WildFly / WFLY-5569

Module dependencies don't work correctly when JAAS login is used in deployments

    Details

    • Steps to Reproduce:
      Install a custom AS module (login.mongodb in my case) which contains a custom login module (org.jboss.test.MongoLoginModule).

      Create a new security domain which uses the new login module:

      <security-domain name="web-tests" cache-type="default">
          <authentication>
              <login-module code="org.jboss.test.MongoLoginModule" flag="required" module="login.mongodb">
                  <module-option name="mongodb.uri" value="mongodb://localhost:21017/test?collection"/>
              </login-module>
          </authentication>
      </security-domain>
      

      Deploy an application with a servlet containing the following code:

      //...
      LoginContext loginContext = new LoginContext("web-tests", new CallbackHandler() {
      
          @Override
          public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
              for (Callback c : callbacks) {
                  if (c instanceof PasswordCallback) {
                      ((PasswordCallback) c).setPassword(req.getParameter("password").toCharArray());
                  } else if (c instanceof NameCallback) {
                      ((NameCallback) c).setName(req.getParameter("user"));
                  }
              }
          }
      });
      loginContext.login();
      Subject subject = loginContext.getSubject();
      LOGGER.info("Login successful. Subject: " + subject);
      //...
      

      After making a request to the servlet, the user will see the following exception:

      javax.security.auth.login.LoginException: unable to find LoginModule class: org.jboss.test.MongoLoginModule from [Module "deployment.secured-webapp.war:main" from Service Module Loader]
      	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:794)
      	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
      	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
      	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
      	at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
      	at org.jboss.test.JaasLoginServlet.doGet(JaasLoginServlet.java:61)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
      	at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
      	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
      	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
      	at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
      	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
      	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
      	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
      	at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
      	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
      	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
      	at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
      	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
      	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
      	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
      	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
      	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:198)
      	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:784)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      

      If a login module from PicketBox (e.g. "UsersRoles") is used in the "web-tests" security domain, then everything works correctly and the user is authenticated.

      If the security domain is referenced from jboss-web.xml and HttpServletRequest.login(String,String) is used instead of direct JAAS, then it also works for a login module in the custom AS module.


      Description

      When a user wants to use a direct JAAS login call from a deployment (e.g. a servlet), (s)he will experience problems when the LoginModule is placed in a custom AS module.

      Login modules work correctly if they come from PicketBox, but new modules don't work.

      This issue is based on this StackOverflow question

                People

                • Assignee:
                  dlofthouse Darran Lofthouse
                  Reporter:
                  jcacek Josef Cacek
                • Votes:
                  0
                  Watchers:
                  4