Wildfly 26.1.0 -- UT010062: No SecurityContext available


Yoan Ganne

May 10, 2022, 6:06:31 PM
to WildFly
Hi, I'm working on updating our environment to WildFly 26.1.0 but I'm having some problems with the porting of a custom login-module from the legacy security subsystem to Elytron.
The server seems to run as expected, but when we try to log in to the deployed app we get a "UT010062: No SecurityContext available" error.
If someone has any clue on how this context can be added or what we are doing wrong, we would appreciate it.
We are new to this and we are not sure of the proper way to configure the new security in Elytron using a custom module based on the legacy subsystem.

Thank you in advance for taking the time,

Yoan

* For more details on what we have (log, modules, standalone, etc.), I've put some below and can provide more if needed.

********************************************************************************************

Here is the trace we get at login:
2022-05-10 17:10:08,509 SEVE (default task-1) com.logibec.ai.webapp.rest.LoginServlet.doGet  javax.servlet.ServletException: UT010062: No SecurityContext available
    at io.undert...@2.2.16.Final//io.undertow.servlet.spec.HttpServletRequestImpl.login(HttpServletRequestImpl.java:497)
    at deployment.QuarantineWebAppEAR.ear.QuarantineWebApp.war//com.logibec.ai.webapp.rest.LoginServlet.doGet(LoginServlet.java:81)
    at deployment.QuarantineWebAppEAR.ear.QuarantineWebApp.war//com.logibec.ai.webapp.rest.LoginServlet.doPost(LoginServlet.java:98)
    at javax.se...@2.0.0.Final//javax.servlet.http.HttpServlet.service(HttpServlet.java:523)
    at javax.se...@2.0.0.Final//javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
    at io.undert...@2.2.16.Final//io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
    at io.undert...@2.2.16.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at deployment.QuarantineWebAppEAR.ear.QuarantineWebApp.war//com.logibec.ai.webapp.filter.LoginFilter.doFilter(LoginFilter.java:105)
    at io.undert...@2.2.16.Final//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undert...@2.2.16.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undert...@2.2.16.Final//io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undert...@2.2.16.Final//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
    at io.undert...@2.2.16.Final//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at io.undert...@2.2.16.Final//io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
    at org.wildfly.ext...@26.1.0.Final//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undert...@2.2.16.Final//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
    at io.under...@2.2.16.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undert...@2.2.16.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:275)
    at io.undert...@2.2.16.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:79)
    at io.undert...@2.2.16.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:134)
    at io.undert...@2.2.16.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:131)
    at io.undert...@2.2.16.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undert...@2.2.16.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.ext...@26.1.0.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
    at org.wildfly.ext...@26.1.0.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
    at org.wildfly.ext...@26.1.0.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
    at org.wildfly.ext...@26.1.0.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
    at org.wildfly.ext...@26.1.0.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)
    at io.undert...@2.2.16.Final//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:255)
    at io.undert...@2.2.16.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:79)
    at io.undert...@2.2.16.Final//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:100)
    at io.under...@2.2.16.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:387)
    at io.under...@2.2.16.Final//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:852)
    at org.jbos...@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jbos...@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
    at org.jbos...@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
    at org.jbos...@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
    at org.jbo...@3.8.6.Final//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1280)
    at java.base/java.lang.Thread.run(Thread.java:832)


********************************************************************************************

Our current working version uses WildFly Full 22.0.1.Final (WildFly Core 14.0.1.Final) with these subsystems in standalone.xml:

        <subsystem xmlns="urn:jboss:domain:security:2.0">
           <security-domains>
               <security-domain name="other" cache-type="default">
                   <authentication>
                       <login-module code="com.logibec.xds.security.CustomSecurityModuleWIthHashedPwdDB" flag="sufficient" module="resources.logibec"/>
                   </authentication>
                   <authorization>
                       <policy-module code="Delegating" flag="required"/>
                   </authorization>
               </security-domain>
               <security-domain name="jboss-web-policy" cache-type="default">
                   <authorization>
                       <policy-module code="Delegating" flag="required"/>
                   </authorization>
               </security-domain>
               <security-domain name="jboss-ejb-policy" cache-type="default">
                   <authorization>
                       <policy-module code="Delegating" flag="required"/>
                   </authorization>
               </security-domain>
           </security-domains>
       </subsystem>
       
       <subsystem xmlns="urn:jboss:domain:security-manager:1.0">
            <deployment-permissions>
                <maximum-set>
                    <permission class="java.security.AllPermission"/>
                </maximum-set>
            </deployment-permissions>
        </subsystem>
       
        <subsystem xmlns="urn:jboss:domain:undertow:11.0">
            <buffer-cache name="default"/>
            <server name="default-server">
                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
                <https-listener name="https" socket-binding="https" security-realm="ssl-realm" verify-client="REQUIRED" enable-http2="true"/>
                <host name="default-host" alias="localhost">
                    <filter-ref name="Content-Security-Policy"/>
                    <filter-ref name="X-Content-Type-Options"/>
                    <filter-ref name="X-Frame-Options"/>
                    <filter-ref name="Strict-Transport-Security"/>
                    <single-sign-on path="/" http-only="true" secure="true"/>
                </host>
            </server>
            <servlet-container name="default">
                <jsp-config/>
                <session-cookie http-only="true" secure="true"/>
                <websockets/>
            </servlet-container>
            <filters>
                <response-header name="Content-Security-Policy" header-name="Content-Security-Policy" header-value="default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'"/>
                <response-header name="X-Content-Type-Options" header-name="X-Content-Type-Options" header-value="nosniff"/>
                <response-header name="X-Frame-Options" header-name="X-Frame-Options" header-value="DENY"/>
                <response-header name="Strict-Transport-Security" header-name="Strict-Transport-Security" header-value="max-age=31536000 ; includeSubDomains"/>
            </filters>
        </subsystem>
       
And security realms:

        <security-realms>
            <security-realm name="ManagementRealm">
                <authentication>
                    <local default-user="$local" skip-group-loading="true"/>
                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
                <authorization map-groups-to-roles="false">
                    <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
                </authorization>
            </security-realm>
            <security-realm name="ssl-realm">
                <server-identities>
                    <ssl>
                        <keystore path="modules/system/layers/base/resources/logibec/parameters/main/certificates/keystoreXDSDevServer.jks" relative-to="jboss.home.dir" keystore-password="jDSt4thgkfghg" alias="xdsdevserver" key-password="jDSt4thgkfghg"/>
                    </ssl>
                </server-identities>
                <authentication>
                    <truststore path="modules/system/layers/base/resources/logibec/parameters/main/certificates/truststore.jks" relative-to="jboss.home.dir" keystore-password="dr6uMUJjr65fgn84"/>
                </authentication>
            </security-realm>
            <security-realm name="ApplicationRealm">
                <authentication>
                    <jaas name="other"/>
                </authentication>
            </security-realm>
        </security-realms>
       
       
********************************************************************************************

What we have right now in the WildFly 26.1.0 standalone.xml:

        <subsystem xmlns="urn:wildfly:elytron:15.1" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
            <providers>
                <aggregate-providers name="combined-providers">
                    <providers name="elytron"/>
                    <providers name="openssl"/>
                </aggregate-providers>
                <provider-loader name="elytron" module="org.wildfly.security.elytron"/>
                <provider-loader name="openssl" module="org.wildfly.openssl"/>
            </providers>
            <audit-logging>
                <file-audit-log name="local-audit" path="audit.log" relative-to="jboss.server.log.dir" format="JSON"/>
            </audit-logging>
            <security-domains>
                <security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper">
                    <realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
                    <realm name="local"/>
                </security-domain>
                <security-domain name="ManagementDomain" default-realm="ManagementRealm" permission-mapper="default-permission-mapper">
                    <realm name="ManagementRealm" role-decoder="groups-to-roles"/>
                    <realm name="local" role-mapper="super-user-mapper"/>
                </security-domain>
                <security-domain name="mySD" default-realm="myRealm" permission-mapper="default-permission-mapper">
                    <realm name="myRealm"/>
                </security-domain>
            </security-domains>
            <security-realms>
                <identity-realm name="local" identity="$local"/>
                <properties-realm name="ApplicationRealm">
                    <users-properties path="application-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ApplicationRealm"/>
                    <groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
                </properties-realm>
                <properties-realm name="ManagementRealm">
                    <users-properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ManagementRealm"/>
                    <groups-properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
                </properties-realm>
                <jaas-realm name="myRealm" entry="testElytron" module="resources.logibec">
                    <file path="C:\Development\Quarantine_Servers\wildfly-26.0.1.Final-frontend\modules\system\layers\base\resources\logibec\main\JAAS-login-modules.conf"/>
                </jaas-realm>
            </security-realms>
            <mappers>
                <simple-permission-mapper name="default-permission-mapper" mapping-mode="first">
                    <permission-mapping>
                        <principal name="anonymous"/>
                        <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
                        <permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
                        <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
                    </permission-mapping>
                    <permission-mapping match-all="true">
                        <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
                        <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
                        <permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
                        <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
                    </permission-mapping>
                </simple-permission-mapper>
                <constant-realm-mapper name="local" realm-name="local"/>
                <simple-role-decoder name="groups-to-roles" attribute="groups"/>
                <constant-role-mapper name="super-user-mapper">
                    <role name="SuperUser"/>
                </constant-role-mapper>
            </mappers>
            <http>
                <http-authentication-factory name="management-http-authentication" security-domain="ManagementDomain" http-server-mechanism-factory="global">
                    <mechanism-configuration>
                        <mechanism mechanism-name="DIGEST">
                            <mechanism-realm realm-name="ManagementRealm"/>
                        </mechanism>
                    </mechanism-configuration>
                </http-authentication-factory>
                <http-authentication-factory name="application-http-authentication" security-domain="ApplicationDomain" http-server-mechanism-factory="global">
                    <mechanism-configuration>
                        <mechanism mechanism-name="BASIC">
                            <mechanism-realm realm-name="Application Realm"/>
                        </mechanism>
                    </mechanism-configuration>
                </http-authentication-factory>
                <http-authentication-factory name="example-loginconfig-http-auth" security-domain="mySD" http-server-mechanism-factory="global">
                    <mechanism-configuration>
                        <mechanism mechanism-name="FORM">
                            <mechanism-realm realm-name="TestMechanismRealm"/>
                        </mechanism>
                    </mechanism-configuration>
                </http-authentication-factory>
                <provider-http-server-mechanism-factory name="global"/>
            </http>
            <sasl>
                <sasl-authentication-factory name="management-sasl-authentication" sasl-server-factory="configured" security-domain="ManagementDomain">
                    <mechanism-configuration>
                        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
                        <mechanism mechanism-name="DIGEST-MD5">
                            <mechanism-realm realm-name="ManagementRealm"/>
                        </mechanism>
                    </mechanism-configuration>
                </sasl-authentication-factory>
                <sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="ApplicationDomain">
                    <mechanism-configuration>
                        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
                        <mechanism mechanism-name="DIGEST-MD5">
                            <mechanism-realm realm-name="ApplicationRealm"/>
                        </mechanism>
                    </mechanism-configuration>
                </sasl-authentication-factory>
                <configurable-sasl-server-factory name="configured" sasl-server-factory="elytron">
                    <properties>
                        <property name="wildfly.sasl.local-user.default-user" value="$local"/>
                    </properties>
                </configurable-sasl-server-factory>
                <mechanism-provider-filtering-sasl-server-factory name="elytron" sasl-server-factory="global">
                    <filters>
                        <filter provider-name="WildFlyElytron"/>
                    </filters>
                </mechanism-provider-filtering-sasl-server-factory>
                <provider-sasl-server-factory name="global"/>
            </sasl>
            <tls>
                <key-stores>
                    <key-store name="xdsdevserver">
                        <credential-reference clear-text="jDSt4thgkfghg"/>
                        <implementation type="JKS"/>
                        <file path="modules/system/layers/base/resources/logibec/parameters/main/certificates/keystoreXDSDevServer.jks" relative-to="jboss.home.dir"/>
                    </key-store>
                    <key-store name="truststore">
                        <credential-reference clear-text="dr6uMUJjr65fgn84"/>
                        <implementation type="JKS"/>
                        <file path="modules/system/layers/base/resources/logibec/parameters/main/certificates/truststore.jks" relative-to="jboss.home.dir"/>
                    </key-store>
                </key-stores>
                <key-managers>
                    <key-manager name="LocalhostKeyManager" key-store="xdsdevserver" alias-filter="xdsdevserver">
                        <credential-reference clear-text="jDSt4thgkfghg"/>
                    </key-manager>
                </key-managers>
                <trust-managers>
                    <trust-manager name="TrustManager" key-store="truststore"/>
                </trust-managers>
                <server-ssl-contexts>
                    <server-ssl-context name="LocalhostSslContext" need-client-auth="true" key-manager="LocalhostKeyManager" trust-manager="TrustManager"/>
                </server-ssl-contexts>
            </tls>
        </subsystem>
       
       
        <subsystem xmlns="urn:jboss:domain:undertow:12.0">
            <buffer-cache name="default"/>
            <server name="default-server">
                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
                <https-listener name="https" socket-binding="https" ssl-context="LocalhostSslContext" enable-http2="true"/>
                <host name="default-host" alias="localhost">
                    <filter-ref name="Content-Security-Policy"/>
                    <filter-ref name="X-Content-Type-Options"/>
                    <filter-ref name="X-Frame-Options"/>
                    <filter-ref name="Strict-Transport-Security"/>
                </host>
            </server>
            <servlet-container name="default">
                <jsp-config/>
                <session-cookie http-only="true" secure="true"/>
                <websockets/>
            </servlet-container>
            <filters>
                <response-header name="Content-Security-Policy" header-name="Content-Security-Policy" header-value="default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'"/>
                <response-header name="X-Content-Type-Options" header-name="X-Content-Type-Options" header-value="nosniff"/>
                <response-header name="X-Frame-Options" header-name="X-Frame-Options" header-value="DENY"/>
                <response-header name="Strict-Transport-Security" header-name="Strict-Transport-Security" header-value="max-age=31536000 ; includeSubDomains"/>
            </filters>
            <application-security-domains>
                <application-security-domain name="other" http-authentication-factory="example-loginconfig-http-auth" enable-jaspi="false" integrated-jaspi="false"/>
            </application-security-domains>
        </subsystem>
       
And for the custom login module loaded from "JAAS-login-modules.conf":    

        testElytron {
            loginmodules.CustomSecurityModuleWIthHashedPwdDB required;
       
        };
       
       
    -- module.xml --
        <module xmlns="urn:jboss:module:1.1" name="resources.logibec">
            <resources>
                <resource-root path="com.logibec.security.jar"/>
                <resource-root path="SDK.jar"/>
                <resource-root path="Logger.jar"/>
                <resource-root path="commons-lang-2.4.jar"/>
                <resource-root path="passwordHashing-jar-with-dependencies.jar"/>
                <resource-root path="jackson-all-1.9.11.jar"/>
                <resource-root path="event-logging-1.2.0-jar-with-dependencies.jar"/>        
            </resources>
            <dependencies>
                <module name="org.picketbox"/>
                <module name="javaee.api"/>
                <module name="javax.api"/>
                <module name="javax.mail.api"/>
                <module name="org.wildfly.security.elytron"/>
            </dependencies>
        </module>    
       
        *"com.logibec.security.jar" contains the class "CustomSecurityModuleWIthHashedPwdDB.java" and is in the same folder as "JAAS-login-modules.conf" file.        
       
    

Diana Krepinska

May 13, 2022, 2:30:02 PM
to WildFly
It seems that the security is not applied. Maybe the application security domain is not configured for your deployed application? One of two ways should be used to configure the app's security domain: either the application has it specified in the jboss-web.xml, or the default for applications should be configured:

/subsystem=undertow:write-attribute(name=default-security-domain,value=other)

If this does not help, you can try enabling logging to have more information:

/subsystem=logging/logger=org.wildfly.security:add(level=DEBUG)

Yoan Ganne

May 16, 2022, 10:34:03 AM
to WildFly
Thank you for taking the time to answer. We will take a look, as you said, at the jboss-web.xml file for the application or define a default value in the standalone. We thought that the


 <application-security-domains>
                <application-security-domain name="other" http-authentication-factory="example-loginconfig-http-auth" enable-jaspi="false" integrated-jaspi="false"/>
            </application-security-domains>

in undertow was enough for this purpose.

We should indeed put more logs to see what's happening.

Thank you

Yoan Ganne

May 18, 2022, 3:59:36 PM
to WildFly
We tried adding a default security domain for undertow and also adjusting the jboss-web file, without success.
We still get the same undertow error about securityContext being unavailable.

Here are the values we tried:

-- standalone.xml --
        <subsystem xmlns="urn:jboss:domain:logging:8.0">
            [...]
            <logger category="org.wildfly.security" use-parent-handlers="true">
                <level name="DEBUG"/>
            </logger>
            [...]
        </subsystem>
       
        <subsystem xmlns="urn:jboss:domain:ejb3:9.0">
            [...]
            <application-security-domains>
                <application-security-domain name="other" security-domain="mySD" enable-jacc="true"/>
            </application-security-domains>
            [...]
        </subsystem>        

               
        <subsystem xmlns="urn:wildfly:elytron:15.1" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
            [...]
            <security-domains>
                [...]

                <security-domain name="mySD" default-realm="myRealm" permission-mapper="default-permission-mapper">
                    <realm name="myRealm"/>
                </security-domain>
            </security-domains>
            <security-realms>
                <identity-realm name="local" identity="$local"/>
                <properties-realm name="ApplicationRealm">
                    <users-properties path="application-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ApplicationRealm"/>
                    <groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
                </properties-realm>
                [...]

                <jaas-realm name="myRealm" entry="testElytron" module="resources.logibec">
                    <file path="C:\Development\Quarantine_Servers\wildfly-26.0.1.Final-frontend\modules\system\layers\base\resources\logibec\main\JAAS-login-modules.conf"/>
                </jaas-realm>
            </security-realms>
            [...]
            <http>
                [...]

                <http-authentication-factory name="example-loginconfig-http-auth" security-domain="mySD" http-server-mechanism-factory="global">
                    <mechanism-configuration>
                        <mechanism mechanism-name="FORM">
                            <mechanism-realm realm-name="TestMechanismRealm"/>
                        </mechanism>
                    </mechanism-configuration>
                </http-authentication-factory>
                <provider-http-server-mechanism-factory name="global"/>
            </http>
            [...]

        </subsystem>
       
        <subsystem xmlns="urn:jboss:domain:undertow:12.0">
            [...]

            <server name="default-server">
                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
                <https-listener name="https" socket-binding="https" ssl-context="LocalhostSslContext" enable-http2="true"/>
                <host name="default-host" alias="localhost">
                    [...]
                    <single-sign-on path="/" http-only="true" secure="false"/>
                </host>
            </server>
            [...]

            <application-security-domains>
                <application-security-domain name="other" http-authentication-factory="example-loginconfig-http-auth" enable-jaspi="false" integrated-jaspi="false">
                   <single-sign-on key-store="xdsdevserver" key-alias="xdsdevserver" client-ssl-context="LocalhostSslContext">
                        <credential-reference clear-text="jDSt4thgkfghg"/>
                   </single-sign-on>
                </application-security-domain>
            </application-security-domains>
        </subsystem>


-- jboss-web.xml --
    <?xml version="1.0" encoding="UTF-8"?>
    <jboss-web
        xmlns="http://www.jboss.com/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-web_5_1.xsd">
   
        <security-domain>mySD</security-domain>
        <!-- This web app's context root -->
        <context-root>/</context-root>
    </jboss-web>
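Added example (not part of the thread, and not WildFly code): a small offline check of the chain the replies discuss, from the <security-domain> a deployment names in jboss-web.xml, to an undertow application-security-domain of that name, to the Elytron http-authentication-factory, security-domain and realm behind it. The function names are hypothetical, the fallback to "other" when no default-security-domain is set is an assumption, and the sample XML is constructed from the names used in the thread.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def _subsystem(root, ns_prefix):
    """Find a <subsystem> by namespace prefix, ignoring the schema version."""
    for el in root.iter():
        if _local(el.tag) == "subsystem" and el.tag.startswith("{" + ns_prefix):
            return el
    return None

def _named(parent, tag):
    """Map name -> element for every descendant <tag name="..."> of parent."""
    return {el.get("name"): el for el in parent.iter() if _local(el.tag) == tag}

def check_deployment_mapping(standalone_xml, jboss_web_xml=None):
    """Return (domain name the deployment asks for, list of broken links)."""
    root = ET.fromstring(standalone_xml)
    undertow = _subsystem(root, "urn:jboss:domain:undertow:")
    elytron = _subsystem(root, "urn:wildfly:elytron:")
    if undertow is None or elytron is None:
        return None, ["undertow or elytron subsystem not found"]

    # 1. Name requested by the deployment, else the undertow default
    #    (assumed to be "other" when the attribute is absent).
    wanted = None
    if jboss_web_xml:
        for el in ET.fromstring(jboss_web_xml).iter():
            if _local(el.tag) == "security-domain" and el.text:
                wanted = el.text.strip()
    if wanted is None:
        wanted = undertow.get("default-security-domain", "other")

    # 2. That name is looked up among undertow's application-security-domain
    #    names, not among the Elytron security-domain names.
    mappings = _named(undertow, "application-security-domain")
    mapping = mappings.get(wanted)
    if mapping is None:
        return wanted, [f"no undertow application-security-domain named "
                        f"'{wanted}' (defined: {sorted(mappings)})"]

    # 3. The mapping points at an Elytron factory or directly at a domain.
    domain_name = mapping.get("security-domain")
    factory_name = mapping.get("http-authentication-factory")
    if factory_name:
        factory = _named(elytron, "http-authentication-factory").get(factory_name)
        if factory is None:
            return wanted, [f"http-authentication-factory '{factory_name}' is not defined"]
        domain_name = factory.get("security-domain")
    domain = _named(elytron, "security-domain").get(domain_name)
    if domain is None:
        return wanted, [f"Elytron security-domain '{domain_name}' is not defined"]

    # 4. Every realm the domain references must exist under <security-realms>.
    realms = next((e for e in elytron.iter() if _local(e.tag) == "security-realms"), [])
    defined = {r.get("name") for r in realms}
    refs = [domain.get("default-realm")]
    refs += [r.get("name") for r in domain if _local(r.tag) == "realm"]
    return wanted, [f"realm '{r}' is not defined"
                    for r in dict.fromkeys(refs) if r and r not in defined]

# Constructed sample: a trimmed standalone.xml using the names from the thread.
STANDALONE = """
<server>
  <subsystem xmlns="urn:wildfly:elytron:15.1">
    <security-domains>
      <security-domain name="mySD" default-realm="myRealm">
        <realm name="myRealm"/>
      </security-domain>
    </security-domains>
    <security-realms>
      <jaas-realm name="myRealm" entry="testElytron"/>
    </security-realms>
    <http>
      <http-authentication-factory name="example-loginconfig-http-auth"
          security-domain="mySD" http-server-mechanism-factory="global"/>
    </http>
  </subsystem>
  <subsystem xmlns="urn:jboss:domain:undertow:12.0">
    <application-security-domains>
      <application-security-domain name="other"
          http-authentication-factory="example-loginconfig-http-auth"/>
    </application-security-domains>
  </subsystem>
</server>
"""
# Constructed jboss-web.xml template; {name} is filled in per case.
JBOSS_WEB = """<jboss-web xmlns="http://www.jboss.com/xml/ns/javaee">
  <security-domain>{name}</security-domain>
</jboss-web>"""

if __name__ == "__main__":
    for name in ("mySD", "other"):
        print(name, check_deployment_mapping(STANDALONE, JBOSS_WEB.format(name=name)))
```

With the constructed sample, asking for "mySD" reports that undertow only defines a mapping named "other", while asking for "other" resolves through to the jaas-realm with no findings.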