Wildfly 26 Elytron > Setting role on JSF Login


David Baddeley

Apr 14, 2022, 11:03:53 AM
to WildFly
Hi All,

I am trying to configure a simple login for a JSF 2.3 app deployed to WildFly 26 (Jakarta EE 8) using the @CustomFormAuthenticationMechanismDefinition method and my own IdentityStore implementation.

Following the example posted here: https://www.baeldung.com/java-ee-8-security

The login works fine and the Principal is set in the application; however, I am still getting a 403 Forbidden response when forwarded to the restricted page, because it seems that WildFly is not setting the security roles...

11:47:16,055 TRACE [org.wildfly.security] (default task-4) Handling CallerPrincipalCallback
11:47:16,055 TRACE [org.wildfly.security] (default task-4) Original Principal = 'javax.security.enterprise.CallerPrincipal@317242d5', Caller Name = 'null', Resulting Principal = 'javax.security.enterprise.CallerPrincipal@317242d5'
11:47:16,056 TRACE [org.wildfly.security] (default task-4) Role mapping: principal [javax.security.enterprise.CallerPrincipal@317242d5] -> decoded roles [] -> domain decoded roles [] -> realm mapped roles [] -> domain mapped roles []
11:47:16,057 INFO [io.undertow.accesslog] (default task-4) [14/Apr/2022:11:47:16 +0100] "POST /user-login.xhtml HTTP/1.1" 302 - - https HTTP/1.1
11:47:16,057 TRACE [org.wildfly.security.http.servlet] (default task-4) ServerAuthContext.validateRequest returned AuthStatus=AuthStatus.SEND_CONTINUE
11:47:16,065 TRACE [org.wildfly.security.http.servlet] (default task-4) Created ServletSecurityContextImpl enableJapi=true, integratedJaspi=false, applicationContext=my-webapp
11:47:16,065 TRACE [org.wildfly.security] (default task-4) Handling CallerPrincipalCallback
11:47:16,065 TRACE [org.wildfly.security] (default task-4) Original Principal = 'javax.security.enterprise.CallerPrincipal@317242d5', Caller Name = 'null', Resulting Principal = 'javax.security.enterprise.CallerPrincipal@317242d5'
11:47:16,066 TRACE [org.wildfly.security] (default task-4) Role mapping: principal [javax.security.enterprise.CallerPrincipal@317242d5] -> decoded roles [] -> domain decoded roles [] -> realm mapped roles [] -> domain mapped roles []
11:47:16,066 TRACE [org.wildfly.security.http.servlet] (default task-4) ServerAuthContext.validateRequest returned AuthStatus=AuthStatus.SUCCESS
11:47:16,066 TRACE [org.wildfly.security] (default task-4) No roles request of CallbackHandler.
11:47:16,066 TRACE [org.wildfly.security.http.servlet] (default task-4) Storing SecurityIdentity in HttpSession
11:47:16,066 TRACE [org.wildfly.security] (default task-4) Role mapping: principal [javax.security.enterprise.CallerPrincipal@317242d5] -> decoded roles [] -> domain decoded roles [] -> realm mapped roles [] -> domain mapped roles []
11:47:16,068 TRACE [org.wildfly.security] (default task-4) Role mapping: principal [javax.security.enterprise.CallerPrincipal@317242d5] -> decoded roles [] -> domain decoded roles [] -> realm mapped roles [] -> domain mapped roles []
11:47:16,068 TRACE [org.wildfly.security] (default task-4) Permission mapping: identity [javax.security.enterprise.CallerPrincipal@317242d5] with roles [] implies ("javax.security.jacc.WebResourcePermission" "/user/home.xhtml" "GET") = false
11:47:16,069 INFO [io.undertow.accesslog] (default task-4) [14/Apr/2022:11:47:16 +0100] "GET /user/home.xhtml HTTP/1.1" 403 68 - https HTTP/1.1


I thought that when I call the securityContext.authenticate(...) method from my app and get a SUCCESS response, the container is notified and the roles are updated?

I am currently using the ApplicationDomain defined in standalone-full.xml and have tried various role-decoder settings, but I can't get it working... Do I need to programmatically set the security roles from my app?

The question with more detail is posted on SO below:

https://stackoverflow.com/questions/71870956/jakarta-ee-8-security-wildfly-26-elytron-role-not-being-set

David Baddeley

Apr 20, 2022, 11:59:34 AM
to WildFly
OK, in case anyone is looking for the answer to this: if you are using @CustomFormAuthenticationMechanismDefinition with a custom IdentityStore, you need to implement two IdentityStores, one that overrides the validate method (like the one I have shown above) and another that assigns the roles/groups by overriding the getCallerGroups method and setting ValidationType.PROVIDE_GROUPS. Then the roles are assigned to the principal and all is good.
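The two-store arrangement described in the reply above, written out as an added example (it is not code from the thread or from WildFly): one IdentityStore that only validates the submitted username/password, and a second one that only supplies groups via PROVIDE_GROUPS. The class names, the sample user "alice" and the group "user" are constructed; the verification delegates to the Jakarta Security Pbkdf2PasswordHash so no plaintext password is stored.

```java
import java.util.EnumSet;
import java.util.Map;
import java.util.Set;
import javax.annotation.PostConstruct;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.security.enterprise.identitystore.Pbkdf2PasswordHash;

@ApplicationScoped // CredentialStore.java (hypothetical name): validates credentials, assigns no groups
public class CredentialStore implements IdentityStore {
    @Inject private Pbkdf2PasswordHash passwordHash;
    private String sampleHash; // constructed sample user "alice"; a real store reads a DB/LDAP
    @PostConstruct
    void init() {
        passwordHash.initialize(Map.of()); // library defaults: salted PBKDF2, iteration count built in
        sampleHash = passwordHash.generate("s3cret".toCharArray()); // constructed password, hashed once
    }
    @Override
    public CredentialValidationResult validate(Credential credential) {
        if (!(credential instanceof UsernamePasswordCredential)) {
            return CredentialValidationResult.NOT_VALIDATED_RESULT; // not our credential type; let others try
        }
        UsernamePasswordCredential upc = (UsernamePasswordCredential) credential;
        if ("alice".equals(upc.getCaller()) && passwordHash.verify(upc.getPassword().getValue(), sampleHash)) {
            return new CredentialValidationResult(upc.getCaller()); // caller name only, no groups yet
        }
        return CredentialValidationResult.INVALID_RESULT;
    }
    @Override
    public Set<ValidationType> validationTypes() {
        return EnumSet.of(ValidationType.VALIDATE); // this store is never asked for groups
    }
}

@ApplicationScoped // GroupStore.java (hypothetical name): supplies the groups that become security roles
public class GroupStore implements IdentityStore {
    @Override
    public Set<String> getCallerGroups(CredentialValidationResult validationResult) {
        String caller = validationResult.getCallerPrincipal().getName(); // set by the validating store
        return "alice".equals(caller) ? Set.of("user") : Set.of(); // constructed mapping; a real store reads a DB/LDAP
    }
    @Override
    public Set<ValidationType> validationTypes() {
        return EnumSet.of(ValidationType.PROVIDE_GROUPS); // groups only; validate() is never called here
    }
}
```

The group names returned here are what the container checks against the role named in the security constraint protecting /user/home.xhtml, so "user" must match that role-name (and each class goes in its own source file).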