Programmatic Security with JAAS Database Login Module - UT010031: Login Failed


Christof Luethi

Aug 18, 2018, 12:53:00 PM
to Thorntail
Hi All

I'm trying to configure login/auth using programmatic security with the Database login module and a programmatic request.login().

Here's what I have in my project-defaults.yml:

environment: default
logger:
  level: TRACE
swarm:
  deployment:
    myapp-api.war:
      web:
        login-config:
          auth-method: BASIC
          security-domain: my-security-domain
          realm-name: my-security-domain
        security-constraints:
          - url-pattern: /*
            methods: [GET, POST, PUT, DELETE]
            roles: [admin, user]
  security:
    security-domains:
      my-security-domain:
        classic-authentication:
          login-modules:
            Database:
              code: Database
              flag: required
              module-options:
                dsJndiName: java:jboss/datasources/my-ds
                principalsQuery: SELECT c_password FROM tb_user WHERE c_username=?
                rolesQuery: SELECT c_role, 'Roles' FROM tb_user WHERE c_username=?
  datasources:
    data-sources:
      my-ds:
        connection-url: jdbc:postgresql://localhost:9011/postgres
        driver-name: postgresql
        user-name: user
        password: password
    jdbc-drivers:
      postgresql:
        driver-class-name: org.postgresql.Driver
        xa-datasource-name: org.postgresql.xa.PGXADataSource
        driver-module-name: org.postgresql
  context:
    path: /my-app



In my REST resource I'm doing a request.login(username, password).

But I only get:

2018-08-18 18:37:33,176 INFO  [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (default task-2) HHH000397: Using ASTQueryTranslatorFactory
2018-08-18 18:37:33,237 DEBUG [org.hibernate.SQL] (default task-2) select user0_.id as id1_4_, user0_.C_active as C_active2_4_, user0_.C_createDate as C_create3_4_, user0_.C_createUser as C_create4_4_, user0_.C_email as C_email5_4_, user0_.C_firstname as C_firstn6_4_, user0_.C_lastLogin as C_lastLo7_4_, user0_.C_lastname as C_lastna8_4_, user0_.C_modificationDate as C_modifi9_4_, user0_.C_modificationUser as C_modif10_4_, user0_.C_password as C_passw11_4_, user0_.C_role as C_role12_4_, user0_.C_username as C_usern13_4_ from TB_User user0_ where user0_.C_username=?
2018-08-18 18:37:33,238 INFO  [stdout] (default task-2) Hibernate: select user0_.id as id1_4_, user0_.C_active as C_active2_4_, user0_.C_createDate as C_create3_4_, user0_.C_createUser as C_create4_4_, user0_.C_email as C_email5_4_, user0_.C_firstname as C_firstn6_4_, user0_.C_lastLogin as C_lastLo7_4_, user0_.C_lastname as C_lastna8_4_, user0_.C_modificationDate as C_modifi9_4_, user0_.C_modificationUser as C_modif10_4_, user0_.C_password as C_passw11_4_, user0_.C_role as C_role12_4_, user0_.C_username as C_usern13_4_ from TB_User user0_ where user0_.C_username=?
2018-08-18 18:37:33,259 TRACE [org.hibernate.type.descriptor.sql.BasicBinder] (default task-2) binding parameter [1] as [VARCHAR] - [admin]
2018-08-18 18:37:33,262 TRACE [org.hibernate.type.descriptor.sql.BasicExtractor] (default task-2) extracted value ([id1_4_] : [VARCHAR]) - [119293a6-1b1b-4f0b-b8a1-bf83dee1c959]
2018-08-18 18:37:33,266 TRACE [org.hibernate.type.descriptor.sql.BasicExtractor] (default task-2) extracted value ([C_active2_4_] : [BOOLEAN]) - [true]
2018-08-18 18:37:33,266 TRACE [org.hibernate.type.descriptor.sql.BasicExtractor] (default task-2) extracted value ([C_create3_4_] : [TIMESTAMP]) - [2018-08-15 22:01:34.371]
2018-08-18 18:37:33,266 TRACE [org.hibernate.type.descriptor.sql.BasicExtractor] (default task-2) extracted value ([C_create4_4_] : [VARCHAR]) - [system]
2018-08-18 18:37:33,266 TRACE [org.hibernate.type.descriptor.sql.BasicExtractor] (default task-2) extracted value ([C_email5_4_] : [VARCHAR]) - [example@example.com]
2018-08-18 18:37:33,267 TRACE [org.hibernate.type.descriptor.sql.BasicExtractor] (default task-2) extracted value ([C_firstn6_4_] : [VARCHAR]) - [System]
2018-08-18 18:37:33,267 TRACE [org.hibernate.type.descriptor.sql.BasicExtractor] (default task-2) extracted value ([C_lastLo7_4_] : [TIMESTAMP]) - [null]
2018-08-18 18:37:33,267 TRACE [org.hibernate.type.descriptor.sql.BasicExtractor] (default task-2) extracted value ([C_lastna8_4_] : [VARCHAR]) - [Administrator]
2018-08-18 18:37:33,267 TRACE [org.hibernate.type.descriptor.sql.BasicExtractor] (default task-2) extracted value ([C_modifi9_4_] : [TIMESTAMP]) - [2018-08-15 22:01:34.371]
2018-08-18 18:37:33,267 TRACE [org.hibernate.type.descriptor.sql.BasicExtractor] (default task-2) extracted value ([C_modif10_4_] : [VARCHAR]) - [system]
2018-08-18 18:37:33,267 TRACE [org.hibernate.type.descriptor.sql.BasicExtractor] (default task-2) extracted value ([C_passw11_4_] : [VARCHAR]) - [password]
2018-08-18 18:37:33,267 TRACE [org.hibernate.type.EnumType] (default task-2) Returning [ADMIN] as column [C_role12_4_]
2018-08-18 18:37:33,267 TRACE [org.hibernate.type.descriptor.sql.BasicExtractor] (default task-2) extracted value ([C_usern13_4_] : [VARCHAR]) - [admin]
2018-08-18 18:37:33,271 INFO  [com.example.myapp.server.app.system.AccountRestEndpoint] (default task-2) LoginCredentials: admin/password
2018-08-18 18:37:33,278 INFO  [com.example.myapp.server.app.system.AccountRestEndpoint] (default task-2) Exception: javax.servlet.ServletException: UT010031: Login failed
        at io.undertow.servlet.spec.HttpServletRequestImpl.login(HttpServletRequestImpl.java:450)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.jboss.resteasy.core.ContextParameterInjector$GenericDelegatingProxy.invoke(ContextParameterInjector.java:64)
        at com.sun.proxy.$Proxy115.login(Unknown Source)
        at com.example.myapp.server.app.system.AccountRestEndpoint.login(AccountRestEndpoint.java:97)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.jboss.as.ee.component.ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptor.java:52)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
        at org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:437)
        at org.jboss.as.weld.ejb.DelegatingInterceptorInvocationContext.proceed(DelegatingInterceptorInvocationContext.java:87)
        at org.jboss.weld.interceptor.proxy.WeldInvocationContext.interceptorChainCompleted(WeldInvocationContext.java:98)
        at org.jboss.weld.interceptor.proxy.WeldInvocationContext.proceed(WeldInvocationContext.java:117)
        at org.hibernate.validator.internal.cdi.interceptor.ValidationInterceptor.validateMethodInvocation(ValidationInterceptor.java:78)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.jboss.weld.interceptor.reader.SimpleInterceptorInvocation$SimpleMethodInvocation.invoke(SimpleInterceptorInvocation.java:74)
        at org.jboss.weld.interceptor.proxy.WeldInvocationContext.invokeNext(WeldInvocationContext.java:83)
        at org.jboss.weld.interceptor.proxy.WeldInvocationContext.proceed(WeldInvocationContext.java:115)
        at org.jboss.weld.bean.InterceptorImpl.intercept(InterceptorImpl.java:108)
        at org.jboss.as.weld.ejb.DelegatingInterceptorInvocationContext.proceed(DelegatingInterceptorInvocationContext.java:77)
        at org.jboss.as.weld.ejb.Jsr299BindingsInterceptor.delegateInterception(Jsr299BindingsInterceptor.java:68)
        at org.jboss.as.weld.ejb.Jsr299BindingsInterceptor.doMethodInterception(Jsr299BindingsInterceptor.java:80)
        at org.jboss.as.weld.ejb.Jsr299BindingsInterceptor.processInvocation(Jsr299BindingsInterceptor.java:93)
        at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:63)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
        at org.jboss.as.ejb3.component.invocationmetrics.ExecutionTimeInterceptor.processInvocation(ExecutionTimeInterceptor.java:43)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
        at org.jboss.as.jpa.interceptor.SBInvocationInterceptor.processInvocation(SBInvocationInterceptor.java:47)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
        at org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:437)
        at org.jboss.weld.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:64)
        at org.jboss.as.weld.ejb.EjbRequestScopeActivationInterceptor.processInvocation(EjbRequestScopeActivationInterceptor.java:83)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
        at org.jboss.as.ee.concurrent.ConcurrentContextInterceptor.processInvocation(ConcurrentContextInterceptor.java:45)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
        at org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:21)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
        at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
        at org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:52)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
        at org.jboss.as.ejb3.component.interceptors.NonPooledEJBComponentInstanceAssociatingInterceptor.processInvocation(NonPooledEJBComponentInstanceAssociatingInterceptor.java:59)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
        at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:275)
        at org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:327)
        at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:239)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
        at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
        at org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:47)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
        at org.jboss.as.ejb3.security.AuthorizationInterceptor.processInvocation(AuthorizationInterceptor.java:138)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
        at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:100)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
        at org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
        at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
        at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
        at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
        at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:54)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
        at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:64)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
        at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:356)
        at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:636)
        at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:61)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
        at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:356)
        at org.jboss.invocation.PrivilegedWithCombinerInterceptor.processInvocation(PrivilegedWithCombinerInterceptor.java:80)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
        at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
        at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198)
        at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:185)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
        at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
        at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:73)
        at com.example.myapp.server.app.system.AccountRestEndpoint$$$view1.login(Unknown Source)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:402)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:209)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
        at com.example.myapp.server.ws.CsrfTokenFilter.doFilter(CsrfTokenFilter.java:35)
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
        at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.swarm.generated.FaviconErrorHandler.handleRequest(FaviconErrorHandler.java:62)
        at io.undertow.server.handlers.PathHandler.handleRequest(PathHandler.java:94)
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
        at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
        at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
        at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
        at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
        at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
        at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
        at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
        at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
        at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
        at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
        at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
        at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:211)
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:809)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)



The database contains a record with username=admin, password=password and role=ADMIN.
I'm on WildFly Swarm 2017.11.0 and have included the following org.wildfly.swarm dependencies: logging, ejb, jpa, cdi, jaxrs, security.

Any ideas what is missing or why the error appears?

Cheers
Christof

Sergey Beryozkin

Aug 19, 2018, 6:48:12 AM
to Christof Luethi, Thorntail
This is probably because the login action has already been done. If you restrict the security constraints to a more specific URL pattern, say /a, and then try to access a '/b' address then 401 should be returned...
If you completely remove the security constraints then the programmatic login might work...
If you do need a fine grained control over the JAAS login process then consider avoiding the declarative JAAS setup in the YAML config and instead load the module from a custom (JAX-RS) interceptor and set up the security context there

Cheers, Sergey
 

--
You received this message because you are subscribed to the Google Groups "Thorntail" group.
To unsubscribe from this group and stop receiving emails from it, send an email to thorntail+unsubscribe@googlegroups.com.
To post to this group, send email to thor...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/thorntail/9196e8e6-5675-48f4-a66e-73e52f5079f4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Diyan Segs

Aug 19, 2018, 7:26:50 AM
to Thorntail
@sergey: your setup sounds very interesting. Do you have a sample project with such implementations you could share?

Sergey Beryozkin

Aug 19, 2018, 1:48:09 PM
to Diyan Segs, Thorntail
I did a bit of generic work around it in the other project, one would use LoginContext to login, providing the callback handler which can be linked for ex to the name/password extracted from the Basic Auth header, and then once the login is good, get Subject, and set up a (JAX-RS) SecurityContext.

There has to be a good reason for going this route, for example, in OSGI setting up the configuration declaratively was tricky enough in our case.

If Thorntail can do it for you, why do you need to do it manually ?

Thanks, Sergey


Christof Luethi

Aug 19, 2018, 3:32:35 PM
to Thorntail
Hmm. Changing the url-pattern to /b* and even removing the complete security-constraint block did not affect the error.

@POST
@Path("/login")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@PermitAll
public Response login(@Context final HttpServletRequest request, @Valid CredentialsDto credentials) {
    User user = securityContext.getUser(credentials.getUsername().toLowerCase());

    // NOTE: this writes the cleartext password to the log (visible in the log excerpt above); debug-only, remove before production
    logger.info("LoginCredentials: " + credentials.getUsername() + "/" + credentials.getPassword());

    if (user == null) {
        return Response.status(HttpUtil.STATUS_FORBIDDEN)
                .entity(ServerMessageBuilder.create().message(ValidationUtil.MESSAGE_LOGIN_FAILED).build()).build();
    }

    if (!user.getActive()) {
        return Response.status(HttpUtil.STATUS_FORBIDDEN).entity(new ServerMessageDto(ValidationUtil.MESSAGE_LOGIN_INACTIVE))
                .build();
    }

    // login (this is AccountRestEndpoint.java:97 in the stack trace above)
    try {
        request.logout();
        request.login(credentials.getUsername().toLowerCase(), credentials.getPassword());
    } catch (ServletException e) {
        logger.info("Exception: ", e);
        logger.warn("Login for user '" + credentials.getUsername() + "' failed: " + e.getMessage());
        ServerMessageDto messageDto = ServerMessageBuilder.create().message(ValidationUtil.MESSAGE_LOGIN_FAILED).build();
        return Response.status(HttpUtil.STATUS_FORBIDDEN).entity(messageDto).build();
    }

    return getCurrentAccount();
}


Digging a bit further, it fails on identityManager.verify() in io.undertow.security.impl.SecurityContextImpl.login():

@Override
public boolean login(final String username, final String password) {

    UndertowLogger.SECURITY_LOGGER.debugf("Attempting programatic login for user %s for request %s", username, exchange);

    final Account account;
    if (System.getSecurityManager() == null) {
        account = identityManager.verify(username, new PasswordCredential(password.toCharArray()));
    } else {
        account = AccessController.doPrivileged(new PrivilegedAction<Account>() {
            @Override
            public Account run() {
                return identityManager.verify(username, new PasswordCredential(password.toCharArray()));
            }
        });
    }

    // a null Account from the IdentityManager is what surfaces as UT010031 in HttpServletRequestImpl.login()
    if (account == null) {
        return false;
    }

    authenticationComplete(account, programaticMechName, true);
    this.authenticationState = AuthenticationState.AUTHENTICATED;

    return true;
}

Sergey Beryozkin

Aug 20, 2018, 11:48:10 AM
to Christof Luethi, Thorntail
Sorry, might've misled you, it looks like that the security-constraints is what activates the login manager after all.

As I said earlier the reason you are seeing the failure is possibly to do with the fact that the login has already been done.

In fact I'm looking at your code above and it confirms it.

Then in the middle of the service call a logout followed by a new login is done which is where it all fails. I don't know if such a sequence is supposed to work, may be after the logout the manager loses all the context info...

Thanks, Sergey


Christof Luethi

Aug 20, 2018, 12:48:26 PM
to Thorntail
Ok. I've re-enabled the security-constraint with /* and I'm receiving null from request.getUserPrincipal(), so I assume the login has not taken place... Also, removing the logout before login has no effect. The code is from an old project using WildFly 9 or 10... there, logout before login seems to work. To be clear: securityContext.getUser() simply returns the user object from the database to check further parameters like active state, failedlogincount, ... .

Generally my feeling is that the security-constraint doesn't have much influence... What about the login method? I submit user/pw as a CredentialsDto (JSON) and I'm not using classical BASIC auth with an Authorization header... Is BASIC therefore correct?


Sergey Beryozkin

Aug 20, 2018, 4:30:24 PM
to Christof Luethi, Thorntail
That will explain why your current configuration is not effective as it expects that the name/password is in the HTTP header.

So, are you saying that the name/password are encapsulated somewhere in the HTTP message payload (not in a header) ?
In that case you'd need to create either 1) custom login method - please ask at the wildfly list on how to do it or 2) try the method I referred to earlier, load the LoginContext, provide a callback linked to the custom payload, get Subject and use it to set a SecurityContext, the roles based access can be enforced later on, may be with the RestEasy filter, but the first step is to get the SecurityContext populated with the Principal/roles...

Sergey


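The "load the LoginContext, provide a callback, get the Subject, set a SecurityContext" route Sergey describes, written out as an added example. This is editor-supplied illustration code, not code from the thread, from Thorntail or from RESTEasy. It assumes a JAAS login configuration entry named `my-security-domain` is registered in the JVM (the container's security subsystem does this for a configured security domain; outside a container a `jaas.conf` passed with `-Djava.security.auth.login.config` would), that the credentials arrive in a Basic `Authorization` header, and that the login modules follow the JBoss/PicketBox convention of placing roles in a `Group` principal named `Roles`. `JaasBasicAuthFilter`, `NamePasswordHandler` and `JaasSecurityContext` are names chosen for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.security.acl.Group;            // Java 8 era API (deprecated in 10, removed in 14)
import java.util.Arrays;
import java.util.Base64;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import javax.annotation.Priority;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/** Authenticates Basic credentials through JAAS and installs a JAX-RS SecurityContext (example code). */
@Provider
@Priority(Priorities.AUTHENTICATION)
public class JaasBasicAuthFilter implements ContainerRequestFilter {

    // Assumption: a JAAS configuration entry with this name exists and lists the Database login module.
    private static final String JAAS_ENTRY = "my-security-domain";

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            ctx.abortWith(challenge());
            return;
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException badBase64) {
            ctx.abortWith(challenge());
            return;
        }
        int colon = decoded.indexOf(':');
        if (colon <= 0) {                     // no separator, or empty user name
            ctx.abortWith(challenge());
            return;
        }
        String user = decoded.substring(0, colon);
        char[] password = decoded.substring(colon + 1).toCharArray();
        try {
            // The CallbackHandler feeds name/password to the configured login modules; the Subject is
            // populated only when every "required" module succeeds, otherwise login() throws.
            LoginContext lc = new LoginContext(JAAS_ENTRY, new NamePasswordHandler(user, password));
            lc.login();
            SecurityContext previous = ctx.getSecurityContext();
            boolean secure = previous != null && previous.isSecure();
            ctx.setSecurityContext(new JaasSecurityContext(lc.getSubject(), user, secure));
        } catch (LoginException e) {
            ctx.abortWith(challenge());       // same response for unknown user and bad password; never log the password
        } finally {
            Arrays.fill(password, '\0');      // limit the cleartext lifetime in memory
        }
    }

    private static Response challenge() {
        return Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"" + JAAS_ENTRY + "\"").build();
    }

    /** Answers the standard JAAS NameCallback / PasswordCallback; anything else is refused. */
    static final class NamePasswordHandler implements CallbackHandler {
        private final String name; private final char[] password;
        NamePasswordHandler(String name, char[] password) { this.name = name; this.password = password; }
        @Override public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(name);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        }
    }

    /** Exposes the authenticated Subject's principal and roles to JAX-RS (@RolesAllowed, isUserInRole). */
    static final class JaasSecurityContext implements SecurityContext {
        private final Principal principal; private final Set<String> roles = new HashSet<>(); private final boolean secure;
        JaasSecurityContext(Subject subject, String userName, boolean secure) {
            this.secure = secure;
            Principal found = null;
            for (Principal p : subject.getPrincipals()) {
                if (p instanceof Group && "Roles".equals(p.getName())) {   // JBoss/PicketBox role-group convention
                    for (Enumeration<? extends Principal> e = ((Group) p).members(); e.hasMoreElements();) roles.add(e.nextElement().getName());
                } else if (found == null) found = p;
            }
            this.principal = found != null ? found : () -> userName;
        }
        @Override public Principal getUserPrincipal() { return principal; }
        @Override public boolean isUserInRole(String role) { return roles.contains(role); }
        @Override public boolean isSecure() { return secure; }
        @Override public String getAuthenticationScheme() { return SecurityContext.BASIC_AUTH; }
    }
}
```

For the JSON-body case in this thread the same three calls (construct the LoginContext with a CallbackHandler, call login(), read getSubject()) can be made from the login resource with the name and password taken from the DTO instead of the header. Two caveats regardless of where the credentials come from: Basic credentials and a JSON password are both cleartext on the wire, so this only belongs behind TLS, and the principalsQuery in the configuration above compares against whatever tb_user.c_password holds, so storing a hashed value there (the PicketBox login modules have hashAlgorithm/hashEncoding module options for that) is what keeps a database leak from becoming a credential leak.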

Christof Luethi

Aug 21, 2018, 3:12:37 PM
to Thorntail
I got it working with the following changes:

1. created a class with a custom main() method
2. added the following code in the main

SecurityFraction securityFraction = new SecurityFraction();
securityFraction.applyDefaults().securityDomain("my-security-domain");
swarm.fraction(securityFraction);
deployment.setSecurityDomain("my-security-domain");

Seems the default security domain was missing. login-config.auth-method is still set to BASIC.

Do you know how to set this up using the YAML? I'd like to get rid of the custom main() again.

Sergey Beryozkin

Aug 21, 2018, 5:03:44 PM
to Christof Luethi, Thorntail
I have to admit I don't understand what is going on, or why it even works given you said it was not the basic auth header that was used.
But I'm glad it is working for you in the end :-).

Sergey


Christof Luethi

Aug 21, 2018, 5:29:17 PM
to Thorntail
Well, all that's needed is just this line in the custom main():

deployment.setSecurityDomain("my-security-domain");

The login-config with BASIC auth-method has no effect. Maybe now it's a bit less confusing.

thanks for your support!

Christof

Ladislav Thon

Aug 22, 2018, 3:43:06 AM
to thor...@googlegroups.com

Sergey Beryozkin

Aug 22, 2018, 5:59:50 AM
to Christof Luethi, Thorntail
Hi Christof

You are welcome, even though I did not really help.
As Ladislav explained, you can set the domain in the YAML easily...
In fact this is what you do in your config... I wonder if the name of your web application is actually different, which might explain why the login method setup is not effective...

Sergey


Sergey Beryozkin

Aug 22, 2018, 6:08:46 AM
to Christof Luethi, Thorntail

Christof Luethi

Aug 22, 2018, 9:06:56 AM
to Thorntail
Actually, that's also what I thought. But it matches the name which is shown at startup, something like "Starting deployment of "xy.war" (runtime-name: "xy.war")", so I assume it's correct. I had the security domain as Ladislav said in [1], which also had no effect. But that also points to a wrong *.war name and would make sense. Will give it another try when I'm back (also with [2]).

A little off-topic: what exactly is needed to run the Thorntail examples? It complains about

In order to use HTTP/2 in JBoss EAP, you must have the OpenSSL provider with ALPN capability from JBoss Core Services installed and configured. This is due to the fact that HTTP/2 requires a TLS stack that supports ALPN, which is not provided by the default installation of Java 8. HTTP/2 will only work with browsers that also support the HTTP/2 standard. OpenSSL usage with JBoss EAP on HP-UX is NOT supported.

Running on Ubuntu 16.04 with openjdk-8, and also tried with openjdk-9. Haven't really found useful information about this.
