfly-dist_15.0.1.Final\wildfly-15.0.1.Final\standalone\deployments
TRACE [org.wildfly.security] (MSC service thread 1-4) Building security domain with defaultRealmName EMPTY.
TRACE [org.wildfly.security] (MSC service thread 1-4) The following additional realms were added: [LOCAL, DIGEST, EMPTY].
TRACE [org.wildfly.security] (MSC service thread 1-4) Role mapping: principal [anonymous] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []
INFO [org.wildfly.extension.undertow] (MSC service thread 1-8) WFLYUT0006: Undertow HTTP listener default listening on 127.0.0.1:47080
INFO [org.jboss.as.ejb3] (MSC service thread 1-3) WFLYEJB0493: EJB subsystem suspension complete
INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-7) WFLYJCA0001: Bound data source [java:jboss/datasources/XpDS]
TRACE [org.wildfly.security] (MSC service thread 1-3) Building security domain with defaultRealmName exampleDbRealm.
TRACE [org.wildfly.security] (MSC service thread 1-3) Role mapping: principal [anonymous] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []
TRACE [org.wildfly.security] (MSC service thread 1-6) Building security domain with defaultRealmName EMPTY.
TRACE [org.wildfly.security] (MSC service thread 1-6) The following additional realms were added: [LOCAL, DIGEST, EMPTY].
TRACE [org.wildfly.security] (MSC service thread 1-6) Role mapping: principal [anonymous] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []
INFO [org.wildfly.extension.undertow] (MSC service thread 1-6) WFLYUT0006: Undertow HTTPS listener https listening on 127.0.0.1:47443
INFO [org.jboss.ws.common.management] (MSC service thread 1-5) JBWS022052: Starting JBossWS 5.2.4.Final (Apache CXF 3.2.5.jbossorg-1)
INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server
INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:48990/management
INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:48990
INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: WildFly Full 15.0.1.Final (WildFly Core 7.0.0.Final) started in 6124ms - Started 314 of 536 services (323 services are lazy, passive or on-demand)
TRACE [org.wildfly.security] (management I/O-2) Handling MechanismInformationCallback type='SASL' name='DIGEST-MD5' host-name='vmware-localhost' protocol='remote'
TRACE [org.wildfly.security] (management I/O-2) Handling AvailableRealmsCallback: realms = [ManagementRealm]
TRACE [org.wildfly.security] (management I/O-2) Creating SaslServer [org.wildfly.security.sasl.digest.DigestSaslServer@1bf1a0fb] for mechanism [DIGEST-MD5] and protocol [remote]
TRACE [org.wildfly.security] (management I/O-2) Created SaslServer [org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1@34b016e7->org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer@a7e3bdf->org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1@5101899e->org.wildfly.security.sasl.digest.DigestSaslServer@1bf1a0fb] for mechanism [DIGEST-MD5]
TRACE [org.wildfly.security] (management task-1) Handling RealmCallback: selected = [ManagementRealm]
TRACE [org.wildfly.security] (management task-1) Handling NameCallback: authenticationName = test
TRACE [org.wildfly.security] (management task-1) Principal assigning: [test], pre-realm rewritten: [test@ManagementRealm], realm name: [DIGEST], post-realm rewritten: [test@ManagementRealm], realm rewritten: [test@ManagementRealm]
TRACE [org.wildfly.security] (management task-1) Handling CredentialCallback: failed to obtain credential
TRACE [org.wildfly.security] (management task-1) Handling RealmCallback: selected = [ManagementRealm]
TRACE [org.wildfly.security] (management task-1) Handling NameCallback: authenticationName = test
TRACE [org.wildfly.security] (management task-1) Handling CredentialCallback: failed to obtain credential
TRACE [org.wildfly.security] (management task-1) Handling RealmCallback: selected = [ManagementRealm]
TRACE [org.wildfly.security] (management task-1) Handling NameCallback: authenticationName = test
TRACE [org.wildfly.security] (management task-1) Handling PasswordCallback: failed to obtain PasswordCredential
TRACE [org.wildfly.security] (management task-1) Handling AuthenticationCompleteCallback: fail
DEBUG [client] Client received authentication rejected for mechanism DIGEST-MD5
DEBUG [connection] JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed:
DIGEST-MD5: javax.security.sasl.SaslException: DIGEST-MD5: Server rejected authentication
My client configuration:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <authentication-client xmlns="urn:elytron:1.0">
    <authentication-rules>
      <rule use-configuration="arq-login"/>
    </authentication-rules>
    <authentication-configurations>
      <configuration name="arq-login">
        <set-user-name name="test"/>
        <sasl-mechanism-selector selector="DIGEST-MD5"/>
        <credentials>
          <clear-password password="myPassword"/>
        </credentials>
      </configuration>
    </authentication-configurations>
  </authentication-client>
  <jboss-ejb-client xmlns="urn:jboss:wildfly-client-ejb:3.0">
    <connections>
      <connection uri="remote+http://localhost:8080"/>
    </connections>
  </jboss-ejb-client>
</configuration>
Since I do not use HTTP authentication, I didn't change the Undertow configuration.
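An added diagnostic, not from the post or from WildFly itself: it parses Elytron TRACE lines of the shape quoted above and reports which default realm each security domain was built with, which realm the SASL RealmCallback actually selected, the authentication outcome, and which worker thread ran the handshake. The sample log is a constructed subset of the lines in the post, and the "management" thread-name check is a heuristic based on WildFly's default worker naming.

```python
import re

# Constructed sample: a subset of the Elytron TRACE lines quoted in the post.
SAMPLE_LOG = """\
TRACE [org.wildfly.security] (MSC service thread 1-4) Building security domain with defaultRealmName EMPTY.
TRACE [org.wildfly.security] (MSC service thread 1-3) Building security domain with defaultRealmName exampleDbRealm.
TRACE [org.wildfly.security] (management I/O-2) Handling MechanismInformationCallback type='SASL' name='DIGEST-MD5' host-name='vmware-localhost' protocol='remote'
TRACE [org.wildfly.security] (management I/O-2) Handling AvailableRealmsCallback: realms = [ManagementRealm]
TRACE [org.wildfly.security] (management task-1) Handling RealmCallback: selected = [ManagementRealm]
TRACE [org.wildfly.security] (management task-1) Handling NameCallback: authenticationName = test
TRACE [org.wildfly.security] (management task-1) Handling AuthenticationCompleteCallback: fail
"""

# The thread name is the parenthesised field; the message text follows it.
LINE_RE = re.compile(r"^\w+ \[org\.wildfly\.security\] \(([^)]+)\) (.*)$")
PATTERNS = {
    "default_realms": re.compile(r"Building security domain with defaultRealmName (\S+)\."),
    "available_realms": re.compile(r"AvailableRealmsCallback: realms = \[([^\]]*)\]"),
    "selected_realms": re.compile(r"RealmCallback: selected = \[([^\]]*)\]"),
    "mechanism": re.compile(r"MechanismInformationCallback type='SASL' name='([^']+)'"),
    "auth_name": re.compile(r"NameCallback: authenticationName = (\S+)"),
    "outcome": re.compile(r"AuthenticationCompleteCallback: (\w+)"),
}

def summarize(log_text):
    """Collect, in log order and without duplicates, what Elytron reported at each step."""
    summary = {key: [] for key in PATTERNS}
    summary["sasl_threads"] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        thread, msg = m.groups()
        for key, pat in PATTERNS.items():
            hit = pat.search(msg)
            if hit and hit.group(1) not in summary[key]:
                summary[key].append(hit.group(1))
        # Callbacks run on the worker of whichever endpoint accepted the connection.
        if "Callback" in msg and thread not in summary["sasl_threads"]:
            summary["sasl_threads"].append(thread)
    # Heuristic: WildFly's management interface uses workers named "management ...";
    # the http-remoting connector normally runs on the "default ..." worker instead.
    summary["handled_by_management"] = any(t.startswith("management") for t in summary["sasl_threads"])
    return summary

def unselected_default_realms(summary):
    """Configured default realms that no RealmCallback ever selected (the symptom in the post)."""
    return [r for r in summary["default_realms"]
            if r != "EMPTY" and r not in summary["selected_realms"]]
```

Run it over a full server.log with `org.wildfly.security` at TRACE; a non-empty result from `unselected_default_realms` together with `handled_by_management` being true means the handshake never reached the domain that was configured for the application connector.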