10 Replies Latest reply on Oct 21, 2019 8:12 PM by bschatz

    Activating jaspic in wildfly


      We have written an authentication (OIDC) module on top of JASPIC
      for a seamless and transparent integration of applications
      into the authentication infrastructure of our company.


      With Tomcat I only have to use an XML file where I put the implementing class
      that has to be registered as the config provider.



      With WildFly I didn't find a simple way to get it to work.
      As a workaround I now deploy a small jar that registers our AuthProvider class from our JBoss module (jfoss-java-server-extension)
      with the help of CDI.


      import java.util.HashMap;
      import java.util.logging.Level;
      import java.util.logging.Logger;
      import javax.enterprise.event.Observes;
      import javax.enterprise.inject.spi.AfterDeploymentValidation;
      import javax.enterprise.inject.spi.Extension;
      import javax.security.auth.message.config.AuthConfigFactory;
      import com.daimler.jfoss.oidc.jaspic.AuthProvider;

      public class Jaspic implements Extension {

          private static final Logger LOG = Logger.getLogger(Jaspic.class.getName());
          // Registered by class name: the JASPIC factory instantiates it reflectively.
          private static final String AUTH_PROVIDER = AuthProvider.class.getName();

          private boolean isInitialised = false;

          public void init(@Observes final AfterDeploymentValidation event) {
              LOG.log(Level.INFO, () -> "AfterDeploymentValidation event received: " + event.toString());
              if (isInitialised) {
                  LOG.log(Level.INFO, () -> "Already initialized");
                  return;
              }
              LOG.log(Level.INFO, () -> "Registering Jaspic Config Provider ...");
              // Layer "HttpServlet"; a null appContext applies the provider to every application.
              final String result = AuthConfigFactory.getFactory()
                      .registerConfigProvider(AUTH_PROVIDER, new HashMap<>(), "HttpServlet", null, null);
              isInitialised = true;
              LOG.log(Level.INFO, () -> "Registered Jaspic Config Provider: " + result + " with implementation " + AUTH_PROVIDER);
          }
      }



      Our module is added as a global module that I activate with:


      /subsystem=security/security-domain=daimler-jfoss/authentication=jaspi/login-module-stack=dummy/login-module=dummy:add(code=Dummy, flag=optional)
      /subsystem=security/security-domain=daimler-jfoss/authentication=jaspi/auth-module=jaspi:add(code=dummy, module=jfoss-java-server-extension, flag=required)
      /subsystem=undertow:write-attribute(name="default-security-domain", value="daimler-jfoss")



      What is the recommended way to do it?
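      As an added example (this is not the original poster's jfoss-oidc code and not part of the thread), here is the smallest chain of JASPIC classes that a class name handed to AuthConfigFactory.registerConfigProvider(...) has to resolve to. The package com.example.jaspic, the class names, the token value, the caller "alice" and the group "users" are all constructed placeholders; a real OIDC module validates the token's signature, issuer, audience and expiry instead of comparing a constant.

```java
// Added example, not the original poster's jfoss-oidc code: the minimal chain of
// JASPIC classes a container instantiates once a provider is registered by class
// name via AuthConfigFactory.registerConfigProvider(). EXPECTED_TOKEN, the caller
// "alice" and the group "users" are constructed placeholders; a real OIDC module
// validates the token's signature, issuer, audience and expiry instead.
package com.example.jaspic;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.config.AuthConfigFactory;
import javax.security.auth.message.config.AuthConfigProvider;
import javax.security.auth.message.config.ClientAuthConfig;
import javax.security.auth.message.config.ServerAuthConfig;
import javax.security.auth.message.config.ServerAuthContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class BearerAuthProvider implements AuthConfigProvider {

    static final String EXPECTED_TOKEN = "example-opaque-token"; // constructed placeholder

    // JASPIC requires exactly this two-argument constructor: a provider registered
    // by class name is instantiated reflectively through it, so a class without it
    // can never be loaded by the factory, whatever the surrounding configuration.
    public BearerAuthProvider(Map<String, String> properties, AuthConfigFactory factory) {
        // 'properties' is the map handed to registerConfigProvider(); unused here.
    }

    @Override
    public ClientAuthConfig getClientAuthConfig(String layer, String appContext, CallbackHandler handler) {
        return null; // server-side authentication only
    }

    @Override
    public ServerAuthConfig getServerAuthConfig(String layer, String appContext, CallbackHandler handler) {
        return new BearerServerAuth(layer, appContext, handler);
    }

    @Override public void refresh() { }

    /** One object serves as both the ServerAuthConfig and the ServerAuthContext. */
    static final class BearerServerAuth implements ServerAuthConfig, ServerAuthContext {
        private final String layer, appContext;
        private final CallbackHandler handler; // container-supplied; it populates the Subject

        BearerServerAuth(String layer, String appContext, CallbackHandler handler) {
            this.layer = layer; this.appContext = appContext; this.handler = handler;
        }

        @Override public String getMessageLayer() { return layer; }
        @Override public String getAppContext() { return appContext; }
        @Override public String getAuthContextID(MessageInfo messageInfo) { return appContext; }
        @Override public boolean isProtected() { return true; }
        @Override public void refresh() { }
        @Override public ServerAuthContext getAuthContext(String id, Subject serviceSubject, Map properties) { return this; }

        @Override
        public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject)
                throws AuthException {
            HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
            HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
            // Servlet Container Profile: the container flags resources that require a caller.
            boolean mandatory = Boolean.parseBoolean(String.valueOf(
                    messageInfo.getMap().get("javax.security.auth.message.MessagePolicy.isMandatory")));
            String authz = request.getHeader("Authorization");
            if (authz != null && authz.startsWith("Bearer ") && MessageDigest.isEqual( // constant-time compare
                    authz.substring(7).trim().getBytes(StandardCharsets.UTF_8),
                    EXPECTED_TOKEN.getBytes(StandardCharsets.UTF_8))) {
                // Hand the identity to the container through the callbacks it gave us.
                handle(new CallerPrincipalCallback(clientSubject, "alice"),
                       new GroupPrincipalCallback(clientSubject, new String[] {"users"}));
                return AuthStatus.SUCCESS;
            }
            if (!mandatory) { // unprotected resource: continue as an anonymous caller
                handle(new CallerPrincipalCallback(clientSubject, (String) null));
                return AuthStatus.SUCCESS;
            }
            response.setHeader("WWW-Authenticate", "Bearer");
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_FAILURE;
        }

        @Override public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) { return AuthStatus.SEND_SUCCESS; }
        @Override public void cleanSubject(MessageInfo messageInfo, Subject subject) { if (subject != null) subject.getPrincipals().clear(); }

        private void handle(Callback... callbacks) throws AuthException {
            try { handler.handle(callbacks); }
            catch (Exception e) { throw (AuthException) new AuthException("callback handler failed").initCause(e); }
        }
    }
}
```

      Two things to keep in mind when wiring such a class in from a CDI extension as above: registering with appContext null applies the provider to every deployment on the server, whereas passing the "<virtual host> <context path>" form that WildFly uses as its auth context id (for example "default-host /SimpleWebExample") scopes it to one application; and the two-argument (Map, AuthConfigFactory) constructor is what the factory looks up when it only has a class name, so its absence is the first thing to check when a provider does not load.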

        • 1. Re: Activating jaspic in wildfly



          Could you show a list of your global modules? (Subsystem configuration - WildFly 10 - Project Documentation Editor)


          [standalone@localhost:9990 subsystem=ee] pwd
          [standalone@localhost:9990 subsystem=ee] ls
          global-modules=[{"name" => "org.jboss.logging","slot" => "main"},{"name" => "org.apache.log4j","annotations" => true,"meta-inf" => true,"services" => false}]






          • 2. Re: Activating jaspic in wildfly

            The ee subsystem of my (working) workaround looks like this:



            [standalone@localhost:9990 subsystem=ee] ls
            context-service                      annotation-property-replacement=false
            managed-executor-service             ear-subdeployments-isolated=false
            managed-scheduled-executor-service   global-modules=[{"name" => "jfoss-java-server-extension","slot" => "main"}]
            managed-thread-factory               jboss-descriptor-property-replacement=true
            service                              spec-descriptor-property-replacement=false

            • 3. Re: Activating jaspic in wildfly

              Here are the other configurations I use:



              <subsystem xmlns="urn:jboss:domain:security:2.0">
                  <security-domains>
                      <security-domain name="jaspitest" cache-type="default">
                          <authentication-jaspi>
                              <login-module-stack name="dummy">
                                  <login-module code="Dummy" flag="optional"/>
                              </login-module-stack>
                              <auth-module code="Dummy"/>
                          </authentication-jaspi>
                      </security-domain>
                      <security-domain name="daimler-pai" cache-type="default">
                          <authentication-jaspi>
                              <login-module-stack name="dummy">
                                  <login-module name="dummy" code="Dummy" flag="optional"/>
                              </login-module-stack>
                              <auth-module name="jaspi" code="dummy" flag="required" module="jfoss-java-server-extension"/>
                          </authentication-jaspi>
                      </security-domain>
                  </security-domains>
              </subsystem>




              The configuration is added with:


              module add \
                  --name=jfoss-java-server-extension \
                  --resources=jfoss-oidc/build/libs/jfoss-oidc.jar:jfoss-common/build/libs/jfoss-common.jar: \
                  --dependencies=javax.api,javaee.api

              /subsystem=ee:write-attribute(name="global-modules",value=[{"name" => "jfoss-java-server-extension","slot" => "main"}])

              /subsystem=security/security-domain=daimler-jfoss:add(cache-type=default)
              /subsystem=security/security-domain=daimler-jfoss/authentication=jaspi:add()
              /subsystem=security/security-domain=daimler-jfoss/authentication=jaspi/login-module-stack=dummy:add()
              /subsystem=security/security-domain=daimler-jfoss/authentication=jaspi/login-module-stack=dummy/login-module=dummy:add(code=Dummy, flag=optional)
              /subsystem=security/security-domain=daimler-jfoss/authentication=jaspi/auth-module=jaspi:add(code=dummy, module=jfoss-java-server-extension, flag=required)
              /subsystem=undertow:write-attribute(name="default-security-domain", value="daimler-jfoss")
              reload

              What I miss is a way to add the implementing class to the configuration as well,
              instead of activating it with my CDI workaround.
              Any ideas?

              • 4. Re: Activating jaspic in wildfly



                Could you share your module.xml and the full path to the folder that contains your new module with the jars and module.xml?

                Something like this:


                /opt/jboss-eap-7.2/modules/system/layers/base/org/javassist/main$ ls -l
                total 760
                -rw-rw-r-- 1 zhurlik zhurlik 771181 Jan  7  2019 javassist-3.23.1.GA-redhat-00001.jar
                -rw-rw-r-- 1 zhurlik zhurlik   1421 Jan  7  2019 module.xml

                /opt/jboss-eap-7.2/modules/system/layers/base/org/javassist/main$ cat module.xml
                <?xml version="1.0" encoding="UTF-8"?>
                <!--
                  ~ JBoss, Home of Professional Open Source.
                  ~ Copyright 2010, Red Hat, Inc., and individual contributors
                  ~ as indicated by the @author tags. See the copyright.txt file in the
                  ~ distribution for a full listing of individual contributors.
                  ~
                  ~ This is free software; you can redistribute it and/or modify it
                  ~ under the terms of the GNU Lesser General Public License as
                  ~ published by the Free Software Foundation; either version 2.1 of
                  ~ the License, or (at your option) any later version.
                  ~
                  ~ This software is distributed in the hope that it will be useful,
                  ~ but WITHOUT ANY WARRANTY; without even the implied warranty of
                  ~ Lesser General Public License for more details.
                  ~
                  ~ You should have received a copy of the GNU Lesser General Public
                  ~ License along with this software; if not, write to the Free
                  ~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
                  ~ 02110-1301 USA, or see the FSF site: http://www.fsf.org.
                  -->
                <module name="org.javassist" xmlns="urn:jboss:module:1.5">
                    <properties>
                        <property name="jboss.api" value="private"/>
                    </properties>
                    <resources>
                        <resource-root path="javassist-3.23.1.GA-redhat-00001.jar"/>
                    </resources>
                    <dependencies>
                        <module name="sun.jdk"/>
                    </dependencies>
                </module>


                • 5. Re: Activating jaspic in wildfly

                  beschat@CSTRD0027405045:~$ cd /usr/local/wildfly/modules/jfoss-java-server-extension/main/
                  beschat@CSTRD0027405045:/usr/local/wildfly/modules/jfoss-java-server-extension/main$ ls -l
                  total 1796
                  -rw-r--r-- 1 beschat beschat    4956 Oct 17 13:40 jfoss-common.jar
                  -rw-r--r-- 1 beschat beschat 1824135 Oct 17 13:40 jfoss-oidc.jar
                  -rw-r--r-- 1 beschat beschat     363 Oct 17 13:40 module.xml
                  beschat@CSTRD0027405045:/usr/local/wildfly/modules/jfoss-java-server-extension/main$ cat module.xml
                  <?xml version='1.0' encoding='UTF-8'?>
                  <module xmlns="urn:jboss:module:1.1" name="jfoss-java-server-extension">
                      <resources>
                          <resource-root path="jfoss-oidc.jar"/>
                          <resource-root path="jfoss-common.jar"/>
                      </resources>
                      <dependencies>
                          <module name="javax.api"/>
                          <module name="javaee.api"/>
                      </dependencies>
                  </module>

                  • 6. Re: Activating jaspic in wildfly

                    I guess that your problem is related to the folder where your module is located. At least it should be under: /usr/local/wildfly/modules/system/layers/base/jfoss-java-server-extension (you missed system/layers/base)

                    Also, I suggest adding a package to your module name and the folder, for example:

                    name -> org.javassist

                    path -> opt/jboss-eap-7.2/modules/system/layers/base/org/javassist/main




                    • 7. Re: Activating jaspic in wildfly

                      Without the CDI workaround I still get the same error:


                      17:06:33,652 ERROR [org.jboss.security] (default task-1) PBOX00374: Error getting ServerAuthContext for authContextId default-host /SimpleWebExample and security domain daimler-jfoss: javax.security.auth.message.AuthException
                              at org.jboss.security.auth.message.config.JBossServerAuthConfig.getAuthContext(JBossServerAuthConfig.java:187)
                              at org.jboss.security.plugins.auth.JASPIServerAuthenticationManager.isValid(JASPIServerAuthenticationManager.java:99)
                              at org.wildfly.extension.undertow.security.jaspi.JASPICAuthenticationMechanism.authenticate(JASPICAuthenticationMechanism.java:125)
                              at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245)
                              at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231)
                              at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)
                              at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99)
                              at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)



                      The question is, how does WildFly know which class in the module implements the JASPIC interface?

                      Does it get this via reflection (searching for the class that implements the JASPIC interfaces; what if there is more than one such class)?

                      If it does not detect the class automatically,

                      I still think that I have to add the implementing class (com.daimler.jfoss.oidc.jaspic.AuthProvider) somewhere in standalone.xml ...

                      but as of now, I only mention the JBoss module that contains that class ==>

                      <security-domain name="daimler-jfoss" cache-type="default">
                          <authentication-jaspi>
                              <login-module-stack name="dummy">
                                  <login-module name="dummy" code="Dummy" flag="optional"/>
                              </login-module-stack>
                              <auth-module name="jaspi" code="dummy" flag="required" module="system.layers.base.jfoss-java-server-extension"/>
                          </authentication-jaspi>
                      </security-domain>

                      • 8. Re: Activating jaspic in wildfly

                        e.g. for Tomcat I have to add the implementing class to a file called jaspic-providers.xml ==>

                        <provider className="com.daimler.jfoss.oidc.jaspic.AuthProvider" layer="HttpServlet">

                        • 9. Re: Activating jaspic in wildfly

                          My understanding is that you can add this jaspic-providers.xml file as a resource in the module folder and insert it into module.xml.

                          It means that this resource will be available in the classpath.

                          • 10. Re: Activating jaspic in wildfly

                            The jaspic-providers.xml is a **Tomcat**-specific configuration file.