I am altering an existing Java EE 7 web application to use the standard Java EE security domain mechanism to authenticate against Active Directory. I began by creating a simple proof of concept web app to test things out and to get the Wildfly config working, then I applied the changes to the main app. I'm now in the situation where the test app works but the main app does not.
How do I get the main app to work with the security domain properly? How can I diagnose this issue? What can interfere with the security process?
Here is my realm and domain config in standalone.xml:
<security-realms>
    <!-- Default realms omitted -->
    <!-- Management realm that authenticates users against AD over LDAP -->
    <security-realm name="ActiveDirectoryRealm">
        <authentication>
            <!-- Users are searched for below base-dn; the login name is matched on sAMAccountName,
                 then the supplied password is verified by binding as the entry that was found -->
            <ldap connection="MyAD" base-dn="OU=Test Users,OU=AU,DC=company,DC=int">
                <username-filter attribute="sAMAccountName"/>
            </ldap>
        </authentication>
    </security-realm>
</security-realms>
<outbound-connections>
    <!-- Service account used for the directory search. Note the plain ldap:// URL:
         the search bind and the user's password travel unencrypted unless ldaps:// is used -->
    <ldap name="MyAD" url="ldap://company.int" search-dn="CN=Wildfly AS,OU=Service Accounts,OU=AU,DC=company,DC=int" search-credential="xxx"/>
</outbound-connections>
<!-- Skip many lines -->
<security-domain name="active-directory" cache-type="default">
    <authentication>
        <!-- Reuses an identity already established on a remoting (EJB) connection, if there is one -->
        <login-module code="Remoting" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <!-- Delegates the actual username/password check to the management realm above -->
        <login-module code="RealmDirect" flag="sufficient">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="realm" value="ActiveDirectoryRealm"/>
        </login-module>
    </authentication>
</security-domain>
And here is my jboss-web.xml file (same in both apps):
<jboss-web>
    <!-- Binds the web app to the security domain defined in standalone.xml -->
    <security-domain>active-directory</security-domain>
</jboss-web>
And finally the security bits of web.xml (same in both apps except the URL patterns constrained):
<!-- No auth-constraint here: everything under these paths is served without authentication.
     The longer path-prefix match wins over /*, so these stay public -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Unauthenticated Resources</web-resource-name>
        <url-pattern>/css/*</url-pattern>
        <url-pattern>/font/*</url-pattern>
        <url-pattern>/images/*</url-pattern>
        <url-pattern>/js/*</url-pattern>
        <url-pattern>/lib/*</url-pattern>
        <url-pattern>/partials/*</url-pattern>
    </web-resource-collection>
</security-constraint>
<!-- Everything else requires a logged-in user; "*" is the spec shorthand for all roles declared under security-role -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>All Resources</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>
<!-- FORM auth: the container expects the login page to POST fields named exactly
     j_username and j_password to j_security_check; on failure it redirects to form-error-page -->
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>My Realm</realm-name>
    <form-login-config>
        <form-login-page>/Login.html</form-login-page>
        <form-error-page>/NoAccess.html</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <role-name>*</role-name>
</security-role>
Some facts about the apps:
The test app works perfectly, but the main app always fails to log in (I get redirected to form-error-page). I turned TRACE logging on for org.jboss.security, but all I get when I try to log in is this:
2015-07-22 13:36:54,903 TRACE [org.jboss.security] (default task-1) PBOX000354: Setting security roles ThreadLocal: null
For extra strangeness points, I can set the security domain value in jboss-web.xml to either active-directory or java:/jaas/active-directory and both work; however, using the prefix in the main app causes it to fail to start. I know the prefix is no longer supported in Wildfly 8, but I'm not sure why the behaviour is different between the two apps.
Thanks in advance for any help and suggestions, it's all greatly appreciated!
Well, this is embarrassing... it turns out the problem was in my login form. I thought they were the same between the two apps but the main app had a leading space in the names of the input fields.
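As an added illustration of the root cause (this is not from the original post): the Servlet FORM mechanism only recognises inputs named exactly j_username and j_password submitted to j_security_check, so a stray leading space in a field name means the container never receives the credentials and simply sends the browser to form-error-page, which is why nothing useful shows up in the org.jboss.security trace. The Python below checks a login page for exactly those names and shows the URL-encoded body a browser would actually send; the two sample forms are constructed for the example and are not the author's files.

```python
"""Check a Java EE FORM-login page for the field names the container expects.

The Servlet spec requires a FORM login page to POST to j_security_check with
inputs named exactly j_username and j_password. Anything else, such as a
leading space in the name, means the container never sees the credentials.
"""
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample pages modelled on the situation in the post (not the author's files).
GOOD_FORM = """
<form method="post" action="j_security_check">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
  <button type="submit">Log in</button>
</form>
"""

BAD_FORM = """
<form method="post" action="j_security_check">
  <input type="text" name=" j_username">
  <input type="password" name=" j_password">
  <button type="submit">Log in</button>
</form>
"""

REQUIRED_FIELDS = {"j_username": "text", "j_password": "password"}


class _FormScanner(HTMLParser):
    """Collects form method/action pairs and input names exactly as written in the markup."""

    def __init__(self):
        super().__init__()
        self.forms = []   # list of (method, action)
        self.inputs = []  # list of (name, type)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append(((a.get("method") or "get").lower(), a.get("action") or ""))
        elif tag == "input":
            self.inputs.append((a.get("name"), (a.get("type") or "text").lower()))


def check_login_form(html):
    """Return a list of problems; an empty list means the form is wired correctly."""
    scanner = _FormScanner()
    scanner.feed(html)
    problems = []

    if not any(method == "post" and action.endswith("j_security_check")
               for method, action in scanner.forms):
        problems.append("no form POSTs to j_security_check")

    names = {name for name, _ in scanner.inputs if name is not None}
    for required in REQUIRED_FIELDS:
        if required in names:
            continue
        # Look for a near miss: the right name once surrounding whitespace is removed.
        near = [n for n in names if n.strip() == required]
        if near:
            problems.append("field %r should be named %r (stray whitespace)" % (near[0], required))
        else:
            problems.append("missing input named %r" % required)

    for name, typ in scanner.inputs:
        if name == "j_password" and typ != "password":
            problems.append("j_password input should have type=password, not %r" % typ)
    return problems


def post_body(html, username, password):
    """The application/x-www-form-urlencoded body a browser would submit for this form.

    Field names go on the wire verbatim, so ' j_username' is sent as '+j_username',
    which the container does not recognise as the login field.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    values = {"j_username": username, "j_password": password}
    pairs = [(name, values.get(name.strip(), "")) for name, _ in scanner.inputs if name]
    return urlencode(pairs)


if __name__ == "__main__":
    for label, form in (("good", GOOD_FORM), ("bad", BAD_FORM)):
        print(label, check_login_form(form) or "OK")
        print("   body:", post_body(form, "alice", "s3cret"))
```

Running the check against the real Login.html of each deployment is a quick way to rule the form out before touching the security domain; the post body shows why the server side stays silent, since from the container's point of view the request simply carries no j_username at all.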