Wildfly integration #232

Open
hazendaz opened this issue Jul 13, 2015 · 5 comments

Comments

@hazendaz
Member

Would be nice to use native wildfly integrations. I've played around some trying to figure this out but haven't quite got a native solution. In the meantime, continuing to use servlets does the trick.

@dblock dblock added the chore label Aug 28, 2015
@fanste

fanste commented Nov 18, 2015

Wildfly allows the injection of the HttpServletRequest. But the injected instance won't reflect the wrapped request from the NegotiateSecurityFilter. Therefore no principal is available.

So this would be really nice to fix.

@hazendaz
Member Author

I've got some code done but it's not completely working and I'm a newbie on wildfly. I could make it more readily available if I could get some help building the solution.

@devnullpointer
Contributor

devnullpointer commented Oct 11, 2018

Since v11, Wildfly has moved to Elytron for their security domain implementations. This means that the waffle.jaas.WindowsLoginModule that I contributed to is not viable for Wildfly version 11 and higher. We would need to implement a WindowsLoginRealm that implements SecurityRealm from the jboss libraries. I can't guarantee when I would be able to start looking at that, probably won't be until early next year unless moving to the latest Wildfly becomes a project priority at work.

@hazendaz
Member Author

hazendaz commented Oct 11, 2018 via email

@eekodeerder
Contributor

eekodeerder commented Dec 12, 2020

The waffle.jaas.WindowsLoginModule that @devnullpointer introduced is not only not compatible with WildFly version 11 and higher, it is also not compatible with Tomcat and for that matter JAAS itself.
It was a hack to get roles into a group as a list of roles and removing the roles themselves as principals. According to JAAS, roles should be principals.
The correct way to have put them into groups in earlier WildFly versions (which did support JAAS) would have been to use the assign-groups attribute in the WildFly security-realm and NOT to modify the waffle.jaas.WindowsLoginModule, which was JAAS and Tomcat compatible, but is not anymore.
How do I go about fixing waffle.jaas.WindowsLoginModule to work for roles in Tomcat as it is advertised to do, but does not? I am new to GitHub.
I would like to illustrate this point by showing the logs from the Tomcat JAASRealm:

12-Dec-2020 10:15:12.959 FINE [http-nio-8080-exec-26] org.apache.catalina.realm.JAASRealm.authenticate JAAS LoginContext created for username [PARSEC\freek]
12-Dec-2020 10:15:12.959 FINE [http-nio-8080-exec-26] org.apache.catalina.realm.JAASRealm.createPrincipal Checking Principal [waffle.jaas.UserPrincipal@20e74b3] [waffle.jaas.UserPrincipal]
12-Dec-2020 10:15:12.959 FINE [http-nio-8080-exec-26] org.apache.catalina.realm.JAASRealm.createPrincipal Principal [PARSEC\freek] is a valid user class. We will use this as the user Principal.
12-Dec-2020 10:15:12.959 FINE [http-nio-8080-exec-26] org.apache.catalina.realm.JAASRealm.createPrincipal Checking Principal [waffle.jaas.UserPrincipal@d5306624] [waffle.jaas.UserPrincipal]
12-Dec-2020 10:15:12.959 FINE [http-nio-8080-exec-26] org.apache.catalina.realm.JAASRealm.createPrincipal Checking Principal [Roles(members:waffle.jaas.RolePrincipal@ab1ba21b,waffle.jaas.RolePrincipal@4407ce47,waffle.jaas.RolePrincipal@4a7052f4,waffle.jaas.RolePrincipal@729c2796,waffle.jaas.RolePrincipal@874cee86,waffle.jaas.RolePrincipal@1ed843d3,waffle.jaas.RolePrincipal@9ee34828,waffle.jaas.RolePrincipal@7f4d8ec3,waffle.jaas.RolePrincipal@e0f037be,waffle.jaas.RolePrincipal@76046155,waffle.jaas.RolePrincipal@be714aa0,waffle.jaas.RolePrincipal@43849950,waffle.jaas.RolePrincipal@d7973642,waffle.jaas.RolePrincipal@2c6cf27b,waffle.jaas.RolePrincipal@66d0628a,waffle.jaas.RolePrincipal@73061cdd,waffle.jaas.RolePrincipal@1359d682,waffle.jaas.RolePrincipal@88cbcad5,waffle.jaas.RolePrincipal@2e65c945,waffle.jaas.RolePrincipal@504fdeae,waffle.jaas.RolePrincipal@14a9058b,waffle.jaas.RolePrincipal@f768724a,waffle.jaas.RolePrincipal@d5a6df84,waffle.jaas.RolePrincipal@be18043a,waffle.jaas.RolePrincipal@908c5ae8,waffle.jaas.RolePrincipal@8db8745f,waffle.jaas.RolePrincipal@60e37cca,waffle.jaas.RolePrincipal@dc67a34c,waffle.jaas.RolePrincipal@a64190ac,waffle.jaas.RolePrincipal@9096f7f8,waffle.jaas.RolePrincipal@5eb4309a,waffle.jaas.RolePrincipal@194c117c,waffle.jaas.RolePrincipal@e3ed649e,waffle.jaas.RolePrincipal@8e915ba2,waffle.jaas.RolePrincipal@6a7dc2ce,waffle.jaas.RolePrincipal@d5db2e6f,waffle.jaas.RolePrincipal@205276a7,waffle.jaas.RolePrincipal@c79e0cf,waffle.jaas.RolePrincipal@74e3d69c,waffle.jaas.RolePrincipal@faba74c5)] [waffle.jaas.GroupPrincipal]
12-Dec-2020 10:15:12.959 FINE [http-nio-8080-exec-26] org.apache.catalina.realm.JAASRealm.createPrincipal No valid role Principals found.

Even though all the Windows groups were found and put into RolePrincipals, they were not placed into the Subject as RolePrincipals (as required by JAAS), so they cannot be found by the JAASRealm.
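
The failure mode in the log above, as an added example that is not part of the original comment and is not Waffle's or Tomcat's code: a realm-style scan that looks only at the Subject's top-level principals finds no roles when they sit inside a single container principal. The principal records, `visibleRoles`, and the group names are constructed stand-ins; the scan is a simplified assumption about matching principals by class name.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;

public class RoleVisibilityDemo {
    // Constructed stand-ins for the principal types seen in the log (not Waffle's classes).
    record UserPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }
    record RolePrincipal(String name) implements Principal {
        public String getName() { return name; }
    }
    record GroupPrincipal(String name, List<RolePrincipal> members) implements Principal {
        public String getName() { return name; }
    }

    // Simplified realm-side scan (an assumption, not Tomcat's code): only top-level
    // principals are inspected, and a role counts only if its class is a configured role class.
    static List<String> visibleRoles(Subject subject, Set<String> roleClassNames) {
        List<String> roles = new ArrayList<>();
        for (Principal p : subject.getPrincipals()) {
            if (roleClassNames.contains(p.getClass().getName())) {
                roles.add(p.getName());
            }
        }
        return roles;
    }

    public static void main(String[] args) {
        Set<String> roleClasses = Set.of(RolePrincipal.class.getName());
        List<RolePrincipal> groups = List.of(
            new RolePrincipal("PARSEC\\Domain Users"),   // constructed group names
            new RolePrincipal("BUILTIN\\Users"));

        // Roles wrapped in one container principal, as in the logged Subject.
        Subject wrapped = new Subject();
        wrapped.getPrincipals().add(new UserPrincipal("PARSEC\\freek"));
        wrapped.getPrincipals().add(new GroupPrincipal("Roles", groups));

        // Roles added to the Subject directly, one principal per role.
        Subject flat = new Subject();
        flat.getPrincipals().add(new UserPrincipal("PARSEC\\freek"));
        flat.getPrincipals().addAll(groups);

        System.out.println("wrapped: " + visibleRoles(wrapped, roleClasses));
        System.out.println("flat:    " + visibleRoles(flat, roleClasses));
    }
}
```

In the wrapped case the user authenticates but carries no roles, so any role-constrained resource is denied.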
