Login configuration in Vaadin/Spring application in JBoss AS 7 - authentication

I am trying to configure authentication in my Vaadin/Spring application deployed in JBoss AS 7, but I cannot find any documentation on this. I've managed to configure the application so that only authenticated users can use it. Here is a part of my web.xml:
<security-constraint>
  <display-name>SecureApplicationConstraint</display-name>
  <web-resource-collection>
    <web-resource-name>Vaadin application</web-resource-name>
    <description>The entire Vaadin application is protected</description>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description>Only valid users are allowed</description>
    <role-name>ROLE_ADMIN</role-name>
    <role-name>ROLE_DOCTOR</role-name>
    <role-name>ROLE_PATIENT</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>file</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <description/>
  <role-name>ROLE_ADMIN</role-name>
</security-role>
<security-role>
  <description/>
  <role-name>ROLE_DOCTOR</role-name>
</security-role>
<security-role>
  <description/>
  <role-name>ROLE_PATIENT</role-name>
</security-role>
Now the application won't be displayed until the user is authenticated. What I expected was that the user would be automatically redirected to the login form. I still have to configure the JBoss app server, but cannot find how. I used to work with JBoss 5, where this configuration was done in a login-config.xml file. Does anybody know how to configure the authentication REALM in JBoss 7 and make the Vaadin application redirect the user to the login form if he is not authenticated yet? Thanks for your help,
Bye,
Filip

First, a couple of questions -
(1) what is happening when you try to access a resource,
and (2) the security constraint covers/protects anything in the domain.
But your login page is there too.
Would you try limiting the url-pattern to something that wouldn't include the login page, like /myprotectedfolder/* instead?
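The point raised in this answer, that a /* constraint also swallows the login page, can be checked mechanically. The Python script below is an added example (not code from the question or from any answer): it parses a web.xml, applies the Servlet url-pattern matching rules, and reports when a form-login-page or form-error-page falls under a constraint that carries an auth-constraint; it also goes beyond this answer by flagging collections that enumerate http-method elements (every unlisted verb stays unconstrained) and constraints that leave transport-guarantee at NONE. The embedded web.xml is a constructed sample modelled on the question, not the poster's file.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Drop the namespace prefix that most web.xml files declare."""
    return tag.rsplit('}', 1)[-1]

def pattern_matches(pattern, path):
    """Servlet url-pattern rules: default '/', prefix '/x/*', extension '*.jsp', or exact."""
    if pattern == '/':
        return True
    if pattern.endswith('/*'):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + '/')
    if pattern.startswith('*.'):
        return path.endswith(pattern[1:])
    return path == pattern

def audit_web_xml(xml_text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    pages = [e.text.strip() for e in root.iter()
             if local(e.tag) in ('form-login-page', 'form-error-page') and e.text]
    findings = []
    for sc in [e for e in root.iter() if local(e.tag) == 'security-constraint']:
        if not any(local(c.tag) == 'auth-constraint' for c in sc):
            continue  # no auth-constraint: this collection is not protected
        patterns = [e.text.strip() for e in sc.iter() if local(e.tag) == 'url-pattern']
        methods = [e.text.strip() for e in sc.iter() if local(e.tag) == 'http-method']
        guarantee = next((e.text.strip() for e in sc.iter()
                          if local(e.tag) == 'transport-guarantee'), 'NONE')
        # The login and error pages must stay reachable without an authenticated session.
        for page in pages:
            if any(pattern_matches(p, page) for p in patterns):
                findings.append(f'{page} is covered by protected pattern(s) {patterns}')
        # Listing http-method constrains only those verbs; HEAD, PUT, ... stay open.
        if methods:
            findings.append(f'{patterns} constrains only {methods}; other verbs are open')
        # Without CONFIDENTIAL the container accepts the credential POST over plain HTTP.
        if guarantee != 'CONFIDENTIAL':
            findings.append(f'{patterns} has transport-guarantee {guarantee}; use CONFIDENTIAL')
    return findings

# Constructed sample modelled on the question's web.xml, not the poster's actual file.
SAMPLE = """<web-app>
<security-constraint><web-resource-collection><url-pattern>/*</url-pattern>
</web-resource-collection><auth-constraint><role-name>ROLE_ADMIN</role-name>
</auth-constraint></security-constraint>
<login-config><auth-method>FORM</auth-method><form-login-config>
<form-login-page>/login.jsp</form-login-page><form-error-page>/loginError.jsp</form-error-page>
</form-login-config></login-config></web-app>"""
```

Running audit_web_xml(SAMPLE) yields three findings (both form pages under /*, plus the missing CONFIDENTIAL guarantee); narrowing the pattern to something like /secure/* clears the first two.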

I've found that FORM-based login is tricky in Vaadin, as Vaadin servlet is by default mapped to /*, which means that your login.jsp will also be handled by it. I implemented my login programmatically with the LoginForm, which seems like a nicer integration. However, it's not really what your question is about...
In JBoss AS 7 the configs moved to {jboss}/standalone/configuration/standalone.xml or {jboss}/standalone/configuration/domain.xml, depending on your setup. In most common cases it's standalone.xml. Here's a sample of my database-driven security domain:
<subsystem xmlns="urn:jboss:domain:security:1.0">
  <security-domains>
    <security-domain name="MySecurityDomain">
      <authentication>
        <login-module code="Database" flag="required">
          <module-option name="dsJndiName" value="java:jboss/datasources/MyDS"/>
          <module-option name="principalsQuery" value="SELECT PASSWORD FROM PRINCIPAL WHERE USERNAME=?"/>
          <module-option name="rolesQuery" value="SELECT r.name, 'Roles' FROM role r, principal_role pr, principal p WHERE p.username=? AND p.user_id=pr.user_id AND pr.role_id=r.role_id"/>
          <module-option name="hashAlgorithm" value="MD5"/>
          <module-option name="hashEncoding" value="hex"/>
        </login-module>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>
I hope this helps.

Related

Wildfly - Problems with form based authentication after restart

We have what I believe to be a pretty standard form based authentication for a web application running on wildfly 8.2.
The authentication works well, except that when we stop&start the server some users are unable to log in again.
I have managed to reproduce one variant of this:
If I open the login page, /xxxx/app, before I restart, and then try to log in after the server is up again, I end up on a blank /xxxx/j_security_check page.
In my logs I can see that the actual authentication is run OK.
If I have understood this j_security_check mechanism properly, it goes something like this:
I access /xxxx/app
Wildfly sees that this url requires authentication. It remembers it and forwards me to login.jsp.
When I submit my login form to the magical j_security_check address it replaces it with the remembered /xxxx/app address.
If this is conceptually correct, I can see that a restart can be troublesome; The web server no longer remembers the /xxxx/app address and doesn't know where to redirect me to.
Does anyone have a workaround for this problem?
Any way to give wildfly a default page to go to after j_security_check?
Edit: I found this one: It is probably the same underlying cause:
Jboss Wildfly 8.1 session timeout on login page
jboss-web.xml:
<jboss-web>
  <security-domain>ptsmc</security-domain>
  <default-encoding>UTF-8</default-encoding>
</jboss-web>
web.xml:
<servlet-mapping>
  <servlet-name>main</servlet-name>
  <url-pattern>/app/*</url-pattern>
</servlet-mapping>
<!-- -->
<welcome-file-list>
  <welcome-file>index.html</welcome-file>
</welcome-file-list>
<security-constraint>
  <display-name>ptsmc</display-name>
  <web-resource-collection>
    <web-resource-name>ptsmc</web-resource-name>
    <url-pattern>/app/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>WEB</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.html</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <description>Users must have this role to be granted access to Application</description>
  <role-name>WEB</role-name>
</security-role>
login.jsp:
<form name="login_form" method="POST" action="<%=response.encodeURL(request.getContextPath() + "/j_security_check")%>">
  <table>
    <tr><td>User id:</td><td><input type=text name=j_username autofocus onblur="this.value = this.value.toUpperCase();"></td></tr>
    <tr><td>Password:</td><td><input type=password name=j_password></td></tr>
    <tr><td> </td><td><input type=submit value="Submit"></td></tr>
  </table>
</form>

When using Basic Authentication for war deployed in WildFly, getUserPrincipal returns null

I have been attempting to get a simple Basic Authentication example working with WildFly 8.1.0, immutant, and friend. I'm willing to post any code desired, but I'm not sure what would be needed at this point. For now, I'll assume my standalone.xml, web.xml, and jboss-web.xml all contain the correct data -- that may not be the case, but for now I'll just dive in to the problem.
I have an application with a simple /test resource. I've deployed it on WildFly and use Basic Authentication to attempt to access it. Also, I've checked my application-roles.properties and application-users.properties files and they seem fine.
When I attempt to log in, I see the following trace from WildFly:
14:30:36,681 TRACE [org.jboss.security] (default task-1) PBOX000210:
defaultLogin, login context:
javax.security.auth.login.LoginContext#4c89fc2c, subject:
Subject(1313538088).principals=org.jboss.security.SimplePrincipal#99148614(tester-na)org.jboss.security.SimpleGroup#83654093(Roles(members:elm-nss-admin))org.jboss.security.SimpleGroup#83654093(CallerPrincipal(members:tester-na))
The user is tester-na and you can see that it is a member of elm-nss-admin.
When I use a bad password, WildFly catches it and my application never does any check. However, when I sent the correct password the above trace is logged and it calls my authentication handler.
The problem is that my authentication handler fails because a call to getUserPrincipal() returns NULL. The resource is protected, here are my security constraints:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Resources</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
When I use LDAP, this isn't a problem. I think it's because LDAP supplied a certificate and WildFly passes up the cookie.
But with Basic Auth, I'm not getting a cookie, I won't barf the debug output unless requested, it's quite verbose, but the relevant bits are: :cookies {}, :context , :session nil
I'm guessing that getUserPrincipal() fails because I'm still in the act of authenticating?
So, any ideas on how I can get the user data/permissions from WildFly so friend can be passed the proper data to authenticate/authorize with?
Update: I was able to create a simple application with the same XML files I'm using for the production app and it isn't failing. For interest, and those who use stackoverflow for answers as much as I do, here are the relevant parts:
From standalone.xml in security-realms:
<security-realm name="ApplicationRealm">
  <authentication>
    <local default-user="$local" allowed-users="*"/>
    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
  </authentication>
  <authorization>
    <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
  </authorization>
</security-realm>
and in <subsystem xmlns="urn:jboss:domain:security:1.2"> I have:
<security-domain name="other" cache-type="default">
  <authentication>
    <login-module code="Remoting" flag="optional">
      <module-option name="password-stacking" value="useFirstPass"/>
    </login-module>
    <login-module code="RealmDirect" flag="required">
      <module-option name="password-stacking" value="useFirstPass"/>
    </login-module>
  </authentication>
</security-domain>
<security-domain name="jboss-web-policy" cache-type="default">
  <authorization>
    <policy-module code="Delegating" flag="required"/>
  </authorization>
</security-domain>
<security-domain name="jboss-ejb-policy" cache-type="default">
  <authorization>
    <policy-module code="Delegating" flag="required"/>
  </authorization>
</security-domain>
In my web.xml file (in the war-resources/WEB-INF folder):
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>ApplicationRealm</realm-name>
</login-config>
The jboss.xml file, in the same directory is:
<jboss-web>
  <context-root></context-root>
  <security-domain>other</security-domain>
</jboss-web>
Since these settings are working with my simple application, I'll start looking for something project specific as to why WildFly isn't giving me the user in my production code.
Any helpful suggestions would be greatly appreciated. Even just a suggestion as to where to start looking.
Problem solved. Turns out the user was being logged out before I was attempting to authorize access to a specific resource. :P
Steven solved the problem himself:
Problem solved. Turns out the user was being logged out before I was attempting to authorize access to a specific resource. :P

No authenticator available for programmatic login

I keep getting this error whenever I try to login with two different users in two different sessions.
13:27:28,444 ERROR [com.commit.steam.rest.RestLoginService] (http-localhost-127.0.0.1-8080-2) Error on login: javax.servlet.ServletException: No authenticator available for programmatic login
at org.apache.catalina.connector.Request.login(Request.java:3254) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.connector.RequestFacade.login(RequestFacade.java:1082) [jbossweb-7.0.13.Final.jar:]
at com.commit.steam.rest.RestLoginService.login(RestLoginService.java:128) [steam-rest-api-0.1.6-SNAPSHOT.jar:]
from standalone.xml:
<security-domain name="steam" cache-type="default">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName" value="java:jboss/datasources/STEAMDS"/>
      <module-option name="principalsQuery" value="select U.PASSWORD from USERS U where U.EMAIL=?"/>
      <module-option name="rolesQuery" value="select R.NAME, 'Roles' from USERS U join USER_ROLES UR on U.ID = UR.USER_ID join ROLES R on UR.ROLE_ID = R.ID where U.EMAIL=?"/>
      <module-option name="hashAlgorithm" value="SHA-256"/>
      <module-option name="hashEncoding" value="base64"/>
    </login-module>
  </authentication>
</security-domain>
jboss-web.xml:
<?xml version="1.0"?>
<jboss-web>
  <security-domain>steam</security-domain>
</jboss-web>
I use JBoss-as 7.1.1.Final
While debugging I can see that the first request (HttpServletRequest.context.authenticator) has the NonLoginAuthenticator and the login with the second session doesn't have any authenticator attached to it (i.e. HttpServletRequest.context.authenticator is null).
Every following request in the first session has the same Authenticator on the request (when I test business flows for one user).
The HttpServletRequest is injected in the class level
@Context
private HttpServletRequest request;

protected HttpServletRequest request() {
    return this.request;
}
(I tried to move the injection to method level and it didn't help). My REST class is annotated as a @Stateless bean (to allow injections).
I tried switching the sessions (I use Chrome and FireFox to ensure different sessions) but it didn't change anything.
Does anyone have any idea or lead on where I need to look for this issue?
Thanks a lot
Avi
Add a <security-constraint> element to your web.xml. Something like this:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Permit all</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>

Tomcat-6.0.20 and user authentication

The problem
A Tomcat manager page cannot be accessed by a user granted a manager role.
The things I tried to do
I added a user with a manager role into tomcat-users.xml:
<role rolename="manager"/>
<user username="emanemos" password="password" roles="manager"/>
I also looked up the $CATALINA_HOME/webapps/manager/WEB-INF/web.xml to be sure that manager role is really used to access the application:
<auth-constraint>
  <!-- NOTE: This role is not present in the default users file -->
  <role-name>manager</role-name>
</auth-constraint>
<!-- Define the Login Configuration for this Application -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Tomcat Manager Application</realm-name>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
  <description>
    The role that is required to log in to the Manager Application
  </description>
  <role-name>manager</role-name>
</security-role>
However, the manager application still asks for a login-password pair in an endless loop ignoring my input.
Does anybody have any ideas?
Did you restart Tomcat after making the changes to tomcat-users.xml?

Bea Weblogic (8.1) and j_security_check

I'm working with a developer here who just inherited an existing site. It is a WebLogic 8.1 website with j_security_check authentication behind an Apache reverse proxy. We're getting some issues with the logins, and are not sure about the j_security_check config. It seems very black boxy and magicky. How do we get information on how it's configured, specifically how to change the target page after successful login?
Thank you.
WebLogic will automatically redirect to the requested page. In the web.xml it is defined which resources are protected by the form login (as it is called). So just request the first page and you will be presented with the login. After a successful login you will be redirected to the originally requested page.
You'll see something similar to this in your web.xml (the "myRoleName" will be replaced by the security role as defined in your WebLogic Server Console under Security > Realms > myreal > Groups). If you have multiple roles, this will differ slightly.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/flows/*</url-pattern>
    <!-- Servlet url-pattern values must start with "/" or "*."; "Controller.jpf" as written is not a valid pattern -->
    <url-pattern>Controller.jpf</url-pattern>
    <!-- HTTP method names are case-sensitive ("POST", not "Post"); listing methods constrains only those verbs,
         every unlisted method (HEAD, PUT, DELETE, ...) remains unprotected -->
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>myRoleName</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>login.jsp</form-login-page>
    <form-error-page>fail_login.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <description>
    Only role for the Application
  </description>
  <role-name>myRoleName</role-name>
</security-role>