10 Replies Latest reply on Oct 21, 2019 8:12 PM by Bernd Schatz

    Activating jaspic in wildfly

    Bernd Schatz Newbie

      We have written a authenticaion (oidc) module on top of jaspic

      for a seemless and transparent integration of applications

      in our authentication infrastructure of our company.

       

      With tomcat i have only to use a xml where i put the implementing class

      that has to be registered as the config provider.

       

       

      With wildfly i didnt find a simple way to get it work.

      As a workaround i deploy now a small jar that register our AuthProvider class from our jboss-module (jfoss-java-server-extension)

      with the help of CDI.

       

      public class Jaspic implements Extension

      {

          private static final Logger LOG = Logger.getLogger(Jaspic.class.getName());

          private boolean isInitialised = false;

       

          public void init(@Observes final AfterDeploymentValidation event)

          {

              LOG.log(Level.INFO, () -> "AfterDeploymentValidation event received: " + event.toString());

              if (isInitialised)

              {

                  LOG.log(Level.INFO, () -> "Already initialized ");

                  return;

              }

       

              LOG.log(Level.INFO, () -> "Registering Jaspic Config Provider ...");

              final String result = AuthConfigFactory.getFactory().registerConfigProvider(AuthProvider.class.getName();new HashMap<>(), "HttpServlet", null, null);

              isInitialised = true;

              LOG.log(Level.INFO, () -> "Registered Jaspic Config Provider: " + result + " with implementation " + AUTH_PROVIDER);

          }

       

      Our module is added as a global module that i activate with:

      ==================================================

      /subsystem=security/security-domain=daimler-jfoss:add(cache-type=default)
      /subsystem=security/security-domain=daimler-jfoss/authentication=jaspi:add()
      /subsystem=security/security-domain=daimler-jfoss/authentication=jaspi/login-module-stack=dummy:add()
      /subsystem=security/security-domain=daimler-jfoss/authentication=jaspi/login-module-stack=dummy/login-module=dummy:add(code=Dummy, flag=optional)
      /subsystem=security/security-domain=daimler-jfoss/authentication=jaspi/auth-module=jaspi:add(code=dummy, module=jfoss-java-server-extension, flag=required)
      /subsystem=undertow:write-attribute(name="default-security-domain", value="daimler-jfoss")
      reload

       

       

      What is the recommened way to do it ?

        • 1. Re: Activating jaspic in wildfly
          Vladimir Zhuravlevich Newbie

          Hi,

           

          Could you show a list of your global modules (Subsystem configuration - WildFly 10 - Project Documentation Editor )

          ./jboss-cli.sh

          [standalone@localhost:9990 subsystem=ee] pwd

          /subsystem=ee

           

           

          [standalone@localhost:9990 subsystem=ee] ls

          context-service                                                                                                                                               

          managed-executor-service                                                                                                                                      

          managed-scheduled-executor-service                                                                                                                            

          managed-thread-factory                                                                                                                                        

          service                                                                                                                                                       

          annotation-property-replacement=false                                                                                                                         

          ear-subdeployments-isolated=false                                                                                                                             

          global-modules=[{"name" => "org.jboss.logging","slot" => "main"},{"name" => "org.apache.log4j","annotations" => true,"meta-inf" => true,"services" => false}] 

          jboss-descriptor-property-replacement=true                                                                                                                    

          spec-descriptor-property-replacement=false   

           

          Thanks,

          Vlad

          • 2. Re: Activating jaspic in wildfly
            Bernd Schatz Newbie

            the ee-subsystem of my (working) work around looks like this:

             

             

            [standalone@localhost:9990 subsystem=ee] ls

            context-service                                                              annotation-property-replacement=false                                       

            managed-executor-service                                                     ear-subdeployments-isolated=false                                           

            managed-scheduled-executor-service                                           global-modules=[{"name" => "jfoss-java-server-extension","slot" => "main"}] 

            managed-thread-factory                                                       jboss-descriptor-property-replacement=true                                  

            service                                                                      spec-descriptor-property-replacement=false

            • 3. Re: Activating jaspic in wildfly
              Bernd Schatz Newbie

              Here the other configurations i use:   

               

               

              <subsystem xmlns="urn:jboss:domain:security:2.0">
                          <security-domains>
              [...]

