Bug in WildFly http-remoting - wildfly

When I access a remote EJB, the login credentials are passed to the custom security domain that is set for all EJBs. Here the password is received in my custom login module as org.jboss.as.security.remoting.RemotingConnectionCredential#35ddbd0f.
But when logging in from a browser, the password is received as entered. What's wrong with remote calls?
Here is my jndi.properties:
java.naming.factory.initial=org.jboss.naming.remote.client.InitialContextFactory
java.naming.provider.url=http-remoting://localhost:8080
java.naming.security.principal=xxxx
java.naming.security.credentials=xxxx
jboss.naming.client.ejb.context=true
I checked with the latest stable version, 8.2.0.

Related

Configuration Of EAP 7.4.7 With Web Application Using Spring Security

We are moving to JDK 17, and it is now supported by Redhat in EAP 7.4.7. In EAP 7.4.7, Redhat has disabled the legacy security approach in favor of Elytron. I have migrated my configuration to 7.4.7 with the supplied Elytron migration scripts, and the server starts without problems.
Access to parts of the web application is managed by Spring Security and HTTP Basic authentication. If I disable Spring Security, the application can be accessed and works as expected. However, when I enable Spring Security I see the browser dialog for user ID and password. The validation of the user ID and password appears to be intercepted by Elytron, because I see this in the logs and my breakpoint in our password validation is not hit:
2022-11-09 09:10:47,202 DEBUG [org.wildfly.security.http.password] (default task-2) Username authentication. Realm: [null], Username: [admin].
2022-11-09 09:10:47,202 DEBUG [org.wildfly.security.http.basic] (default task-2) User admin authentication failed.
The identical war file deploys and works as expected with Wildfly 26.12. I have tried making the configuration match as closely as possible, with no difference. So there must be some difference in the EAP 7.4.7 configuration that is causing the problem.
Any suggestions?

Authentication of REST services not working with jBPM (KIE Server and Business Central) and Keycloak

I am studying jBPM (KIE Server and Business Central) and Keycloak. In isolation, I managed to run all this software successfully. However, when I try to integrate them, the authentication of users on the website works (the Keycloak login page to access the Business Central site), but it seems that the authentication of the REST service calls, both from the KIE Server and from Business Central, stops working (unauthorized), and the KIE Server is unable to synchronize with its Controller (Business Central).
Below are more details on the subject.
I have been searching for a few days for a solution to the problem but without success.
Although I have already consulted this excellent site, this is my first question and I do not have much of a reference for which files are recommended to attach to the question. If you need a specific file, please say so and I will attach it.
I appreciate any help.
Notes (useful information) about the environment and problems encountered:
A single Wildfly 20.0.1 environment (server) hosting KIE Server 7.43.1.Final, Business Central 7.43.1.Final and Keycloak 11.0.2, with the Keycloak adapter installed, on Windows 10.
In Keycloak, Realm was created with the name VHLLEmpresaRealm and 2 clients (applications):
VHLLEmpresaKIEServer: with public access.
VHLLEmpresaBusinessCentral: with confidential access.
In Keycloak, the user kieserver with password kieserver1! was created and assigned various roles (both realm and client roles), among them admin, rest-all, kie-server, kiemgmt and user.
Authentication with the kieserver user and its password on the Business Central website works properly, integrated with Keycloak (Keycloak login page). Authentication with Google (social login) works properly.
Business Central is configured to show and manage the users registered in Keycloak.
Problems observed:
When starting the Wildfly server, the KIE Server is unable to synchronize with the Business Central Controller (see the startup log, Doc 06). The attempt below is repeated several times at startup without success, followed by a NullPointerException; the relevant lines are copied below:
17:13:30,057 INFO [org.kie.server.controller.websocket.client.WebSocketKieServerControllerImpl] (KieServer-ControllerConnect) Kie Server points to non Web Socket controller 'http://localhost:8080/business-central/rest/controller', using default REST mechanism
17:13:30,214 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-6) Uncaught server error: java.lang.NullPointerException
at org.keycloak.storage.StorageId.isLocalStorage(StorageId.java:77)
at org.keycloak.credential.UserCredentialStoreManager.getStoreForUser(UserCredentialStoreManager.java:54)
...
17:13:30,214 WARN [org.kie.server.services.impl.controller.DefaultRestControllerImpl] (KieServer-ControllerConnect) Exception encountered while syncing with controller at http://localhost:8080/business-central/rest/controller/server/wildfly-kieserver error Error while sending PUT request to http://localhost:8080/business-central/rest/controller/server/wildfly-kieserver response code 401
Link to complete file:
https://drive.google.com/file/d/1kr47ap9frsCQB8oyQE2dEm2gfl7__s0G/view?usp=sharing
On the Business Central website, on the Deployments page (which also shows the servers), the KIE Server does not appear as available (see Doc 07).
Link to complete file:
https://drive.google.com/file/d/1lKiCZdOp7yRvHibfgJ8ZOE_dZIAnkE6U/view?usp=sharing
In the curl command to access the Business Central REST services, even though the kieserver user and password are passed, the response is Unauthorized (see Doc 08).
COMMAND: curl -X GET 'http://kieserver:kieserver1!@localhost:8080/business-central/rest/repositories' -v
RESPONSE: ErrorUnauthorized
Link to complete file:
https://drive.google.com/file/d/1V_CH_hiTkhLh-AtgRvP0YkZ3afwBc4tZ/view?usp=sharing
Other Files:
Wildfly Settings - STANDALONE-FULL.XML
https://drive.google.com/file/d/1f0xvRDPiId1RymZkMGIUaIMB_EuGpbud/view?usp=sharing
I'm not sure if this is the correct way to solve the problem, but after continuing my studies and research for a few more days, using the curl command (below) to call a Business Central service, I obtained the access token, and through the website jwt.io I noticed in the content of this token that the audience (aud) claim was not filled in with the Keycloak client ID that requested the token.
curl -d "grant_type=password" -d "client_id=VHLLEmpresaBusinessCentral" -d "client_secret=020c8841-50ee-437e-af16-XXXXXXXX" -d "username=kieserver" -d "password=kieserverXXXXX" -d "scope=VHLLEmpresaEscopo" http://localhost:8180/auth/realms/VHLLEmpresaRealm/protocol/openid-connect/token
So I created a client scope, created an Audience mapper in it to add the client's own ID, and associated this client scope with the corresponding client.
The second change that was necessary was to override the Direct Grant Flow with the "direct grant" value for each client involved.
With the two changes above, the synchronization between KIE Server and Business Central is working again.
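As an added example (not part of the question above and not jBPM or Keycloak code), the following Python script does the inspection described in the answer locally instead of on jwt.io, which keeps a live bearer token off a third-party site: it decodes the payload of an access token, checks whether the aud claim covers the client that is expected to accept it, and points at azp (the client that requested the token) when it does not. The realm and client names are taken from the question; the token endpoint URL and the two sample tokens are assumptions, constructed here unsigned, solely so the check runs offline.

```python
"""Inspect the 'aud' claim of a Keycloak access token locally.

Added example, not part of the original question or of jBPM/Keycloak. Realm
and client names come from the question; the endpoint URL and the sample
tokens below are constructed assumptions used only to exercise the checks.
"""
import base64
import json
import urllib.parse
import urllib.request

REALM_URL = "http://localhost:8180/auth/realms/VHLLEmpresaRealm"  # assumed
TOKEN_ENDPOINT = REALM_URL + "/protocol/openid-connect/token"
CLIENT_ID = "VHLLEmpresaBusinessCentral"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment; JWTs strip the '=' padding, so restore it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWS *without* verifying its signature.

    Good enough for looking at what Keycloak put in the token (what jwt.io
    shows, without handing the token to a third party). A resource server
    must verify the signature against the realm's JWKS before trusting claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def audience_ok(claims: dict, client_id: str) -> bool:
    """RFC 7519 lets 'aud' be a string or an array; accept either form."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return aud == client_id
    if isinstance(aud, list):
        return client_id in aud
    return False


def diagnose(token: str, client_id: str) -> str:
    """Summarise why an adapter that verifies the audience would reject the token."""
    claims = jwt_claims(token)
    if audience_ok(claims, client_id):
        return "ok: aud contains " + client_id
    return (f"aud={claims.get('aud')!r} does not contain {client_id}; "
            f"azp={claims.get('azp')!r} is the client that requested it. "
            "Add an Audience mapper for this client (via a client scope).")


def request_token(client_id, client_secret, username, password,
                  token_endpoint=TOKEN_ENDPOINT):
    """Resource Owner Password Credentials grant: the same request as the curl
    command in the answer. Network call, so it is not exercised offline."""
    form = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    }).encode()
    with urllib.request.urlopen(token_endpoint, data=form, timeout=10) as resp:
        return json.load(resp)["access_token"]


def unsigned_sample(claims: dict) -> str:
    """Build a constructed, unsigned token (alg=none) for the offline demo."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


# Constructed samples: a token whose aud names only the 'account' client while the
# requesting client appears in azp, versus one issued after adding the Audience mapper.
SAMPLE_DEFAULT = unsigned_sample({"iss": REALM_URL, "azp": CLIENT_ID,
                                  "aud": "account", "preferred_username": "kieserver"})
SAMPLE_MAPPED = unsigned_sample({"iss": REALM_URL, "azp": CLIENT_ID,
                                 "aud": ["account", CLIENT_ID],
                                 "preferred_username": "kieserver"})

if __name__ == "__main__":
    print(diagnose(SAMPLE_DEFAULT, CLIENT_ID))
    print(diagnose(SAMPLE_MAPPED, CLIENT_ID))
```

request_token() issues the same password grant as the curl command and returns the raw access token, which can then be passed to diagnose(). A consumer that verifies the audience needs its own client ID in aud, which is exactly what the Audience mapper adds; azp alone identifies the requesting client but does not satisfy an audience check.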

WebSphere redirect on login drops the domain/host name. WASReqURL missing domain/host name

I am running a WebSphere 8.5.5.3 installation with WebSphere HTTP server in a cluster environment on AIX. I am having a problem with incorrect redirects upon login, e.g.:
User is trying to access http://domain_name/app_name/resource_name
User is redirected to the login page at http://domain_name/Login.html
User enters valid credentials
User is redirected to the incorrect URL http:///app_name/resource_name
If the user logs in a second time, everything works fine
What am I doing wrong? Have I misconfigured something?
Thanks to https://www.ibm.com/developerworks/community/forums/html/topic?id=8deb461e-d3fe-41e5-9402-52be4ec4dba9 here is the answer:
http://www-01.ibm.com/support/docview.wss?rs=203&ca=portall2&uid=swg21259747
Summary:
Create a custom property for WebSphere Global Security:
Name: com.ibm.websphere.security.util.fullyQualifiedURL
Value: true
I was able to just restart the WebSphere application server, but you may need to restart all of WebSphere if restarting only the application server is not enough.

CQ Basic Authentication

I have a requirement to implement basic authentication on the dispatcher side.
I have the basic auth configuration below in my virtual host (www.abc.com) configuration file.
<Location /content/abc/jp-JP>
    AuthType Basic
    AuthName "private area"
    AuthBasicProvider file
    # this is the name of the file that contains the usernames and passwords
    AuthUserFile /opt/cq/www/htdocs/password
    Require valid-user
</Location>
When I try to access www.abc.com/jp-JP I get the basic auth prompt and am authenticated successfully from the password file (username and password file) located under /opt/cq/www/htdocs. After the first prompt has successfully validated the username and password, a second prompt is displayed that requires a username and password: "The server says (Sling development)". If I disable basic authentication in the Apache Sling Authentication Service of the publish instance, then it redirects me to the correct page, as I expected, but I am unable to publish content from author (it is blocked inside the replication agent queue). So I enabled it again, but basic authentication is blocked with "The server says (Sling development)".
I am sure it is difficult to understand what I am trying to say here, but any idea how to bypass the "The server says (Sling development)" prompt from dispatcher-level basic auth? Any help would be appreciated!
Let me paraphrase your description: you have set up HTTP Basic Auth at the Apache level and it works fine, but the credentials entered in the browser are sent not only to Apache but also to CQ. CQ treats the credentials as its own username and password and returns an error. Disabling the HTTP Basic Authentication Handler authenticator is not an option, as it's used by the replication process.
In order to make Apache HTTP Basic auth and the CQ publish instance coexist, you can remove the Authorization header (used by HTTP Basic Auth) on Apache, using the mod_headers module and its RequestHeader directive. Enable mod_headers and place the following line in your VirtualHost configuration:
RequestHeader unset Authorization
Apache will use the header to authenticate the request, but then it'll be removed and CQ won't get it.
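Putting the answer together in one vhost, as an added example rather than the answer's own configuration, with two things the original snippet did not address: the htpasswd file is moved out of the document root (the path /opt/cq/conf/jp-JP.htpasswd is an assumption) so Apache cannot serve it as a static file, and the RequestHeader unset is scoped to the protected Location so that Basic credentials sent to other paths (for instance a replication agent whose traffic is routed through this vhost) still reach CQ.

```apache
# Added example, not the original answer's configuration.
# Assumptions: mod_headers and mod_auth_basic are loaded, the htpasswd file
# lives at /opt/cq/conf/jp-JP.htpasswd (outside DocumentRoot), and the
# dispatcher module forwards requests to the CQ publish instance (not shown).
<VirtualHost *:80>
    ServerName www.abc.com
    DocumentRoot /opt/cq/www/htdocs

    <Location /content/abc/jp-JP>
        AuthType Basic
        AuthName "private area"
        AuthBasicProvider file
        # Keep the credential file out of the document tree: anything under
        # DocumentRoot may be served by a plain GET.
        AuthUserFile /opt/cq/conf/jp-JP.htpasswd
        Require valid-user
        # Fixup phase: runs after mod_auth_basic has validated the credentials,
        # so Apache still authenticates while CQ never sees the browser's header.
        # Scoped to this Location so Authorization on other paths still reaches CQ.
        RequestHeader unset Authorization
    </Location>

    # Defence in depth for anyone who still keeps a htpasswd file under htdocs.
    <Files "password">
        Require all denied
    </Files>
</VirtualHost>
```

RequestHeader without the early keyword is processed in the fixup phase, after authentication, which is why this works; RequestHeader unset Authorization early would strip the header before mod_auth_basic runs and lock every user out of the protected path.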

WSO2IS with Kerberos/IWA/SPNEGO authentication

According to https://docs.wso2.org/display/IS460/Enabling+IWA+in+WSO2+Identity+Server, IS seems to be configured to use WAFFLE, which can be used only on Windows.
Did anyone have a chance to install it successfully using the http://spnego.sourceforge.net/ framework?
It would be appreciated not to limit the environment to Windows only.
If you use Tomcat, you can simply use my library: http://tomcatspnegoad.sourceforge.net/
We have managed to create a custom authenticator where:
the authenticator redirects the user to a page hosted in Tomcat (a custom logon page);
the logon page doesn't display any logon form, but the user is authenticated with SPNEGO / Kerberos using the Tomcat SPNEGO library, and a JWT ticket is posted back to the authenticator (commonAuthId) instead of a username and password;
the authenticator assumes the identity of the user (sets the username in the authentication context).
This is de facto a custom claim authentication; do not forget to sign / validate the posted ticket.
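To make that last sentence concrete, here is an added example (not code from WSO2 Identity Server or from the tomcatspnegoad library) of minting and validating the posted ticket in Python: an HS256-signed JWT carrying the SPNEGO-authenticated principal, an audience naming the authenticator, a 60-second lifetime and a replay identifier. The shared key, the audience string "commonAuth" and the claim layout are assumptions. The validator pins the algorithm and checks the MAC before reading any claim, which is what stops a forged or alg=none ticket from letting an attacker assume an arbitrary identity.

```python
"""Mint and validate the signed ticket a custom claim authenticator relies on.

Added example, not code from WSO2 IS or tomcatspnegoad. Assumes the logon
page and the authenticator share an HMAC key and agree on the audience name.
"""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

AUDIENCE = "commonAuth"   # assumed name of the consuming authenticator
TICKET_TTL = 60           # seconds; a one-hop assertion needs only a short life
SEEN_JTI = set()          # in-process replay cache (use a shared store on a cluster)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_ticket(username: str, key: bytes, now: Optional[int] = None) -> str:
    """Issue an HS256-signed JWT asserting the SPNEGO-authenticated principal."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": username, "aud": AUDIENCE, "iat": now,
              "exp": now + TICKET_TTL, "jti": b64url_encode(os.urandom(16))}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_ticket(token: str, key: bytes, now: Optional[int] = None) -> str:
    """Return the asserted username, or raise ValueError.

    Order matters: pin the algorithm and verify the MAC before trusting any
    claim, then check audience, lifetime and replay.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed ticket")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":      # never honour 'alg' chosen by the sender
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("aud") != AUDIENCE:
        raise ValueError("ticket not meant for this authenticator")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("ticket expired")
    if claims.get("jti") in SEEN_JTI:
        raise ValueError("ticket replayed")
    SEEN_JTI.add(claims["jti"])
    return claims["sub"]


def rejection_reason(token: str, key: bytes, now: Optional[int] = None) -> Optional[str]:
    """None if the ticket is accepted, otherwise why it was rejected."""
    try:
        validate_ticket(token, key, now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    key = os.urandom(32)   # constructed demo key; load from a secret store in practice
    ticket = mint_ticket("alice@EXAMPLE.COM", key)
    print("accepted as", validate_ticket(ticket, key))
    print("second use:", rejection_reason(ticket, key))
```

The replay cache here is an in-process set, so with several Tomcat or IS nodes it has to live in a shared store. The ticket is a bearer credential for as long as it is valid, so it should only ever be posted over TLS and the lifetime kept to the few seconds the redirect round trip needs.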