[jboss-jira] [JBoss JIRA] (WFLY-2850) AJP connector with external authentication

Sylvain Brouillat (JIRA) issues at jboss.org
Tue Dec 2 12:32:40 EST 2014


    [ https://issues.jboss.org/browse/WFLY-2850?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13024498#comment-13024498 ] 

Sylvain Brouillat commented on WFLY-2850:
-----------------------------------------

Here are the full steps to be able to retrieve the remote_user from the front-end server (like Apache). Hope this will help someone.
In my case, I don't want to use JAAS on the WildFly side, and let Apache take care of all the authentication.

Indeed, if you just put this in web.xml:
<login-config>
    <auth-method>EXTERNAL</auth-method>
</login-config>

You'll get a forbidden message from Undertow.
This is because ExternalAuthenticationMechanism uses the default WildFly LoginModule, which tries to authenticate against the default realm.

All you need to do is use the ClientLoginModule (see https://docs.jboss.org/author/display/WFLY8/Security+subsystem+configuration), specifying your own security domain. Add the following to standalone.xml to add a security domain using ClientLoginModule:

<security-domain name="mySecurityDomain" cache-type="default">
    <authentication>
        <login-module code="Client" flag="optional">
        </login-module>
    </authentication>
</security-domain>

Then, tell your war file to use mySecurityDomain as its security-domain by adding a jboss-web.xml file to the WEB-INF/ directory. jboss-web.xml looks like:

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain>mySecurityDomain</security-domain>
</jboss-web>

Actually, ClientLoginModule just puts your principal and credential into the SecurityContext without authenticating the user against any realm, so that the HttpServletRequest impl (io.undertow.servlet.spec.HttpServletRequestImpl) can retrieve the remote user from the security context when you call HttpServletRequest.getRemoteUser().

> AJP connector with external authentication
> ------------------------------------------
>
>                 Key: WFLY-2850
>                 URL: https://issues.jboss.org/browse/WFLY-2850
>             Project: WildFly
>          Issue Type: Feature Request
>          Components: Web (Undertow)
>    Affects Versions: 8.0.0.CR1
>            Reporter: Geert Coelmont
>            Assignee: Stuart Douglas
>            Priority: Critical
>             Fix For: 8.1.0.CR2, 8.1.0.Final
>
>
> Tomcat allows setting the tomcatAuthentication attribute of the AJP connector to false to allow external web servers (e.g. apache httpd) to handle the authentication and pass that along.
> A similar option was added recently to JBossWeb as well (see WFLY-254), but JBossWeb has been replaced by Undertow. With Undertow this option isn't available as far as I can see.
> For me this is a critical problem as there is currently no way I can do negotiated (SPNEGO) authentication from within WildFly+Undertow. (See also WFLY-2404).
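The three files in the comment above only work when they agree with each other (EXTERNAL in web.xml, a security-domain named in jboss-web.xml, and that same domain backed by the Client login module in standalone.xml). The following is an added deployment check, not code from the commenter or from WildFly; it parses the three files with the standard library and reports any mismatch. The sample documents are constructed from the comment's snippets, with a web-app root element and a security subsystem namespace added as assumptions about a real deployment.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Strip the "{namespace}" prefix ElementTree puts on namespaced tags (standalone.xml is namespaced).
    return tag.rsplit('}', 1)[-1]

def _find_all(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]

def check_external_auth(web_xml, jboss_web_xml, standalone_xml):
    """Return a list of wiring problems; an empty list means the three files agree."""
    problems = []
    methods = [(e.text or '').strip() for e in _find_all(ET.fromstring(web_xml), 'auth-method')]
    if methods != ['EXTERNAL']:
        problems.append(f'web.xml auth-method is {methods}, expected [EXTERNAL]')
    domains = [(e.text or '').strip() for e in _find_all(ET.fromstring(jboss_web_xml), 'security-domain')]
    if len(domains) != 1 or not domains[0]:
        problems.append('jboss-web.xml must name exactly one security-domain')
        return problems
    wanted = domains[0]
    server = ET.fromstring(standalone_xml)
    match = [d for d in _find_all(server, 'security-domain') if d.get('name') == wanted]
    if not match:
        problems.append(f'standalone.xml has no security-domain named {wanted}')
        return problems
    codes = [m.get('code') for m in _find_all(match[0], 'login-module')]
    # "Client" is the short alias used in the comment; the fully qualified class name is the same module.
    if not any(c in ('Client', 'org.jboss.security.ClientLoginModule') for c in codes):
        problems.append(f'security-domain {wanted} has login modules {codes}, expected Client')
    return problems

# Constructed sample inputs mirroring the comment's snippets (root elements and namespace assumed).
WEB_XML = '<web-app><login-config><auth-method>EXTERNAL</auth-method></login-config></web-app>'
JBOSS_WEB_XML = '<jboss-web><security-domain>mySecurityDomain</security-domain></jboss-web>'
STANDALONE_XML = '''<server>
  <subsystem xmlns="urn:jboss:domain:security:1.2"><security-domains>
    <security-domain name="mySecurityDomain" cache-type="default">
      <authentication><login-module code="Client" flag="optional"/></authentication>
    </security-domain>
  </security-domains></subsystem>
</server>'''

if __name__ == '__main__':
    print(check_external_auth(WEB_XML, JBOSS_WEB_XML, STANDALONE_XML) or 'external auth wiring OK')
```

Running it against a real WEB-INF/web.xml, WEB-INF/jboss-web.xml and standalone.xml is a matter of reading those files into the three arguments.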



--
This message was sent by Atlassian JIRA
(v6.3.8#6338)


More information about the jboss-jira mailing list