                          <security-domain name="jaspitest" cache-type="default">
                                  <authentication-jaspi>
                                      <login-module-stack name="dummy">
                                          <login-module code="Dummy" flag="optional"/>
                                      </login-module-stack>
                                      <auth-module code="Dummy"/>
                                  </authentication-jaspi>
                              </security-domain>

               

              [...]

               

              <security-domain name="daimler-pai" cache-type="default">
                                  <authentication-jaspi>
                                      <login-module-stack name="dummy">
                                          <login-module name="dummy" code="Dummy" flag="optional"/>
                                      </login-module-stack>
                                      <auth-module name="jaspi" code="dummy" flag="required" module="jfoss-java-server-extension"/>
                                  </authentication-jaspi>
                              </security-domain>

               

               

               

              The configuration is added with:

               

              module add \ --name=jfoss-java-server-extension \ --resources=jfoss-oidc/build/libs/jfoss-oidc.jar:jfoss-common/build/libs/jfoss-common.jar: \ --dependencies=javax.api,javaee.api

              /subsystem=ee:write-attribute(name="global-modules",value=[{"name" => "jfoss-java-server-extension","slot" => "main"}])

              /subsystem=security/security-domain=daimler-jfoss:add(cache-type=default) /subsystem=security/security-domain=daimler-jfoss/authentication=jaspi:add() /subsystem=security/security-domain=daimler-jfoss/authentication=jaspi/login-module-stack=dummy:add() /subsystem=security/security-domain=daimler-jfoss/authentication=jaspi/login-module-stack=dummy/login-module=dummy:add(code=Dummy, flag=optional) /subsystem=security/security-domain=daimler-jfoss/authentication=jaspi/auth-module=jaspi:add(code=dummy, module=jfoss-java-server-extension, flag=required) /subsystem=undertow:write-attribute(name="default-security-domain", value="daimler-jfoss") reload

              What i miss, is to add the implementing class also to the configuration,
              instead of activating it with my workaround with CDI.
              Any ideas ?

              • 4. Re: Activating jaspic in wildfly
                Vladimir Zhuravlevich Newbie

                Hi,

                 

                Could you share your module.xml, full path to the folder that contains your new module with jars and module.xml?

                Something like this:

                 

                /opt/jboss-eap-7.2/modules/system/layers/base/org/javassist/main$ ls -l

                 

                total 760

                -rw-rw-r-- 1 zhurlik zhurlik 771181 Jan  7  2019 javassist-3.23.1.GA-redhat-00001.jar

                -rw-rw-r-- 1 zhurlik zhurlik   1421 Jan  7  2019 module.xml

                 

                /opt/jboss-eap-7.2/modules/system/layers/base/org/javassist/main$ cat module.xml

                <?xml version="1.0" encoding="UTF-8"?>

                <!--

                  ~ JBoss, Home of Professional Open Source.

                  ~ Copyright 2010, Red Hat, Inc., and individual contributors

                  ~ as indicated by the @author tags. See the copyright.txt file in the

                  ~ distribution for a full listing of individual contributors.

                  ~

                  ~ This is free software; you can redistribute it and/or modify it

                  ~ under the terms of the GNU Lesser General Public License as

                  ~ published by the Free Software Foundation; either version 2.1 of

                  ~ the License, or (at your option) any later version.

                  ~

                  ~ This software is distributed in the hope that it will be useful,

                  ~ but WITHOUT ANY WARRANTY; without even the implied warranty of

                  ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

                  ~ Lesser General Public License for more details.

                  ~

                  ~ You should have received a copy of the GNU Lesser General Public

                  ~ License along with this software; if not, write to the Free

                  ~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA

                  ~ 02110-1301 USA, or see the FSF site: http://www.fsf.org.

