
JavaRanch » Java Forums » Products » JBoss/WildFly

Disabling basic authentication

Jinu Vijay

Joined: Sep 19, 2011
Posts: 17


I have a JBOSS AS 4.3 web service application that has basic authentication using the 'UsersRolesLoginModule' configured using login-config.xml, web.xml, jboss-web.xml, etc. All authentication works fine so far!

The new 'unique' requirement (almost a reversal of the original requirement!!!) is that this authentication needs to be flag-based! This is because the client may be delayed in getting the changes ready to invoke with username/password. Until then, we want the new changes to be deployed and "some configuration" on the server to switch OFF the authentication until the client is ready. When the client is ready, we switch the configuration ON. The idea is NOT to change the application ear!

In short, I would pass a null username and password, and it should go through. Tried the following ...

1. Setting the 'unauthenticatedIdentity' property -- but it doesn't work!
2. Tried a custom login module -- it doesn't get invoked when username and password are null!
3. Removing realm info from login-config.xml -- goes hunting for the defaultSecurityAuthentication i.e.

Interesting problem, and would like to know different views...

Jaikiran Pai

Joined: Jul 20, 2005
Posts: 9953

That's a weird and potentially problematic requirement in terms of security. But if that's what you want, then take a look at this Security on JBoss chapter and pay special attention to section 8.4.4 which explains the possible values of "flag" attribute on a login module within a login module stack. I think you might be able to come up with something by properly setting up the login module stack and the flag attribute on them.

[My Blog] [JavaRanch Journal]
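As an added illustration (not code from the thread, from Jaikiran's post or from JBoss itself), the script below models how a JAAS login-module stack combines its modules according to the flag attribute that section 8.4.4 describes: required, requisite, sufficient and optional. The users.properties content, the domain layout and the "allow-all" module are constructed for the demo; the real UsersRolesLoginModule is only mimicked, not called. It shows the poster's current single required module beside a flag-only arrangement in which a null username/password still yields an overall login success at the JAAS stage. Note the caveat, which applies regardless of the stack: for BASIC auth the container's authenticator must first see an Authorization header, so a request with no credentials at all never reaches these modules.

```python
"""Added example (not from the thread): models how JBoss AS 4 / JAAS combines the
login modules of one application-policy according to their flag attribute.
The properties content, the module names and the toggle are constructed for the demo."""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the props/ws-users.properties file (user=password).
USERS_PROPERTIES = """\
# users.properties (constructed for the demo)
alice=s3cret
bob=hunter2
"""

Credentials = Tuple[Optional[str], Optional[str]]
LoginModule = Callable[[Credentials], bool]


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value reader for the files UsersRolesLoginModule consumes."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries[key.strip()] = value.strip()
    return entries


def users_roles_login_module(creds: Credentials) -> bool:
    """Mimics UsersRolesLoginModule: succeeds only on a matching user/password."""
    username, password = creds
    if username is None or password is None:
        return False
    return parse_properties(USERS_PROPERTIES).get(username) == password


def allow_all_login_module(creds: Credentials) -> bool:
    """Hypothetical permissive module (assumption: not a real JBoss class)."""
    return True


def evaluate_stack(stack: List[Tuple[str, LoginModule]], creds: Credentials) -> bool:
    """Combine modules the way the JAAS LoginContext does:
    required  - must succeed, but the rest of the stack still runs
    requisite - must succeed; a failure aborts the stack immediately
    sufficient- a success ends the stack early unless an earlier
                required/requisite module has already failed
    optional  - only decisive when no required/requisite module exists
    """
    mandatory_seen = False
    mandatory_failed = False
    non_mandatory_ok = False
    for flag, login in stack:
        ok = login(creds)
        if flag == "requisite":
            mandatory_seen = True
            if not ok:
                return False
        elif flag == "required":
            mandatory_seen = True
            mandatory_failed = mandatory_failed or not ok
        elif flag == "sufficient":
            if ok and not mandatory_failed:
                return True
            non_mandatory_ok = non_mandatory_ok or ok
        elif flag == "optional":
            non_mandatory_ok = non_mandatory_ok or ok
        else:
            raise ValueError("unknown flag %r" % flag)
    if mandatory_seen:
        return not mandatory_failed
    return non_mandatory_ok


# The poster's current setup: a single required UsersRolesLoginModule.
AUTH_ON: List[Tuple[str, LoginModule]] = [("required", users_roles_login_module)]

# A flag-only "switched off" arrangement: real module demoted to sufficient,
# followed by a permissive module; with no mandatory module the optional
# success decides the outcome.
AUTH_OFF: List[Tuple[str, LoginModule]] = [
    ("sufficient", users_roles_login_module),
    ("optional", allow_all_login_module),
]


def login(auth_enabled: bool, creds: Credentials) -> bool:
    """Server-side toggle (assumed): choose the stack by a configuration flag."""
    return evaluate_stack(AUTH_ON if auth_enabled else AUTH_OFF, creds)


if __name__ == "__main__":
    for enabled in (True, False):
        for creds in (("alice", "s3cret"), ("alice", "wrong"), (None, None)):
            print("auth_enabled=%-5s creds=%-20s -> %s" % (enabled, creds, login(enabled, creds)))
```

The point of the two stacks is that the flag semantics alone decide whether a failing (or never-matching) UsersRolesLoginModule sinks the whole login: under a required flag it always does, under sufficient it merely passes the decision down the stack.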
Jinu Vijay

Joined: Sep 19, 2011
Posts: 17

Hi Jaikiran

Appreciate your reply! True, it's weird, but also a challenge ;-)

I had seen the flag that you suggested, but inevitably that is useful if you have multiple login modules for a fall-through mechanism.

I investigated further to find the root cause, and realised that the Apache server rejects the request before it is evaluated by the JBoss security realm.

Apache logs:
2013-11-05 10:22:54,778 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
2013-11-05 10:22:54,779 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test

Method: public boolean authenticate(Request request, Response response, LoginConfig config)


Since this authorization is null (when no username or password is provided), it sends back an unauthorized result.


At least a new learning ...
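As an added illustration of the behaviour found above (not code from the thread or from Tomcat/JBoss Web), the script below reproduces the decision that the BASIC authenticator takes before the realm is consulted: with no Authorization header, or with one it cannot parse, the response is a 401 challenge and the realm (and so every login module behind it) never sees any username or password at all. Only a syntactically valid Basic header gets as far as the realm, even one carrying empty strings. The realm name and the sample headers are constructed for the demo; the Basic parsing rules (scheme, base64, split at the first colon, missing colon means no password) are those of the HTTP Basic scheme.

```python
"""Added example (not from the thread): the header-stage decision that a
BASIC authenticator makes before handing credentials to the security realm.
Realm name and sample requests are constructed for the demo."""
import base64
import binascii
from typing import Dict, Optional, Tuple

REALM = "ws-realm"  # assumed; normally comes from <realm-name> in web.xml

# Result: ("challenge", None) when the container answers 401 itself,
#         ("realm", (username, password)) when the realm gets to decide.
Outcome = Tuple[str, Optional[Tuple[str, Optional[str]]]]


def challenge_header() -> str:
    """Value of the WWW-Authenticate header sent with the 401 response."""
    return 'Basic realm="%s"' % REALM


def basic_header(username: str, password: str) -> str:
    """Build the Authorization header a client would send."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def authenticate(headers: Dict[str, str]) -> Outcome:
    """Mirror the authenticate() test in the authenticator.

    A request without an Authorization header fails the test at once
    (the 'Failed authenticate() test' line in the debug log): nothing is
    passed to the realm, so no login module can observe a null user/password.
    """
    authorization = next(
        (value for name, value in headers.items() if name.lower() == "authorization"),
        None,
    )
    if authorization is None:
        return ("challenge", None)
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return ("challenge", None)          # other scheme, or empty token
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return ("challenge", None)          # not valid base64 / not UTF-8
    username, sep, password = decoded.partition(":")
    if not sep:
        # No colon: whole token is the username, password is absent.
        return ("realm", (username, None))
    # Empty username and password still reach the realm as empty strings.
    return ("realm", (username, password))


if __name__ == "__main__":
    samples = {
        "no header":        {},
        "valid basic":      {"Authorization": basic_header("alice", "s3cret")},
        "empty user/pass":  {"Authorization": basic_header("", "")},
        "other scheme":     {"Authorization": "Bearer abc"},
        "garbage token":    {"Authorization": "Basic !!!"},
    }
    for label, headers in samples.items():
        stage, creds = authenticate(headers)
        extra = challenge_header() if stage == "challenge" else creds
        print("%-16s -> %-9s %s" % (label, stage, extra))
```

In the poster's situation this is why the custom login module is never invoked and unauthenticatedIdentity never applies: both live behind the realm, and the request is turned away one step earlier.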
