Comments on Arjan Tijms' Weblog: Implementing container authentication in Java EE with JASPIC

Anonymous (2022-01-24 23:09):
I went through your articles, which are outstanding.

https://stackoverflow.com/questions/70769617/how-to-configure-google-oauth-and-form-auth-in-tom-cat-to-work-together-in-the-s

I thought you could help me with this. It would be a great help to me.

Arjan Tijms (2018-03-30 08:47):
I don't know of any @SecurityDomain. The WildFly people have promised for years that it should "just work" once Elytron is there. Elytron is in WildFly 12, but I haven't tested it.

For WildFly 10 and 11 it's still jboss-web.xml for sure. See here: http://arjan-tijms.omnifaces.org/2015/08/activating-jaspic-in-jboss-wildfly.html

mammerritt (2018-03-30 07:43):
Hi Arjan,
In WildFly utilizing Soteria's JSR 375 RI, is there a way to specify the security domain to use via @SecurityDomain instead of having to specify it in the jboss-web.xml?
Thanks!
-a

mjremijan (2017-09-27 02:41):
Hi Arjan. I've been able to take a look at basic-authentication and I got it working on WebLogic 12.2.1. I was able to get it working both with and without weblogic.xml. I also was able to successfully use the weblogic.xml `security-role-assignment` to provide a mapping between application-specific roles and whatever groups an identity-management solution might assign to the user. So that is all good.

However, WebLogic 12.2.1 seems to have a hard time with remembering groups after logging in. I updated "doLogin" with map.put("javax.servlet.http.registerSession", TRUE.toString()); to remember the session. That works OK, and a new session is created. But on subsequent requests if I rebuild the callback with the existing Principal like this:

    if (principal != null) {
        callback = new Callback[] {
            new CallerPrincipalCallback(clientSubject, principal)
        };
    }

I lose all the group information. I can print the Principal name successfully, but isUserInRole('architect') will return false again.

Since rebuilding the callback from the existing Principal wasn't working quite right, I also decided to try "do nothing" like this:

    callback = new Callback[] { new CallerPrincipalCallback(clientSubject, (Principal) null) };

I get even stranger behavior with this. I can print the principal name. And programmatically isUserInRole('architect') will return true. However, declaratively if I attempt to go to an 'architect' protected page I'll get 403 Forbidden.

The only thing that seems to work is the trick of storing the username and groups in session variables. So as part of "doLogin" I store 2 session variables with the principal name and list of groups. I then ignore the existing Principal on subsequent requests, preferring to rebuild the callback using the 2 stored session variables. WebLogic 12.2.1 was happier with this. From previous testing, I know GlassFish and Payara are also good with this.

Is using stored session variables vs. using an existing Principal the safest way to rebuild the callback values across EE servers?

Yannick Majoros (2017-09-22 01:13):
Hi Arjan,

I tried to test the example code from this blog, but I have problems with WebSphere. I crossposted it on SO: https://stackoverflow.com/questions/46359348/why-doesnt-websphere-work-with-my-jaspi-login-module

JASPI worked quickly with WildFly. At that point, I just implemented the ServerAuthModule interface and configured that module in the server configuration, and everything was fine. Note that the auth module class was just part of my application.

I couldn't make it work in WebSphere, this time, as far as I know, implementing exactly what was found on this blog. As soon as my app was deployed, I had these problems:

* Authentication is completely ignored in my app, though it's specified as required for all resources in web.xml. The login module is not invoked.
* Now the strangest part: WebSphere's own admin console fails with a 403 Forbidden status code. I can somehow force some parts of it to display when forcing the right username in my authentication module! Every request to the console triggers breakpoints in my login module.

Deploying using the wsadmin command-line console or even from Java instead of the administration console doesn't seem to change that (as expected, but I've seen weird things in WebSphere in that aspect).

Enabling JASPI and application security in WebSphere doesn't change anything.

Anything that I could correct? Do you know of any sample using JASPI that works on WebSphere?

mjremijan (2017-09-12 13:53):
I'll take a look at this. It looks like I'm doing essentially the same thing so I'll see if I can find the difference.

Arjan Tijms (2017-09-12 13:40):
> In one of your updates you say "WebLogic doesn't require the mandatory role mapping anymore." I don't think this is the case.

It can be confusing under which circumstances this is exactly the case, but it really should work. See https://github.com/javaee-samples/javaee7-samples/tree/master/jaspic/basic-authentication/src/main/webapp/WEB-INF

There's no weblogic.xml file, and that test passed on WebLogic.

