JavaRanch » Java Forums » Products » JBoss/WildFly

Disabling basic authentication

Jinu Vijay

Joined: Sep 19, 2011
Posts: 20


I have a JBoss AS 4.3 web service application that has basic authentication using the 'UsersRolesLoginModule', configured in login-config.xml, web.xml, jboss-web.xml, etc. All authentication works fine till now!

The new 'unique' requirement (almost a reversal of the original requirement!!!) is that this authentication needs to be flag-based! This is because the client may be delayed in getting the changes ready to invoke with username/password. Until then, we want the new changes to be deployed and "some configuration" on the server to switch OFF the authentication until the client is ready. When the client is ready, we switch the configuration ON. The idea is NOT to change the application ear!

In short, I would pass a null username and password, and it should go through. I tried the following ...

1. Setting the 'unauthenticatedIdentity' property -- but it doesn't work!
2. Tried a custom login module -- it doesn't get invoked when username and password are null!
3. Removing realm info from login-config.xml -- it goes hunting for the defaultSecurityAuthentication i.e.

Interesting problem, and would like to know different views...

Jaikiran Pai

Joined: Jul 20, 2005
Posts: 10441

That's a weird and potentially problematic requirement in terms of security. But if that's what you want, then take a look at this Security on JBoss chapter and pay special attention to section 8.4.4 which explains the possible values of "flag" attribute on a login module within a login module stack. I think you might be able to come up with something by properly setting up the login module stack and the flag attribute on them.

[My Blog] [JavaRanch Journal]
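As an added illustration of the login module stack and `flag` attribute that the reply above points to (this is not configuration from the original post or from the JBoss documentation; the security domain name, the property file paths and the choice of a second module are assumptions), here is the shape of a JBoss AS 4.x `login-config.xml` application policy with two modules. The four JAAS flag values are `required`, `requisite`, `sufficient` and `optional`. As the later post in this thread reports, a request carrying no Authorization header is rejected by the web container's authenticator before any module in such a stack runs, so the stack by itself does not cover the "null username and password" case.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <!-- Hypothetical security domain; jboss-web.xml would reference it as java:/jaas/ws-domain -->
  <application-policy name="ws-domain">
    <authentication>
      <!-- sufficient: a successful login here ends the stack with success
           (unless an earlier required/requisite module already failed);
           a failure here falls through to the next module -->
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="sufficient">
        <module-option name="usersProperties">props/ws-users.properties</module-option>
        <module-option name="rolesProperties">props/ws-roles.properties</module-option>
      </login-module>
      <!-- required:  must succeed for the stack to succeed, but later modules still run if it fails.
           requisite: must succeed, and a failure stops the stack immediately.
           optional:  its result only matters when no other module has decided.
           This second module (assumed to be available in the JBossSX of this version) only
           shows the fall-through slot; the unauthenticatedIdentity value is an assumption. -->
      <login-module code="org.jboss.security.auth.spi.AnonLoginModule" flag="required">
        <module-option name="unauthenticatedIdentity">anonymous</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
```

The practical check before relying on any such stack: send a request with no Authorization header and watch whether the login modules log anything at all; if the container answers 401 first, the stack never saw the request.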
Jinu Vijay

Joined: Sep 19, 2011
Posts: 20

Hi Jaikiran

Appreciate your reply! True, it's weird, but also a challenge ;-)

I had seen the flag that you suggested, but that is useful only if you have multiple login modules for a fall-through mechanism.

I investigated further to find the root cause, and realized that the Apache server rejects the request before it is evaluated by the JBoss security realm.

Apache logs:
2013-11-05 10:22:54,778 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
2013-11-05 10:22:54,779 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test

Method: public boolean authenticate(Request request, Response response, LoginConfig config)


Since this authorization is null (when no username and password are provided), it sends back an unauthorized result.


At least a new learning ...
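The finding in the post above, worked through as an added example that is not code from the thread or from Tomcat/JBoss: a stand-alone model of the first decision an HTTP Basic authenticator makes, before any realm or login module is consulted. A client that "passes null username and password" sends no Authorization header at all, so the only possible response is a 401 challenge and the login-config.xml stack never runs. The realm name, host and account in the sample requests are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Models the header check an HTTP Basic authenticator performs before handing
 * anything to the realm. Added example; not the container's own code.
 */
public final class BasicAuthGate {

    /** Outcome of the header check: parsed credentials, or a 401 challenge. */
    public static final class Outcome {
        public final int status;        // 200 if credentials were extracted, 401 otherwise
        public final String username;   // null when challenged
        public final String password;   // null when challenged
        public final String challenge;  // WWW-Authenticate header value when status == 401

        private Outcome(int status, String username, String password, String challenge) {
            this.status = status;
            this.username = username;
            this.password = password;
            this.challenge = challenge;
        }

        static Outcome challenge(String realm) {
            return new Outcome(401, null, null, "Basic realm=\"" + realm + "\"");
        }

        static Outcome credentials(String user, String pass) {
            return new Outcome(200, user, pass, null);
        }
    }

    /** Examine the request headers the way the container does, before the realm sees anything. */
    public static Outcome check(Map<String, String> headers, String realm) {
        String auth = headers.get("Authorization");
        if (auth == null) {
            // No header at all: the request is rejected here and no login module runs.
            return Outcome.challenge(realm);
        }
        if (!auth.regionMatches(true, 0, "Basic ", 0, 6)) {
            return Outcome.challenge(realm); // some other scheme (Digest, Bearer, ...)
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(auth.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return Outcome.challenge(realm); // malformed base64
        }
        String pair = new String(decoded, StandardCharsets.ISO_8859_1);
        int colon = pair.indexOf(':');
        if (colon < 0) {
            return Outcome.challenge(realm); // "user:password" shape required
        }
        // Only at this point would the container pass username/password to the realm,
        // i.e. to the login module stack configured in login-config.xml.
        return Outcome.credentials(pair.substring(0, colon), pair.substring(colon + 1));
    }

    /** Build the header value a client sends when it does supply credentials. */
    public static String basicHeader(String user, String pass) {
        String pair = user + ":" + pass;
        return "Basic " + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.ISO_8859_1));
    }

    public static void main(String[] args) {
        // Constructed sample requests; not traffic captured from the poster's system.
        Map<String, String> noCredentials = new HashMap<>();
        noCredentials.put("Host", "ws.example.test");   // hypothetical host

        Map<String, String> withCredentials = new HashMap<>(noCredentials);
        withCredentials.put("Authorization", basicHeader("wsclient", "s3cret")); // hypothetical account

        String realm = "WebServiceRealm";                // realm name is an assumption
        Outcome a = check(noCredentials, realm);
        System.out.println(a.status + " " + a.challenge);

        Outcome b = check(withCredentials, realm);
        System.out.println(b.status + " user=" + b.username);
    }
}
```

The request without the header is answered with a 401 and a WWW-Authenticate challenge without any credentials ever being extracted; only the request that carries a well-formed Basic header reaches the point where a realm would be asked to authenticate, which is why neither unauthenticatedIdentity nor a custom login module was ever consulted in the poster's tests.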
