Running Wildfly 16, I specify a security domain in my application's WEB-INF/jboss-web.xml as follows:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<security-domain>MyDomain</security-domain>
</jboss-web>
In Wildfly's standalone.xml in the undertow section I specify that security domain as application security domain as follows:
<subsystem xmlns="urn:jboss:domain:undertow:8.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<http-invoker security-realm="ApplicationRealm"/>
</host>
</server>
...
<application-security-domains>
<application-security-domain name="MyDomain" security-domain="OAuth2Domain"/>
</application-security-domains>
Next, in the elytron section I specify the security domain as follows:
<subsystem xmlns="urn:wildfly:elytron:6.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
...
<security-domain name="OAuth2Domain" default-realm="OAuth2Realm" permission-mapper="default-permission-mapper">
<realm name="OAuth2Realm"/>
</security-domain>
Of course, also OAuth2Realm is subsequently defined and Wildfly starts without complaint. However, when accessing the application through http, Wildfly always uses the security domain "other" in the legacy security section, rather than my security domain in the elytron section. How can I force Wildfly to use my Elytron security domain?
Found the solution: The application is using programmatic login using a JAAS login context, but this knows only the security domains defined in the legacy security system. To login programmatically against a domain in the elytron system an elytron authentication context must be used, as described in https://docs.jboss.org/author/display/WFLY/Client%20Authentication%20with%20Elytron%20Client.html
Related
I am trying to find a way to migrate our security solution from WildFly 22 to WildFly 26, where the legacy way with custom login modules is no longer supported. I found for example this blog post https://wildfly-security.github.io/wildfly-elytron/blog/jaas-realm/ suggesting to use jaas-realm, but I am not able to configure it to be honest.
What exactly should I do, if I want to migrate this example? This was in earlier versions of WildFly defined like this:
<security-domain name="my-form-auth" cache-type="default">
<authentication>
<login-module name="FirstLoginModule" code="my.first.lm.FirstLoginModule" flag="sufficient">
<module-option name="config.filename" value=".first_lm_props" />
</login-module>
<login-module name="SecondLoginModule" code="my.second.lm.SecondLoginModule" flag="sufficient">
<module-option name="config.filename" value=".second_lm_props" />
</login-module>
</authentication>
</security-domain>
Actual code of these login modules was available to WildFly as a dependency of deployed application.
So far, I managed to set configuration of WildFly 26 like this (with basic scenario - just one login module):
<security-domains>
...
<security-domain name="mySD" default-realm="myJaasRealm" permission-mapper="default-permission-mapper">
<realm name="myJaasRealm"/>
</security-domain>
</security-domains>
<security-realms>
...
<jaas-realm name="myJaasRealm" entry="myEntry" module="my.module.with.lm">
<file path="D:\APP\Wildfly\wildfly-26.0.1.Final\bin\elytron\JAAS-login-module.conf"/>
</jaas-realm>
</security-realms>
....
<http>
<http-authentication-factory name="example-loginconfig-http-auth" security-domain="mySD" http-server-mechanism-factory="global">
<mechanism-configuration>
<mechanism mechanism-name="FORM">
<mechanism-realm realm-name="myJaasRealm"/>
</mechanism>
</mechanism-configuration>
</http-authentication-factory>
</http>
....
<subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
...
<application-security-domains>
<application-security-domain name="other" http-authentication-factory="example-loginconfig-http-auth"/>
</application-security-domains>
</subsystem>
JAAS-login-module.conf:
MyEntry {
my.first.lm.FirstLoginModule sufficient;
};
jboss-web.xml:
<jboss-web>
<context-root>${context-root}</context-root>
<security-domain>other</security-domain>
</jboss-web>
Still, I am not able to get it to work.
<jboss-web>
<context-root>${context-root}</context-root>
<security-domain>mySD</security-domain>
</jboss-web>
In web.xml also you have to configure your realm name like
<login-config>
<auth-method>FORM</auth-method>
<realm-name>myJaasRealm</realm-name>
</login-config>
I want to user an authentication realm trough ldap. This works fine.
Secondly i want store UserRoles for my application in a Roles tables, this works also fine. (Example below, with an aggregate-realm)
But i dont know how to obtain both roles. Roles from LDAP and from my Roles table together.
What i am missing?