Note that for Java EE 8 default group to role mapping is mandatory when there is no container specific configuration.

Arjan Tijms (2017-09-12 13:33):
Indeed, the WLS Security team has strong opinions about the necessity for custom principals and indeed does not support them.

See this matrix where I last tested WebLogic 12.2.1.2 and the tests with custom principals indeed fail: http://arjan-tijms.omnifaces.org/2016/12/the-state-of-portable-authentication-in.html

After quite a huge discussion we have reached a kind of compromise support for custom principals in JSR 375, since the spec lead (Will) is from WebLogic and explained that WebLogic cannot really support custom principals in the way that all other application servers can.

mjremijan (2017-09-12 13:26):
Looks like WebLogic 12.2.1.0 doesn't propagate a custom Principal object either.

mjremijan (2017-09-12 10:45):
Hi Arjan,

In one of your updates you say "WebLogic doesn't require the mandatory role mapping anymore." I don't think this is the case. I'm trying to work with WebLogic 12.2.1.2.0. So far the only way I got things working is to have my roles defined in web.xml and a mapping defined in weblogic.xml too. Furthermore, the value for in web.xml, and the values for and in weblogic.xml all had to be the same value. I tried doing a mapping where I gave in weblogic.xml a different value and set that value in GroupPrincipalCallback, but so far I've not had success with WebLogic doing this mapping. WebLogic also doesn't seem to like @DeclareRoles and prefers everything in web.xml, otherwise you get deployment errors.

Rahul Khandelwal (2016-11-30 22:42):
Hi Arjan,
Have you found out anything for JASPIC in Jetty?
Thanks.

Anonymous (2016-11-30 15:00):
Hi Arjan.

This article describes a very interesting topic; I have to confess that I never heard of JASPIC before. I'm developing a Java EE 7 application on WildFly 10.1.0 and currently the authentication mechanism is FORM based, linked with a Security Domain at database level. Although this strategy is running and supporting this important security requirement, I want to adopt JASPIC to have more control and to build our own authentication module. Following the steps described in the article, the username and password (credentials) to authenticate are not present, but in my application I have a form with those fields to send the values and a rule in the web application descriptor to map the form-login and form-error pages. How can I adapt my application to work with JASPIC using those defined form rules and identifying the scenarios in which the validateRequest method doesn't have to review the user and password to authenticate if a valid process was run before?

Anonymous (2016-10-20 11:45):
Great news, and thanks for the spoiler :)

Arjan Tijms (2016-10-20 11:13):
Good to hear you like the article :)

Tomcat will indeed be added to the matrix; the Java EE 7 samples project that's the home of the tests for that has already been updated for Tomcat. Tomcat is a special case since it doesn't need to be tested for the integration with EJB, CDI, JSF, etc. I'm planning to update the matrix when the next version of Liberty is released. Small spoiler ahead of that: Tomcat passes all tests so far ;)

Anonymous (2016-10-20 10:58):
Awesome article, and you still update it after all these years (I have seen the note about Tomcat 8.5.x and 9.x).
Are you planning to add them to the matrix (server / functionality) comparison?

Arjan Tijms (2016-08-24 23:35):
I see, for now it may be best to ask on the Jetty mailing list about this. I'm going to try myself too soon, but that will take some time.

Do note that Soteria at the moment is only supported on a limited number of servers, namely Payara, JBoss and TomEE. It should theoretically also work on Tomcat if you add a CDI implementation to it, but I haven't tested that. Same goes for Jetty: it should work if you add CDI, but you also need to activate JASPIC first then.

Since Soteria asks a lot from the server in terms of compatible JASPIC features, my guess would be that it initially would not work on Jetty, but who knows.

Rahul Khandelwal (2016-08-24 23:15):
Hi Arjan,
Thanks for the prompt reply.

Our company uses Jetty as server and as of now we are not using any standard authentication mechanism. To port the authentication to JASPIC, I need to do a POC for Jetty; that's why Jetty is important for my use case.

About the Stack Overflow link you mentioned, I tried the GitHub project mentioned in the answer, but I can't find a place to plug in my custom auth module. I am still trying to make it work and will let you know if it works.

For Soteria, I'll look into it for using custom auth modules.

Thanks again.

Arjan Tijms (2016-08-24 13:46):
I'm glad you liked the article. Payara is one of the best servers to use for JASPIC.

