Reputation: 31
jboss EAP 6.3.3 fallback authentication
I have an app to deploy that requires SSO to work off AD. This is working with the following snippets:
jboss-web.xml
<security-domain>java:/jaas/SPNEGO</security-domain>
<valve>
<class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>
</valve>
jboss-deployment-structure.xml
<dependencies>
<module name="javax.api" slot="main"/>
<module name="org.jboss.security.negotiation" />
<module name="sun.jdk" slot="main"/>
</dependencies>
domain.xml
<subsystem xmlns="urn:jboss:domain:security:1.2">
<security-domains>
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmDirect" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="jboss-web-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
<security-domain name="host" cache-type="default">
<authentication>
<login-module code="Kerberos" flag="optional">
<module-option name="storeKey" value="true"/>
<module-option name="useKeyTab" value="true"/>
<module-option name="principal" value="HTTP/[email protected]"/>
<module-option name="keyTab" value="/xx/xx/xx.keytab"/>
<module-option name="doNotPrompt" value="true"/>
<module-option name="debug" value="true"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="SPNEGO" cache-type="default">
<authentication>
<login-module code="SPNEGO" flag="requisite">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="serverSecurityDomain" value="host"/>
<module-option name="removeRealmFromPrincipal" value="true"/>
</login-module>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://xx.xx.xx:389"/>
<module-option name="bindDN" value="cn=xx,ou=xx,ou=xx,dc=xx,dc=xx"/>
<module-option name="bindCredential" value="xxencryptmexx"/>
<module-option name="baseCtxDN" value="ou=xx,ou=xx,dc=xx,dc=xx"/>
<module-option name="baseFilter" value="(&(samaccountname={0})(objectclass=user))"/>
<module-option name="searchScope" value="ONELEVEL_SCOPE"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="throwValidateError" value="true"/>
<module-option name="rolesCtxDN" value="ou=xx,ou=xx,dc=xx,dc=xx"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="roleAttributeIsDN" value="false"/>
<module-option name="roleRecursion" value="2"/>
<module-option name="java.naming.referral" value="follow"/>
</login-module>
</authentication>
</security-domain>
</security-domains>
</subsystem>
I would like to deploy the same app to another server with a different profile without changing the jboss-web.xml and jboss-deployment-structure.xml to have a fallback authentication to use the databaseserverlogin module. This app will then be used by others to make RPC calls to it (no SSO). I tried stacking the login-module below:
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
<module-option name="dsJndiName" value="java:/MyDatabaseDS"/>
<module-option name="principalsQuery" value="select passwd from Users where username=?"/>
<module-option name="rolesQuery" value="select userRoles, 'Roles' from UserRoles where username=?"/>
<module-option name="ignorePasswordCase" value="true"/>
</login-module>
The error I'm getting running a wget command (in hoping that it will fallback to databaseserverlogin module)
HTTP request sent, awaiting response... 401 Unauthorized
Unknown authentication scheme.
Authorization failed.
I can successfully use the databaseserverlogin module by itself, but not without stripping out the valve entry in jboss-web.xml.
Is this setup possible? I'm trying to avoid modifying the WAR file received from development.
I tried the following link but stuck on class not found org.jboss.security.negotiation.NegotiationWithBasicFallbackAuthenticator? I assumed the patch would have been included in latest jboss EAP 6.3.3? Probably a bad assumption.
Thanks in advance for any guidance (and patience if I'm not making sense).
Upvotes: 1
Views: 1072
Answers (1)
Reputation: 31
Sorted, with help from RedHat Support.
•To enable fallback to basic, add the following to the top of the WEB-INF/web.xml file:
<context-param>
<description>BASIC Authentication FallBack</description>
<param-name>org.jboss.security.negotiation.NegotiationAuthenticator.BasicAuthFallBack</param-name>
<param-value>true</param-value>
</context-param>
Link to newly created knowledge base solution here if you have RedHat support https://access.redhat.com/solutions/1488173
Upvotes: 2
Related Questions
- JBoss EAP 6.2: Exchange auth-method of war-file
- Java EE (JBoss EAP) custom auth-method JWT
- How to flush the authentication cache in JBoss EAP 7
- JBoss EAP 7 Basic Authentication not work
- JBOSS EAP 7 - EJB Client user data
- Alternative for NegotiationAuthenticator class from JBoss EAP 6 in WildFly 10.1?
- How can I fallback to BASIC or FORM authentication when SPNEGO can't be used for a client?
- JBoss EAP 6.2 | How to configure datasource username password to be dynamic
- JBoss EAP 6.3 / AS 7 Clustered SSO with unsecured pages
- Jboss 4.3 EAP in Eclipse asks credentials on server startup