I am trying to find a way to migrate our security solution from WildFly 22 to WildFly 26, where the legacy way with custom login modules is no longer supported. I found for example this blog post https://wildfly-security.github.io/wildfly-elytron/blog/jaas-realm/ suggesting to use jaas-realm, but I am not able to configure it to be honest.

What exactly should I do if I want to migrate this example? In earlier versions of WildFly this was defined like this:

<security-domain name="my-form-auth" cache-type="default">
  <authentication>
    <login-module name="FirstLoginModule" code="my.first.lm.FirstLoginModule" flag="sufficient">
      <module-option name="config.filename" value=".first_lm_props" />
    </login-module>
    <login-module name="SecondLoginModule" code="my.second.lm.SecondLoginModule" flag="sufficient">
      <module-option name="config.filename" value=".second_lm_props" />
    </login-module>
  </authentication>
</security-domain>

The actual code of these login modules was available to WildFly as a dependency of the deployed application.

So far, I have managed to set up the configuration of WildFly 26 like this (with a basic scenario: just one login module):

<security-domains>
    ...
    <security-domain name="mySD" default-realm="myJaasRealm" permission-mapper="default-permission-mapper">
        <realm name="myJaasRealm"/>
    </security-domain>
</security-domains>
<security-realms>
    ...
    <jaas-realm name="myJaasRealm" entry="myEntry" module="my.module.with.lm">
        <file path="D:\APP\Wildfly\wildfly-26.0.1.Final\bin\elytron\JAAS-login-module.conf"/>
    </jaas-realm>
</security-realms>
....
<http>
    <http-authentication-factory name="example-loginconfig-http-auth" security-domain="mySD" http-server-mechanism-factory="global">
        <mechanism-configuration>
            <mechanism mechanism-name="FORM">
                <mechanism-realm realm-name="myJaasRealm"/>
            </mechanism>
        </mechanism-configuration>
    </http-authentication-factory>
</http>

....
<subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
    ...
    <application-security-domains>
        <application-security-domain name="other" http-authentication-factory="example-loginconfig-http-auth"/>
    </application-security-domains>
</subsystem>

JAAS-login-module.conf:

myEntry {
  my.first.lm.FirstLoginModule sufficient;
};

jboss-web.xml:

<jboss-web>
  <context-root>${context-root}</context-root>
  <security-domain>other</security-domain>
</jboss-web>

Still, I am not able to get it to work.

  • Debug and set a breakpoint in `my.first.lm.FirstLoginModule` to check if it's called at all. – kladderradatsch Oct 04 '22 at 13:41
  • The file path is an absolute path, which seems odd to me. Furthermore, I would use slashes instead of backslashes in the path because slashes are universal in order to support all OSes. – kladderradatsch Oct 04 '22 at 13:45
  • Hi. I tried the path with slashes with no luck, but I think it should be OK since I am on Windows. The error I'm getting is javax.servlet.ServletException: UT010062: No SecurityContext available. I can see it's not properly configured even from the response I am getting on the context root. It returns the index page, which should be restricted content. The desired response is the login page. – Mono Oct 04 '22 at 14:16
  • Just found this thread: https://groups.google.com/g/wildfly/c/FNj4bhJ8dh4 One of the comments says that jaas-realm will not work with login modules based on PicketBox. Is this true (or still true)? My login module is based on PicketBox :( – Mono Oct 04 '22 at 15:24
  • OK, I am a bit further. It was wrong on at least two levels. First, the definition of the login module in JAAS-login-module.conf must have a semicolon at the end of the row. Second, the security domain name referenced from jboss-web.xml has to be the name of an "application-security-domain" defined in the Undertow subsystem, not the name of a security domain defined in the Elytron subsystem. Now the security domain is working. Still, it's not using my login module, but I can see that it's correctly defined from the fact that I am getting the login page on the context root, not the restricted index page. – Mono Oct 05 '22 at 09:32
  • Now I am getting LoginException: No LoginModule found for my.first.lm.FirstLoginModule. I think that is due to the fact mentioned above, that my LM is based on PicketBox. – Mono Oct 05 '22 at 10:13
  • There is no way to use a custom LM based on PicketBox anymore. PB was removed from WildFly, so modules cannot have it as a dependency. As you have found out, Elytron's security realms or custom security realms have to be used instead of the custom Login Module. – diavil Nov 02 '22 at 20:14
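Since the comments conclude that a PicketBox-based login module cannot be loaded any more, here is an added example (not code from the question, the answer or WildFly itself) of a FirstLoginModule written against the standard javax.security.auth.spi.LoginModule API only, so it can be packaged in the JBoss module that the jaas-realm references. The user-file format, the SHA-256 password storage and the lambda Principals are my own constructions, and the code assumes the callback handler Elytron passes in answers a NameCallback and a PasswordCallback; how Elytron turns the Subject's principals into identity and roles is described in the blog post linked in the question.

```java
package my.first.lm;
import java.io.*;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Plain JAAS module with no PicketBox types, so it can live in the JBoss module that jaas-realm loads.
// Constructed user-file format (read from the "config.filename" option): user=<base64 SHA-256 of password>,role1,role2
public class FirstLoginModule implements LoginModule {
    private Subject subject; private CallbackHandler handler;
    private final Properties users = new Properties();
    private String user; private List<String> roles = Collections.emptyList();
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
        String file = (String) Objects.requireNonNull(opts.get("config.filename"), "config.filename option");
        try (InputStream in = new FileInputStream(file)) { users.load(in); }
        catch (IOException e) { throw new IllegalStateException("cannot read " + file, e); }
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user");
        PasswordCallback pc = new PasswordCallback("password", false);
        try {  // the handler Elytron supplies is assumed to answer these two callbacks
            handler.handle(new Callback[] { nc, pc });
            char[] pw = pc.getPassword() == null ? new char[0] : pc.getPassword();
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(new String(pw).getBytes("UTF-8"));
            pc.clearPassword();
            // unknown user and wrong password fail identically; isEqual is a constant-time compare
            List<String> parts = Arrays.asList(users.getProperty(Objects.toString(nc.getName(), ""), "").split(","));
            if (!MessageDigest.isEqual(digest, Base64.getDecoder().decode(parts.get(0)))) throw new FailedLoginException("login failed");
            user = nc.getName();
            roles = parts.subList(1, parts.size());
        } catch (IOException | UnsupportedCallbackException | NoSuchAlgorithmException | IllegalArgumentException e) {
            throw new LoginException(e.toString());
        }
        return true;
    }
    public boolean commit() {  // the principals added here are what Elytron reads back as identity and roles
        if (user == null) return false;
        String name = user;
        subject.getPrincipals().add((Principal) () -> name);
        for (String role : roles) subject.getPrincipals().add((Principal) () -> role);
        return true;
    }
    public boolean abort() { user = null; roles = Collections.emptyList(); return true; }
    public boolean logout() { subject.getPrincipals().clear(); user = null; return true; }
}
```

The module's JBoss module.xml only needs the JDK's JAAS classes, which is what removes the dependency on PicketBox.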

<jboss-web>
  <context-root>${context-root}</context-root>
  <security-domain>mySD</security-domain>
</jboss-web>

In web.xml you also have to configure your realm name like this:

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>myJaasRealm</realm-name>
</login-config>