Reputation: 7440
I am trying to secure a demo web application on WildFly. I have defined this security domain in the standalone.xml:
<security-domains>
    <security-domain name="projects" cache-type="default">
        <authentication>
            <login-module code="Database" flag="required">
                <module-option name="dsJndiName" value="java:jboss/datasources/TestDS"/>
                <module-option name="rolesQuery" value="SELECT role, 'Roles' FROM users WHERE username=?"/>
                <module-option name="hashAlgorithm" value="MD5"/>
                <module-option name="hashEncoding" value="hex"/>
                <module-option name="principalsQuery" value="SELECT password from users WHERE username=?"/>
            </login-module>
        </authentication>
        <authorization>
            <policy-module code="Database" flag="required">
                <module-option name="dsJndiName" value="java:jboss/datasources/school"/>
                <module-option name="rolesQuery" value="SELECT role, 'Roles' FROM users WHERE username=?"/>
                <module-option name="hashAlgorithm" value="MD5"/>
                <module-option name="hashEncoding" value="hex"/>
                <module-option name="principalsQuery" value="SELECT password from users WHERE username=?"/>
            </policy-module>
        </authorization>
    </security-domain>
</security-domains>
Then, under WEB-INF, I have defined these security constraints in the web.xml:
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" id="WebApp_ID" version="3.1">
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>projects</web-resource-name>
            <url-pattern>/twp/projects/*</url-pattern>
            <http-method>POST</http-method>
            <http-method>GET</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ADMINISTRATOR</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>projects</realm-name>
        <form-login-config>
            <form-login-page>/login.xhtml</form-login-page>
            <form-error-page>/error.xhtml</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <role-name>ADMINISTRATOR</role-name>
    </security-role>
    <security-role>
        <role-name>USER</role-name>
    </security-role>
</web-app>
and this content in the jboss-web.xml
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain>java:/jaas/projects</security-domain>
</jboss-web>
The problem is that if I go to the /projects URL I am not redirected to the login page, as if the constraint was ignored.
Upvotes: 6
Views: 3046
Reputation: 3960
With the configuration of yours, it works fine. At the console, do you get these two lines?
WARN [io.undertow.servlet] (ServerService Thread Pool -- 7) UT015020: Path /twp/projects/* is secured for some HTTP methods, however it is not secured for [TRACE, HEAD, CONNECT, OPTIONS]
INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 7) WFLYUT0021: Registered web context: '/test-1.0-SNAPSHOT' for server 'default-server'
If not, you should place your configuration in the correct sections in the standalone.xml of WildFly.
The first means that the path is secured and the second tells you the registered web context.
Every url under http://localhost:8080/test-1.0-SNAPSHOT/twp/projects will be secured and redirect to the login page.
For example
but not
I use WildFly 11 with urn:jboss:domain:security:2.0 and not Elytron.
Upvotes: 9
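The following Python check is an added example, not code from either poster or from WildFly. It applies the servlet url-pattern and http-method rules to the constraint from the question (embedded as a constructed, trimmed copy) to show which context-relative paths and methods it covers; all function names are hypothetical, and the default pattern `/` is not modelled.

```python
import xml.etree.ElementTree as ET

NS = {"ee": "http://xmlns.jcp.org/xml/ns/javaee"}
ALL_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

# Constructed sample: the constraint from the question, trimmed to the relevant elements.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/twp/projects/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>ADMINISTRATOR</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def pattern_matches(pattern, path):
    """Servlet url-pattern matching: prefix (/x/*), extension (*.x), otherwise exact."""
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == path

def collections(web_xml):
    """Yield (url-patterns, covered methods) for each web-resource-collection."""
    root = ET.fromstring(web_xml)
    for wrc in root.iterfind("ee:security-constraint/ee:web-resource-collection", NS):
        patterns = [p.text.strip() for p in wrc.iterfind("ee:url-pattern", NS)]
        listed = {m.text.strip() for m in wrc.iterfind("ee:http-method", NS)}
        omitted = {m.text.strip() for m in wrc.iterfind("ee:http-method-omission", NS)}
        # No <http-method> at all means every method is covered (minus omissions).
        yield patterns, (listed or ALL_METHODS) - omitted

def is_constrained(web_xml, path, method):
    """True if a request for context-relative `path` with `method` hits a constraint."""
    return any(method in methods and any(pattern_matches(p, path) for p in patterns)
               for patterns, methods in collections(web_xml))

def uncovered_methods(web_xml, path):
    """Methods that reach `path` with no constraint applied (the UT015020 warning)."""
    return sorted(m for m in ALL_METHODS if not is_constrained(web_xml, path, m))
```

Paths are relative to the web context, so `/projects` falls outside the `/twp/projects/*` pattern while `/twp/projects/1` is covered. Dropping the `<http-method>` elements, or adding the Servlet 3.1 `<deny-uncovered-http-methods/>` element to web.xml, closes the gap for the methods listed in the warning.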