Problems with migration from legacy security to Elytron


frank.l...@outlook.de
Sep 16, 2021, 3:23:31 PM
to WildFly
Until now we have still been using the deprecated legacy security system with this security-domain definition:
<security-domain name="mbisso" cache-type="default">
    <authentication>
        <login-module code="DatabaseUsers" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="dsJndiName" value="java:jboss/datasources/DefaultDS"/>
            <module-option name="principalsQuery" value="SELECT password FROM mbi_juser WHERE username=? AND is_activ=1"/>
            <module-option name="rolesQuery" value="SELECT role, role_group FROM mbi_jrole WHERE username=?"/>
            <module-option name="hashAlgorithm" value="MD5"/>
            <module-option name="hashEncoding" value="base64"/>
        </login-module>
    </authentication>
</security-domain>
Referenced in web.xml:
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>mbisso</realm-name>
        <form-login-config>
            <form-login-page>/Login.xhtml?nocid=true&amp;faces-redirect=true</form-login-page>
            <form-error-page>/LoginError.xhtml?nocid=true&amp;faces-redirect=true</form-error-page>
        </form-login-config>
    </login-config>
and jboss-web.xml:
    <security-domain>mbisso</security-domain>

To migrate to Elytron we added
<application-security-domain name="mbisso" http-authentication-factory="mbisso"/>
to the undertow subsystem.
To the Elytron subsystem we added:
<http-authentication-factory name="mbisso" security-domain="mbisso" http-server-mechanism-factory="global">
    <mechanism-configuration>
        <mechanism mechanism-name="FORM"/>
    </mechanism-configuration>
</http-authentication-factory>

<security-domain name="mbisso" default-realm="mbisso" permission-mapper="default-permission-mapper">
    <realm name="mbisso" role-decoder="from-roles-attribute"/>
</security-domain>

<jdbc-realm name="mbisso">
    <principal-query sql="SELECT password FROM mbi_juser WHERE username = ? AND is_activ = 1" data-source="DefaultDS">
        <clear-password-mapper password-index="1"/>
    </principal-query>
    <principal-query sql="SELECT role FROM mbi_jrole WHERE username = ?" data-source="DefaultDS">
        <attribute-mapping>
            <attribute to="roles" index="1"/>
        </attribute-mapping>
    </principal-query>
</jdbc-realm>

But we still get a login failure:
16.09. 20:07:59,736 ERROR [stderr#write] javax.servlet.ServletException: UT010031: Login failed
16.09. 20:07:59,739 ERROR [stderr#write] at io.undertow.servlet.spec.HttpServletRequestImpl.login(HttpServletRequestImpl.java:511)
16.09. 20:07:59,846 ERROR [stderr#write] at biz.mbisoftware.web.controller.common.UserSession.login(UserSession.java:260)

Database tables for users and roles are defined as (one user can have multiple roles):
create table mbi_juser
  (
    username varchar(20) not null ,
    password varchar(128) not null ,
    is_activ integer
  );

create table mbi_jrole
  (
    username varchar(20) not null ,
    role varchar(64) not null ,
    role_group varchar(64) default 'Roles' not null
  );

create unique index mbi_juser1 on mbi_juser (username) ;
create unique index mbi_jrole1 on mbi_jrole (username, role) ;

Content added for default user mbi:
insert into mbi_juser ( username, password, is_activ )
values ( 'mbi', 'X1Fj9CvEnUhYLovebU/10A==', 1 );

insert into mbi_jrole ( username, role, role_group )
values ( 'mbi', 'admin', 'Roles');

We cannot figure out why the login fails.
What's missing?
Is it really the login that is failing, or the role assignment?
How can we find more details about what's going on during the login process?

The last statement the Oracle database session shows is
SELECT role FROM mbi_jrole WHERE username = :1

Darran Lofthouse
Sep 16, 2021, 3:33:45 PM
to WildFly
The best starting point for all security logging is to enable TRACE logging for org.wildfly.security - the logs contain a lot of detail of the process.

frank.l...@outlook.de
Sep 16, 2021, 4:55:15 PM
to WildFly
Trace logging shows that the principal queries against the user and role tables are executed, but were they successful or not? It seems not.
The [clear] means that the password in the database is expected in clear text. We checked this by updating the password in the database from the MD5 / BASE64 encrypted value to the clear-text password.
We will replace
<clear-password-mapper password-index="1"/>
with
<simple-digest-mapper algorithm="simple-digest-md5" password-index="1"/>
and try again.

16.09. 22:19:10,255 TRACE [org.wildfly.security.http.servlet#<init>] Created ServletSecurityContextImpl enableJapi=true, integratedJaspi=true, applicationContext=default-host /web-cor2l-dev
16.09. 22:19:10,258 TRACE [org.wildfly.security.http.servlet#authenticate] No AuthConfigProvider for layer=HttpServlet, appContext=default-host /web-cor2l-dev
16.09. 22:19:10,258 TRACE [org.wildfly.security.http.servlet#authenticate] JASPIC Unavailable, using HTTP authentication.
16.09. 22:19:10,259 TRACE [org.wildfly.security#restoreIdentity] No CachedIdentity to restore.
16.09. 22:19:10,260 TRACE [org.wildfly.security#doCreate] Created HttpServerAuthenticationMechanism [org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$1@42b1ad96] for mechanism [FORM]
16.09. 22:19:10,261 TRACE [org.wildfly.security#handleOne] Handling SocketAddressCallback
16.09. 22:19:10,263 TRACE [org.wildfly.security#handleOne] Handling MechanismInformationCallback type='HTTP' name='FORM' host-name='sb2000' protocol='http'
16.09. 22:19:10,264 TRACE [org.wildfly.security.http.form#attemptReAuthentication] Trying to re-authenticate session qJKV2XVG1OsAKDDrvkphHZnHToG2t8We8vVpoZ2F. Request URI: [http://sb2000:8080/web-cor2l-dev/Login.xhtml;jsessionid=qJKV2XVG1OsAKDDrvkphHZnHToG2t8We8vVpoZ2F.sb2000], Context path: [/web-cor2l-dev]
16.09. 22:19:10,265 TRACE [org.wildfly.security#handleOne] Handling CachedIdentityAuthorizeCallback: principal = null  authorizedIdentity = null
16.09. 22:19:10,460 TRACE [org.wildfly.security#assignName] Principal assigning: [mbi], pre-realm rewritten: [mbi], realm name: [mbisso], post-realm rewritten: [mbi], realm rewritten: [mbi]
16.09. 22:19:10,486 TRACE [org.wildfly.security#getIdentity] Executing principalQuery SELECT password FROM mbi_juser WHERE username = ? AND is_activ = 1 with value mbi
16.09. 22:19:10,563 TRACE [org.wildfly.security#map] Key Mapper: Password credential created using algorithm column value [clear]
16.09. 22:19:10,570 TRACE [org.wildfly.security#getIdentity] Executing principalQuery SELECT role FROM mbi_jrole WHERE username = ? with value mbi
16.09. 22:19:10,676 TRACE [org.wildfly.security.http.servlet#<init>] Created ServletSecurityContextImpl enableJapi=true, integratedJaspi=true, applicationContext=default-host /web-cor2l-dev
16.09. 22:19:10,678 TRACE [org.wildfly.security.http.servlet#authenticate] No AuthConfigProvider for layer=HttpServlet, appContext=default-host /web-cor2l-dev
16.09. 22:19:10,678 TRACE [org.wildfly.security.http.servlet#authenticate] JASPIC Unavailable, using HTTP authentication.
16.09. 22:19:10,679 TRACE [org.wildfly.security#restoreIdentity] No CachedIdentity to restore.
16.09. 22:19:10,680 TRACE [org.wildfly.security#doCreate] Created HttpServerAuthenticationMechanism [org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$1@46a9d77f] for mechanism [FORM]
16.09. 22:19:10,681 TRACE [org.wildfly.security#handleOne] Handling SocketAddressCallback
16.09. 22:19:10,682 TRACE [org.wildfly.security#handleOne] Handling MechanismInformationCallback type='HTTP' name='FORM' host-name='sb2000' protocol='http'
16.09. 22:19:10,683 TRACE [org.wildfly.security.http.form#attemptReAuthentication] Trying to re-authenticate session qJKV2XVG1OsAKDDrvkphHZnHToG2t8We8vVpoZ2F. Request URI: [http://sb2000:8080/web-cor2l-dev/LoginError.xhtml], Context path: [/web-cor2l-dev]
16.09. 22:19:10,684 TRACE [org.wildfly.security#handleOne] Handling CachedIdentityAuthorizeCallback: principal = null  authorizedIdentity = null
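An added check, written for this thread and not taken from WildFly or the poster's application, that models the two mapper behaviours discussed above: clear-password-mapper compares the stored column verbatim with the typed password, while simple-digest-mapper compares it with the encoded unsalted MD5 of the typed password, so a base64 MD5 column can only ever match under the second mapper. It assumes the mapper's default base64 hash encoding and a UTF-8 password charset; the sample rows are constructed (base64 of MD5("password")) and do not reuse the 'mbi' value from the post.

```python
import base64
import hashlib
import hmac

# Constructed rows in the shape of mbi_juser (username, password, is_activ).
# The stored value is base64(MD5("password")); it is NOT the poster's 'mbi' hash.
SAMPLE_ROWS = [
    ("demo", "X03MO1qnZdYdgyfeuILPmQ==", 1),
    ("inactive", "X03MO1qnZdYdgyfeuILPmQ==", 0),
]


def md5_digest(password: str, charset: str = "utf-8") -> bytes:
    """Unsalted MD5 over the password bytes, as simple-digest-md5 computes it (assumed charset)."""
    return hashlib.md5(password.encode(charset)).digest()


def encode_hash(digest: bytes, encoding: str = "base64") -> str:
    """Encode the digest the way the stored password column must look (base64 or hex)."""
    if encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    if encoding == "hex":
        return digest.hex()
    raise ValueError(f"unsupported hash encoding: {encoding}")


def clear_mapper_matches(stored: str, candidate: str) -> bool:
    """What clear-password-mapper effectively checks: stored text == typed password."""
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))


def simple_digest_matches(stored: str, candidate: str, encoding: str = "base64") -> bool:
    """What simple-digest-mapper checks: stored text == encode(MD5(typed password))."""
    expected = encode_hash(md5_digest(candidate), encoding)
    return hmac.compare_digest(stored.encode("utf-8"), expected.encode("utf-8"))


def login(rows, username: str, candidate: str, mapper: str = "simple-digest") -> bool:
    """Emulate the principal query (username match AND is_activ = 1) plus the mapper check."""
    for user, stored, is_activ in rows:
        if user == username and is_activ == 1:
            if mapper == "clear":
                return clear_mapper_matches(stored, candidate)
            return simple_digest_matches(stored, candidate)
    return False  # no matching row: the realm yields no identity and FORM login fails


if __name__ == "__main__":
    print(login(SAMPLE_ROWS, "demo", "password", mapper="clear"))  # False: hash != clear text
    print(login(SAMPLE_ROWS, "demo", "password"))                  # True
    print(login(SAMPLE_ROWS, "inactive", "password"))              # False: is_activ = 0
```

Running the stored column through `encode_hash(md5_digest(pw))` before switching mappers confirms the DB format matches what simple-digest-md5 will compute, independent of the application server.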