JAAS with Wildfly does not work

Viewed 526 times

0

I am having problems getting JAAS to work with WildFly. Although I can register using the Datasource normally, I could not find where the error is. When trying to access the protected resources, I am always redirected to the error screen.

standalone.xml

    <security-domain name="login" cache-type="default">
        <authentication>
            <login-module code="Database" flag="required">
                <module-option name="dsJndiName" value="java:jboss/datasources/RestDS"/>
                <module-option name="principalsQuery" value="select senha from Pessoa where email=?"/>
                <module-option name="rolesQuery" value="select roles_name,'Roles' from Pessoa_SystemRole as user_roles inner join Pessoa as p on p.id = user_roles.Pessoa_id where p.email = ?"/>
            </login-module>
        </authentication>
    </security-domain>

persistence.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <persistence version="2.1" xmlns="http://xmlns.jcp.org/xml/ns/persistence" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/persistence http://xmlns.jcp.org/xml/ns/persistence/persistence_2_1.xsd">
        <persistence-unit name="Rest" transaction-type="JTA">
            <provider>org.hibernate.jpa.HibernatePersistenceProvider</provider>
            <jta-data-source>java:jboss/datasources/RestDS</jta-data-source>
            <properties>
                <property name="hibernate.dialect" value="org.hibernate.dialect.MySQL5InnoDBDialect"/>
                <property name="hibernate.hbm2ddl.auto" value="update"/>
                <property name="hibernate.show_sql" value="true"/>
                <property name="hibernate.format_sql" value="true"/>
            </properties>
        </persistence-unit>
    </persistence>

web.xml

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/loginError.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Seguranca</web-resource-name>
            <url-pattern>/login/*</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ADMIN</role-name>
            <role-name>USER</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>ADMIN</role-name>
    </security-role>
    <security-role>
        <role-name>USER</role-name>
    </security-role>

  • Post the error, which is very important to help identify it.

  • 1

    So, Renan Carlos, it does not generate any error on the console. It seems to be working normally but always ends up on the configured error page, loginError.jsp. But thanks for the tip anyway.

1 answer

0

When we have to implement JAAS, it’s important to understand the mechanism of how authentication works using Java EE technology specifications:

Security services: The Java Authentication and Authorization Service (JAAS) allows services to authenticate and apply access controls to users. The Java Container Authorization Service Provider (JACC) Agreement defines a contract between a Java EE application server and an authorization service provider, allowing custom authorization service providers to be connected to any Java EE product. The Java Authentication Service Provider Interface for Containers (JASPIC) defines a standard interface by which authentication modules can be integrated with containers so that these modules can establish the authentication identities used by containers. [Gonçalves, Antonio - 2013, 10 p.]

Now, in practice keep in mind that in Java EE, containers are responsible for providing application security. A container basically provides two types of security: declarative and programmatic.

Personally, I prefer to implement security using the declarative security type because as the implementation descriptor information (web.xml; jboss-web.xml; standalone.xml; Domain.xml) is contained/defined in an external file, it can be changed without the need to modify the source code. And this is a benefit and reduces maintenance and refactoring of source code.

To understand the type of declarative security using

Type of security: declarative. Source: [Michal Cmil et al - 2014, 309 p.]

I believe that in your case, the next configuration adjustment needs to be made in the JBoss web deployment descriptor, WEB-INF/jboss-web.xml. You need to declare the security domain here, which will be used to authenticate users:

    <jboss-web>
        <security-domain>java:/jaas/login</security-domain>
    </jboss-web>

And consider the following:

The login form must contain fields to enter a username and password. These fields must be named j_username and j_password, respectively. The authentication form must post these values in the logical name j_security_check.

All of these names starting with j_ are standardized by the Java Servlet specification - we just need to follow the convention to allow automatic mechanisms to work. [Michal Cmil et al - 2014, 310 p.]

    ....
    <form method="post" action="j_security_check" name="nameForm" >
    ....

NOTE: Sorry about the wall of text, but unfortunately it is necessary to have a good theoretical basis.


Reference:
[Juneau, Josh - 2013], Apress, 2013, Java EE 7 Recipes: A Problem-Solution Approach - Proven Solutions for Java Enterprise Edition 7 Development
[Gonçalves, Antonio - 2013], Apress, 2013, Beginning Java EE 7 (Expert Voice in Java)
[JSR 196 - JASPIC], JSR 196 - JASPIC: Java™ Authentication Service Provider Interface for Containers
[Anjana Mankale - 2013], Copyright 2013 Packt Publishing, Spring Security 3.x Cookbook: Over 60 Recipes to Help You Successfully Safeguard Your Web Applications with Spring Security.
[Michal Cmil et al - 2014], Copyright 2014 Packt Publishing, Java EE 7 Development with WildFly: Leverage the Power of the WildFly Application Server from JBoss to Develop Modern Java EE 7 Applications.
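
Added example (not part of the answer above and not WildFly code): a Python check that the pieces the answer says must agree actually do, namely the security domain in standalone.xml, its reference in jboss-web.xml, the FORM login-config in web.xml, and the `j_` names in the login page. The function name `check_form_login` and the sample strings are constructed for illustration; passing `None` for jboss-web.xml models the missing descriptor the answer suspects.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

def elems(xml_text, name):  # all elements with this local name, ignoring namespaces
    return [e for e in ET.fromstring(xml_text).iter() if e.tag.rsplit("}", 1)[-1] == name]

class FormScan(HTMLParser):  # collects each <form>'s (method, action) and all <input> names
    def __init__(self):
        super().__init__()
        self.forms, self.inputs = [], set()
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append(((a.get("method") or "").lower(), a.get("action") or ""))
        elif tag == "input":
            self.inputs.add(a.get("name"))

def check_form_login(standalone, jboss_web, web, login_page):
    """Return findings; an empty list means the FORM login wiring is consistent."""
    out = []
    defined = {e.get("name") for e in elems(standalone, "security-domain")}
    used = [(e.text or "").strip() for e in elems(jboss_web, "security-domain")] if jboss_web else []
    if not used:
        out.append("jboss-web.xml does not name a security domain")
    for ref in used:  # accept both "login" and "java:/jaas/login"
        if ref.rsplit("/", 1)[-1] not in defined:
            out.append(f"security domain '{ref}' is not defined in standalone.xml")
    if [(e.text or "").strip() for e in elems(web, "auth-method")] != ["FORM"]:
        out.append("web.xml auth-method is not FORM")
    for wrc in elems(web, "web-resource-collection"):
        listed = sorted((c.text or "").strip() for c in wrc if c.tag.endswith("http-method"))
        if listed:  # a constraint that lists methods applies to those methods only
            out.append(f"constraint covers only {','.join(listed)}; other HTTP methods are not covered")
    scan = FormScan()
    scan.feed(login_page)
    if not any(m == "post" and act.endswith("j_security_check") for m, act in scan.forms):
        out.append("login form does not POST to j_security_check")
    out += [f"login form has no input named {n}" for n in ("j_username", "j_password") if n not in scan.inputs]
    return out

# Constructed sample inputs, trimmed from the question's files to the relevant elements.
STANDALONE = '<subsystem><security-domain name="login" cache-type="default"/></subsystem>'
WEB = ("<web-app><login-config><auth-method>FORM</auth-method></login-config><security-constraint>"
       "<web-resource-collection><url-pattern>/login/*</url-pattern><http-method>GET</http-method>"
       "</web-resource-collection></security-constraint></web-app>")
JBOSS_WEB = "<jboss-web><security-domain>java:/jaas/login</security-domain></jboss-web>"
LOGIN_PAGE = '<form method="post" action="j_security_check"><input name="j_username"><input name="j_password"></form>'

if __name__ == "__main__":
    print(check_form_login(STANDALONE, None, WEB, LOGIN_PAGE))  # None: no jboss-web.xml present
```

The `<http-method>GET</http-method>` finding is worth reviewing on its own: a constraint that lists methods protects only those methods for the matched URL pattern.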