I'm regularly testing JASPIC on almost all servers (see e.g. http://arjan-tijms.omnifaces.org/2016/06/the-state-of-portable-authentication-in.html) but Jetty is the one server I didn't test yet. Instead of Jetty you could try Tomcat (8.5 or 9), which also works really well.

I did ask about Jetty a while back, so maybe the answer given back then is helpful to you: http://stackoverflow.com/questions/14224792/how-to-use-jaspi-jaspic-on-jetty

(I really have to follow up on Jetty and add it to the test set, so thanks for reminding me)

> Could you also provide some details about how to use JASPIC in soteria for this same example.

You wouldn't so much use JASPIC -in- Soteria. Instead, Soteria builds on top of JASPIC and it provides a more HTTP specific CDI enabled variant of the ServerAuthModule called the AuthenticationMechanism.

Soteria is still in active development and not officially released yet. See this for (early) details: http://arjan-tijms.omnifaces.org/p/whats-new-in-java-ee-security-api-10.html#32

Rahul Khandelwal (2016-08-24 12:22):
Hi Arjan,
Thanks for the article, it was helpful and I was able to use JASPIC in Payara.
I am trying to use this same example (custom auth) JASPIC in Jetty 9, but I can't seem to make it work.
Could you help with that?

Could you also provide some details about how to use JASPIC in Soteria for this same example.

Thanks.

Arjan Tijms (2016-04-04 02:07):
Hi Alex,

I implemented almost exactly what you're asking for in Soteria (the JSR 375 RI). See here: https://github.com/javaee-security-spec/soteria/blob/master/impl/src/main/java/org/glassfish/soteria/cdi/RememberMeInterceptor.java and https://github.com/javaee-security-spec/soteria/blob/master/impl/src/main/java/org/glassfish/soteria/mechanisms/FormAuthenticationMechanism.java

Although this is based on an Interceptor and a helper class (HttpMessageContext), it's essentially built on top of JASPIC, so whatever that code is doing is something you could do.

I do wonder why you specifically use JBoss 7.1.1.Final? This is a very old beta version of JBoss that contained many bugs. Specifically JASPIC barely works in that version. From the top of my head I don't think it was even in a half usable state before at least 7.2.0 or 7.2.1, somewhere along that version.

For a time I used a patch for JBoss 7.x, see here: https://github.com/javaeekickoff/jboss-as-jaspic-patch That fixed a couple of the worst bugs, but even that needed 7.2.x at least if I remember correctly.

Your best bet would be to use the latest beta of JBoss EAP 7, which is WildFly 10.0.Final.

Unknown (2016-04-03 18:30):
Hello Arjan!

I read your article, as well as a couple of related ones. Currently I am trying to solve this problem:

http://stackoverflow.com/questions/36348377/implement-a-custom-serverauthmodule-for-jboss

but I am not able to.
May I ask you for advice?

Thank you,
Kind regards: Alex

Alex Bennasar (2016-02-23 23:02):
Thanks for your answers Arjan!

For those with the same kind of problems, here you have a proprietary solution for GlassFish:
https://blogs.oracle.com/nasradu8/entry/extend_certificaterealm_with_loginmodule_glassfish

There, the server cryptographically checks the remote client certificate against the truststore, and later you can perform your login logic with a custom login module.

Not standard, but a custom solution. I haven't tried yet with JASPIC over GlassFish, but anyway, as Arjan says, it will be implementation-specific...

Arjan Tijms (2016-02-22 06:59):
Don't worry about the English, it's perfectly fine ;)

The answer is really that JASPIC doesn't have anything specific to say about this. It's just an SPI/API. It's called at exactly the same moment when the server would otherwise call a proprietary authentication mechanism/identity store.

So, the best way to find an answer is to study how existing certificate implementations do this.

At any length, for JSR 375 we'll be looking at implementing a certificate authentication mechanism and identity store before long. Since the authentication mechanism there is JASPIC based you could use that as an example too.

Alex Bennasar (2016-02-22 06:48):
I'm going to elaborate a little more (sorry for my poor English):

I understand the SAM has the responsibility of knowing, in this case, where the accepted certificates are, and of comparing the certificate attached to the request with the accepted certificates to see if one matches.

My question is, since that is not enough for ensuring the user is who he says he is (as he can attach an arbitrary certificate), who performs the SSL handshake, and when is it done?

Many thanks

Alex Bennasar (2016-02-22 05:37):
Thanks for your help Arjan. What I still don't understand is: when I read (req.getAttribute...) the certificate attached to the request, did the server previously check (SSL/TLS handshake) that the remote user knows the associated private key?

Thanks for your help!!