JAAS with Wildfly does not work

0

I'm having trouble getting JAAS to work with WildFly; although I can access it normally using the DataSource, I could not find where the error is. When attempting to access the protected resources I am always redirected to the error screen.

standalone.xml

    <security-domain name="login" cache-type="default">
        <authentication>
            <login-module code="Database" flag="required">
                <module-option name="dsJndiName" value="java:jboss/datasources/RestDS"/>
                <module-option name="principalsQuery" value="select senha from Pessoa where email=?"/>
                <module-option name="rolesQuery" value="select roles_name,'Roles' from Pessoa_SystemRole as user_roles inner join Pessoa as p on p.id = user_roles.Pessoa_id where p.email = ?"/>
            </login-module>
        </authentication>
    </security-domain>

persistence.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <persistence version="2.1" xmlns="http://xmlns.jcp.org/xml/ns/persistence" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/persistence http://xmlns.jcp.org/xml/ns/persistence/persistence_2_1.xsd">
        <persistence-unit name="Rest" transaction-type="JTA">
            <provider>org.hibernate.jpa.HibernatePersistenceProvider</provider>
            <jta-data-source>java:jboss/datasources/RestDS</jta-data-source>
            <properties>
                <property name="hibernate.dialect" value="org.hibernate.dialect.MySQL5InnoDBDialect"/>
                <property name="hibernate.hbm2ddl.auto" value="update"/>
                <property name="hibernate.show_sql" value="true"/>
                <property name="hibernate.format_sql" value="true"/>
            </properties>
        </persistence-unit>
    </persistence>

web.xml

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-constraint>
  <web-resource-collection>
      <web-resource-name>Seguranca</web-resource-name>
      <url-pattern>/login/*</url-pattern>
      <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
      <role-name>ADMIN</role-name>
      <role-name>USER</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>ADMIN</role-name>
</security-role>
<security-role>
  <role-name>USER</role-name>
</security-role>
asked by anonymous 13.02.2017 / 00:37

1 answer

0

When we have to implement JAAS, it is important to understand the mechanism for how authentication works using the Java EE technology specifications:


Security Services: The Java Authentication and Authorization Service (JAAS) enables services to authenticate and apply user access controls. The Java Container Authorization Service Provider Agreement (JACC) defines a contract between a Java EE application server and an authorization service provider, allowing custom authorization service providers to connect to any Java EE product. The Java Container Authentication Service Provider Interface (JASPIC) defines a standard interface by which authentication modules can be integrated with containers so that these modules can establish the authentication identities used by the containers. [Gonçalves, Antonio - 2013, p. 10]

Now, in practice, keep in mind that in Java EE, containers are responsible for providing application security. A container basically provides two types of security: declarative and programmatic.

Personally, I'd rather implement security using the declarative type, because the deployment descriptor information (web.xml, jboss-web.xml, standalone.xml, domain.xml) is contained in an external file and can therefore be changed without modifying the source code. This is a benefit that reduces maintenance and refactoring of source code.

To understand the type of declarative security using

Source: [Michal Cmil et al - 2014, p. 309]

I believe that in your case the following configuration needs to be added to the JBoss Web Deployment Descriptor, WEB-INF/jboss-web.xml. You need to declare here the security domain that will be used to authenticate users:

<jboss-web>
    <security-domain>java:/jaas/login</security-domain>
</jboss-web>

Consider the following:


The login form must contain fields for entering a username and password. These fields should be named j_username and j_password, respectively. The authentication form must post these values to the logical name j_security_check.


All of these names beginning with j_ are standardized by the Java Servlet specification; we just need to follow the convention to allow the automatic mechanisms to work. [Michal Cmil et al - 2014, p. 310]

....
<form method="post" action="j_security_check" name="nameForm" >
....

NOTE: Sorry for the wall of text, but unfortunately it is necessary to have a good theoretical basis.

References:
[Juneau, Josh - 2013], Apress, © 2013, #: A Problem-Solution Approach - Proven Solutions for Java Enterprise Edition 7 Development
[Gonçalves, Antonio - 2013], Apress, © 2013, Beginning Java EE 7 (Expert Voice in Java)
[JSR 196 - JASPIC], JSR 196 - JASPIC: Java Authentication Service Provider Interface for Containers
[Anjana Mankale - 2013], © 2013 Packt Publishing, Spring Security 3.x Cookbook: Over 60 recipes to help you successfully secure your web applications with Spring Security
[Michal Cmil et al - 2014], © 2014 Packt Publishing, Java EE 7 Development with WildFly: Leverage the power of the WildFly application server from JBoss to develop modern Java EE 7 applications

19.11.2017 / 22:01
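As an added check, not code from the question or the answer, the script below parses constructed excerpts of the three descriptors discussed in this thread and verifies two things a reviewer would look at first: that the security-domain declared in jboss-web.xml (with or without the legacy java:/jaas/ prefix) names a domain actually defined in standalone.xml, and that no security-constraint lists explicit http-method elements, since the Servlet specification only constrains the listed verbs and leaves the others unauthenticated unless deny-uncovered-http-methods (Servlet 3.1) is declared. The constraint in the question's web.xml lists only GET, so the second check flags it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpts mirroring the question's standalone.xml/web.xml and the answer's jboss-web.xml.
STANDALONE_XML = """<subsystem xmlns="urn:jboss:domain:security:1.2"><security-domains>
  <security-domain name="login" cache-type="default"><authentication>
    <login-module code="Database" flag="required">
      <module-option name="dsJndiName" value="java:jboss/datasources/RestDS"/>
    </login-module></authentication></security-domain>
</security-domains></subsystem>"""
JBOSS_WEB_XML = "<jboss-web><security-domain>java:/jaas/login</security-domain></jboss-web>"
WEB_XML = """<web-app><security-constraint><web-resource-collection>
  <web-resource-name>Seguranca</web-resource-name><url-pattern>/login/*</url-pattern>
  <http-method>GET</http-method></web-resource-collection>
  <auth-constraint><role-name>ADMIN</role-name><role-name>USER</role-name></auth-constraint>
</security-constraint></web-app>"""

def _named(elem, name):
    """All elements in the subtree whose local tag (namespace stripped) is `name`."""
    return [c for c in elem.iter() if c.tag.rsplit("}", 1)[-1] == name]

def security_domain_resolves(jboss_web_xml, standalone_xml):
    """True if jboss-web.xml's <security-domain>, with or without the legacy
    java:/jaas/ prefix, names a domain that standalone.xml actually defines."""
    refs = _named(ET.fromstring(jboss_web_xml), "security-domain")
    wanted = re.sub(r"^java:/jaas/", "", refs[0].text.strip()) if refs else ""
    defined = {d.get("name") for d in _named(ET.fromstring(standalone_xml), "security-domain")}
    return wanted in defined

def uncovered_methods(web_xml):
    """(url-pattern, listed methods) for each collection naming explicit <http-method>s:
    unlisted verbs are outside the auth-constraint unless <deny-uncovered-http-methods/> is set."""
    root = ET.fromstring(web_xml)
    if _named(root, "deny-uncovered-http-methods"):
        return []
    findings = []
    for sc in _named(root, "security-constraint"):
        for wrc in _named(sc, "web-resource-collection"):
            methods = sorted(m.text.strip() for m in _named(wrc, "http-method"))
            for p in (_named(wrc, "url-pattern") if methods else []):
                findings.append((p.text.strip(), methods))
    return findings

def audit(jboss_web_xml, standalone_xml, web_xml):
    out = []  # human-readable findings; empty means both checks passed
    if not security_domain_resolves(jboss_web_xml, standalone_xml):
        out.append("jboss-web.xml security-domain matches no domain in standalone.xml")
    for pattern, methods in uncovered_methods(web_xml):
        out.append(f"{pattern}: only {','.join(methods)} constrained; other verbs unprotected")
    return out
```

Run `audit(JBOSS_WEB_XML, STANDALONE_XML, WEB_XML)` against your own descriptor files' contents; adding `<deny-uncovered-http-methods/>` to web.xml or dropping the http-method element clears the second finding.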