SSO with STATEFUL_BASIC


Imsand Li

Apr 19, 2022, 9:08:25 AM
to WildFly
Hi,
my application (ear) contains two war files.
The first war is using FORM Login and the second war is using BASIC Auth.

With WildFly 11 and PicketBox, I was able to configure SSO between these two war application with (standalone.xml):
```xml
<subsystem xmlns="urn:jboss:domain:undertow:4.0">
    <server name="default-server">
        <host name="default-host" alias="localhost">
            <single-sign-on http-only="true"/>
        </host>
    </server>
</subsystem>
```

I could login with BASIC Auth and was authenticated in the Form Auth Application as well (with a JSESSIONIDSSO Cookie on path "/").

With WildFly 26.1 this does not work out of the box anymore. The sessions between BASIC and FORM auth aren't shared.

According to https://issues.redhat.com/browse/ELY-1934, this should be possible with STATEFUL_BASIC.

But I'm failing to set this up at all... (standalone.xml):

```xml
<http-authentication-factory name="example-fs-http-auth" security-domain="fsSD" http-server-mechanism-factory="global">
  <mechanism-configuration>
    <mechanism mechanism-name="STATEFUL_BASIC">
      <mechanism-realm realm-name="RealmUsersRoles"/>
    </mechanism>
    <mechanism mechanism-name="BASIC">
      <mechanism-realm realm-name="RealmUsersRoles"/>
    </mechanism>
    <mechanism mechanism-name="FORM">
      <mechanism-realm realm-name="RealmUsersRoles"/>
    </mechanism>
  </mechanism-configuration>
</http-authentication-factory>
```

but activating STATEFUL_BASIC in web.xml

```xml
<login-config>
  <auth-method>STATEFUL_BASIC,BASIC,FORM</auth-method>
  <realm-name>RealmUsersRoles</realm-name>
</login-config>
```

results in an exception:

```
WFLYCTL0186:   Services which failed to start:      service jboss.deployment.subunit."module-ear-1.0-SNAPSHOT.ear"."com.example-web-basic-1.0-SNAPSHOT.war".undertow-deployment: java.lang.RuntimeException: java.lang.IllegalStateException: The required mechanism 'STATEFUL_BASIC' is not available in mechanisms [BASIC, FORM] from the HttpAuthenticationFactory.
```


Is there some further documentation/example (besides the code on github)?
Has anyone a working setup like this?

Best regards,
Li

Imsand Li

May 3, 2022, 11:17:06 AM
to WildFly
Ok, the reason why it didn't work is the wrongly referenced factory in
https://github.com/wildfly-security/wildfly-elytron/blob/1.x/http/stateful-basic/src/main/java/org/wildfly/security/http/sfbasic/WildFlyElytronHttpBasicProvider.java#L42

It should reference org.wildfly.security.http.sfbasic.BasicMechanismFactory.

Shall I create a pull request?

But I still can't use SSO between FORM and STATEFUL_BASIC because there is a check for an equal mechanismName.
Is this really necessary?

Best regards,
Li

Paul Ferraro

May 5, 2022, 8:52:05 AM
to WildFly
On Tuesday, May 3, 2022 at 11:17:06 AM UTC-4 imsa...@gmail.com wrote:
Ok, the reason why it didn't work is the wrongly referenced factory in
https://github.com/wildfly-security/wildfly-elytron/blob/1.x/http/stateful-basic/src/main/java/org/wildfly/security/http/sfbasic/WildFlyElytronHttpBasicProvider.java#L42

It should reference org.wildfly.security.http.sfbasic.BasicMechanismFactory.

Shall I create a pull request?

Please do. Frankly, I would change this line to use BasicMechanismFactory.class.getName() to reduce the likelihood of a refactor causing a regression.
 
But I still can't use SSO between FORM and STATEFUL_BASIC because there is a check for an equal mechanismName.
Is this really necessary?

I believe so, because callback handlers are specific to the authentication mechanism.

Darran Lofthouse

May 5, 2022, 8:56:55 AM
to WildFly
Please do raise an ELY Jira issue and submit a PR but do stick with the String constant - the reason we use String constants instead of class.getName() is to prevent all of the implementation classes from being pro-actively loaded at the time the Provider is registered - we have a lot of implementation classes referenced across the providers so loading them all when WildFly starts was a big overhead when just a few were actually used at runtime.
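The trade-off Darran describes (String class names keep the Provider from eagerly loading every mechanism implementation, but a typo such as the one Li found is only noticed when a deployment asks for that mechanism) can be closed with a test-time check. The following is an added example, not Elytron's code: a minimal java.security.Provider that registers mechanism factories by String constant, plus a check that resolves each registered class name with `initialize=false`, so the lazy-loading benefit is kept while a wrong reference is reported. The service type name, the provider name and both class names are constructed stand-ins; the real Elytron type String and the real sfbasic factory are not asserted here.

```java
import java.security.Provider;
import java.util.ArrayList;
import java.util.List;

// Added example: mimics String-based service registration and checks that every
// registered implementation class can be resolved without initializing it.
public final class MechanismProviderCheck {

    // Assumed service type name; Elytron's real type String may differ.
    static final String TYPE = "HttpServerAuthenticationMechanismFactory";

    static final class DemoProvider extends Provider {
        DemoProvider() {
            super("DemoHttpProvider", "1.0", "Demo provider using String class references");
            // Constructed entries: a resolvable stand-in class for BASIC, and a
            // deliberately wrong class name for STATEFUL_BASIC, standing in for
            // the mis-referenced factory discussed in this thread.
            putService(new Service(this, TYPE, "BASIC",
                    "java.util.ArrayList", null, null));
            putService(new Service(this, TYPE, "STATEFUL_BASIC",
                    "org.example.sfbasic.MissingFactory", null, null));
        }
    }

    /** Returns "mechanism -> className" for each service whose class cannot be loaded. */
    static List<String> unresolvable(Provider provider) {
        List<String> broken = new ArrayList<>();
        for (Provider.Service service : provider.getServices()) {
            if (!TYPE.equals(service.getType())) continue;
            try {
                // initialize=false: the class is located but not initialized, so the
                // check does not pay the start-up cost the String constants avoid.
                Class.forName(service.getClassName(), false,
                        MechanismProviderCheck.class.getClassLoader());
            } catch (ClassNotFoundException e) {
                broken.add(service.getAlgorithm() + " -> " + service.getClassName());
            }
        }
        return broken;
    }

    public static void main(String[] args) {
        // Prints the single broken entry: STATEFUL_BASIC -> org.example.sfbasic.MissingFactory
        for (String entry : unresolvable(new DemoProvider())) {
            System.out.println("unresolvable: " + entry);
        }
    }
}
```

Run as a unit test against the real provider class, with the Elytron jar on the classpath, the check fails on exactly the kind of mismatch that otherwise surfaces only as "The required mechanism 'STATEFUL_BASIC' is not available".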

Paul Ferraro

May 5, 2022, 9:00:34 AM
to WildFly
Good point.  Thanks Darran!

Alex Tran

Oct 30, 2023, 5:59:05 PM
to WildFly
I came across this topic as we got into a similar situation, i.e. migrating Web applications working fine on WildFly 11 to WildFly 29 and up. The SSO mechanism was set up in the same way as Imsand's in WildFly 11. In WildFly 29, I have used Elytron realm and Undertow SSO. The token JSESSIONIDSSO is created after successful authentication via FORM auth at the Web UI but it's not used for the subsequent BASIC authentication (to the REST backend). I added the STATEFUL_BASIC as above and the relevant documentation but got the same error

```
.IllegalStateException: The required mechanism 'STATEFUL_BASIC' is not available in mechanisms [BASIC, FORM] from the HttpAuthenticationFactory.
    Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: The required mechanism 'STATEFUL_BASIC' is not available in mechanisms [BASIC, FORM] from the HttpAuthenticationFactory.
    Caused by: java.lang.IllegalStateException: The required mechanism 'STATEFUL_BASIC' is not available in mechanisms [BASIC, FORM] from the HttpAuthenticationFactory."}}
```

Is this fixed in WildFly 29?
Alex