Wildfly JAAS HttpServletRequest.login does not keep logged in for subsequent requests

Wildfly JAAS HttpServletRequest.login does not keep logged in for subsequent requests

Jan-Willem Gmelig Meyling
Hi everyone,

I encountered some problems when trying to use the Servlet 3.0 login method in Wildfly 10. After logging in using `HttpServletRequest.login(String, String)`, using the code below, on successive requests I still get a Basic Authentication prompt.

I have also found the same issue on the JBoss developer forum in a post that goes back to September 2015: developer.jboss.org/thread/262640?start=0&tstart=0 .

Why is the `login` function not working in my configuration?


My endpoint:


    // JAX-RS resource method; httpServletRequest, securityContext, userController
    // and log are injected fields of the resource class
    @POST
    @Path("login")
    @Consumes(MediaType.APPLICATION_JSON)
    public void login(@Valid LoginRequest loginRequest) {
        try {
            // fail with 404 if the username is unknown
            User user = userController.findUserByUsername(loginRequest.getUsername()).orElseThrow(NotFoundException::new);
            // Servlet 3.0 programmatic login against the security domain bound in jboss-web.xml
            httpServletRequest.login(loginRequest.getUsername(), loginRequest.getPassword());
            log.info(securityContext); // not null now!
        }
        catch (ServletException e) {
            // wrong credentials: respond 401 with the Basic challenge header
            throw new NotAuthorizedException(e.getMessage(), e, AuthenticationHeaderFilter.CHALLENGE);
        }
    }


And my `jboss-web.xml`:

    <?xml version="1.0" encoding="UTF-8"?>
    <jboss-web xmlns="http://www.jboss.com/xml/ns/javaee"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <!-- bind this deployment to the MyRealm security domain declared in standalone.xml -->
        <security-domain>MyRealm</security-domain>
    </jboss-web>

And my `web.xml`:

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>MyRealm</realm-name>
    </login-config>

    <security-role>
        <role-name>admin</role-name>
    </security-role>

    <security-role>
        <role-name>user</role-name>
    </security-role>

    <security-constraint>
        <display-name>Authenticated content</display-name>
        <web-resource-collection>
            <web-resource-name>Authentication required</web-resource-name>
            <url-pattern>/api/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>

    <security-constraint>
        <display-name>Anonymous content</display-name>
        <web-resource-collection>
            <web-resource-name>Exclude from Security</web-resource-name>
            <url-pattern>/api/me/login</url-pattern>
        </web-resource-collection>
    </security-constraint>


Furthermore, I declared my security domain as follows in `standalone.xml`:

    <security-domain name="MyRealm" cache-type="default">
        <authentication>
            <login-module code="Database" flag="required">
                <module-option name="dsJndiName" value="java:jboss/MysqlXADS"/>
                <module-option name="principalsQuery" value="SELECT password AS Password FROM user WHERE username = ?"/>
                <module-option name="rolesQuery" value="select 'user' as Role, 'Roles' as RoleGroup union select 'admin' as Role, 'Roles' AS RoleGroup from user where admin is true and username = ?"/>
            </login-module>
        </authentication>
    </security-domain>


I have also posted the question on Stackoverflow, so any answer posted there will receive the bounty points: http://stackoverflow.com/questions/38896538/httpservletrequest-login-does-not-keep-logged-in-for-subsequent-requests

Thanks in advance!

Jan-Willem Gmelig Meyling





_______________________________________________
wildfly-dev mailing list
[hidden email]
https://lists.jboss.org/mailman/listinfo/wildfly-dev
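The following is an added example, not code from the original post or from WildFly. It is a variant of the posted JAX-RS resource with two changes a reviewer would ask for: a single failure path, so an unknown username and a wrong password both get the same 401 (the posted code answers 404 for an unknown user and 401 for a wrong password, which tells a caller which usernames exist), and a small probe endpoint that reports the container's view of the caller on a later request, which is the check needed to tell "login() was not retained across requests" from "the security constraint issued a challenge anyway". It assumes `LoginRequest` and `AuthenticationHeaderFilter.CHALLENGE` from the post, and that `/api/me/whoami` is added to the unconstrained `url-pattern` list in `web.xml` alongside `/api/me/login`. It does not change whether the container retains the programmatic login, which the thread concludes is left undefined by Servlet 3.0.

```java
import java.security.Principal;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.validation.Valid;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

// Added example, not the original poster's code. Assumes LoginRequest with
// getUsername()/getPassword() and AuthenticationHeaderFilter.CHALLENGE (the
// WWW-Authenticate value) as in the post; the "whoami" path is assumed to be
// excluded from the /api/* constraint in web.xml, like /api/me/login is.
@Path("me")
public class SessionResource {

    @Context
    private HttpServletRequest httpServletRequest;

    @POST
    @Path("login")
    @Consumes(MediaType.APPLICATION_JSON)
    public Response login(@Valid LoginRequest loginRequest) {
        // Make sure a session exists before login(), so the container has a
        // place to attach the authenticated identity. Whether it does so is
        // not defined by Servlet 3.0 and differs between containers.
        httpServletRequest.getSession(true);
        try {
            // No separate user lookup: the security domain's principalsQuery
            // decides. An unknown username and a wrong password both end up in
            // the catch block with the same 401, so the response does not
            // reveal which usernames exist.
            httpServletRequest.login(loginRequest.getUsername(), loginRequest.getPassword());
        } catch (ServletException e) {
            throw new NotAuthorizedException("Authentication failed", AuthenticationHeaderFilter.CHALLENGE);
        }
        return Response.noContent().build();
    }

    // Diagnostic probe: call it on a second request carrying the JSESSIONID
    // cookie returned by /login. A null principal means the container did not
    // retain the programmatic login across requests.
    @GET
    @Path("whoami")
    @Produces(MediaType.APPLICATION_JSON)
    public Map<String, Object> whoami() {
        Map<String, Object> view = new LinkedHashMap<>();
        Principal principal = httpServletRequest.getUserPrincipal();
        view.put("authenticated", principal != null);
        view.put("name", principal == null ? null : principal.getName());
        view.put("user", httpServletRequest.isUserInRole("user"));
        view.put("admin", httpServletRequest.isUserInRole("admin"));
        view.put("session", httpServletRequest.getSession(false) != null);
        return view;
    }
}
```

Calling `/api/me/whoami` immediately after `/api/me/login` with the same session cookie, and then once more after a fresh request, separates the two failure modes the thread discusses: if `authenticated` is already false on the second call, the container dropped the identity at the end of the login request; if it is true there but a request to a constrained path still gets a Basic prompt, the `BASIC` `login-config` is running its own challenge, which is the point Claudio raises below.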
Re: Wildfly JAAS HttpServletRequest.login does not keep logged in for subsequent requests

Claudio Miranda
On Tue, Aug 16, 2016 at 4:55 AM, Jan-Willem Gmelig Meyling
<[hidden email]> wrote:
> And my `web.xml`:
>
>     <login-config>
>         <auth-method>BASIC</auth-method>
>         <realm-name>MyRealm</realm-name>
>     </login-config>

As you want programmatic authentication, there is no need for <login-config>.





--
  Claudio Miranda

[hidden email]
http://www.claudius.com.br
Re: Wildfly JAAS HttpServletRequest.login does not keep logged in for subsequent requests

Jan-Willem Gmelig Meyling
Hi Claudio,

Thanks for your comment; I have upvoted it on my Stackoverflow thread. Arjan wrote the answer I have accepted, which can be found at http://stackoverflow.com/a/38976889/2104280 .

Turns out the session behaviour for the login call is not really defined in Servlet 3.0 and may be improved in JSR 375.

Thanks for your answers!

Jan-Willem

On 16 Aug 2016, at 17:25, Claudio Miranda <[hidden email]> wrote:

> As you want programmatic authentication, there is no need for <login-config>.