JavaRanch » Java Forums » Products » JBoss/WildFly
Disabling basic authentication

Jinu Vijay
Greenhorn

Joined: Sep 19, 2011
Posts: 20

Hello!

I have a JBOSS AS 4.3 web service application that has basic authentication using the 'UsersRolesLoginModule' configured using login-config.xml, web.xml, jboss-web.xml, user.properties etc. All authentication works fine till now!

The new 'unique' requirement (almost a reversal of the original requirement!!!) is that this authentication needs to be flag-based! This is because the client may be delayed in getting the changes ready to invoke with username/password. Until then, we want the new changes to be deployed and "some configuration" on the server to switch OFF the authentication until the client is ready. When the client is ready, we switch the configuration ON. The idea is NOT to change the application ear!

In short, I would pass a null username and password, and it should go through. Tried the following ...

1. Setting 'unauthenticatedIdentity' property -- but it doesn't work!
2. Tried custom login module -- it doesn't get invoked when username and password are null!
3. Removing realm info from login-config.xml -- goes hunting for the defaultSecurityAuthentication i.e. defaultuser.properties

Interesting problem, and would like to know different views...

Regards
Jinu
Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 10210

That's a weird and potentially problematic requirement in terms of security. But if that's what you want, then take a look at this Security on JBoss chapter http://docs.jboss.org/jbossas/jboss4guide/r1/html/ch8.chapter.html and pay special attention to section 8.4.4, which explains the possible values of the "flag" attribute on a login module within a login module stack. I think you might be able to come up with something by properly setting up the login module stack and the flag attribute on them.

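The "flag" attribute in login-config.xml maps onto the standard JAAS control flags (required, requisite, sufficient, optional), and the stack is evaluated by LoginContext itself. The following is an added example, not code from this thread or from JBoss: it builds an in-memory stack around a hypothetical FixedOutcomeModule (the class names LoginStackFlagDemo and FixedOutcomeModule and the "outcome" option are assumptions) and shows how the flag changes the outcome only once there is more than one module in the stack.

```java
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class LoginStackFlagDemo {
    /** Hypothetical module: accepts or rejects according to its "outcome" option; it checks no real credentials. */
    public static class FixedOutcomeModule implements LoginModule {
        private boolean pass;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            pass = "pass".equals(opts.get("outcome"));
        }
        public boolean login() throws LoginException {
            if (!pass) throw new FailedLoginException("module configured to reject");
            return true;
        }
        public boolean commit() { return pass; }
        public boolean abort()  { return true; }
        public boolean logout() { return true; }
    }
    /** One stack entry for the module above, with the control flag JBoss exposes as the "flag" attribute. */
    static AppConfigurationEntry entry(LoginModuleControlFlag flag, String outcome) {
        return new AppConfigurationEntry(FixedOutcomeModule.class.getName(), flag,
                Collections.singletonMap("outcome", outcome));
    }
    /** Runs LoginContext.login() against an in-memory stack; true if JAAS accepted the login. */
    static boolean stackAccepts(final AppConfigurationEntry... entries) {
        Configuration cfg = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return entries; }
        };
        try {
            new LoginContext("demo", null, null, cfg).login();
            return true;
        } catch (LoginException e) {
            return false;
        }
    }
    public static void main(String[] args) {
        LoginModuleControlFlag req = LoginModuleControlFlag.REQUIRED, suf = LoginModuleControlFlag.SUFFICIENT;
        // One required module that rejects: the whole stack rejects, whatever flag it carries.
        System.out.println("required/fail                  -> " + stackAccepts(entry(req, "fail")));
        // A passing sufficient module placed first ends evaluation; the later required failure never runs.
        System.out.println("sufficient/pass, required/fail -> " + stackAccepts(entry(suf, "pass"), entry(req, "fail")));
        // Order matters: a required failure recorded before the sufficient success still rejects the stack.
        System.out.println("required/fail, sufficient/pass -> " + stackAccepts(entry(req, "fail"), entry(suf, "pass")));
    }
}
```

Because the stack is passed straight to LoginContext, the output reflects the real JAAS evaluation rules rather than a simulation of them; note that the servlet container's authenticator still runs before any of this, so a missing Authorization header never reaches the stack.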
Jinu Vijay
Greenhorn

Joined: Sep 19, 2011
Posts: 20

Hi Jaikiran

Appreciate your reply! True, it's weird, but also a challenge ;-)

I had seen the flag that you suggested but inevitably that is useful if you have multiple login modules for a fall through mechanism.

I investigated further to find the root cause, and realize that the apache server rejects the request before it is evaluated by the jboss security realm.

Apache logs:
2013-11-05 10:22:54,778 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
2013-11-05 10:22:54,779 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test


Class: org.apache.catalina.authenticator.BasicAuthenticator.java
Method: public boolean authenticate(Request request, Response response, LoginConfig config)
...

...

Since this authorization is null (when no username and password is provided), it sends back an unauthorized result.

References:
http://www.docjar.com/html/api/org/apache/catalina/authenticator/AuthenticatorBase.java.html
http://www.docjar.com/html/api/org/apache/catalina/authenticator/BasicAuthenticator.java.html

At least a new learning ...

Thanks!
Jinu