We Keep Coding

Wildfly - Problems with form based authentication after restart

We have what I believe to be a pretty standard form based authentication for a web application running on wildfly 8.2.
The authentication works well, except that when we stop&start the server some users are unable to log in again.
I have managed to reproduce one variant of this:
If I open the login page, /xxxx/app, before I restart, and then try to log in after the server is up again, I end up on a blank /xxxx/j_security_check page.
In my logs I can see that the actual authentication is run OK.
If I have understood this j_security_check mechanism properly, it goes something like this:
I access /xxxx/app
Wildfly sees that this url requires authentication. It remembers it and forwards me to login.jsp.
When I submit my login form to the magical j_security_check address it replaces it with the remembered /xxxx/app address.
If this is conceptually correct, I can see that a restart can be troublesome; The web server no longer remembers the /xxxx/app address and doesn't know where to redirect me to.
Does anyone have a workaround for this problem?
Any way to give wildfly a default page to go to after j_security_check?
Edit: I found this one: It is probably the same underlying cause:
Jboss Wildfly 8.1 session timeout on login page
jboss-web.xml:
<jboss-web>
<security-domain>ptsmc</security-domain>
<default-encoding>UTF-8</default-encoding>
</jboss-web>
web.xml:
<servlet-mapping>
<servlet-name>main</servlet-name>
<url-pattern>/app/*</url-pattern>
</servlet-mapping>
<!-- -->
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<security-constraint>
<display-name>ptsmc</display-name>
<web-resource-collection>
<web-resource-name>ptsmc</web-resource-name>
<url-pattern>/app/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>WEB</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>Users must have this role to be granted access to Application</description>
<role-name>WEB</role-name>
</security-role>
login.jsp:
<form name="login_form" method="POST" action="<%=response.encodeURL(request.getContextPath() + "/j_security_check")%>">
<table>
<tr><td>User id:</td><td><input type=text name=j_username autofocus onblur="this.value = this.value.toUpperCase();"></td></tr>
<tr><td>Password:</td><td><input type=password name=j_password></td></tr>
<tr><td> </td><td><input type=submit value="Submit"></td></tr>
</table>
</form>

How to use HTTPS with Glassfish 4 and JSF 2.2?

Just for learning purposes, I want to use SSL in the application I have developed in my local environment.
So I want all my connections to go through ssl.
How can I implement this with Glassfish 4.0 ?

Here is an example of using JAAS Form authentication:
on web.xml this block of code defines what urls will be SSL enabled:
<login-config>
<auth-method>FORM</auth-method>
<realm-name>userauth</realm-name>
<form-login-config>
<form-login-page>/login.jsf</form-login-page>
<form-error-page>/loginError.jsf</form-error-page>
</form-login-config>
</login-config>
<security-constraint>
<display-name>ConstraintSSL</display-name>
<web-resource-collection>
<web-resource-name>protected</web-resource-name>
<description/>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Now on your application server (glassfish) configure your authentication realm "userauth" in this example:
create-auth-realm --classname com.sun.enterprise.security.ee.auth.realm.jdbc.JDBCRealm
--property jaas-context=jdbcRealm:datasource-jndi=oracleXE10gJDBCResource:user-
table=TB_USER:user-name-column=ID_USER:password-column=PASSWORD:group-
table=TB_USER_GROUP_USER:group-name-column=ID_GROUP:group_table_user-name-
column=ID_GROUP:digest-algorithm=MD5 userauth
In this example I created a JDBC based realm with MD5 encrypted passwords on a User table called "TB_USER" along with the group table names. You might create your own authentication realm, it can be file, jdbc or other JAAS type (please see JAAS doc for each specific one).
Now any requests for your app shall be using SSL.
Glassfish will redirect to the SSL port (default 8181) and your browser will be displaying the default SSL Trust certificate alert window (in case you are using a self-signed certificate) asking if you trust the connection, and after accepting you should see the page rendered correctly in SSL mode - https

Navigate to Glassfish Admin Console and then Server Settings --> Network Listeners. There you can set the listeners to use SSL. By default there are three listeners, 4848 for admin console, 8080 for general http listening, and 8181 for secured http listening. There are several things you can do here
To enable SSL for listeners or edit Listener check Security option
To disable listeners uncheck
On SSL tab fill the SSL information

Weblogic 10.3.5.0 SAML2 SSO -> Error 403 / Error 401

i configured 2 weblogic domains with managed servers as seen in Biemond's blogpost
i used the
DemoIdentity & DemoTrust
i enabled SSL and
added to the web.xml of my deployed app:
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>myrealm</realm-name>
</login-config>
<security-role>
<description>These are the roles who have access</description>
<role-name>admin</role-name>
</security-role>
and mapped this role to a principal (a user i added in both weblogic servers/domains) in my weblogic.xml file.
But it doesn't work.
Everytime i get
Error 403 -- Forbidden
and in my second sample app i get
Error 401--Unauthorized
anyone else with this problem? or maybe a solution?
Thanks for your help!

