Failed authentication Wildfly 26


Gustavo Martins

Nov 7, 2023, 9:32:58 AM
to WildFly
Hi, I am migrating from wildfly 18 to wildfly 26, but there have been several security changes and now my Tomcat 9 server cannot connect to wildfly, I receive the following error:
    Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed:
    JBOSS-LOCAL-USER: javax.security.sasl.SaslException: JBOSS-LOCAL-USER: Server rejected authentication
    DIGEST-MD5: javax.security.sasl.SaslException: DIGEST-MD5: Server rejected authentication

At first, it was never necessary to configure users and access, it was always the default but now authentication always fails and I can't figure out why

Prarthona Paul

Nov 8, 2023, 11:00:25 AM
to WildFly
Hi there, 
Would you be able to check to see if the user and roles definition is configured correctly in the Standalone/Configuration/application-user.properties and Standalone/Configuration/application-roles.properties?
It would also be useful to check and ensure that the credentials you have set up for the client matches what the server expects. 

Here are a few threads you may find useful:  

Please feel free to follow up if you have any other questions. 
-- Prarthona
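The two checks suggested above (are users and roles defined in the properties files, and do the client credentials match what the server expects) can be done offline against the configuration files. The following is an added example written for this thread, not part of WildFly or of the original posts. It assumes the properties-realm file format that add-user.sh writes (a `#$REALM_NAME=...$` header and `user=HEX(MD5(user:realm:password))` entries) and uses the `<sasl>` fragment posted later in this thread as constructed input; the user name `tomcat` and password `secret` are constructed sample values.

```python
"""Offline consistency check between an Elytron SASL factory and its properties realm.

Added example for this thread, not WildFly's own tooling. It reports why DIGEST-MD5
would be rejected: the realm has no users at all, the properties file's digests were
computed for a realm name other than the one the factory advertises, the client user
is missing, or the client password does not reproduce the stored digest.
"""
import hashlib
import xml.etree.ElementTree as ET


def digest_entry(user, realm, password):
    """The value add-user.sh stores for a user: HEX(MD5(user:realm:password))."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()


def parse_users_properties(text):
    """Return (realm name from the #$REALM_NAME=...$ header, or None, {user: digest})."""
    realm = None
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # add-user.sh records which realm the digests were computed for
            if line.startswith("#$REALM_NAME=") and line.endswith("$"):
                realm = line[len("#$REALM_NAME="):-1]
            continue
        user, _, value = line.partition("=")
        users[user.strip()] = value.strip()
    return realm, users


def parse_sasl_factories(xml_text):
    """Map sasl-authentication-factory name -> list of (mechanism-name, realm-name or None)."""
    root = ET.fromstring(xml_text)
    factories = {}
    for factory in root.iter("sasl-authentication-factory"):
        mechs = []
        for mech in factory.iter("mechanism"):
            realm_el = mech.find("mechanism-realm")
            realm = realm_el.get("realm-name") if realm_el is not None else None
            mechs.append((mech.get("mechanism-name"), realm))
        factories[factory.get("name")] = mechs
    return factories


def check_digest_md5(xml_text, users_text, factory_name, client_user, client_password):
    """Return a list of findings; an empty list means DIGEST-MD5 should accept the credentials."""
    mechs = parse_sasl_factories(xml_text).get(factory_name)
    if mechs is None:
        return [f"factory {factory_name!r} not found"]
    realm = next((r for m, r in mechs if m == "DIGEST-MD5"), None)
    if realm is None:
        return [f"factory {factory_name!r} does not offer DIGEST-MD5"]
    file_realm, users = parse_users_properties(users_text)
    if not users:
        # An empty application-users.properties means no identity can ever authenticate
        return [f"realm {realm!r} has no users: DIGEST-MD5 cannot succeed for anyone"]
    findings = []
    if file_realm is not None and file_realm != realm:
        findings.append(f"properties file digests were computed for realm {file_realm!r}, "
                        f"but the factory advertises {realm!r}")
    stored = users.get(client_user)
    if stored is None:
        findings.append(f"user {client_user!r} is not present in realm {realm!r}")
    elif stored != digest_entry(client_user, realm, client_password):
        findings.append(f"stored digest for {client_user!r} does not match the password under realm {realm!r}")
    return findings


# Constructed input: the application SASL factory as posted in this thread.
SASL_XML = """
<sasl>
  <sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="ApplicationDomain">
    <mechanism-configuration>
      <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
      <mechanism mechanism-name="DIGEST-MD5">
        <mechanism-realm realm-name="ApplicationRealm"/>
      </mechanism>
    </mechanism-configuration>
  </sasl-authentication-factory>
</sasl>
"""

FACTORY = "application-sasl-authentication"
# Constructed properties files: the empty file from the thread, a matching one, and one
# whose digests were produced for a differently named realm.
EMPTY_USERS = "#$REALM_NAME=ApplicationRealm$\n"
GOOD_USERS = "#$REALM_NAME=ApplicationRealm$\ntomcat=" + digest_entry("tomcat", "ApplicationRealm", "secret") + "\n"
OTHER_REALM_USERS = "#$REALM_NAME=OtherRealm$\ntomcat=" + digest_entry("tomcat", "OtherRealm", "secret") + "\n"

if __name__ == "__main__":
    for label, users in (("empty", EMPTY_USERS), ("matching", GOOD_USERS), ("other realm", OTHER_REALM_USERS)):
        print(label, check_digest_md5(SASL_XML, users, FACTORY, "tomcat", "secret") or ["ok"])
```

Run it against your own `standalone/configuration/application-users.properties` by reading that file into `users_text` and passing the credentials the Tomcat side sends; an empty finding list means the DIGEST-MD5 exchange should succeed, and each finding names the mismatch to fix on the server or client side.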

Gustavo Martins

Nov 10, 2023, 9:06:04 AM
to WildFly
I took a look, but still no success. Until Wildfly 24 it was possible to perform authentication even without having configured users and roles, in my case the user and role files are empty and authentication is still being blocked.
I tried to perform a user configuration on Wildfly and the same on Tomcat, but even though the user credentials on both servers were the same, the authentication still failed.

Prarthona Paul

Nov 13, 2023, 10:37:11 AM
to WildFly
Hello, 
Are you using a custom realm security-domain or realm-mapper? In those cases, you may need to update the sasl-authentication-factory to use your custom realm, security domain, and realm-mapper. 
This is what the default configuration would look like in standalone.xml: 
<sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="ApplicationDomain">
    <mechanism-configuration>
        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
        <mechanism mechanism-name="DIGEST-MD5">
            <mechanism-realm realm-name="ApplicationRealm"/>
        </mechanism>
    </mechanism-configuration>
</sasl-authentication-factory>

Additionally, if you are configuring the remoting subsystem for remote authentication, then updating the following to reflect the correct realm name can help: 
<http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/> 
Please see here: https://stackoverflow.com/questions/42517454/jboss-local-user-javax-security-sasl-saslexception-failed-to-read-server-chall
This post may be useful as well: https://access.redhat.com/solutions/4775661
Hope it helps! 

Gustavo Martins

Nov 13, 2023, 11:20:41 AM
to WildFly
Thanks for the answer, but unfortunately I only have the default security-realm; the only things I changed were the datasource for connecting to the database, and I removed the https configuration (as I only intend to use http). I didn't enter any user or role (when I did, it still didn't authenticate), and I still couldn't understand why it didn't authenticate. While debugging, I saw that it fails when trying to perform sasl.evaluateChallenge(challenge), something that in version 24 and below works normally.

Note: I am using standalone mode

Prarthona Paul

Nov 15, 2023, 11:04:03 AM
to WildFly
Hello, 
Could you please give us more details about how you connect to WildFly? Additionally, let us know whether you recently upgraded the Tomcat server.
Also, do you know which SASL mechanism was used previously when connecting to the server? 
Did you previously have unsecured server access? Maybe that is why you were able to access it without roles and user configuration? 
And lastly, you mentioned you changed the data source for connecting to the database. Could you let us know what that is used for and what the data source configuration is like? 
Another good place to look would be the server logs. Maybe there are some useful log messages that look odd to you and would give you more information about what is wrong.
-- Prarthona

Gustavo Martins

Nov 15, 2023, 11:41:19 AM
to WildFly

Hello, the Tomcat I use is 8.5 and I didn't make any changes to it and I also didn't make any changes to Wildfly's authentication method, so version 18 that I used and the standalone.xml worked like this:
            <http>
                <http-authentication-factory name="management-http-authentication" security-domain="ManagementDomain" http-server-mechanism-factory="global">
                    <mechanism-configuration>
                        <mechanism mechanism-name="DIGEST">
                            <mechanism-realm realm-name="ManagementRealm"/>
                        </mechanism>
                    </mechanism-configuration>
                </http-authentication-factory>
                <provider-http-server-mechanism-factory name="global"/>
            </http>

            <sasl>

                <sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="ApplicationDomain">
                    <mechanism-configuration>
                        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
                        <mechanism mechanism-name="DIGEST-MD5">
                            <mechanism-realm realm-name="ApplicationRealm"/>
                        </mechanism>
                    </mechanism-configuration>
                </sasl-authentication-factory>

                <sasl-authentication-factory name="management-sasl-authentication" sasl-server-factory="configured" security-domain="ManagementDomain">

                    <mechanism-configuration>
                        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
                        <mechanism mechanism-name="DIGEST-MD5">
                            <mechanism-realm realm-name="ManagementRealm"/>
                        </mechanism>
                    </mechanism-configuration>
                </sasl-authentication-factory>

                <configurable-sasl-server-factory name="configured" sasl-server-factory="elytron">
                    <properties>
                        <property name="wildfly.sasl.local-user.default-user" value="$local"/>
                    </properties>
                </configurable-sasl-server-factory>
                <mechanism-provider-filtering-sasl-server-factory name="elytron" sasl-server-factory="global">
                    <filters>
                        <filter provider-name="WildFlyElytron"/>
                    </filters>
                </mechanism-provider-filtering-sasl-server-factory>
                <provider-sasl-server-factory name="global"/>
            </sasl>


http-authentication-factory does not have the BASIC mechanism for application-http-authentication, but wildfly 26 does.

I wouldn't know much about unsecured server access because no security mechanisms were actually configured, however they communicate via delegate in the code itself.

Regarding authentication and configuration with the database, I carried it out partially through the Wildfly management interface, but I directly modified the standalone.xml to insert the mysql driver and the login and password information; I kept this configuration the same in both Wildfly 18 and 26.

As for the logs, I took a look but found nothing much beyond what I sent in the conversation thread.

Prarthona Paul

Nov 16, 2023, 4:03:35 PM
to WildFly
Hello, 
Thank you for sharing the http and sasl configurations. It seems to be the same as the default configurations, so I am not entirely sure what is going wrong. 
If you are adding server configuration by editing the standalone.xml file, then please use the reload command on the management cli to apply these changes. 
Additionally, for more detailed server log messages, you could try to enable TRACE logging for org.wildfly.security to see if that provides more details on what's going wrong.
-- Prarthona