Am trying to accomplish client certificate authentication using wildfly 8.2, I have changed logging level to ALL to enable me see errors from org.jboss.security
(NOTE:passwords used are for demonstration)
below is my configuration in wildfly 8.2 standalone.xml
<security-realm name="SSLRealm">
<server-identities>
<ssl protocol="TLSv1">
<keystore path="localhost.jks" relative-to="jboss.server.config.dir" keystore-password="localhost" alias="localhost"/>
</ssl>
</server-identities>
<authentication>
<truststore path="cacerts.jks" relative-to="jboss.server.config.dir" keystore-password="localhost"/>
</authentication>
</security-realm>
my security domain
<security-domain name="client-cert-policy" cache-type="default">
<authentication>
<login-module code="Certificate" flag="required">
<module-option name="securityDomain" value="client-cert-policy"/>
</login-module>
</authentication>
<jsse keystore-password="localhost" keystore-url="file:/${jboss.server.config.dir}/localhost.jks" truststore-password="localhost" truststore-url="file:/${jboss.server.config.dir}/cacerts.jks" client-auth="true"/>
</security-domain>
my https-listerner
<https-listener name="default-https" socket-binding="https" security-realm="SSLRealm" verify-client="REQUESTED"/>
in my web application web.xml
<security-constraint>
<display-name>allpages</display-name>
<web-resource-collection>
<web-resource-name>all-res</web-resource-name>
<description/>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
</auth-constraint>
<user-data-constraint>
<description/>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>client-cert-policy</realm-name>
</login-config>
in jboss.xml
<context-root>/haven</context-root>
<security-domain>client-cert-policy</security-domain>
Despite all this my web application returns a 403 error page
Any help will be greatly be appreciated
Finally I got the client_auth to work the following are the modification are made
in standalone.xml security domain changed from Certificate to CertificateRoles, add a role property file
<security-domain name="client-cert-policy" cache-type="default">
<authentication>
<login-module code="CertificateRoles" flag="required">
<module-option name="securityDomain" value="client-cert-policy"/>
<module-option name="rolesProperties" value="file:${jboss.server.config.dir}/user_roles.properties"/>
<module-option name="defaultRolesProperties" value="file:${jboss.server.config.dir}/default_roles.properties"/>
</login-module>
</authentication>
<jsse keystore-password="localhost" keystore-url="file:/${jboss.server.config.dir}/localhost.jks" truststore-password="localhost" truststore-url="file:/${jboss.server.config.dir}/cacerts.jks" client-auth="true"/>
</security-domain>
modified web.xml to add the roles
<security-constraint>
<display-name>allpages</display-name>
<web-resource-collection>
<web-resource-name>all-res</web-resource-name>
<description/>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>sys_view</role-name>
</auth-constraint>
<user-data-constraint>
<description/>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>client-cert-policy</realm-name>
</login-config>
<security-role>
<description/>
<role-name>sys_view</role-name>
</security-role>
Related
I practise sip scenarios based on mobicents sip servlets. I have Restcomm-JBoss-AS7-8.2.0.1221 and my own sip application deployed on it (restcomm app is disabled). I encountered a problem with enabling jboss security. What I did:
1.Create sip-servlets-roles.properties
admin=caller
2.Create sip-servlets-users.properties (for user alice, domain 192.168.56.101, password 1234)
admin=6f8002e56ee173a3a39144ea90d18a39
3.Put above files to ../Restcomm-JBoss-AS7-8.2.0.1221/standalone/configuration
4.Deploy sip application with sip.xml
<security-constraint>
<display-name>REGISTER Method Security Constraint</display-name>
<resource-collection>
<resource-name>SipServletApp</resource-name>
<description>Require authenticated REGSITER requests</description>
<servlet-name>SipServletApp</servlet-name>
<sip-method>REGISTER</sip-method>
</resource-collection>
<auth-constraint>
<role-name>caller</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>DIGEST</auth-method>
<realm-name>192.168.56.101</realm-name>
</login-config>
5.standalone-sip.xml is unchanged
<security-domain name="sip-servlets">
<authentication>
<login-module code="UsersRoles" flag="required">
<module-option name="usersProperties" value="${jboss.server.config.dir}/sip-servlets-users.properties"/>
<module-option name="rolesProperties" value="${jboss.server.config.dir}/sip-servlets-roles.properties"/>
<module-option name="hashAlgorithm" value="MD5"/>
<module-option name="hashEncoding" value="RFC2617"/>
<module-option name="hashUserPassword" value="false"/>
<module-option name="hashStorePassword" value="true"/>
<module-option name="passwordIsA1Hash" value="true"/>
<module-option name="storeDigestCallback" value="org.jboss.security.auth.callback.RFC2617Digest"/>
</login-module>
</authentication>
</security-domain>
6.Try to register user alice with zoiper
wireshark trace
7.Enabling trace level and got Error in jboss logs
14:14:10,140 DEBUG [org.jboss.security] (Restcomm-SIP-Servlets-UDPMessageChannelThread-44) PBOX000206: Login failure: javax.security.auth.login.LoginException: java.lang.NullPointerException
at org.jboss.security.auth.spi.Util.createPasswordHash(Util.java:424)
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.createPasswordHash(UsernamePasswordLoginModule.java:450)
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:280)
...
