JBoss AS 7.1.1Final - Digest authentication sending incorrect password
matthieus Nov 28, 2012 7:21 AMHi,
I am trying to use digest authentication for my webapp. BASIC is working fine but I can't make the DIGEST version work.
https://community.jboss.org/message/744521 seems to address exactly that, but the configuration described didn't work for me.
The error I get (standard incorrect password stacktrace), using Chrome or Firefox if that matters:
11:49:17,753 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--0.0.0.0-8080-3) Login failure: javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:270) [picketbox-4.0.7.Final.jar:4.0.7.Final] at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:155) [picketbox-4.0.7.Final.jar:4.0.7.Final] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_31] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_31] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_31] at java.lang.reflect.Method.invoke(Method.java:597) [rt.jar:1.6.0_31] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [rt.jar:1.6.0_31] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [rt.jar:1.6.0_31] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [rt.jar:1.6.0_31] at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_31] at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.6.0_31] at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [rt.jar:1.6.0_31] at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final] at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:367) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final] at org.apache.catalina.authenticator.DigestAuthenticator$DigestInfo.authenticate(DigestAuthenticator.java:697) [jbossweb-7.0.13.Final.jar:] at org.apache.catalina.authenticator.DigestAuthenticator.authenticate(DigestAuthenticator.java:270) [jbossweb-7.0.13.Final.jar:] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.13.Final.jar:] at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:] at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:] at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:] at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:] at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_31]
My last attempted configuration:
web.xml (security related content):
<security-constraint> <auth-constraint> <role-name>ROLE_USER</role-name> </auth-constraint> <web-resource-collection> <url-pattern>/*</url-pattern> </web-resource-collection> </security-constraint> <security-role> <role-name>ROLE_USER</role-name> </security-role> <security-role> <role-name>ROLE_ADMIN</role-name> </security-role> <login-config> <auth-method>DIGEST</auth-method> </login-config>
standalone.xml (security related content):
<!-- below is reminiscent from my tentative of using RealmDirect --> <security-realms> <security-realm name="ManagementRealm"> <authentication> <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" /> </authentication> </security-realm> <security-realm name="ApplicationRealm"> <authentication> <properties path="application-users.properties" relative-to="jboss.server.config.dir" /> </authentication> <authorization> <properties path="application-roles.properties" relative-to="jboss.server.config.dir" /> </authorization> </security-realm> </security-realms> (...) <security-domain name="other" cache-type="default"> <authentication> <login-module code="Remoting" flag="optional"> <module-option name="password-stacking" value="useFirstPass" /> </login-module> <login-module code="RealmUsersRoles" flag="required"> <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties" /> <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties" /> <module-option name="hashAlgorithm" value="MD5"/> <module-option name="hashEncoding" value="RFC2617"/> <module-option name="hashUserPassword" value="false"/> <module-option name="hashStorePassword" value="true"/> <module-option name="passwordIsA1Hash" value="true"/> <module-option name="realm" value="ApplicationRealm" /> <module-option name="password-stacking" value="useFirstPass" /> </login-module> </authentication> </security-domain>
I tried with and without jboss-web.xml to define the security-domain.
To define the users/password I used the utility add-user with the following trace:
+>add-user What type of user do you wish to add? a) Management User (mgmt-users.properties) b) Application User (application-users.properties) (a): b Enter the details of the new user to add. Realm (ApplicationRealm) : Username : dev Password : Re-enter Password : What roles do you want this user to belong to? (Please enter a comma separated list, or leave blank for none) : ROLE_USER About to add user 'dev' for realm 'ApplicationRealm' Is this correct yes/no? yes Added user 'dev' to file 'C:\jboss-7.1.1.final\standalone\configuration\application-users.properties' Added user 'dev' to file 'C:\jboss-7.1.1.final\domain\configuration\application-users.properties' Added user 'dev' with roles ROLE_USER to file 'C:\jboss-7.1.1.final\standalone\configuration\application-roles.properties' Added user 'dev' with roles ROLE_USER to file 'C:\jboss-7.1.1.final\domain\configuration\application-roles.properties' Press any key to continue . . .
1. First and main question, do you see anything wrong with the configuration above ?
2. Bonus question, is RealmDirect login module (from https://docs.jboss.org/author/display/AS71/Security+Realms) part of 7.1.1 or only 7.1.2 (which seems to be not released)?
Thanking you warmly by advance