JBoss Wildfly - database login module

2019-03-16 16:47发布

站内问答 / 前端开发
500 5 6

JBoss Wildfly 8.0.0-Final
JSF 2.2.4

First I created login using the application-users.properties and application-roles.properties. Added user with add-user.bat

Web.xml

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Admin Resource</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.xhtml</form-login-page>
        <form-error-page>/error.xhtml</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <role-name>admin</role-name>
</security-role>

Standalone.xml

<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmDirect" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>

login.xhtml

    <?xml version="1.0" encoding="UTF-8"?>
<ui:composition xmlns="http://www.w3.org/1999/xhtml"
    xmlns:ui="http://xmlns.jcp.org/jsf/facelets"
    xmlns:f="http://xmlns.jcp.org/jsf/core"
    xmlns:h="http://xmlns.jcp.org/jsf/html"
    xmlns:p="http://primefaces.org/ui">
    <div class="center">
        <form method="POST" action="j_security_check" id="">
            <h:panelGrid id="panel" columns="2" border="1" cellpadding="4" cellspacing="4">
                <h:outputLabel for="j_username" value="Username:" />
                <input type="text" name="j_username" />
                <h:outputLabel for="j_password" value="Password:" />
                <input type="password" name="j_password" />
                <h:panelGroup>
                    <input type="submit" value="Login" />
                </h:panelGroup>
            </h:panelGrid>
        </form>
    </div>
</ui:composition>

So that worked fine.. now I want to use database authentication.. so I change the standalone.xml. 

<login-module code="Database" flag="sufficient">
    <module-option name="dsJndiName" value="java:jboss/jsi/GarageXADataSource"/>
    <module-option name="principalsQuery" value="select encode(password, 'hex') from principal where username=?"/>
    <module-option name="rolesQuery" value="select r.role, r.role_group from role r inner join principal p on r.role = p.role where p.username=?"/>
    <module-option name="hashAlgorithm" value="SHA-512"/>
    <module-option name="hashEncoding" value="hex"/>
</login-module>

I use this sql to insert a role and a user in the database ( PostgreSQL 9.3 )

INSERT INTO role(role, role_group) VALUES ('admin', 'Roles');
INSERT INTO principal(username, email, password, role) VALUES ('Kris', 'xx@gmail.com', digest('pass', 'sha512'), 'admin');

But the login does not work. I see no errors in the log. I have used this approach before on AS 7.1.1 where it worked.

Thanks for you help.

5条回答
走好不送
2楼-- · 2019-03-16 17:31

I was facing the same problem just now, but I've just managed to fix it!

The problem seems to be the principalsQuery.

According to the documentation you have to put the "Role" and "RoleGroup" in principalsQuery and they have to be with exactly case to match.

SQL prepared statement to be executed in order to map roles. It should be an equivalent to select Role, RoleGroup from Roles where PrincipalID=?, where Role is the role name and RoleGroup column value should always be "Roles" with capital R.

I was also not seeing anything, but I've enabled the below tag (just like Chris told) in my standalone.xml and now I'm able to see errors like "invalid login/password" in the logs.

<logger category="org.jboss.security">
    <level name="TRACE"/>
</logger>

What I've done to confirm that the server was at least querying the database was to check the MySQL (in my case) logs to see if it was being queried.

All in all, the below configuration is what is working for me and btw it seems that few module-options like "hashEncoding" are not being used anymore (also according to the docs).

<security-domain name="example-jaas-realm">
    <authentication>
        <login-module code="Database" flag="required">
            <module-option name="dsJndiName" value="java:/jboss/datasources/TestDS"/>
            <module-option name="principalsQuery" value="select password as 'Password' from users where username=?"/>
            <module-option name="rolesQuery" value="select ur.rolename as 'Role', ur.rolename as 'RoleGroup' from users_roles ur, users u, roles r where r.rolename = ur.rolename and u.username = ?"/> 
        </login-module>
    </authentication>
</security-domain>

Edit

It seems that even after matching agains the database and giving a session to the user, it is still not able to access the protected area. I believe that it has to do something Role and RoleGroup.

    2014-03-20 02:03:23,116 TRACE [org.jboss.security] (default task-9) PBOX000200: Begin isValid, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@c84b3766, cache entry: null
    2014-03-20 02:03:23,120 TRACE [org.jboss.security] (default task-9) PBOX000209: defaultLogin, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@c84b3766
    2014-03-20 02:03:23,120 TRACE [org.jboss.security] (default task-9) PBOX000221: Begin getAppConfigurationEntry(example-jaas-realm), size: 4
    2014-03-20 02:03:23,120 TRACE [org.jboss.security] (default task-9) PBOX000224: End getAppConfigurationEntry(example-jaas-realm), AuthInfo: AppConfigurationEntry[]:
    [0]
    LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
    ControlFlag: LoginModuleControlFlag: required
    Options:
    name=principalsQuery, value=select password as 'Password' from users where username=?
    name=dsJndiName, value=java:/jboss/datasources/TestDS
    name=rolesQuery, value=select ur.rolename as 'Role', ur.rolename as 'RoleGroup' from users_roles ur, users u, roles r where r.rolename = ur.rolename and u.username = ?