8.DAR is set to my sip app
So the question is what is wrong with this configuration?
Your storePassword, ie. admin=6f8002e56ee173a3a39144ea90d18a39 is already hashed. module-option name="hashStorePassword" value="true", should be value="false"
For an integration test EAR I need my Wildfly to be able to log in different users with a specific role.
org.jboss.security.auth.spi.SimpleServerLoginModule doesn't allow me to specify a role
org.jboss.security.auth.spi.IdentityLoginModule doesn't allow different users
So evidently I need to use something different. I tried to use a temporary database like this:
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
flag="required">
<module-option name="dsJndiName" value="java:/AcmeDS" />
<module-option name="principalsQuery" value="SELECT ?" />
<module-option name="rolesQuery" value="SELECT 'my_role', 'Roles'" />
<module-option name="password-stacking" value="useFirstPass" />
</login-module>
...aaand:
<datasources>
<datasource jndi-name="java:/AcmeDS" pool-name="AcmeDS" enabled="true">
<connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1</connection-url>
<driver>h2</driver>
<pool>
<min-pool-size>10</min-pool-size>
<max-pool-size>20</max-pool-size>
<prefill>true</prefill>
</pool>
<security>
<user-name>sa</user-name>
<password>sa</password>
</security>
</datasource>
<drivers>
<driver name="h2" module="com.h2database.h2">
<xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
</driver>
</drivers>
</datasources>
As suggested in the JBoss tutorial. Still I get the following exception for the clients:
java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: the server presented no authentication mechanisms
at org.jboss.ejb.client.remoting.IoFutureHelper.get(IoFutureHelper.java:92)
at org.jboss.ejb.client.remoting.ConnectionPool.getConnection(ConnectionPool.java:77)
at org.jboss.ejb.client.remoting.RemotingConnectionManager.getConnection(RemotingConnectionManager.java:51)
at org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector.setupEJBReceivers(ConfigBasedEJBClientContextSelector.java:155)
at org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector.getCurrent(ConfigBasedEJBClientContextSelector.java:115)
5 minutes later I got (I'm not aware of any changes): all available authentication mechanisms failed
(It worked right until the point where I needed a role, so I guess the setup for the client side is okay.)
What did I do I wrong? How can I get the Wildfly to at least show exceptions or something so I can debug the problem? Is there a better way to get the Wilfly to acknowledge different users with a specific role?
Have a look at the Java Security Quickstart Archetype. It has Java EE Security worked out, at least at the level I think you are trying to do.
In short, you need to have a security-domain, more like so:
<security-domain name="jboss-security-quickstart" cache-type="default">
<authentication>
<login-module code="Database" flag="required">
<module-option name="dsJndiName" value="java:jboss/datasources/ExampleDS"/>
<module-option name="principalsQuery" value="SELECT PASSWORD FROM USER WHERE EMAIL=?"/>
<module-option name="rolesQuery" value="SELECT R.ROLE, 'Roles' FROM ROLE R INNER JOIN USER_ROLE UR ON UR.ROLES_ID = R.ID INNER JOIN USER U ON U.ID = UR.USER_ID WHERE U.EMAIL=?"/>
<module-option name="hashAlgorithm" value="SHA-256"/>
<module-option name="hashEncoding" value="base64"/>
<module-option name="hashCharset" value="utf-8"/>
</login-module>
</authentication>
</security-domain>
You need to have a jboss-web.xml in your WEB-INF directory that points to it:
<!DOCTYPE jboss-web>
<jboss-web xmlns="http://www.jboss.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.jboss.org/schema/jbossas
http://www.jboss.org/schema/jbossas/jboss-web_7_2.xsd">
<!-- Configure usage of the security domain "javaee-security-quickstart" -->
<security-domain>javaee-security-quickstart</security-domain>
<disable-audit>true</disable-audit>
</jboss-web>
And a web.xml that uses it:
<security-constraint>
<web-resource-collection>
<web-resource-name>User Views</web-resource-name>
<url-pattern>/views/user/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>ADMIN</role-name>
<role-name>USER</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/views/login.xhtml</form-login-page>
<form-error-page>/views/login.xhtml?Retry=True</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>ADMIN</role-name>
</security-role>
<security-role>
<role-name>USER</role-name>
</security-role>
These are the basics, but it's a little easier to see it in action.
