I am trying to use the Elytron jdbc-realm to authenticate a webapp client. I made a web.xml to authenticate /admin/* requests over BASIC auth:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>MyDomain admin users</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ROLE_ADMIN</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>ROLE_USER</role-name>
    </security-role>
    <security-role>
        <role-name>ROLE_ADMIN</role-name>
    </security-role>
    <context-param>
        <param-name>resteasy.role.based.security</param-name>
        <param-value>true</param-value>
    </context-param>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>MyDomain</realm-name>
    </login-config>
The MyDomain realm looks like this in the WildFly standalone.xml:
    <subsystem xmlns="urn:wildfly:elytron:17.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
        <security-domains>
            ...
            <security-domain name="MyDomain" default-realm="jdbc-realm" permission-mapper="default-permission-mapper">
                <realm name="jdbc-realm" role-decoder="from-roles-attribute"/>
            </security-domain>
            ...
        </security-domains>
        <security-realms>
            ...
            <jdbc-realm name="jdbc-realm">
                <principal-query sql="SELECT role, password FROM systemuser WHERE username = ?" data-source="elytronDS">
                    <attribute-mapping>
                        <attribute to="Roles" index="1"/>
                    </attribute-mapping>
                    <simple-digest-mapper algorithm="simple-digest-sha-256" password-index="2"/>
                </principal-query>
            </jdbc-realm>
            ...
        </security-realms>
        <mappers>
            ...
            <simple-role-decoder name="from-roles-attribute" attribute="roles"/>
            ...
        </mappers>
    </subsystem>
The authentication fails, but I don't know why. The database looks like this:
    id  username           password                                      role
    1   [email protected]  jjXCzTv2ZBvbDiBQt2kyy7LmA0oN2swdm+qCprpX988=  ROLE_ADMIN
(The password encoding is Base64/SHA-256 and the clear text is 'q'.)
I am trying to convert a well-working WildFly 9 application to WildFly 28. The original WildFly 9 standalone.xml realm definition is this:
    <security-domain name="forrashazRealm">
        <authentication>
            <login-module code="Database" flag="required">
                <module-option name="dsJndiName" value="java:jboss/datasources/forrasDS"/>
                <module-option name="principalsQuery" value="select password from v_active_user where username=?"/>
                <module-option name="rolesQuery" value="select group_name as userRoles,'Roles' from user_join_group where user_name=?"/>
                <module-option name="unauthenticatedIdentity" value="anonymousUser"/>
                <module-option name="hashAlgorithm" value="SHA-256"/>
                <module-option name="hashEncoding" value="base64"/>
            </login-module>
        </authentication>
    </security-domain>
And this worked with a Java EE 7 webapp with this jboss-web.xml content:
    <?xml version="1.0" encoding="UTF-8"?>
    <jboss-web><!-- java:/jaas/ -->
        <security-domain>forrashazRealm</security-domain>
    </jboss-web>
But this is deprecated with Elytron auth. Can I make a wildfly-config.xml? How can I use Elytron?
Thanks for all suggestions.
- Project on github: github.com/pzoli/Homework4JSF (Papp Zoltán, commented Jul 7, 2024 at 11:51)
- I tried to use form-based authentication without success. (Papp Zoltán, commented Jul 9, 2024 at 9:48)
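Before chasing the subsystem configuration, it is worth confirming that the password column really holds what a simple-digest-sha-256 mapper with Base64 encoding expects. The following Python script is an added example, not code from the question or from WildFly. It assumes (my reading of Elytron's simple-digest-mapper, not something the post states) that the mapper computes a single unsalted SHA-256 over the UTF-8 bytes of the password and compares it with the Base64 text of that digest (hex being the other encoding the mapper can be configured for). It recomputes the digest for the clear text 'q' the post mentions so the result can be compared with the stored row, reports which encoding a stored string is consistent with, and verifies a candidate with a constant-time comparison.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Dict, Optional

DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256


def encode_digest(clear_text: str, encoding: str = "base64") -> str:
    """Return the stored form of an unsalted SHA-256 digest of clear_text.

    Assumption (mine, not taken from the post): the mapper hashes the UTF-8
    bytes of the password once, with no salt and no iteration count, and the
    column holds the Base64 (or hex) text of that digest.
    """
    digest = hashlib.sha256(clear_text.encode("utf-8")).digest()
    if encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    if encoding == "hex":
        return digest.hex()
    raise ValueError(f"unsupported encoding: {encoding}")


def decode_stored(stored: str, encoding: str = "base64") -> Optional[bytes]:
    """Decode a stored digest string; None if it is not valid in that encoding."""
    try:
        if encoding == "base64":
            return base64.b64decode(stored, validate=True)
        if encoding == "hex":
            return bytes.fromhex(stored)
    except (binascii.Error, ValueError):
        return None
    raise ValueError(f"unsupported encoding: {encoding}")


def verify_digest(clear_text: str, stored: str, encoding: str = "base64") -> bool:
    """True if stored is the digest of clear_text; compares in constant time."""
    raw = decode_stored(stored, encoding)
    if raw is None or len(raw) != DIGEST_LEN:
        return False
    computed = hashlib.sha256(clear_text.encode("utf-8")).digest()
    return hmac.compare_digest(computed, raw)


def diagnose_stored_value(stored: str) -> Dict[str, bool]:
    """Report which encodings the stored string is consistent with.

    A 64-character hex digest also decodes as Base64 (to 48 bytes), so the
    length check is what tells the two apart.
    """
    report = {}
    for enc in ("base64", "hex"):
        raw = decode_stored(stored, enc)
        report[enc] = raw is not None and len(raw) == DIGEST_LEN
    return report


if __name__ == "__main__":
    # The post says the clear text is 'q' and the column holds Base64(SHA-256);
    # compare this output with the value actually stored in the row.
    expected = encode_digest("q")
    print("Base64(SHA-256('q')) =", expected)
    print("encodings consistent with it:", diagnose_stored_value(expected))
    print("verify('q') ->", verify_digest("q", expected))
    print("verify('Q') ->", verify_digest("Q", expected))
```

If the recomputed value does not match the row, the realm can never accept the password, whatever the rest of the configuration says. An unsalted single-pass digest also gives identical users identical stored values and is cheap to attack offline, so once the lookup works, a salted or adaptive mapper (the answer below mentions bcrypt, for which the jdbc-realm has a bcrypt-mapper) is the better target.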
2 Answers
Have you figured out the solution to your problem? I'm currently migrating from legacy security to Elytron with bcrypt. After configuring Elytron the login also stopped working. I did the following to debug the problem:
Adapt the log levels via:
/subsystem=logging/logger=org.jboss.security:add(level=ALL)
/subsystem=logging/logger=org.jboss.as.security:add(level=ALL)
/subsystem=logging/logger=org.picketbox:add(level=ALL)
/subsystem=logging/logger=org.jboss.as.domain.management.security:add(level=ALL)
/subsystem=logging/logger=org.wildfly.security:add(level=ALL)
/subsystem=logging/logger=org.wildfly.elytron:add(level=ALL)
After adapting the log levels, check the WildFly server.log for error messages. Maybe this helps you to trace your problem.
Maybe you have the same problem that we have (it seems that no query is fired towards the defined datasource). Here is the detailed description of our problem.
Kind regards, Michael
Comments
I get the following logged:
2024-07-20 19:52:05,807 TRACE [org.wildfly.security] (default task-1) Created HttpServerAuthenticationMechanism [org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$1@73f59f6a] for mechanism [FORM]
2024-07-20 19:52:05,810 DEBUG [org.wildfly.security.http.password] (default task-1) Username authentication. Realm: [null], Username: [[email protected]].
2024-07-20 19:52:05,810 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = [email protected]
2024-07-20 19:52:05,810 TRACE [org.wildfly.security] (default task-1) Principal assigning: [[email protected]], pre-realm rewritten: [[email protected]], realm name: [ApplicationRealm], post-realm rewritten: [[email protected]], realm rewritten: [[email protected]]
2024-07-20 19:52:05,812 TRACE [org.wildfly.security] (default task-1) PropertiesRealm: identity [[email protected]] does not exist
2024-07-20 19:52:05,812 DEBUG [org.wildfly.security.http.form] (default task-1) User [[email protected]] authentication failed
2024-07-20 19:52:05,812 TRACE [org.wildfly.security] (default task-1) Handling AuthenticationCompleteCallback: fail
I think the "Realm: [null]" is a bug, but I don't know how to solve it.
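Reading the TRACE lines above by hand works for one request; the following Python script is an added example (not from the comment, the answer, or WildFly) that parses lines of that shape, groups them per Undertow worker thread, and reports which mechanism, realm name and realm implementation handled the attempt and why it ended in `fail`. The sample log is constructed to mirror the quoted lines, with a placeholder username; the expected realm name passed to `triage()` is an assumption chosen for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, modelled on the TRACE/DEBUG lines quoted in the comment
# above; the username is a placeholder, not a real account.
SAMPLE_LOG = """\
2024-07-20 19:52:05,807 TRACE [org.wildfly.security] (default task-1) Created HttpServerAuthenticationMechanism [org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$1@73f59f6a] for mechanism [FORM]
2024-07-20 19:52:05,810 DEBUG [org.wildfly.security.http.password] (default task-1) Username authentication. Realm: [null], Username: [admin@example.com].
2024-07-20 19:52:05,810 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = admin@example.com
2024-07-20 19:52:05,810 TRACE [org.wildfly.security] (default task-1) Principal assigning: [admin@example.com], pre-realm rewritten: [admin@example.com], realm name: [ApplicationRealm], post-realm rewritten: [admin@example.com], realm rewritten: [admin@example.com]
2024-07-20 19:52:05,812 TRACE [org.wildfly.security] (default task-1) PropertiesRealm: identity [admin@example.com] does not exist
2024-07-20 19:52:05,812 DEBUG [org.wildfly.security.http.form] (default task-1) User [admin@example.com] authentication failed
2024-07-20 19:52:05,812 TRACE [org.wildfly.security] (default task-1) Handling AuthenticationCompleteCallback: fail
"""

# One WildFly log line: "<date> <time> LEVEL [logger] (thread) message"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+) \[(?P<logger>[^\]]+)\] "
    r"\((?P<thread>[^)]+)\) (?P<msg>.*)$"
)
MECH_RE = re.compile(r"for mechanism \[(?P<mech>[^\]]+)\]")
USER_RE = re.compile(r"Realm: \[(?P<mrealm>[^\]]*)\], Username: \[(?P<user>[^\]]+)\]")
REALM_RE = re.compile(r"realm name: \[(?P<realm>[^\]]+)\]")
LOOKUP_RE = re.compile(r"^(?P<impl>\w+Realm): identity \[(?P<user>[^\]]+)\] (?P<outcome>.+)$")
RESULT_RE = re.compile(r"AuthenticationCompleteCallback: (?P<result>\w+)")


@dataclass
class AuthAttempt:
    """What the log reveals about one authentication attempt on one thread."""
    thread: str
    mechanism: Optional[str] = None        # e.g. FORM or BASIC
    mechanism_realm: Optional[str] = None  # the "Realm: [...]" the mechanism reports
    username: Optional[str] = None
    realm: Optional[str] = None            # realm name the domain dispatched to
    realm_impl: Optional[str] = None       # realm implementation that answered
    lookup_outcome: Optional[str] = None   # e.g. "does not exist"
    result: Optional[str] = None           # fail / succeed
    findings: List[str] = field(default_factory=list)


def parse_attempts(log_text: str) -> Dict[str, AuthAttempt]:
    """Group the security log lines by worker thread and extract the fields."""
    attempts: Dict[str, AuthAttempt] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a log line of the expected shape (stack traces etc.)
        thread, msg = m.group("thread"), m.group("msg")
        a = attempts.setdefault(thread, AuthAttempt(thread=thread))
        if (mm := MECH_RE.search(msg)):
            a.mechanism = mm.group("mech")
        elif (um := USER_RE.search(msg)):
            a.mechanism_realm, a.username = um.group("mrealm"), um.group("user")
        elif (rm := REALM_RE.search(msg)):
            a.realm = rm.group("realm")
        elif (lm := LOOKUP_RE.match(msg)):
            a.realm_impl, a.lookup_outcome = lm.group("impl"), lm.group("outcome")
        elif (cm := RESULT_RE.search(msg)):
            a.result = cm.group("result")
    return attempts


def triage(log_text: str, expected_realm: str) -> Dict[str, AuthAttempt]:
    """Parse the log and attach plain-language findings to each attempt."""
    attempts = parse_attempts(log_text)
    for a in attempts.values():
        if a.realm is not None and a.realm != expected_realm:
            a.findings.append(
                f"identity lookup went to realm [{a.realm}], not the expected [{expected_realm}]"
            )
        if a.realm_impl is not None:
            a.findings.append(f"realm implementation that answered: {a.realm_impl} ({a.lookup_outcome})")
        if a.result == "fail" and a.lookup_outcome == "does not exist":
            a.findings.append("identity not found, so the stored credential was never compared")
    return attempts


if __name__ == "__main__":
    # "jdbc-realm" is the realm name from the question; pass your own here.
    for thread, attempt in triage(SAMPLE_LOG, "jdbc-realm").items():
        print(f"{thread}: mechanism={attempt.mechanism} user={attempt.username} "
              f"realm={attempt.realm} result={attempt.result}")
        for finding in attempt.findings:
            print("  -", finding)
```

On the sample the lookup is answered by a PropertiesRealm under the realm name ApplicationRealm, and the attempt fails because the identity is not found there. A realm name in server.log that differs from the one configured in the security domain you intended is the first thing to check, because nothing downstream (password mapper, role decoder) runs until the right realm is asked.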