Need help understanding: The required mechanism 'SSO' is not available


matt e (aldiyen)

May 28, 2024, 7:24:04 AM
to WildFly
Hello,

I'm running Wildfly 20.0.1 and in preparation for upgrading to a newer version I'm trying to migrate from a configuration using the legacy <management><security-realm> type configuration to using the elytron subsystem for managing security realms etc., and when I try to deploy my webapps I get this error in my logs:

2024-05-22 14:32:04,355 [ServerService Thread Pool -- 88] ERROR                         org.jboss.msc.service.fail - MSC000001: Failed to start service jboss.deployment.unit."paytronix.server.webapp.legacy-web-24.21-develop-SNAPSHOT.war".undertow-deployment: org.jboss.msc.service.StartException in service jboss.deployment.unit."paytronix.server.webapp.legacy-web-24.21-develop-SNAPSHOT.war".undertow-deployment: java.lang.RuntimeException: java.lang.IllegalStateException: The required mechanism 'SSO' is not available in mechanisms [BASIC, CLIENT_CERT, FORM] from the HttpAuthenticationFactory.

My undertow subsystem looks like this:

<subsystem xmlns="urn:jboss:domain:undertow:11.0">
    <buffer-cache name="default"/>
    <application-security-domains>
        <application-security-domain name="merchant-web" security-domain="merchant-web">
        </application-security-domain>
    </application-security-domains>
    <server name="default-server">
        <http-listener name="http" tcp-keep-alive="true" read-timeout="60000" write-timeout="60000" socket-binding="http" max-post-size="10485760" max-parameters="1000" record-request-start-time="true" no-request-timeout="60000" request-parse-timeout="2000" redirect-socket="https-443" enable-http2="true"/>
        <https-listener name="https" tcp-keep-alive="true" read-timeout="3600000" write-timeout="3600000" socket-binding="https" max-post-size="209715200" max-parameters="5000" record-request-start-time="true" no-request-timeout="60000" request-parse-timeout="2000" ssl-context="webserverSSC" enable-http2="true"/>
        <host name="default-host" alias="localhost">
            <access-log pattern="%h,%{i,PX-LB-Connecting-IP},%{i,CF-Connecting-IP} %{i,CF-Ray} %l %u %t %{i,Host} &quot;%r&quot; %s %b &quot;%{i,Referer}&quot; &quot;%{i,User-Agent}&quot; %D %S %{c,SESSIONIDSSO}" prefix="localhost_access_log."/>
            <single-sign-on path="/" http-only="true" secure="true" cookie-name="SESSIONIDSSO"/>
        </host>
    </server>
    <servlet-container name="default" eager-filter-initialization="true">
        <jsp-config/>
        <session-cookie name="SESSIONID" http-only="true" secure="true"/>
        <websockets/>
    </servlet-container>
</subsystem>

I've looked at the documentation and the only information there seems to relate to SSO between multiple Wildfly instances, which I do not need -- I only need SSO between WARs. I've also spent a fair amount of time looking at the Wildfly/Wildfly Elytron/Undertow source code but I don't understand how I'm supposed to cause it to be registered.

I've tried configuring <single-sign-on> within my <application-security-domain> even though that seems to relate to the multi-application SSO, but that didn't get rid of the error message either.

I'm sort of at a loss here regarding how this is supposed to be configured, so hopefully someone here will have some insight.

Thanks very much!
-Matt

Prarthona Paul

Jun 4, 2024, 10:28:47 AM
to WildFly
Hello there, 
Could you please share the http-authentication-factory configuration inside your elytron subsystem? 
It seems like you are using a mechanism that is not supported.
Here is more information about how to set up SSO using WildFly: https://docs.wildfly.org/20/WildFly_Elytron_Security.html#Web_Single_Sign_On
Please feel free to follow up with any questions you may have.
Best, 
Prarthona

matt e (aldiyen)

Jun 4, 2024, 11:12:47 AM
to WildFly
It seems that the single-sign-on in the <host> element is deprecated and does not work when using the Elytron subsystem for authentication. It looks like if I remove that part entirely it may work, though I'm having other troubles with my authentication mechanisms so haven't been able to test. I guess I am all set on this for now.

Thanks!
-Matt
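
A configuration check for the combination the last post identifies: a single-sign-on element under the undertow host while Elytron application-security-domains are defined. This is an added example, not part of the thread and not WildFly code; the helper names and the trimmed sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the undertow subsystem from the first post, trimmed
# to the elements this check reads.
SAMPLE = """<subsystem xmlns="urn:jboss:domain:undertow:11.0">
  <application-security-domains>
    <application-security-domain name="merchant-web" security-domain="merchant-web"/>
  </application-security-domains>
  <server name="default-server">
    <host name="default-host" alias="localhost">
      <single-sign-on path="/" http-only="true" secure="true" cookie-name="SESSIONIDSSO"/>
    </host>
  </server>
</subsystem>"""

def local(tag):
    """Drop the '{namespace}' prefix so any undertow schema version matches."""
    return tag.rsplit("}", 1)[-1]

def kids(elem, name):
    return [c for c in elem if local(c.tag) == name]

def find_legacy_sso(xml_text):
    """List host-level <single-sign-on> elements that coexist with Elytron
    application-security-domains (hypothetical helper, not a WildFly API)."""
    findings = []
    for sub in ET.fromstring(xml_text).iter():
        if local(sub.tag) != "subsystem" or "undertow" not in sub.tag:
            continue
        domains = [d for group in kids(sub, "application-security-domains")
                   for d in kids(group, "application-security-domain")]
        if not domains:
            continue  # no Elytron mapping, so the combination is absent
        for server in kids(sub, "server"):
            for host in kids(server, "host"):
                for sso in kids(host, "single-sign-on"):
                    findings.append({
                        "server": server.get("name"),
                        "host": host.get("name"),
                        "cookie": sso.get("cookie-name"),
                        # Elytron domains that define no <single-sign-on> of their own
                        "domains_without_sso": [d.get("name") for d in domains
                                                if not kids(d, "single-sign-on")],
                    })
    return findings

print(find_legacy_sso(SAMPLE))
```

The function also accepts a full standalone.xml, since it looks for the undertow subsystem at any depth.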