Question

I've tried to write my own custom login module which, simplified, looks like this:

package my.package;

import java.security.acl.Group;
import javax.security.auth.login.LoginException;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

public class MyUsernamePasswordLoginModule extends UsernamePasswordLoginModule {

    // Simplified for the question: no roles are assigned
    @Override
    protected Group[] getRoleSets() throws LoginException {
        return new Group[] { };
    }

    // Simplified for the question: any password is accepted
    @Override
    protected boolean validatePassword(String inputPassword, String expectedPassword) {
        return true;
    }

    // Simplified for the question: the expected password is always empty
    @Override
    protected String getUsersPassword() throws LoginException {
        return "";
    }
}

I think the actual implementation is not important for my question. That class is contained in my deployed EJB. Next I set up the module in my Wildfly's standalone.xml. I just added

<security-domain name="my-security" cache-type="default">
    <authentication>
        <login-module code="my.package.MyUsernamePasswordLoginModule" flag="required" />
    </authentication>
</security-domain>

to the security domains in the <subsystem xmlns="urn:jboss:domain:security:1.2"> section. Finally I annotated my @WebService classes with @SecurityDomain(value = "my-security"). If I do so I get an EJBAccessException which I don't get without the @SecurityDomain annotation. I would consider this expected behaviour since I don't provide credentials yet, but if I set breakpoints in any of the methods of my login module class, I can see that it never gets executed. If I add log4j or System.out.println() calls, they don't appear on my console either. I've deployed to and started my Wildfly from Eclipse in debug mode.

Am I missing something or is just my expectation to be able to debug this wrong?

EDIT

After I found out that Eclipse wasn't showing the whole log, I found out that the default authorization module (which was Delegating) failed. I changed my security domain to

<security-domain name="my-security" cache-type="default">
    <authentication>
        <login-module code="my.package.MyUsernamePasswordLoginModule" flag="required" />
    </authentication>
    <authorization>
        <policy-module code="PermitAll" flag="required"/>
    </authorization>
</security-domain>

I would now expect that my request passes authorization and executes my login module after that (although authentication would make more sense before authorization), but now it just accepts all requests. So it seems I somewhere got the concept wrong and I can't seem to find any documentation to clear this up for me. Can somebody tell me how to configure this correctly?

EDIT

After some debugging I found out that org.jboss.as.security.service.SimpleSecurityManager#authenticate(final String runAs, final String runAsPrincipal, final Set<String> extraRoles) is executed. It does, as it makes sense, authentication before authorization. It first gets the security context and it shows that the security domain is actually "my-security". But then it executes its own authentication which detects a missing principal and sets the unauthenticated identity which has a valid authentication (WAT?). As a result the authentication succeeds and the authorization is executed. I still don't get where my login module fits into that process and how to configure it correctly. This slowly drives me insane by now...


Solution

Turns out the @WebContext annotation is mandatory to enable the authentication for the web service:

@WebContext(contextRoot = "/myservice", urlPattern = "/*", authMethod = "BASIC", secureWSDLAccess = false)

This wasn't clear to me from all the tutorials. It seemed optional to enable HTTP authentication instead of JAAS authentication. Maybe there is still a way without it, but it now works as intended.
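As an added illustration (not code from the question or the answer), here is how the pieces fit together once @WebContext is in place: a login module that looks up the caller, fails closed for unknown users and returns a "Roles" group, and the EJB endpoint carrying @WebContext, @SecurityDomain and @RolesAllowed so that a PermitAll authorization module does not by itself admit every caller. The in-memory user table, the role name "reader", the class MyService and the password placeholder are assumptions for the example; the Wildfly, PicketBox and JBossWS annotations and classes are the real ones, and package declarations are omitted.

```java
// Added example: two files shown together (Wildfly 8/9 with PicketBox and JBossWS assumed).
// File 1: MyUsernamePasswordLoginModule.java
import java.security.acl.Group;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

public class MyUsernamePasswordLoginModule extends UsernamePasswordLoginModule {
    // Constructed sample data for the example; a real module would consult a user store.
    // The stored value is compared by the superclass's validatePassword(); when the
    // hashAlgorithm module option is set in standalone.xml, the entered password is
    // hashed first, so store the hash rather than the clear-text password.
    private static final Map<String, String[]> USERS = new HashMap<>();
    static { USERS.put("alice", new String[] { "<password-or-hash>", "reader" }); }

    @Override
    protected String getUsersPassword() throws LoginException {
        String[] entry = USERS.get(getUsername());
        if (entry == null) throw new LoginException("unknown user"); // fail closed
        return entry[0];
    }

    @Override
    protected Group[] getRoleSets() throws LoginException {
        SimpleGroup roles = new SimpleGroup("Roles"); // PicketBox expects this group name
        String[] entry = USERS.get(getUsername());
        if (entry != null) roles.addMember(new SimplePrincipal(entry[1]));
        return new Group[] { roles };
    }
}

// File 2: MyService.java (hypothetical endpoint class)
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.jws.WebMethod;
import javax.jws.WebService;
import org.jboss.ejb3.annotation.SecurityDomain;
import org.jboss.ws.api.annotation.WebContext;

@Stateless
@WebService
@SecurityDomain("my-security") // the domain declared in standalone.xml
@WebContext(contextRoot = "/myservice", urlPattern = "/*", authMethod = "BASIC", secureWSDLAccess = false)
@RolesAllowed("reader") // method-level check; with PermitAll alone any authenticated caller gets in
public class MyService {
    @WebMethod
    public String hello() { return "hello"; }
}
```

With this in place, a request without credentials is rejected by the BASIC challenge before the EJB is invoked, and a request from a user outside the "reader" role still fails with EJBAccessException even though the policy module is PermitAll.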

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow