Need help on "org.wildfly.security.mechanism.http.UsernamePasswordAuthenticationMechanism" usage for WildFly 24 to 26 upgrade


Madhava Alampally

Apr 5, 2023, 1:31:11 AM4/5/23
to WildFly
<security-domain name="EEM" default-realm="EiamCustomRealm" permission-mapper="default-permission-mapper">
    <realm name="EiamCustomRealm"/>
</security-domain>
---
<jaas-realm name="EiamCustomRealm" entry="EiamAuth" module="com.pam.login" callback-handler="com.login.ITPAMEiamCallbackHandler">
    <file path="${jboss.server.base.dir}/../modules/system/layers/base/com/pam/login/main/JAAS-login-modules.conf"/>
</jaas-realm>
----

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

// Callback handler referenced by the jaas-realm's callback-handler attribute
public class ITPAMEiamCallbackHandler implements CallbackHandler {
    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        // ... (body omitted in the original post)
    }
}

And our form authentication mechanism extends UsernamePasswordAuthenticationMechanism:

// UsernamePasswordAuthenticationMechanism is abstract: the subclass must pass the
// CallbackHandler up and implement getMechanismName() / evaluateRequest(HttpServerRequest)
public class FormAuthenticationMechanism extends UsernamePasswordAuthenticationMechanism {
    public FormAuthenticationMechanism(CallbackHandler callbackHandler) {
        super(callbackHandler);
    }
    // ... (evaluateRequest and the rest omitted in the original post)
}

-------------------------------------------------------------------

So, we are facing a few issues with custom authentication.

Can I request someone to provide the sample application for UsernamePasswordAuthenticationMechanism?
And what are the parameters to be passed to the "authenticate" method of "UsernamePasswordAuthenticationMechanism"?

When we pass the security realm name, username and password, we get the following error.

if (authenticate("EiamCustomRealm", username, password.toCharArray()))


ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /itpam/Web.jsp: java.lang.IllegalArgumentException: ELY01092: Invalid mechanism realm selection "EiamCustomRealm"
    at org.wildfly.security.auth.server.ServerAuthenticationContext$InitialState.setMechanismRealmName(ServerAuthenticationContext.java:1808)
    at org.wildfly.security.auth.server.ServerAuthenticationContext.setMechanismRealmName(ServerAuthenticationContext.java:835)
    at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:1089)
    at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:868)
    at org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$SecurityIdentityCallbackHandler.handle(SecurityIdentityServerMechanismFactory.java:126)
    at org.wildfly.security.mechanism.http.UsernamePasswordAuthenticationMechanism.authenticate(UsernamePasswordAuthenticationMechanism.java:78)
    at com.broadcom.pam.auth.C2OFormAuthenticationMechanism.evaluateRequest(C2OFormAuthenticationMechanism.java:175)

Thanks & Regards
Madhava

Diana Krepinska

Apr 5, 2023, 7:04:33 AM4/5/23
to WildFly
The mechanism realm name that should be provided to the `authenticate` method is the realm name configured for the mechanism, not the realm name of the security realm (jaas-realm). It expects the realm name that can be configured in the mechanism-configuration attribute of the http-authentication-factory and in the web.xml descriptor file. Null can be passed as realm name to `authenticate` method if not applicable.
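The distinction above, as an added example that is not code from this thread or from WildFly Elytron itself: a minimal FORM-style mechanism built on UsernamePasswordAuthenticationMechanism. The class name, the mechanism name and the mechanismRealm constructor argument are assumptions; j_username, j_password and the j_security_check suffix are the Servlet FORM convention that Elytron's own FORM mechanism also follows. The value passed as the first argument of authenticate() must be one of the mechanism-realm realm-name values configured for this mechanism under mechanism-configuration in the http-authentication-factory, or null when none is configured; the name of the security realm inside the security-domain ("EiamCustomRealm" in the post) is selected by the security domain's default-realm / realm-mapper and never belongs there.

```java
package com.example.auth; // hypothetical package, not the poster's

import java.util.Arrays;
import javax.security.auth.callback.CallbackHandler;
import org.wildfly.security.http.HttpAuthenticationException;
import org.wildfly.security.http.HttpServerRequest;
import org.wildfly.security.mechanism.http.UsernamePasswordAuthenticationMechanism;

/** Minimal FORM-style mechanism showing what the realm argument of authenticate() means. */
public class ExampleFormMechanism extends UsernamePasswordAuthenticationMechanism {

    public static final String MECHANISM_NAME = "EXAMPLE-FORM"; // hypothetical name

    // Mechanism realm: must match a <mechanism-realm realm-name="..."/> configured for this
    // mechanism in the http-authentication-factory, or be null if none is configured.
    private final String mechanismRealm;

    public ExampleFormMechanism(CallbackHandler callbackHandler, String mechanismRealm) {
        super(callbackHandler);
        this.mechanismRealm = mechanismRealm;
    }

    @Override
    public String getMechanismName() {
        return MECHANISM_NAME;
    }

    @Override
    public void evaluateRequest(HttpServerRequest request) throws HttpAuthenticationException {
        boolean loginPost = "POST".equals(request.getRequestMethod())
                && request.getRequestPath().endsWith("/j_security_check");
        if (!loginPost) {
            // Not a credential submission: leave the request to the container / other mechanisms.
            request.noAuthenticationInProgress();
            return;
        }

        String username = request.getFirstParameterValue("j_username");
        String passwordParam = request.getFirstParameterValue("j_password");
        if (username == null || passwordParam == null) {
            request.authenticationFailed("j_username and j_password are required");
            return;
        }

        char[] password = passwordParam.toCharArray();
        try {
            // WRONG, and the cause of ELY01092 in the post:
            //     authenticate("EiamCustomRealm", username, password)
            // "EiamCustomRealm" is the security realm inside the security-domain; the domain
            // selects it itself. Only a configured mechanism realm name (or null) goes here.
            if (authenticate(mechanismRealm, username, password)) {
                succeed();                         // AuthenticationCompleteCallback.SUCCEEDED
                request.authenticationComplete();
            } else {
                fail();                            // AuthenticationCompleteCallback.FAILED
                request.authenticationFailed("invalid username or password"); // one message for both cases
            }
        } finally {
            Arrays.fill(password, '\0');           // defensive: don't keep the guess around
        }
    }
}
```

If the http-authentication-factory defines no mechanism-realm for the mechanism, construct it with mechanismRealm == null; that is exactly what Elytron's bundled FORM mechanism does. A mechanism realm name is only a hint the mechanism presents to clients (for FORM it is the web.xml realm-name), it does not choose which security realm verifies the password.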

Madhava Alampally

Apr 17, 2023, 12:40:59 AM4/17/23
to Diana Krepinska, WildFly
Thank you so much Diana for the prompt response. 

Curious to know why to call the authenticate method of "UsernamePasswordAuthenticationMechanism" in case of custom authentication.
I mean, we are using a separate 3rd-party application for authentication and authorization, so we need to pass the username and password to that application to authenticate and authorize.

Can you please share a sample implementation of UsernamePasswordAuthenticationMechanism and the corresponding configuration (standalone*.xml and web.xml), or some Git URLs with samples for reference? I searched for examples of "UsernamePasswordAuthenticationMechanism" but I wasn't able to find any.

Thanks & Regards,
Madhava


Madhava Alampally

Apr 24, 2023, 5:17:00 AM4/24/23
to Diana Krepinska, WildFly
Hi Diana, 

Can you please provide the reference document or samples to implement custom form authentication? Probably using the UsernamePasswordAuthenticationMechanism.

Your help in this regard is greatly appreciated as it's a blocker for us to adopt elytron security implementation for custom authentication and authorization.

Thanks & Regards,
Madhava

Diana Krepinska

Apr 25, 2023, 9:30:34 AM4/25/23
to WildFly
Hi Madhava,

You can check out this blog about implementing custom authentication mechanisms, https://darranl.blogspot.com/2018/02/wildfly-elytron-implementing-custom.html , and an example can be found here: https://github.com/wildfly/quickstart/tree/main/http-custom-mechanism .

You did not mention why the custom mechanism is being implemented instead of using the provided FORM authentication mechanism, which also extends UsernamePasswordAuthenticationMechanism and can be used as an example. You mentioned that the authorization is being done by the 3rd-party application. Without having any additional information, it sounds like this logic should be implemented in the custom LoginModule that is configured in your jaas-realm rather than in the custom mechanism.
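To make the suggested split concrete, an added example (not code from this thread, from Broadcom's module or from WildFly): a plain JAAS LoginModule that delegates the credential check to an external service. Everything in it is standard javax.security.auth API, so it can sit behind the jaas-realm while the bundled FORM mechanism handles the HTTP side. The ExternalAuthService interface, the NamedPrincipal class and the single in-memory account (alice / s3cret) are constructed for the example; a real module would build the remote client from the options map. How a given WildFly version turns the Subject's principals into roles for the identity is version-specific and should be checked in that version's jaas-realm documentation; adding one principal per role, as done here, is the common JAAS convention and is an assumption.

```java
package com.example.auth; // hypothetical package, not the poster's com.pam.login module

import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Delegates authentication and role lookup to an external service; no Elytron types needed. */
public class ThirdPartyLoginModule implements LoginModule {

    /** Stand-in for the remote authentication/authorization API (constructed for this example). */
    interface ExternalAuthService {
        /** Returns the granted roles, or null if the credentials are rejected. */
        Set<String> authenticate(String user, char[] password);
    }

    /** Simple Principal used both for the user and for each granted role. */
    public static final class NamedPrincipal implements Principal {
        private final String name;
        public NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof NamedPrincipal && name.equals(((NamedPrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    private Subject subject;
    private CallbackHandler callbackHandler;
    private ExternalAuthService service;
    private String user;
    private Set<String> roles;      // non-null only between a successful login() and commit()
    private boolean committed;

    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        // A real deployment would build the remote client from `options` (endpoint, trust store...).
        // Constructed stand-in: exactly one account is accepted.
        this.service = (u, p) -> ("alice".equals(u) && Arrays.equals(p, "s3cret".toCharArray()))
                ? Set.of("itpam-user") : null;
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username");
        PasswordCallback pc = new PasswordCallback("password", false);
        try {
            callbackHandler.handle(new Callback[] { nc, pc });   // the realm's handler fills these in
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e.getMessage());
        }
        char[] password = pc.getPassword();                      // returns a copy
        pc.clearPassword();
        if (nc.getName() == null || password == null) {
            throw new FailedLoginException("username and password required");
        }
        try {
            roles = service.authenticate(nc.getName(), password);
        } finally {
            Arrays.fill(password, '\0');                         // don't keep the secret around
        }
        if (roles == null) {
            // Same message whether the user is unknown or the password is wrong.
            throw new FailedLoginException("rejected by external authentication service");
        }
        user = nc.getName();
        return true;
    }

    @Override
    public boolean commit() {
        if (roles == null) {
            return false;                                        // login() failed, nothing to add
        }
        subject.getPrincipals().add(new NamedPrincipal(user));
        for (String role : roles) {
            subject.getPrincipals().add(new NamedPrincipal(role));
        }
        committed = true;
        return true;
    }

    @Override
    public boolean abort() {
        roles = null;
        user = null;
        return true;
    }

    @Override
    public boolean logout() {
        if (committed) {
            subject.getPrincipals().removeIf(p -> p instanceof NamedPrincipal);
        }
        committed = false;
        roles = null;
        user = null;
        return true;
    }
}
```

Wired up this way, the mechanism stays generic (FORM collects the credentials and calls authenticate(null, ...)), the security-domain routes them to the jaas-realm, and the only code that knows about the 3rd-party application is this LoginModule, which is also the only place that needs changing if that application's API changes.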