0 Replies Latest reply on Nov 6, 2019 12:03 PM by work_registries

    How to programmatically authenticate and authorize against a security domain in wildfly-8.2.1.Final?


      for wildfly 8.2.1-Final


      security domain defined in standalone-full.xml

      <security-domain name="mySecDomain" cache-type="undefined">
          <authentication>
              <login-module name="ldap">
              </login-module>
          </authentication>
          <audit>
              <provider-module name="audit-log" code="org.jboss.security.audit.providers.LogAuditProvider"/>
          </audit>
          <mapping>
              <mapping-module name="dbRoles" code="DatabaseRoles" type="role">
              </mapping-module>
              <mapping-module name="ldap-roles-to-app-roles" code="org.jboss.security.mapping.providers.DeploymentRoleToRolesMappingProvider" type="role"/>
          </mapping>
      </security-domain>

      regular form-based login works:

      authentication via ldap works, loading roles from db works, mapping roles from db names to app names works.


      now I also have some programmatic re-authentication

      I can't say where I got it from back then, when still running on wildfly 4, but it looks like:

      import java.security.AccessController;
      import java.security.Principal;
      import java.security.PrivilegedActionException;
      import java.security.PrivilegedExceptionAction;
      import java.security.acl.Group;
      import java.util.Enumeration;
      import javax.security.auth.Subject;
      import javax.security.auth.callback.CallbackHandler;
      import javax.security.auth.login.LoginContext;
      import javax.security.auth.login.LoginException;
      import org.jboss.security.auth.callback.UsernamePasswordHandler;

          // Authenticates against the named JAAS security domain and returns the populated
          // Subject, or null when the login modules reject the credentials.
          public Subject login(final String username, final Object credential, final String securityDomain)
                  throws LoginException {
              final CallbackHandler handler = new UsernamePasswordHandler(username, credential);
              Subject result = null;
              try {
                  final Subject subject = new Subject();
                  // the LoginContext is created in a privileged block so this also works under a security manager
                  final LoginContext lc = AccessController.doPrivileged(new PrivilegedExceptionAction<LoginContext>() {
                      public LoginContext run() throws Exception {
                          return new LoginContext(securityDomain, subject, handler);
                      }
                  });
                  lc.login();   // runs the domain's login modules and fills the subject
                  result = subject;
              } catch (PrivilegedActionException e) {
                  final Exception ex = e.getException();
                  if (ex instanceof LoginException)
                      throw (LoginException) ex;
                  throw (LoginException) new LoginException(ex.getMessage()).initCause(e);
              } catch (LoginException e) {
                  result = null;
              }
              return result;
          }


      the code runs within the context of a thread processing a servlet request.


      I don't want to establish a new security context or anything.

      just authenticate with username+password and get a security subject with names and roles.


      login partially works. login modules are executed fine, so ldap authentication is done

      BUT mapping modules are not executed, so the resulting subject does not have all the roles provided by the mapping modules (db roles, mapped to app role names)


      when I look at the stack trace of a regular login, I see the wildfly undertow IdentityManager involved:

      org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(String, Credential)


      when I look at the stack trace of my programmatic login, I only see javax.security classes

      they are probably aware of the standard javax.security.auth.spi.LoginModule modules configured for the security domain

      but they are not aware of the wildfly specific org.jboss.security.mapping.MappingProvider classes/modules in the security domain


      so my question:

      how can I programmatically authenticate + authorize fully against the configured security domain "mySecDomain"?


      at best without any wildfly/undertow-specific api/classes involved, as it's (mostly) done now (apart from the jboss UsernamePasswordHandler)


      or how can I get my hands on the io.undertow.security.idm.IdentityManager configured for the webapp from within a servlet request processing thread?

      then I could call io.undertow.security.idm.IdentityManager.verify(String, Credential) and work with io.undertow.security.idm.Account principal+roles
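As an added example (not the poster's code, and not WildFly's own): walking a JAAS Subject the way the imports above suggest, to read the caller name and the role names. It assumes the PicketBox layout where login modules put roles into a `Group` named "Roles"; the Subject, the `NamedGroup` class and the user and role names are constructed here so it runs without a server.

```java
import java.security.Principal;
import java.security.acl.Group;   // Java 8 API that WildFly 8 subjects use (removed in JDK 14)
import java.util.*;
import javax.security.auth.Subject;

public class SubjectRoles {
    /** Minimal java.security.acl.Group; constructed here to stand in for PicketBox's SimpleGroup. */
    static final class NamedGroup implements Group {
        private final String name;
        private final Set<Principal> members = new LinkedHashSet<>();
        NamedGroup(String name) { this.name = name; }
        public String getName() { return name; }
        public boolean addMember(Principal p) { return members.add(p); }
        public boolean removeMember(Principal p) { return members.remove(p); }
        public boolean isMember(Principal p) { return members.contains(p); }
        public Enumeration<? extends Principal> members() { return Collections.enumeration(members); }
    }

    /** Caller identity: the first principal in the Subject that is not a Group. */
    static String callerName(Subject subject) {
        for (Principal p : subject.getPrincipals()) {
            if (!(p instanceof Group)) return p.getName();
        }
        return null;
    }

    /** Role names: the members of the Group named "Roles", which is where PicketBox login modules put them. */
    static Set<String> roleNames(Subject subject) {
        Set<String> roles = new TreeSet<>();
        for (Group g : subject.getPrincipals(Group.class)) {
            if (!"Roles".equals(g.getName())) continue;
            for (Enumeration<? extends Principal> e = g.members(); e.hasMoreElements(); ) {
                roles.add(e.nextElement().getName());
            }
        }
        return roles;
    }

    public static void main(String[] args) {
        // Constructed Subject shaped like the one a login module commits: caller principal + "Roles" group.
        Subject subject = new Subject();
        subject.getPrincipals().add(() -> "alice");                 // constructed caller name
        Group roles = new NamedGroup("Roles");
        roles.addMember(() -> "cn=app-admins,ou=groups");           // constructed LDAP group name
        roles.addMember(() -> "DB_READER");                         // constructed DB role name
        subject.getPrincipals().add(roles);
        System.out.println("caller = " + callerName(subject));
        // Still the raw LDAP/DB names: LoginContext.login() runs login modules only, not the domain's mapping modules
        System.out.println("roles  = " + roleNames(subject));
    }
}
```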