I'm writing an administration webapp to be deployed on Wildfly.
It's gonna be used by the same users that have access to the Administration Console (http://localhost:9990/).
It would be great if I could just declare that my app should use HTTP Basic auth in the ManagementRealm, just like the Console does.
The naive, optimistic try did not work:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<security-constraint>
<web-resource-collection>
<web-resource-name>Admin Panel</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>ManagementRealm</realm-name>
</login-config>
</web-app>
This does not trigger the HTTP Basic login dialog at all.
Is there any simple way to plug my app into the ManagementRealm?
I found that I need to create a security domain that's linked with the ManagementRealm. The configuration is spread over three places:
1) A new security domain needs to be added that delegates to ManagementRealm using RealmDirect login module:
<subsystem xmlns="urn:jboss:domain:security:1.2">
<security-domains>
....
<security-domain name="management" cache-type="default">
<authentication>
<login-module code="RealmDirect" flag="required">
<module-option name="realm" value="ManagementRealm"/>
</login-module>
</authentication>
</security-domain>
This can be done via jboss-cli:
/subsystem=security/security-domain=management:add(cache-type=default)
/subsystem=security/security-domain=management/authentication=classic:add(\
login-modules=[{\
"code"=>"RealmDirect", "flag"=>"required", \
"module-options"=>[("realm"=>"ManagementRealm")]\
}])
2) The app need to reference this security domain using WEB-INF/jboss-web.xml:
<jboss-web>
<security-domain>management</security-domain>
</jboss-web>
3) Than a straightforward web.xml to turn on HTTP Basic login dialog:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<security-role>
<role-name>*</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>Admin Panel</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>[message show in login dialog]</realm-name>
</login-config>
</web-app>
Wildfly won't follow the security-constraint unless you bind it to a security role:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<security-constraint>
<web-resource-collection>
<web-resource-name>Admin Panel</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>ManagementRealm</realm-name>
</login-config>
<security-role>
<role-name>*</role-name>
</security-role>
</web-app>
This will make basic auth load but then you have the problem where ManagementRealm is only bound to the management ports in your standalone.xml, so you will have to change that. You may need to remove ApplicationRealm so it doesn't conflict.
<management-interfaces>
<http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
<socket-binding http="management-http"/>
</http-interface>
</management-interfaces>
I have enabled https changing standalone.xml as follows:
<security-realms>
<security-realm name="UndertowRealm">
<server-identities>
<ssl>
<keystore path="./ed.keystore" relative-to="jboss.server.config.dir" keystore-password="secret" alias="ed" key-password="secret" />
</ssl>
</server-identities>
</security-realm>
...
and:
<subsystem xmlns="urn:jboss:domain:undertow:1.2">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https" />
<https-listener name="https" socket-binding="https" security-realm="UndertowRealm" />
Both the following links work:
http://localhost:8080
https://localhost:8443
the second actually is a secure connection.
Unfortunately, the first link doesn't redirect to the https protocol.
What have I missed?
Thank you.
Make sure you add this in your web.xml
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
This will allow the redirection for any URL.
I want to develop a simple java web application with JBoss 7 server to enable login from username/password entered by the user and authenticate with ldap.
So this is what i wrote in web.xml placed in WEB-INF/
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Enter user name and password</realm-name>
</login-config>
then added jboss-web.xml in same folder
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<security-domain>java:/jaas/website-domain</security-domain>
</jboss-web>
Then I added the website-domain realm in standalone.xml
<security-domain name="website-domain" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
<module-option name="bindDN" value="ou=people,dc=mycompany,dc=com" />
<module-option name="bindCredential" value="shad"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="Context.REFERRAL" value="follow"/>
<module-option name="throwValidateError" value="true"/>
<module-option name="allowEmptyPasswords" value="true"/>
</login-module>
</authentication>
</security-domain>
So how the username and password entered will be sent to these modules ? Or do I have to write a custom JAAS realm ? Is their any working example you guys can share me??
I wrote a post in portuguese...
http://jbossdivers.wordpress.com/2012/02/12/utilizando-ldap-login-module-no-jboss-as-7-1/
Your webapp needs to point to your security domain website-domain by adding a line in WEB-INF/jboss-web.xml
<security-domain flushOnSessionInvalidation="true">java:/jaas/website-domain</security-domain>
I believe in Jboss 7 you need to only specify website-domain (no java:/jaas/ prefix)