<security-domain name="securtiyDomain" default-realm="my-realm" permission-mapper="default-permission-mapper">
<realm name=jdbc-realm" role-decoder="from-roles-attribute"/>
</security-domain>
<security-realms>
<aggregate-realm name="my-realm" authentication-realm="ldap-realm" authorization-realms="jdbc-realm ldap-realm"/>
<jdbc-realm name="jdbc-realm">
<principal-query .... >
<attribute-mapping>
<attribute to="roles" index="1"/>
</attribute-mapping>
</principal-query>
</jdbc-realm>
<ldap-realm name="ldap-realm" dir-context="ldap-connection" direct-verification="true">
<identity-mapping ...>
<attribute-mapping>
<attribute from="cn" to="Roles" .../>
</attribute-mapping>
<user-password-mapper from="userPassword"/>
</identity-mapping>
</ldap-realm>
<simple-role-decoder name="from-roles-attribute" attribute="roles"/>
Your security-domain configuration does not have aggregate realm my-realm in its list of realms. Try something like below:
<security-domain name="securtiyDomain" default-realm="my-realm" permission-mapper="default-permission-mapper">
<realm name=my-realm" role-decoder="from-roles-attribute"/>
</security-domain>
JBoss/Wildfly => standalone.xml
Redirect http to https only if the request url contains a domain name. If the web site access from ip address do not redirect.
http://x.x.x.x:8080 -> do not redirect
http://xx.example.com -> redirect to https://xx.example.com
I am using http to https redirect using the below code in standalone.xml
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<filter-ref name="http-to-https" predicate="equals(%p,8080)"/>
</host>
</server>
<filters>
<rewrite name="http-to-https" target="https://%v%U%q" redirect="true"/>
</filters>
But in this case redirect all request from ip or domain name if port is 8080.
http://x.x.x.x:8080 -> redirecting to https://x.x.x.x:8080
http://xx.example.com -> redirecting to https://xx.example.com
But i do not redirect if request from ip, only redirect from domain name.
I am using http to https redirect using the below code in standalone.xml. But its not redirect in both conditions.
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<filter-ref name="http-to-https" predicate="regex(pattern='/http://(.*).example.com/g') and equals(%p,8080)"/>
</host>
</server>
<filters>
<rewrite name="http-to-https" target="https://%v%U%q" redirect="true"/>
</filters>
EDIT
proxy server forward 80 -> 8080. (i.e http://xx.example.com ->
http://xx.example.com:8080)
Also i tried with this, but its not redirect in both conditions.
<filter-ref name="http-to-https" predicate="regex(pattern='http://(.*).example.com', value=%U, full-match=false) and equals(%p,8080)"/>
Thanks
Finally i got the solution
<filter-ref name="http-to-https" predicate="regex(pattern='example', value=%v, full-match=false) and equals(%p,8080)"/>
http://x.x.x.x:8080 -> do not redirect
http://xx.example.com -> redirect to https://xx.example.com
A background process active on my Wildfly 10.0.0.Final needs to connect to a webservice using Axis. On the remote server, there is a self-signed certificate, which I imported in a truststore using openssl to get it from the remote server and they keytool to create the truststore and import the certificate into it.
I set up my Wildfly 10.0.0.Final's standalone.xml like this:
<security-realm name="SSLRealm">
<server-identities>
<ssl>
<keystore path="keystore.jks" relative-to="jboss.server.config.dir"
keystore-password="mykeystorepassword" alias="myalias"
key-password="mykeypass" />
</ssl>
</server-identities>
<authentication>
<truststore path="truststore.jks" relative-to="jboss.server.config.dir"
keystore-password="mytruststorepassword" />
</authentication>
</security-realm>
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https" />
<https-listener name="default-ssl" security-realm="SSLRealm" socket-binding="https" />
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content" />
</host>
</server>
but still, when the background process tries to connect to the remote service, I obtain the following exception:
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
Any idea how to solve this issue? It seems like the truststore is not being used or something like this...
I had the same problem and could only solve it by adding parameters to the startup script for wildfly:
-Djavax.net.ssl.trustStore=foo.jks
-Djavax.net.ssl.trustStorePassword=bar
which, of course, overrides the default cacerts.
But I am unclear why the truststore defined in the security-realm seems to be ignored.
This is the problem:
I have a custom security domain that autentificates users in active directory but gets the roles from a file (in future from the DB)
Everything works like a charm per project, however the session is not shared across more than one project, even tho the projects share the same security domain, if the user autentificated in one project it has to autentificate again on the other.
Security Domain definition from standalone.xml
<security-domain name="custom-form-auth" cache-type="default">
<authentication>
<login-module code="ro.test.login.CustomLoginModule" flag="required" module="ro.test.Process-login">
<module-option name="activeDirectory" value="${jboss.server.config.dir}/activeDirectory.properties"/>
</login-module>
</authentication>
</security-domain>
jboss-web.xml
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<security-domain>custom-form-auth</security-domain>
<disable-audit>true</disable-audit>
</jboss-web>
For shared authentication across applications you must enable the Single Signon functionality. The Single Signon configuration allows a centralized login configuration for corporate sites that use different Web context.
To enable SSO in JBoss7 you need add the sso option in the web subsystem (SSO is configured per host):
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
<sso reauthenticate="false"/>
</virtual-server>
</subsystem>
See: https://developer.jboss.org/wiki/JBossAS711WebSSONon-Clustered