How to configure a SAM at the application level in WildFly

I previously had some code working on Glassfish, but I want to put it in WildFly.

However, I cannot get WildFly to call the module. A ServletContextListener initializes the module as follows:

  AuthConfigFactory.getFactory()
      .registerConfigProvider(new OpenIdConnectModuleConfigProvider(options, null),
          "HttpServlet", getAppContext(sce), null);

"HttpServlet" is not specific to Glassfish and appears to refer to https://github.com/wildfly/wildfly/blob/master/undertow/src/main/java/org/wildfly/extension/undertow/security/jaspi/JASPIAuthenticationMechanism.java?source=cc

Glassfish does not require a <login-config> block in web.xml, and putting any option there for WildFly does not work (as expected).

Another place I suspect is where I compute the application context identifier. For Glassfish, I had

  private String getAppContext(final ServletContextEvent sce) {
      return sce.getServletContext().getVirtualServerName()
          + " " + sce.getServletContext().getContextPath();
  }

Could it be different in WildFly? Although I saw similar code in https://github.com/rdebusscher/secSpikeWeb/blob/master/src/main/java/org/omnifaces/security/jaspic/core/Jaspic.java#L300 as well

I also tried adding this block to standalone.xml

  <security-domain name="jaspi" cache-type="default">
      <authentication-jaspi>
          <login-module-stack name="dummy">
              <login-module code="Dummy" flag="optional"/>
          </login-module-stack>
          <auth-module code="org.wildfly.extension.undertow.security.jaspi.modules.HTTPSchemeServerAuthModule" flag="required"/>
      </authentication-jaspi>
  </security-domain>

And set <default-security-domain value="jaspi"/>

However, this had no effect, and a breakpoint set in the module was not hit either.

Also, I could not find a way to do the following in WildFly, as in glassfish-web.xml, but this might be another question:

  <security-role-mapping>
      <role-name>users</role-name>
      <group-name>https://helloworld</group-name>
  </security-role-mapping>

The code is quite large, but its essence can be found in

https://github.com/trajano/openid-connect/tree/openid-connect-1.0.1/openid-connect-jaspic-module

and

https://github.com/trajano/openid-connect/tree/openid-connect-1.0.1/openid-connect-jaspic-sample

Note: I am looking for this at the application level and am not installing a global JASPI server.
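The registration lifecycle the question describes, as an added example (not code from the question or from the openid-connect project): it registers the provider for this one web application, logs the app context it computed so it can be compared with what the container looks up, and removes the registration on undeploy so a redeploy does not leave a stale provider in the JVM-wide AuthConfigFactory. OpenIdConnectModuleConfigProvider is the questioner's class; the options map here is a placeholder.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.message.config.AuthConfigFactory;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;

// Registers the AuthConfigProvider for exactly this web application and removes it
// again on undeploy. Example code; OpenIdConnectModuleConfigProvider is the
// questioner's class and "options" is a placeholder for its real configuration.
@WebListener
public class SamRegistrationListener implements ServletContextListener {

    // Layer name fixed by the JASPIC Servlet Container Profile.
    private static final String LAYER = "HttpServlet";

    private String registrationId;

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        Map<String, String> options = new HashMap<>(); // placeholder for module options
        String appContext = getAppContext(sce);
        registrationId = AuthConfigFactory.getFactory().registerConfigProvider(
                new OpenIdConnectModuleConfigProvider(options, null),
                LAYER,
                appContext,
                "OpenID Connect SAM for " + sce.getServletContext().getContextPath());
        // Logging the registration lets you compare this appContext with the one the
        // container asks the factory for when it fails to find a provider.
        sce.getServletContext().log("JASPIC provider registered: id=" + registrationId
                + " layer=" + LAYER + " appContext='" + appContext + "'");
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // The factory is JVM-wide; without this, every redeploy leaks a registration.
        if (registrationId != null) {
            AuthConfigFactory.getFactory().removeRegistration(registrationId);
            registrationId = null;
        }
    }

    // Servlet Container Profile: appContext = "<virtual server name> <context path>".
    static String getAppContext(ServletContextEvent sce) {
        return sce.getServletContext().getVirtualServerName()
                + " " + sce.getServletContext().getContextPath();
    }
}
```

If the provider is found when registered with a null appContext (which matches every application in the layer) but not with the computed one, the mismatch is in the app context string, not in the module.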

+4

1 answer

"HttpServlet" is not specific to Glassfish

That's right, AFAIK it is the standard identifier to say for which subsystem in Java EE the auth module will be registered. But there is only one other acceptable value, and it's something with "soap" in it (not sure).

Could it be different in WildFly?

No, this is the standard way.

And set <default-security-domain value="jaspi"/>

recommended, this should be in standalone.xml:

  <security-domain name="jaspitest" cache-type="default">
      <authentication-jaspi>
          <login-module-stack name="dummy">
              <login-module code="Dummy" flag="optional"/>
          </login-module-stack>
          <auth-module code="Dummy"/>
      </authentication-jaspi>
  </security-domain>

And then adding to WEB-INF/jboss-web.xml :

  <jboss-web>
      <security-domain>jaspitest</security-domain>
  </jboss-web>

That should be enough. This is what I use in WildFly 8.2 and 9.0, and this is what the Java EE project uses. But setting a default domain should also work just like that, and the activation code is also close enough, so I'm not sure if this will affect your case.

Alternatively, there is a JBoss specific programmatic way to activate JASPIC:

  import java.lang.reflect.Field;
  import javax.servlet.ServletContext;
  import io.undertow.security.idm.IdentityManager;
  import io.undertow.servlet.ServletExtension;
  import io.undertow.servlet.api.DeploymentInfo;
  // WildFly 8/9 internal classes (PicketBox and the Undertow subsystem), not a public API.
  import org.jboss.as.security.plugins.SecurityDomainContext;
  import org.jboss.security.auth.login.JASPIAuthenticationInfo;
  import org.jboss.security.config.ApplicationPolicy;
  import org.jboss.security.config.SecurityConfiguration;
  import org.wildfly.extension.undertow.security.JAASIdentityManagerImpl;
  import org.wildfly.extension.undertow.security.jaspi.JASPIAuthenticationMechanism;
  import org.wildfly.extension.undertow.security.jaspi.JASPICSecurityContextFactory;

  public class JaspicActivationExtension implements ServletExtension {

      @Override
      public void handleDeployment(DeploymentInfo deploymentInfo, ServletContext servletContext) {
          // Find the security domain the deployment actually uses; fall back to "other".
          String securityDomain = "other";
          IdentityManager identityManager = deploymentInfo.getIdentityManager();
          if (identityManager instanceof JAASIdentityManagerImpl) {
              try {
                  // The domain is only reachable through a private field (reflection hack).
                  Field securityDomainContextField =
                          JAASIdentityManagerImpl.class.getDeclaredField("securityDomainContext");
                  securityDomainContextField.setAccessible(true);
                  SecurityDomainContext securityDomainContext =
                          (SecurityDomainContext) securityDomainContextField.get(identityManager);
                  securityDomain = securityDomainContext.getAuthenticationManager().getSecurityDomain();
              } catch (NoSuchFieldException | SecurityException
                      | IllegalArgumentException | IllegalAccessException e) {
                  throw new RuntimeException(e);
              }
          }

          // Register a JASPI application policy for that domain with PicketBox...
          ApplicationPolicy applicationPolicy = new ApplicationPolicy(securityDomain);
          JASPIAuthenticationInfo authenticationInfo = new JASPIAuthenticationInfo(securityDomain);
          applicationPolicy.setAuthenticationInfo(authenticationInfo);
          SecurityConfiguration.addApplicationPolicy(applicationPolicy);

          // ...and switch this deployment's Undertow authentication mechanism to JASPIC.
          deploymentInfo.setJaspiAuthenticationMechanism(
                  new JASPIAuthenticationMechanism(securityDomain, null));
          deploymentInfo.setSecurityContextFactory(new JASPICSecurityContextFactory(securityDomain));
      }
  }

You need to execute this from an io.undertow.servlet.ServletExtension (discovered through META-INF/services/io.undertow.servlet.ServletExtension in the deployment).

Too bad JBoss requires JASPIC activation. But one of the above methods should really work. I just checked them in the WildFly 9.0 repository and it worked there. The validateRequest method of the test SAM is called correctly.

+2
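A minimal test SAM of the kind the answer refers to, added here as an example (not code from the answer or from the linked project): once activation works, its validateRequest logs a line for every request, rejects requests without a credential with a 401 and SEND_FAILURE, and for an accepted credential hands the caller name and groups to the container through the CallbackHandler, which is the only route by which a SAM establishes an identity. The bearer-token check is a constructed stand-in; a real OpenID Connect module validates the token's signature, issuer, audience and expiry at that point.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Probe SAM: confirms that the container calls validateRequest once JASPIC is active.
public class ProbeServerAuthModule implements ServerAuthModule {

    // Constructed stand-in credential for the probe only; a real module verifies a
    // signed ID token (signature, issuer, audience, expiry) instead of a fixed string.
    private static final byte[] EXPECTED_TOKEN =
            "probe-token-not-a-real-secret".getBytes(StandardCharsets.UTF_8);

    private CallbackHandler handler;

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        // The container's handler is the only channel for establishing the caller.
        this.handler = handler;
    }

    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        // This log line is the cheapest check that activation actually worked.
        request.getServletContext().log("validateRequest called for " + request.getRequestURI());

        try {
            if (!isValidBearer(request.getHeader("Authorization"))) {
                // Unauthenticated: send the challenge and tell the container to stop here.
                response.setHeader("WWW-Authenticate", "Bearer");
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return AuthStatus.SEND_FAILURE;
            }
            // Caller name and groups; the groups are what isUserInRole() is checked against.
            handler.handle(new Callback[] {
                    new CallerPrincipalCallback(clientSubject, "probe-user"),
                    new GroupPrincipalCallback(clientSubject, new String[] { "users" })
            });
            return AuthStatus.SUCCESS;
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
    }

    // Constant-time comparison so the probe does not leak token bytes through timing.
    static boolean isValidBearer(String authorization) {
        if (authorization == null || !authorization.startsWith("Bearer ")) {
            return false;
        }
        byte[] presented = authorization.substring("Bearer ".length())
                .getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(presented, EXPECTED_TOKEN);
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        // nothing to clean up for this probe
    }
}
```

Returning SEND_FAILURE after sendError is what makes the container stop the request; returning SUCCESS without having invoked CallerPrincipalCallback would let the request through as unauthenticated, which is the failure mode to watch for when a SAM appears to "work" but protected resources stay reachable.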