Tomcat 7 container managed security and SSL dont work together + jsf 2.1

I'm using JDBCRealm for Tomcat 7 user auth and SSL for https but I can not figure out how to combine them. My goal is to make all the page secure by SSL and possible to view only by a certain role. I'm using JSF 2.1. Here is my code in web.xml
<security-role>
<description/>
<role-name>employee</role-name>
</security-role>
<security-role>
<description/>
<role-name>administrator</role-name>
</security-role>
<security-role>
<description/>
<role-name>boss</role-name>
</security-role>
<security-constraint>
<display-name>ConstraintPrac</display-name>
<web-resource-collection>
<web-resource-name>panelprac</web-resource-name>
<url-pattern>panele/pracownik/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>employee</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
They seem to work separately but what i need is a combined way. Now Tomcat is not redirecting to the port 8443 (https) and You can access any page just by typing it in the browser. I used this page for SSL http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html and this one for JDBCRealm http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html. I want my program to allow access certain pages only to certain roles and at the same time do everything on HTTPS. Please help me with this one. I don't know where I've made the mistake. I don't receive any errors.
RESOLVED
The problem was deeper than I thought. Tomcat 7 doesn't support custom form user authentication therefore security roles presented above didn't work. To solve this I had to create a Filter class to protect unauthorized entry's to pages.
I will leave this topic in case someone has the same problem (if the admin finds this topic irrelevant feel free to delete it)

Authentication without authorization on Tomcat 7

I have an annoying error which I can't solve for quite a while. I recently was introduced to container-based security and try to implement it. I have configure the realm as following:
<Realm className="org.apache.catalina.realm.JDBCRealm"
debug="99"
driverName="com.mysql.jdbc.Driver"
connectionURL="jdbc:mysql://127.0.0.1:3306/identify"
connectionName="adm" connectionPassword="pw"
userTable="users" userNameCol="login"
userCredCol="password"
allRolesMode="authOnly" />
</Realm>
Unfortunately I can't login with this. The log error messages are:
SEVERE: Exception performing authentication
java.sql.SQLException: You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version
for the right syntax to use near 'null WHERE login = 'user1'' at line 1
at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:2928)
at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:1571)
at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:1666)
at com.mysql.jdbc.Connection.execSQL(Connection.java:2994)
at com.mysql.jdbc.PreparedStatement.executeInternal(PreparedStatement.java:936)
at com.mysql.jdbc.PreparedStatement.executeQuery(PreparedStatement.java:1030)
at org.apache.catalina.realm.JDBCRealm.getRoles(JDBCRealm.java:640)
at org.apache.catalina.realm.JDBCRealm.authenticate(JDBCRealm.java:430)
at org.apache.catalina.realm.JDBCRealm.authenticate(JDBCRealm.java:355)
at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:146)
at org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:180)
at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:282)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:440)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:851)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:405)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:278)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:515)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:300)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:636)
Please notice the '' around the user name... Is this correct?
As you see I also use allRolesMode="authOnly", because I don't need this functionality and moreover the database doesn't have and won't ever have an additional column for user roles (it is quite pointless if won't use it than every user will have the same value in this column - big waste of recourses.).
The server is Tomcat 7.0.19

You have to set the userRoleTable and roleNameCol properties in case of allRolesMode="authOnly" too. Without them the SQL query will contain the String null (as you can see in the message of the exception). The value of userRoleTable could be the same as the value of userTable, and roleNameCol also could be same as userNameCol.
A simple workaround is creating an SQL view which emulates the roles table:
CREATE VIEW roles (username, role)
AS SELECT username, 'user' FROM users;
And a solution:
<Realm className="org.apache.catalina.realm.JDBCRealm"
driverName="com.mysql.jdbc.Driver"
connectionURL="jdbc:mysql://127.0.0.1:3306/test"
connectionName="..." connectionPassword="..."
userTable="users" userNameCol="username" userCredCol="password"
userRoleTable="users" roleNameCol="username"
/>
(Surprisingly it works without any allRolesMode.)
The required web.xml snippets:
<security-constraint>
<web-resource-collection>
<web-resource-name>protected zone</web-resource-name>
<url-pattern>/prot/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>*</role-name>
</security-role>
(Note: Lets say you have 1 million users, a new attribute in the users table with one million user\0 string would cost only around 5 megabytes. I agree with that this is not a beautiful solution but it's not intolerable big nowadays.)

I have Tomcat 7.0.27.0 with JDK 1.6
I am using tomcat only for Authentication and not for authorization
Following is the setup
context.xml
<Realm className="org.apache.catalina.realm.JDBCRealm"
connectionName="login"
connectionPassword="password"
connectionURL="jdbc:oracle:thin:#127.0.0.1:1521:authdb"
driverName="oracle.jdbc.OracleDriver"
userTable="appusers"
userNameCol="username"
userCredCol="password"
allRolesMode="authOnly"/>
web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/modules/*</url-pattern>
<url-pattern>/index.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<!--
security-role>
<role-name>user</role-name>
security-role>
-->
I got it working by removing <security-role> block from web.xml &
putting auth-contraint with role-name as *
If you remove auth-contraint block from security-contraint then web context authentication itself will not be invoked !!