[wildfly-dev] Wildfly JAAS HttpServletRequest.login does not keep logged in for subsequent requests
Jan-Willem Gmelig Meyling
jan-willem at youngmediaexperts.nl
Tue Aug 16 03:55:59 EDT 2016
Hi everyone,
I encountered some problems when trying to use the Servlet 3.0 login method in Wildfly 10. After logging in using `HttpServletRequest.login(String, String)`, using the code below, on successive requests I still get a Basic Authentication prompt.
I have also found the same issue on the JBoss developer forum in a post that goes back to september 2015: developer.jboss.org/thread/262640?start=0&tstart=0 <http://developer.jboss.org/thread/262640?start=0&tstart=0> .
Why is the `login` function not working in my configuration?
My endpoint:
@POST
@Path("login")
@Consumes(MediaType.APPLICATION_JSON)
public void login(@Valid LoginRequest loginRequest) {
try {
User user = userController.findUserByUsername(loginRequest.getUsername()).orElseThrow(NotFoundException::new);
httpServletRequest.login(loginRequest.getUsername(), loginRequest.getPassword());
log.info(securityContext); // not null now!
}
catch (ServletException e) {
throw new NotAuthorizedException(e.getMessage(), e, AuthenticationHeaderFilter.CHALLENGE);
}
}
And my `jboss-web.xml`
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web xmlns="http://www.jboss.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.jboss.com/xml/ns/javaee
http://www.jboss.org/j2ee/schema/jboss-web_5_1.xsd">
<security-domain>MyRealm</security-domain>
</jboss-web>
And my `web.xml`:
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>MyRealm</realm-name>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<role-name>user</role-name>
</security-role>
<security-constraint>
<display-name>Authenticated content</display-name>
<web-resource-collection>
<web-resource-name>Authentication required</web-resource-name>
<url-pattern>/api/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>Anonymous content</display-name>
<web-resource-collection>
<web-resource-name>Exclude from Security</web-resource-name>
<url-pattern>/api/me/login</url-pattern>
</web-resource-collection>
</security-constraint>
Furthermore, I declared my security domain as follows in standalone.xml
<security-domain name="MyRealm" cache-type="default">
<authentication>
<login-module code="Database" flag="required">
<module-option name="dsJndiName" value="java:jboss/MysqlXADS"/>
<module-option name="principalsQuery" value="SELECT password AS Password FROM user WHERE username = ?"/>
<module-option name="rolesQuery" value="select 'user' as Role, 'Roles' as RoleGroup union select 'admin' as Role, 'Roles' AS RoleGroup from user where admin is true and username = ?"/>
</login-module>
</authentication>
</security-domain>
I have also posted the question on Stackoverflow, so any answer posted there will receive the bounty points: http://stackoverflow.com/questions/38896538/httpservletrequest-login-does-not-keep-logged-in-for-subsequent-requests <http://stackoverflow.com/questions/38896538/httpservletrequest-login-does-not-keep-logged-in-for-subsequent-requests>
Thanks in advance!
Jan-Willem Gmelig Meyling
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/wildfly-dev/attachments/20160816/4b403108/attachment.html
More information about the wildfly-dev
mailing list