
WildFly 8.2.1. Database login module results in “Forbidden” error

I am migrating an application to WildFly and got to a point where I am not able to log in to the admin part. I use a Database login module and after setting TRACE log level, I see that the queries are executed successfully - I see some isValid=true lines in the log.

The second column of the roles query returns Roles (no need to dig in the server config to check) :)

If I enter an invalid user or password in the login form, I can see an exception in the log saying that there's no such user (correct). My logic is that this can be treated as proof that the principals and roles queries are correct.

web.xml

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Admin panel</web-resource-name>
        <description>Admin panel</description>
        <url-pattern>/admin/*</url-pattern>
        <http-method>HEAD</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>aaa</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-role>
    <role-name>aaa</role-name>
</security-role>
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/admin/login.jsp</form-login-page>
        <form-error-page>/admin/loginerror.jsp</form-error-page>
        <!--
        <form-login-page>/admin/login.jsp</form-login-page>
        <form-error-page>/admin/loginerror.jsp</form-error-page>
        -->
    </form-login-config>
</login-config>

jboss-web.xml

<jboss-web>
  <security-domain>java:/jaas/rmwebsite</security-domain>
  <context-root>/</context-root>
</jboss-web>

standalone.xml

<security-domain name="rmwebsite" cache-type="default">
    <authentication>
        <login-module code="Database" flag="required">
            <module-option name="dsJndiName" value="java:/RW_DB"/>
            <module-option name="principalsQuery" value="select password from principal where username = ? and activity = 1"/>
            <module-option name="rolesQuery" value="select role as Role,'Roles' as RoleGroup from Roles join principal on roles.role_id=principal.principal_type where roles.role in ('aaa', 'bbb', 'ccc', 'ddd') and principal.username=?"/>
            <module-option name="unauthenticatedIdentity" value="guest"/>
        </login-module>
    </authentication>
</security-domain>

Here is what is shown in the log after attempting to log in

14:42:42,203 TRACE [org.jboss.security] (default task-11) PBOX000354: Setting security roles ThreadLocal: null
14:42:42,206 TRACE [org.jboss.security] (default task-12) PBOX000354: Setting security roles ThreadLocal: null
14:42:50,508 TRACE [org.jboss.security] (default task-13) PBOX000200: Begin isValid, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@eee44800, cache entry: null
14:42:50,508 TRACE [org.jboss.security] (default task-13) PBOX000209: defaultLogin, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@eee44800
14:42:50,510 TRACE [org.jboss.security] (default task-13) PBOX000221: Begin getAppConfigurationEntry(rmwebsite), size: 4
14:42:50,513 TRACE [org.jboss.security] (default task-13) PBOX000224: End getAppConfigurationEntry(rmwebsite), AuthInfo: AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=principalsQuery, value=select password from principal where username = ? and activity = 1
name=unauthenticatedIdentity, value=guest
name=dsJndiName, value=java:/RW_DB
name=rolesQuery, value=select role as Role,'Roles' as RoleGroup from Roles join principal on roles.role_id=principal.principal_type where roles.role in ('aaa', 'bbb', 'ccc', 'ddd') and principal.username=?

14:42:50,516 TRACE [org.jboss.security] (default task-13) PBOX000236: Begin initialize method
14:42:50,516 TRACE [org.jboss.security] (default task-13) PBOX000237: Saw unauthenticated indentity: guest
14:42:50,517 TRACE [org.jboss.security] (default task-13) PBOX000262: Module options [dsJndiName: java:/RW_DB, principalsQuery: select password from principal where username = ? and activity = 1, rolesQuery: select role as Role,'Roles' as RoleGroup from Roles join principal on roles.role_id=principal.principal_type where roles.role in ('aaa', 'bbb', 'ccc', 'ddd') and principal.username=?, suspendResume: true]
14:42:50,519 TRACE [org.jboss.security] (default task-13) PBOX000240: Begin login method
14:42:50,553 TRACE [org.jboss.security] (default task-13) PBOX000263: Executing query select password from principal where username = ? and activity = 1 with username myuser
14:42:50,561 TRACE [org.jboss.security] (default task-13) PBOX000241: End login method, isValid: true
14:42:50,561 TRACE [org.jboss.security] (default task-13) PBOX000242: Begin commit method, overall result: true
14:42:50,561 TRACE [org.jboss.security] (default task-13) PBOX000263: Executing query select role as Role,'Roles' as RoleGroup from Roles join principal on roles.role_id=principal.principal_type where roles.role in ('aaa', 'bbb', 'ccc', 'ddd') and principal.username=? with username myuser
14:42:50,563 TRACE [org.jboss.security] (default task-13) PBOX000263: Executing query select role as Role,'Roles' as RoleGroup from Roles join principal on roles.role_id=principal.principal_type where roles.role in ('aaa', 'bbb', 'ccc', 'ddd') and principal.username=? with username myuser
14:42:50,575 TRACE [org.jboss.security] (default task-13) PBOX000210: defaultLogin, login context: javax.security.auth.login.LoginContext@1acfc77a, subject: Subject(1719716068).principals=org.jboss.security.SimplePrincipal@1733036054(myuser)org.jboss.security.SimpleGroup@1984058353(Roles(members:ddd))org.jboss.security.SimpleGroup@1984058353(CallerPrincipal(members:myuser))
14:42:50,576 TRACE [org.jboss.security] (default task-13) PBOX000207: updateCache, input subject: Subject(1719716068).principals=org.jboss.security.SimplePrincipal@1733036054(myuser)org.jboss.security.SimpleGroup@1984058353(Roles(members:ddd))org.jboss.security.SimpleGroup@1984058353(CallerPrincipal(members:myuser)), cached subject: Subject(1754901421).principals=org.jboss.security.SimplePrincipal@1733036054(myuser)org.jboss.security.SimpleGroup@1984058353(Roles(members:ddd))org.jboss.security.SimpleGroup@1984058353(CallerPrincipal(members:myuser))
14:42:50,577 TRACE [org.jboss.security] (default task-13) PBOX000208: Inserted cache info: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@40d62081
14:42:50,577 TRACE [org.jboss.security] (default task-13) PBOX000201: End isValid, result = true
14:42:50,589 TRACE [org.jboss.security] (default task-13) PBOX000354: Setting security roles ThreadLocal: null
14:42:50,591 TRACE [org.jboss.security] (default task-14) PBOX000200: Begin isValid, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@eee44800, cache entry: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@40d62081
14:42:50,592 TRACE [org.jboss.security] (default task-14) PBOX000204: Begin validateCache, domainInfo: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@40d62081, credential class: class [C
14:42:50,592 TRACE [org.jboss.security] (default task-14) PBOX000205: End validateCache, result = true
14:42:50,592 TRACE [org.jboss.security] (default task-14) PBOX000201: End isValid, result = true
14:42:50,595 TRACE [org.jboss.security] (default task-14) PBOX000354: Setting security roles ThreadLocal: null
14:51:39,168 TRACE [org.jboss.security] (default task-15) PBOX000200: Begin isValid, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@eee44800, cache entry: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@40d62081
14:51:39,168 TRACE [org.jboss.security] (default task-15) PBOX000204: Begin validateCache, domainInfo: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@40d62081, credential class: class [C
14:51:39,169 TRACE [org.jboss.security] (default task-15) PBOX000205: End validateCache, result = true
14:51:39,169 TRACE [org.jboss.security] (default task-15) PBOX000201: End isValid, result = true
14:51:39,172 TRACE [org.jboss.security] (default task-15) PBOX000354: Setting security roles ThreadLocal: null

Originally the web.xml defined a security role 'admin', which is not in aaa, bbb, ccc, ddd. The result was still 'forbidden' - 403 error. The auth constraint referred to *. I changed it to refer to 'aaa' for testing.

The issue seems to be solved after I did the following:
* put * back in the auth constraint
* defined security roles for 'aaa', 'bbb', 'ccc' and 'ddd'.

Thanks Franck for your answers.
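As an added illustration (not part of the original post and not WildFly's own code), here is a small Python model of the Servlet-spec authorization check that runs after the Database login module has done its work: it reads the Roles group out of the PBOX000210 subject dump quoted above and evaluates the three web.xml variants the post describes. The trimmed log line and role names are taken from the post; the assumption that SimpleGroup prints its members comma-separated is mine.

```python
import re
from dataclasses import dataclass
ALL_ROLES = "*"  # Servlet spec: "*" stands for every role declared in <security-role>

# Constructed sample: the PBOX000210 subject dump from the post's TRACE log, trimmed.
SAMPLE_LOG_LINE = (
    "PBOX000210: defaultLogin, subject: Subject(1719716068).principals="
    "org.jboss.security.SimplePrincipal@1733036054(myuser)"
    "org.jboss.security.SimpleGroup@1984058353(Roles(members:ddd))"
    "org.jboss.security.SimpleGroup@1984058353(CallerPrincipal(members:myuser))"
)
_ROLES_GROUP = re.compile(r"Roles\(members:([^)]*)\)")

def roles_from_trace(line: str) -> set:
    """Members of the 'Roles' group in a PBOX000210 subject dump.
    Assumes SimpleGroup prints its members comma-separated (empty group -> no roles)."""
    m = _ROLES_GROUP.search(line)
    if not m or not m.group(1):
        return set()
    return {r.strip() for r in m.group(1).split(",")}

@dataclass(frozen=True)
class WebXml:
    auth_constraint: frozenset  # <role-name> values inside <auth-constraint>
    security_roles: frozenset   # <role-name> values inside <security-role>

def effective_constraint(web: WebXml) -> frozenset:
    """Expand '*' to the declared <security-role> names; explicit names stay as-is."""
    if ALL_ROLES in web.auth_constraint:
        return (web.auth_constraint - {ALL_ROLES}) | web.security_roles
    return web.auth_constraint

def decide(web: WebXml, user_roles: set) -> int:
    """HTTP status for an already-authenticated user (isValid=true in the log):
    200 if one of their roles is named by the expanded constraint, else 403."""
    return 200 if effective_constraint(web) & user_roles else 403

def walk_through_post() -> dict:
    """The three web.xml variants from the post against the role the log shows for myuser."""
    user = roles_from_trace(SAMPLE_LOG_LINE)  # {'ddd'}
    declared_all = frozenset({"aaa", "bbb", "ccc", "ddd"})
    return {
        # test setup: constraint 'aaa', but myuser only holds 'ddd'
        "constraint_aaa": decide(WebXml(frozenset({"aaa"}), frozenset({"aaa"})), user),
        # original setup: '*' with only 'admin' declared, so '*' expands to {'admin'}
        "star_admin_only": decide(WebXml(frozenset({ALL_ROLES}), frozenset({"admin"})), user),
        # the fix: '*' with aaa..ddd declared, so 'ddd' is covered
        "star_all_declared": decide(WebXml(frozenset({ALL_ROLES}), declared_all), user),
    }
```

The model explains the 403s on this page: the user is authenticated fine, but no role the container actually maps from the roles query intersects the expanded auth-constraint until all four roles are declared.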
