Unable to setup BASIC auth in 21.0.0


Mike Douglass

Nov 24, 2020, 11:48:44 AM11/24/20
to WildFly
I wonder if somebody can tell me what I have wrong...

I'm deploying an ear containing multiple wars - some of which (e.g. CalDAV) require BASIC auth and others FORM. This works fine in WildFly 17.

Trying to set up 21.0.0 I've followed a bunch of examples but BASIC auth is not available. The error message I see on startup is

    "jboss.deployment.subunit.\"bw-cal-3.13.3-SNAPSHOT.ear\".\"bw-calendar-engine-userws-3.13.3-SNAPSHOT.war\".undertow-deployment" => "java.lang.RuntimeException: java.lang.IllegalStateException: The required mechanism 'BASIC' is not available in mechanisms [FORM] from the HttpAuthenticationFactory.

My config contains:

<ldap-realm name="bedeworkRealm" dir-context="bedeworkLdapConnection">
   <identity-mapping rdn-identifier="uid" search-base-dn="ou=accounts,dc=bedework,dc=org">
     <attribute-mapping>
       <attribute from="uid" to="Roles" filter="(uniqueMember={1})" filter-base-dn="ou=groups,dc=bedework,dc=org"/>
     </attribute-mapping>
   </identity-mapping>
</ldap-realm>
...
<http-authentication-factory name="bedeworkAuth" security-domain="bedeworkSD" http-server-mechanism-factory="global">
   <mechanism-configuration>
     <mechanism mechanism-name="BASIC">
       <mechanism-realm realm-name="bedework"/>
     </mechanism>
     <mechanism mechanism-name="FORM"/>
   </mechanism-configuration>
</http-authentication-factory>
<provider-http-server-mechanism-factory name="global"/>
</http>
...
<subsystem xmlns="urn:jboss:domain:undertow:11.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
...
<application-security-domains>
   <application-security-domain name="other" security-domain="ApplicationDomain"/>
   <application-security-domain name="bedework" http-authentication-factory="bedeworkAuth"/>
</application-security-domains>
</subsystem>

If I look at this with the cli I get this:
ls subsystem=elytron/http-authentication-factory=bedeworkAuth

available-mechanisms=["FORM"]
http-server-mechanism-factory=global
mechanism-configurations=[{"mechanism-name" => "BASIC","mechanism-realm-configurations" => [{"realm-name" => "bedework"}]},{"mechanism-name" => "FORM"}]
security-domain=bedeworkSD

Sure enough - FORM is there but no BASIC

I tried configuring a new one with just BASIC with the following result:

/subsystem=elytron/http-authentication-factory=bedeworkAuthentication:add(\

> http-server-mechanism-factory=global,\
> security-domain=bedeworkSD,\
> mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=bedework}]}])
{"outcome" => "success"}

ls subsystem=elytron/http-authentication-factory=bedeworkAuthentication

available-mechanisms=undefined
http-server-mechanism-factory=global
mechanism-configurations=[{"mechanism-name" => "BASIC","mechanism-realm-configurations" => [{"realm-name" => "bedework"}]}]
security-domain=bedeworkSD

There are apparently no server mechanisms

James Perkins

Nov 25, 2020, 5:29:09 PM11/25/20
to WildFly
Have a look at http://www.mastertheboss.com/jboss-server/jboss-security/configuring-http-basic-authentication-with-wildfly. I just happened to be doing some testing on this recently and it worked for me.

Mike Douglass

Nov 27, 2020, 1:47:22 PM11/27/20
to WildFly
Thanks for that pointer. Looking over that article, it looked pretty much identical to what I had - I copied and pasted the entire setup into my deployment and BASIC certainly shows up as an available mechanism.

The only real difference I could see is that the example used a filesystem-realm and I have an ldap-realm.

So I switched my bedeworkRealm to be a filesystem-realm and here's the result:

Before the switch:

ls /subsystem=elytron/http-authentication-factory=bedeworkAuth

available-mechanisms=["FORM"]
http-server-mechanism-factory=global
mechanism-configurations=[{"mechanism-name" => "BASIC","mechanism-realm-configurations" => [{"realm-name" => "bedework"}]},{"mechanism-name" => "FORM"}]
security-domain=bedeworkSD

after the switch - no other change:

ls /subsystem=elytron/http-authentication-factory=bedeworkAuth
available-mechanisms=["BASIC","FORM"]

http-server-mechanism-factory=global
mechanism-configurations=[{"mechanism-name" => "BASIC","mechanism-realm-configurations" => [{"realm-name" => "bedework"}]},{"mechanism-name" => "FORM"}]
security-domain=bedeworkSD

So it appears WildFly doesn't like my ldap-realm.
I'm not seeing any startup errors. I have org.wildfly.security and org.wildfly.elytron both set to TRACE.

This is my config

ls /subsystem=elytron/ldap-realm=bedeworkRealm
allow-blank-password=false
dir-context=bedeworkLdapConnection
direct-verification=false
identity-mapping={"rdn-identifier" => "uid","search-base-dn" => "ou=accounts,dc=bedework,dc=org","attribute-mapping" => [{"from" => "uid","to" => "Roles","filter" => "(uniqueMember={1})","filter-base-dn" => "ou=groups,dc=bedework,dc=org"}]}

ls /subsystem=elytron/security-domain=bedeworkSD
default-realm=bedeworkRealm
evidence-decoder=undefined
outflow-anonymous=false
outflow-security-domains=undefined
permission-mapper=default-permission-mapper
post-realm-principal-transformer=undefined
pre-realm-principal-transformer=undefined
principal-decoder=undefined
realm-mapper=undefined
realms=[{"realm" => "bedeworkRealm","role-decoder" => "from-roles-attribute"}]
role-decoder=undefined
role-mapper=undefined
security-event-listener=undefined
trusted-security-domains=undefined

which becomes:
...
<security-domain name="bedeworkSD" default-realm="bedeworkRealm" permission-mapper="default-permission-mapper">
   <realm name="bedeworkRealm" role-decoder="from-roles-attribute"/>
</security-domain>
...
<ldap-realm name="bedeworkRealm" dir-context="bedeworkLdapConnection">
   <identity-mapping rdn-identifier="uid" search-base-dn="ou=accounts,dc=bedework,dc=org">
     <attribute-mapping>
      <attribute from="uid" to="Roles" filter="(uniqueMember={1})" filter-base-dn="ou=groups,dc=bedework,dc=org"/>
     </attribute-mapping>
   </identity-mapping>
</ldap-realm>
...
<dir-contexts>
   <dir-context name="bedeworkLdapConnection" url="ldap://localhost:10389" principal="uid=admin,ou=system">
     <credential-reference clear-text="secret"/>
   </dir-context>
</dir-contexts>

(connecting to a test apache directory server).

Any ideas on why this ldap-realm is a problem?

Sonia Zaldana Calles

Nov 27, 2020, 3:16:49 PM11/27/20
to WildFly
Hi,

I just tested it out myself and I can see BASIC in the list of available mechanisms using the LDAP realm as follows:

ls subsystem=elytron/http-authentication-factory=example-ldap-http-auth
available-mechanisms=["BASIC"]
http-server-mechanism-factory=global
mechanism-configurations=[{"mechanism-name" => "BASIC","mechanism-realm-configurations" => [{"realm-name" => "myApplicationDomain"}]}]
security-domain=exampleLdapSD

Hope it helps!

Mike Douglass

Nov 27, 2020, 9:40:33 PM11/27/20
to WildFly
That did it. The only change I made was to add this

<user-password-mapper from="userPassword" />

to the ldap-realm. I'm not sure how I lost that - copy/paste error I guess - but there were no error messages to suggest what might be at fault.

Thank you all for the help.
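Added example, not a post from this thread and not the poster's verbatim configuration: the Elytron fragments from the thread assembled with the `user-password-mapper` that turned out to be missing. Realm, domain, factory and dir-context names, the DNs and the LDAP URL are the ones quoted above; the `simple-role-decoder` definition and the credential-store name and alias are assumptions shown for completeness. The fragments belong inside the existing `urn:wildfly:elytron` subsystem element and the undertow `application-security-domain` stays as shown in the first post.

```xml
<!-- Added example, assembled from the thread's fragments. Not the poster's exact config. -->

<security-domains>
   <security-domain name="bedeworkSD" default-realm="bedeworkRealm"
                    permission-mapper="default-permission-mapper">
     <realm name="bedeworkRealm" role-decoder="from-roles-attribute"/>
   </security-domain>
</security-domains>

<security-realms>
   <ldap-realm name="bedeworkRealm" dir-context="bedeworkLdapConnection">
     <identity-mapping rdn-identifier="uid" search-base-dn="ou=accounts,dc=bedework,dc=org">
       <attribute-mapping>
         <!-- every group under ou=groups whose uniqueMember is the user's DN
              becomes a value of the "Roles" attribute on the identity -->
         <attribute from="uid" to="Roles" filter="(uniqueMember={1})"
                    filter-base-dn="ou=groups,dc=bedework,dc=org"/>
       </attribute-mapping>
       <!-- The line the thread was missing. Without a password mapper (and with
            direct-verification left at false) the realm cannot verify a password,
            and the http-authentication-factory quietly omits BASIC from
            available-mechanisms instead of logging an error. -->
       <user-password-mapper from="userPassword"/>
     </identity-mapping>
   </ldap-realm>
</security-realms>

<mappers>
   <!-- assumed: turns the "Roles" attribute filled above into the identity's roles -->
   <simple-role-decoder name="from-roles-attribute" attribute="Roles"/>
</mappers>

<http>
   <http-authentication-factory name="bedeworkAuth" security-domain="bedeworkSD"
                                http-server-mechanism-factory="global">
     <mechanism-configuration>
       <mechanism mechanism-name="BASIC">
         <mechanism-realm realm-name="bedework"/>
       </mechanism>
       <mechanism mechanism-name="FORM"/>
     </mechanism-configuration>
   </http-authentication-factory>
   <provider-http-server-mechanism-factory name="global"/>
</http>

<dir-contexts>
   <!-- The thread used <credential-reference clear-text="secret"/>, which leaves the
        LDAP bind password readable in standalone.xml. A credential-store reference
        keeps it out of the config file; store name and alias here are assumed. -->
   <dir-context name="bedeworkLdapConnection" url="ldap://localhost:10389"
                principal="uid=admin,ou=system">
     <credential-reference store="bedeworkCredStore" alias="ldap-bind"/>
   </dir-context>
</dir-contexts>
```

After reloading, the same CLI check the thread used is the quickest confirmation: `ls /subsystem=elytron/http-authentication-factory=bedeworkAuth` should now list `available-mechanisms=["BASIC","FORM"]`. Because Elytron derives that list from what the security domain's realms can actually verify, a realm that cannot check passwords (no `user-password-mapper`, `direct-verification` false) shows up as a missing mechanism rather than as a startup error, which is why TRACE logging in the thread turned up nothing. BASIC transmits the password base64-encoded on every request, so the CalDAV endpoints that require it should only be reachable over HTTPS.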