    2014-03-20 02:03:23,120 TRACE [org.jboss.security] (default task-9) PBOX000236: Begin initialize method
    2014-03-20 02:03:23,120 TRACE [org.jboss.security] (default task-9) PBOX000262: Module options [dsJndiName: java:/jboss/datasources/TestDS, principalsQuery: select password as 'Password' from users where username=?, rolesQuery: select ur.rolename as 'Role', ur.rolename as 'RoleGroup' from users_roles ur, users u, roles r where r.rolename = ur.rolename and u.username = ?, suspendResume: true]
    2014-03-20 02:03:23,121 TRACE [org.jboss.security] (default task-9) PBOX000240: Begin login method
    2014-03-20 02:03:23,121 TRACE [org.jboss.security] (default task-9) PBOX000263: Executing query select password as 'Password' from users where username=? with username renann
    2014-03-20 02:03:23,123 TRACE [org.jboss.security] (default task-9) PBOX000241: End login method, isValid: true
    2014-03-20 02:03:23,123 TRACE [org.jboss.security] (default task-9) PBOX000242: Begin commit method, overall result: true
    2014-03-20 02:03:23,123 TRACE [org.jboss.security] (default task-9) PBOX000263: Executing query select ur.rolename as 'Role', ur.rolename as 'RoleGroup' from users_roles ur, users u, roles r where r.rolename = ur.rolename and u.username = ? with username renann
    2014-03-20 02:03:23,123 TRACE [org.jboss.security] (default task-9) PBOX000263: Executing query select ur.rolename as 'Role', ur.rolename as 'RoleGroup' from users_roles ur, users u, roles r where r.rolename = ur.rolename and u.username = ? with username renann
    2014-03-20 02:03:23,125 TRACE [org.jboss.security] (default task-9) PBOX000210: defaultLogin, login context: javax.security.auth.login.LoginContext@248d105d, subject: Subject(690838634).principals=org.jboss.security.SimplePrincipal@730498373(renann)org.jboss.security.SimpleGroup@1160321194(teste_role(members:teste_role))org.jboss.security.SimpleGroup@1160321194(admin_role(members:admin_role))org.jboss.security.SimpleGroup@1160321194(CallerPrincipal(members:renann))
    2014-03-20 02:03:23,125 TRACE [org.jboss.security] (default task-9) PBOX000201: End isValid, result = true

Here's my web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
    <security-constraint>
        <display-name>Security Constraint Test Display Name</display-name>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/protected/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>HEAD</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
            <http-method>CONNECT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>teste_role</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>  
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>example-jaas-realm</realm-name>
        <form-login-config>
            <form-login-page>/index.html</form-login-page>
            <form-error-page>/error.html</form-error-page>
        </form-login-config>
    </login-config>
    <session-config>
        <session-timeout>
            30
        </session-timeout>
    </session-config>
    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
    </welcome-file-list>
    <security-role>
        <role-name>teste_role</role-name>
    </security-role>
</web-app>
查看更多
0人赞 添加讨论(0) 举报
何必那么认真
3楼-- · 2019-03-16 17:37

I just had the same problem with Wildfly, look for this line in your standalone.xml

<default-security-domain value="other"/>

And change other to your securitydomain, in previous versions this option was n't necessary.

查看更多
0人赞 添加讨论(0) 举报
淡お忘
4楼-- · 2019-03-16 17:41

The problem is with constant 'Roles', you must specify it exactly like that 'Roles'. Example: Select role, 'Roles' from Role where roleId =

查看更多
0人赞 添加讨论(0) 举报
Melony?
5楼-- · 2019-03-16 17:44

Firstly DatabaseServerLoginModule logs to trace level, so you should set org.jboss.security log levels to trace in your standalone.xml as follows. Now you should see the errors in your server.log

<logger category="org.jboss.security">
    <level name="TRACE"/>
</logger>

You also need to add a realm-name within your jboss-web.xml

<jboss-web>
    <security-domain>java:/jaas/MyRealm</security-domain>
</jboss-web>

You have not supplied the surrounding tags around your login-module configuration snippet. You should have something this below. The realm name needs to match that in your web.xml

<subsystem xmlns="urn:jboss:domain:security:1.0">
  <security-domains>  
    <security-domain name="MyRealm">  
       <authentication>  
         <login-module code="Database" flag="required">  
         ....
      </authentication>  
    </security-domain>  
  </security-domains>  
</subsystem>

Once you have done this could you post any errors from your server.log.

查看更多
0人赞 添加讨论(0) 举报
看我几分像从前
6楼-- · 2019-03-16 17:48

try to add a file jboss-web.xml in the WEB-INF folder:

<jboss-web xmlns="http://www.jboss.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"     xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee 
    http://www.jboss.org/j2ee/schema/jboss-web_6_0.xsd" version="6.0">
    <security-domain>java:/jaas/MyRealm</security-domain>
</jboss-web>
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(6)