10 Replies Latest reply on Feb 11, 2013 10:47 AM by chrisburrell

    JBoss 7.1 identity assertion

    tomek.f

      Hi.

       

I have to implement identity assertion in a web application. Basically the JBoss server will have a handshake with an Apache server, which will authenticate against Active Directory and thanks to that will assert authentication. The point is that the user will only log in to the system with login and password, and with that form-based authentication should be omitted. How can I try to do that? Could you send me any link to start reading? I cannot find any proper documentation about this issue.

       

      Regards,

      Tomek.

        • 1. Re: JBoss 7.1 identity assertion
          jfclere
          • 2. Re: JBoss 7.1 identity assertion
            akrestan

            Dear Jean-Frederic,

             

            what Tomasz, a colleague of mine, wrote above is about something different. I will try to explain and at the same time describe the current problems with Apache and JBoss 7.1 integration.

             

Integration between Apache HTTPD and JBoss 7.1 is achieved through configuration of AJP (Apache JServ Protocol) on both sides. This we can make work, but when it comes to setting up authentication and authorization and delegation of responsibilities between Apache and JBoss we have experienced big problems, mostly because of changes in JBoss 7 compared to earlier releases:

             

1) The AJP connector configuration used to have an attribute called tomcatAuthentication, like this:

             

             

            {code:xml}<connector name="ajp" protocol="AJP/1.3" scheme="ajp" socket-binding="ajp" tomcatAuthentication="false"/>{code}

             

This attribute is no longer supported in standalone.xml; there is actually a bug logged against this here, https://issues.jboss.org/browse/AS7-1581, which has not been answered yet.

             

I can circumvent the problem of the missing tomcatAuthentication switch by building a custom version of the "org.jboss.as.web" module from the sources and making JBoss use my modified "org.jboss.as.web". In particular, in the Ajp classes (AjpProtocol, AjpProcessor, AjpAprProtocol, AjpAprProcessor) I hardcoded the tomcatAuthentication flag to "false" (default is "true"). By doing this I can make JBoss accept the user identity established by Apache, instead of presenting the user with the application's form-based login screen. This is what I call "identity assertion". So far so good, but the story does not end here.

             

2) With the tomcatAuthentication flag artificially set to false, it is not possible to make use of the security-domain configuration, namely its authorization configuration. The reason here is that JBoss's class org.jboss.as.web.security.JBossWebRealm, which evaluates the user's role, delegates to the Tomcat class org.apache.catalina.realm.RealmBase. The RealmBase uses the following code:

             

             

{code}
public boolean hasRole(Principal principal, String role) {
    if ((principal == null) || (role == null) || !(principal instanceof GenericPrincipal)) {
        return false;
    }
    ...
}
{code}

             

             

The authorization evaluation will always yield false, since the Principal created from Apache's AJP13_FORWARD_REQUEST remote_user data is of class org.apache.catalina.connector.CoyotePrincipal, not the org.apache.catalina.realm.GenericPrincipal that is normally created during form-based authentication. But the story does not end here either.

             

3) It is possible to turn off Tomcat's authorization through a not very well documented feature in the jboss-web.xml DD:

             

             

            {code:xml}<use-jboss-authorization>true</use-jboss-authorization>{code}

             

This is probably meant for such a situation, but the problem here is that to do this the previous versions of JBoss used a configuration element called application-policy to configure an authorization manager/permission policy, and I was not able to find out whether such configuration is still supported in JBoss 7. Because of this missing configuration the authorization process ends up with an NPE.

             

             

             

We would sincerely appreciate it if someone could shed some light on this situation for us, as to me it looks as though not much attention was paid to these things in JBoss 7. I think others must have, or soon will have, similar problems too.

            Thanks.

             

            Regards

             

            Ales Krestan

            • 3. Re: JBoss 7.1 identity assertion
              jfclere

              You have to write a Valve to add this feature.

              • 4. Re: JBoss 7.1 identity assertion
                akrestan

                Hi, I am a bit doubtful about your suggestion. Could you please elaborate what it is you expect to be achieved through an implementation of Valve? I presume you are talking about org.apache.catalina.Valve.

                 

But the integration between Apache HTTPD, JBoss and LDAP with a separate configuration of an authorization provider is, as I see it, a rather common thing, and it used to be available in JBoss 6 and earlier versions. Are you suggesting that such a setup configuration is no longer supported in JBoss 7 and one is supposed to write custom implementations of Tomcat or JBoss interfaces?

                 

                Thanks

                 

                Regards

                 

                A.K.

                • 5. Re: JBoss 7.1 identity assertion

                  Ales,

                   

I have to solve something which seems similar, in the sense that I have a reverse proxy which does the authentication with a trust relationship with JBoss.

I can retrieve the identity in an HTTP header; for this I wrote a valve, but clearly I have to assert the identity to JBoss, and in the meantime JBoss must load the roles of this asserted id,

but there is no such API and all seems to be done in the login modules. So I succeeded in creating a GenericPrincipal and passing it to JBoss, but there is a big hole in the roles area.

We clearly need an assert on the Realm used.

Have you made some progress on your side?

                  thanks
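The approach Jean-Frederic points at in reply 3 and Yannick describes in reply 5 (a Valve that replaces the CoyotePrincipal with a GenericPrincipal carrying roles, so that RealmBase.hasRole() from reply 2 stops returning false) can be sketched as follows. This is an added example, not code from the thread, from JBoss or from Tomcat. It assumes the JBoss Web 7 org.apache.catalina API (ValveBase, connector Request/Response, request.setUserPrincipal()) and the GenericPrincipal(String name, String password, List<String> roles) constructor; the role map, the trusted proxy address and the "ASSERTED" auth-type label are constructed placeholders standing in for a real AD/LDAP lookup and deployment values.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.valves.ValveBase;

// Added example: turns the identity forwarded by Apache over AJP (remote_user, with
// tomcatAuthentication="false") into a GenericPrincipal with roles, so that
// RealmBase.hasRole() and the web.xml security-constraints can be evaluated.
public class AssertedIdentityValve extends ValveBase {

    // Only honour an asserted identity that arrived from the reverse proxy itself.
    // Constructed placeholder; set it via the valve attribute in jboss-web.xml.
    private String trustedProxyAddress = "127.0.0.1";

    // Constructed stand-in for the role source (an AD/LDAP lookup in a real deployment).
    private static final Map<String, List<String>> ROLES = new HashMap<String, List<String>>();
    static {
        ROLES.put("alice", Arrays.asList("user", "admin"));
        ROLES.put("bob", Collections.singletonList("user"));
    }

    public void setTrustedProxyAddress(String address) {
        this.trustedProxyAddress = address;
    }

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        String remoteUser = request.getRemoteUser();       // filled from the AJP remote_user attribute
        Principal current = request.getUserPrincipal();    // CoyotePrincipal when asserted by Apache

        if (remoteUser != null && !(current instanceof GenericPrincipal)) {
            if (!trustedProxyAddress.equals(request.getRemoteAddr())) {
                // Asserted by something other than the trusted proxy: discard the identity
                // so the normal authenticator (or a 403 from the constraint) applies.
                request.setUserPrincipal(null);
                request.setAuthType(null);
            } else {
                request.setUserPrincipal(buildPrincipal(remoteUser));
                request.setAuthType("ASSERTED");   // hypothetical label, not a Tomcat constant
            }
        }
        getNext().invoke(request, response);
    }

    // Wraps the asserted user name in the principal type RealmBase.hasRole() expects.
    static GenericPrincipal buildPrincipal(String userName) {
        List<String> roles = ROLES.get(userName);
        if (roles == null) {
            roles = Collections.emptyList();   // known to the proxy, but no roles on our side
        }
        return new GenericPrincipal(userName, null, roles);
    }
}
```

The valve has to run before the context's authenticator valve, since FormAuthenticator treats an already-present user principal as authenticated and never shows the login form. The address check matters because with tomcatAuthentication="false" the container trusts whatever remote_user the AJP peer sends; restricting the AJP listener to the proxy's address at the network level (or in the connector binding) is the usual complement to the check in the valve.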

                  • 6. Re: JBoss 7.1 identity assertion
                    js84

I can't believe that this issue/bug is still unresolved nearly 10 months after revealing it. We are using Apache2/mod_auth_kerb/mod_jk as an authenticating reverse proxy, passing the authenticated user via AJP to Tomcat or JBoss web containers as an approved standard SSO implementation. Because in mod_proxy the header size is not configurable, but we need to increase it to 16 kB for the Kerberos tokens in our AD environment, mod_jk/AJP is currently the only solution.

                    • 7. Re: JBoss 7.1 identity assertion
                      jfclere

                      ProxyIOBufferSize 16384

                      • 8. Re: JBoss 7.1 identity assertion
                        js84

Thank you for your information! I would never have tried to do this, because in the reference the following restriction is documented: "The size must be less or equal 8192" (as I remember, mod_jk.so had the same restriction up to a recent release).

                         

But I made a slight mismatch in my posting yesterday: I have to set tomcatAuthentication="false" for the AJP connector configuration of the web container, otherwise the web container will never be able to fetch the forwarded authenticated user by request.getRemoteUser().

                        • 9. Re: JBoss 7.1 identity assertion
                          akrestan

                          Hi Yannick,

                           

sorry for not responding earlier. We have resolved the issue, or I should better say another colleague of mine by the name of Radek Smejkal did, with a little assistance from me, by following Jean-Frederic's advice. We are now testing it. I am currently having difficulty finding enough time to describe the solution concisely for the benefit of everyone, but I will try to do it in the coming weeks.

                           

                          Regards.

                           

                          A.K.

                          • 10. Re: JBoss 7.1 identity assertion
                            chrisburrell

                            Hi Yannick

                             

                            Has there been any movement on this?

                             

                            Cheers

                            Chris