How to build custom CallbackHandler on top of WildFly's Elytron subsystem, custom authentication mechanism


Ashok Ilapavluri

Sep 5, 2023, 11:07:56 AM
to WildFly
Hi Team,

I am following the below project to implement WildFly Elytron custom authentication:


Here I want to do the authentication via my identity providers; for that I need to build my custom CallbackHandler.

Please provide any sample code to build a custom CallbackHandler on top of the above WildFly Elytron subsystem custom authentication mechanism, and the changes I need to make in the standalone.xml file.

Thanks
Ashok.

Ashok Ilapavluri

Sep 6, 2023, 1:07:13 PM
to WildFly
With the default CallbackHandler it is working fine, but if I implement a custom CallbackHandler I get the below error:

java.lang.IllegalArgumentException: Parameter 'securityIdentity' may not be null
at org.wildf...@1.6.0.Final//org.wildfly.common.Assert.checkNotNullParamChecked(Assert.java:71)
at org.wildf...@1.6.0.Final//org.wildfly.common.Assert.checkNotNullParam(Assert.java:49)
at org.wildfly.security.ely...@3.0.1.Final//org.wildfly.elytron.web.undertow.server.ElytronAccount.<init>(ElytronAccount.java:50)
at org.wildfly.security.ely...@3.0.1.Final//org.wildfly.elytron.web.undertow.server.ElytronHttpExchange.authenticationComplete(ElytronHttpExchange.java:157)
at org.wildfly.secu...@2.1.0.Final//org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticationComplete(HttpAuthenticator.java:422)
at org.wildfly.secu...@2.1.0.Final//org.wildfly.security.http.HttpServerRequest.authenticationComplete(HttpServerRequest.java:129)



My custom CallbackHandler looks like this:
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import org.wildfly.security.auth.callback.EvidenceVerifyCallback;
import org.wildfly.security.evidence.PasswordGuessEvidence;

public class CustomCallbackHandler implements CallbackHandler {

    private String username;
    // Set elsewhere in the class (not shown in the posted snippet).
    private String authenticationID;

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (callback instanceof NameCallback) {
                // Remember the user name the mechanism collected.
                NameCallback nameCallback = (NameCallback) callback;
                username = nameCallback.getName();
            } else if (callback instanceof EvidenceVerifyCallback) {
                // Verify the password guess and report the result back to Elytron.
                EvidenceVerifyCallback evidenceVerifyCallback = (EvidenceVerifyCallback) callback;
                PasswordGuessEvidence evidence = (PasswordGuessEvidence) evidenceVerifyCallback.getEvidence();
                boolean verified = verifyEvidence(username, evidence);
                evidenceVerifyCallback.setVerified(verified);
            } else if (callback instanceof AuthorizeCallback) {
                handleAuthorizeCallback((AuthorizeCallback) callback);
            } else {
                throw new UnsupportedCallbackException(callback, "Unsupported callback type");
            }
        }
    }

    private void handleAuthorizeCallback(AuthorizeCallback callback) {
        callback.setAuthorizedID(authenticationID);
        callback.setAuthorized(true);
    }

    // Placeholder as posted: accepts every guess without checking it.
    private boolean verifyEvidence(String username, PasswordGuessEvidence evidence) {
        return true;
    }
}


Please let me know if I missed anything.

Ashok Ilapavluri

Sep 8, 2023, 1:52:21 AM
to WildFly
Hi Team,

Can someone look into the below and share your thoughts?

Diana Krepinska

Sep 8, 2023, 9:16:00 AM
to WildFly
Hello, if you want to authenticate users with your custom code, maybe you want to look into implementing a custom security realm and not a custom callback handler? https://www.mastertheboss.com/jbossas/jboss-security/how-to-create-a-custom-elytron-realm/
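
A custom Elytron security realm of the kind Diana describes, added here as an example; it is not code from this thread or from the WildFly project. `IdentityProviderRealm`, its nested `IdentityProviderClient` interface and the `connect()` hook are assumptions standing in for Ashok's third-party identity provider, while `SecurityRealm`, `RealmIdentity`, `SupportLevel` and `PasswordGuessEvidence` are Elytron's own types. Unlike the `verifyEvidence` stub in the handler above, the realm answers true only when the provider confirms the guess, and the security domain builds the `SecurityIdentity` that `ElytronAccount` needs from the realm's `RealmIdentity`.

```java
import java.security.Principal;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Map;
import org.wildfly.security.auth.SupportLevel;
import org.wildfly.security.auth.principal.NamePrincipal;
import org.wildfly.security.auth.server.RealmIdentity;
import org.wildfly.security.auth.server.SecurityRealm;
import org.wildfly.security.credential.Credential;
import org.wildfly.security.evidence.Evidence;
import org.wildfly.security.evidence.PasswordGuessEvidence;

// Elytron asks the realm for a RealmIdentity and then asks that identity to verify the
// PasswordGuessEvidence the HTTP mechanism collected; no CallbackHandler is involved.
public abstract class IdentityProviderRealm implements SecurityRealm {
    // Hypothetical client for the third-party identity provider (an assumption, not a real API).
    public interface IdentityProviderClient {
        boolean userExists(String username);
        boolean checkPassword(String username, char[] password);
    }
    private IdentityProviderClient provider;
    // A concrete subclass builds the client; WildFly calls initialize(Map) reflectively with the
    // <configuration> properties of the <custom-realm> whose class-name points at that subclass.
    protected abstract IdentityProviderClient connect(Map<String, String> configuration);
    public void initialize(Map<String, String> configuration) { this.provider = connect(configuration); }

    // The provider only verifies passwords and never hands them out, so no credential can be acquired.
    @Override public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> type, String alg, AlgorithmParameterSpec spec) {
        return SupportLevel.UNSUPPORTED;
    }
    @Override public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> type, String alg) {
        return PasswordGuessEvidence.class.isAssignableFrom(type) ? SupportLevel.POSSIBLY_SUPPORTED : SupportLevel.UNSUPPORTED;
    }

    @Override public RealmIdentity getRealmIdentity(Principal principal) {
        if (!(principal instanceof NamePrincipal)) return RealmIdentity.NON_EXISTENT;
        String name = principal.getName();
        return new RealmIdentity() {
            @Override public Principal getRealmIdentityPrincipal() { return principal; }
            @Override public boolean exists() { return provider.userExists(name); }
            @Override public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> t, String a, AlgorithmParameterSpec s) { return SupportLevel.UNSUPPORTED; }
            @Override public <C extends Credential> C getCredential(Class<C> t) { return null; }
            @Override public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> t, String a) { return PasswordGuessEvidence.class.isAssignableFrom(t) ? SupportLevel.SUPPORTED : SupportLevel.UNSUPPORTED; }
            @Override public boolean verifyEvidence(Evidence evidence) {
                // True only once the provider has confirmed the guess, never unconditionally.
                return evidence instanceof PasswordGuessEvidence
                        && provider.checkPassword(name, ((PasswordGuessEvidence) evidence).getGuess());
            }
        };
    }
}
```

The concrete subclass is registered in the elytron subsystem with `<custom-realm name="myRealm" module="..." class-name="...">` and referenced from a security domain the same way a jaas-realm is.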

Ashok Ilapavluri

Sep 8, 2023, 10:07:35 AM
to Diana Krepinska, WildFly
Hi Diana,

Thank you for your quick response. Currently we are on WildFly 24 and using "io.undertow.servlet.handlers.security.ServletFormAuthenticationMechanism" for custom form-based authentication, and it is working fine.


<jboss-web>
    <context-root>/api</context-root>
    <security-domain>java:/jaas/IdentityProvider</security-domain>
</jboss-web>

And we configured our IdentityProvider in the security domain like this:

<security-domain name="IdentityProvider" cache-type="default">
    <authentication>
        <login-module .........
        </login-module>
    </authentication>
</security-domain>



Now we are migrating to WildFly 28 and planning to use the latest Elytron security APIs like HttpServerAuthenticationMechanism or UsernamePasswordAuthenticationMechanism by following the below:


But here I didn't see how to integrate with the 3rd-party application (IdentityProvider) for authentication rather than depending on Elytron default authentication.

Please help me with the steps I need to follow to integrate my custom implementation of HttpServerAuthenticationMechanism/UsernamePasswordAuthenticationMechanism with the IdentityProvider I am using, which actually takes care of my authentication. Do I need to use the jaas-realm mentioned in the below?


If so, how do I integrate that with HttpServerAuthenticationMechanism/UsernamePasswordAuthenticationMechanism?

Hope I didn't confuse you. Really appreciate your help.


Thanks
Ashok.

--
You received this message because you are subscribed to the Google Groups "WildFly" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wildfly+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wildfly/eaeec175-89c9-49b5-85fb-1feeba4c66adn%40googlegroups.com.

Ashok Ilapavluri

Sep 13, 2023, 5:01:10 AM
to Diana Krepinska, WildFly
Hi Team,

Any help on the below?

WildFly

Sep 19, 2023, 8:23:24 AM
to WildFly
Hi, the custom authentication code with the 3rd party can be provided via the custom security realm as I linked above.

And if your existing login-module is a custom LoginModule that has no dependency on legacy PicketBox security, then you can use jaas-realm.

Ashok Ilapavluri

Sep 19, 2023, 11:45:09 AM
to WildFly
Hi Dvilkola,

Thank you for your response,

I made it work by doing the below; please let me know whether this is the right way to do it or not.

In the standalone.xml, under the wildfly elytron subsystem, I added a new security domain:

<security-domain name="mySD" default-realm="myRealm" permission-mapper="default-permission-mapper">
    <realm name="myRealm"/>
</security-domain>

and a new jaas-realm:

<jaas-realm name="myRealm" entry="test" module="com.broadcom.itpam.customauth.custom-auth" callback-handler="com.broadcom.itpam.custommodule.CustomCallbackHandler">
    <file path="C:\ITPAM_WildFly_POC\customAuth\JAAS-login-modules.conf"/>
</jaas-realm>

Added new http-authentication-factory & corresponding service-loader-http-server-mechanism-factory:

<http-authentication-factory name="custom-mechanism" security-domain="mySD" http-server-mechanism-factory="custom-factory">
    <mechanism-configuration>
        <mechanism mechanism-name="CUSTOM_MECHANISM">
            <mechanism-realm realm-name="myRealm"/>
        </mechanism>
    </mechanism-configuration>
</http-authentication-factory>

<service-loader-http-server-mechanism-factory name="custom-factory" module="com.broadcom.itpam.customauth.custom-http-mechanism"/>


In the undertow subsystem, I replaced

<application-security-domains>
    <application-security-domain name="other" security-domain="ApplicationDomain"/>
</application-security-domains>

with

<application-security-domains>
    <application-security-domain name="other" http-authentication-factory="custom-mechanism" override-deployment-config="true"/>
</application-security-domains>

And I implemented two separate modules, one for the JAAS-login-modules and the other for the custom-http-mechanism.

In a nutshell, I combined both a custom `HttpServerAuthenticationMechanism` and a custom `LoginModule` by following the below two:

Please let me know whether it is the right way to do it or not.

Diana Krepinska

Sep 25, 2023, 1:22:39 PM
to WildFly
Your solution looks good to me.

Ashok Ilapavluri

Sep 26, 2023, 12:20:34 AM
to WildFly
Thank you Diana, for the confirmation.