                  -->

                <module name="org.javassist" xmlns="urn:jboss:module:1.5">

                    <properties>

                        <property name="jboss.api" value="private"/>

                    </properties>

                    <resources>

                        <resource-root path="javassist-3.23.1.GA-redhat-00001.jar"/>

                    </resources>

                    <dependencies>

                        <module name="sun.jdk"/>

                    </dependencies>

                </module>

                 

                 

                 

                Thanks,

                Vlad

                • 5. Re: Activating jaspic in wildfly
                  Bernd Schatz Newbie

                  20191021_090922] $ cd /usr/local/wildfly/modules/jfoss-java-server-extension/main/
                  beschat@CSTRD0027405045:/usr/local/wildfly/modules/jfoss-java-server-extension/main (#jobs: 0) (exit 0) 747 
                  20191021_104216] $ ls  -l
                  insgesamt 1796
                  -rw-r--r-- 1 beschat beschat    4956 Okt 17 13:40 jfoss-common.jar
                  -rw-r--r-- 1 beschat beschat 1824135 Okt 17 13:40 jfoss-oidc.jar
                  -rw-r--r-- 1 beschat beschat     363 Okt 17 13:40 module.xml
                  beschat@CSTRD0027405045:/usr/local/wildfly/modules/jfoss-java-server-extension/main (#jobs: 0) (exit 0) 748 
                  20191021_104218] $ cat module.xml
                  <?xml version='1.0' encoding='UTF-8'?>

                  <module xmlns="urn:jboss:module:1.1" name="jfoss-java-server-extension">

                      <resources>
                          <resource-root path="jfoss-oidc.jar"/>
                          <resource-root path="jfoss-common.jar"/>
                      </resources>

                      <dependencies>
                          <module name="javax.api"/>
                          <module name="javaee.api"/>
                      </dependencies>
                  </module>

                  • 6. Re: Activating jaspic in wildfly
                    Vladimir Zhuravlevich Newbie

                    I guess that your problem is related with the folder where your module is located. At least in should be under: /usr/local/wildfly/modules/system/layers/base/jfoss-java-server-extension (you missed system/layers/base)

                    Also I am suggesting to add a package into your module name and the folder, for example as

                    name -> org.javassist

                    path -> opt/jboss-eap-7.2/modules/system/layers/base/org/javassist/main

                     

                    Thanks,

                    Vlad

                    • 7. Re: Activating jaspic in wildfly
                      Bernd Schatz Newbie

                      Without the cdi-workaround i get still the same error:

                       

                      17:06:33,652 ERROR [org.jboss.security] (default task-1) PBOX00374: Error getting ServerAuthContext for authContextId default-host /SimpleWebExample and security domain daimler-jfoss: javax.security.auth.message.AuthException
                              at org.jboss.security.auth.message.config.JBossServerAuthConfig.getAuthContext(JBossServerAuthConfig.java:187)
                              at org.jboss.security.plugins.auth.JASPIServerAuthenticationManager.isValid(JASPIServerAuthenticationManager.java:99)
                              at org.wildfly.extension.undertow.security.jaspi.JASPICAuthenticationMechanism.authenticate(JASPICAuthenticationMechanism.java:125)
                              at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245)
                              at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231)
                              at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)
                              at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99)
                              at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)

                       

                       

                      The question is, how does widlfly knows which class in the module is implementing the jaspic interface ?

                      Does he get this via reflection (searching which class implements the jaspic interfaces, what if there are more than one class ?)

                      If he does not automatically detect the class,

                      i still think that i have to add the implementing class (com.daimler.jfoss.oidc.jaspic.AuthProvider) somewhere to the standalone.xml ...

                       

                      but as of now, i only mention the JBoss-Module that contains that class ==>

                       

                      ==============

                      <security-domain name="daimler-jfoss" cache-type="default">
                                          <authentication-jaspi>
                                              <login-module-stack name="dummy">
                                                  <login-module name="dummy" code="Dummy" flag="optional"/>
                                              </login-module-stack>
                                              <auth-module name="jaspi" code="dummy" flag="required" module="system.layers.base.jfoss-java-server-extension"/>
                                          </authentication-jaspi>
                                      </security-domain>
                      =====================

                      • 8. Re: Activating jaspic in wildfly
                        Bernd Schatz Newbie

                        e.g. for tomcat i have to add the implementing class into a file called jaspic-providers-xml ==>

                        <provider className="com.daimler.jfoss.oidc.jaspic.AuthProvider" layer="HttpServlet">

                        • 9. Re: Activating jaspic in wildfly
                          Vladimir Zhuravlevich Newbie

                          My understand is that you can add this jaspic-providers.xml file as a resource in the module folder and insert into module.xml.

                          It means that this resource will be available in the classpath.

                          • 10. Re: Activating jaspic in wildfly
                            Bernd Schatz Newbie

                            The jaspic-providers.xml is a **tomcat** specific configuration file.