Current setup of application is JSF with JBoss server. I would like to include additional logic along to existing realm authetication which navigates to login failed page. Looking for something that invalidate successful pricinpal from Realm(java).
Scenario: User typed correct password and login but there are certain condition which does not allow him to login.
Configurations:
standalone.xml
<security-domain name="login">
<authentication>
<login-module code="Database" flag="sufficient">
<module-option name="dsJndiName" value="java:/datasource"/>
<module-option name="principalsQuery" value="query"/>
<module-option name="rolesQuery" value="query"/>
<module-option name="hashAlgorithm" value="???"/>
<module-option name="hashEncoding" value="???"/>
<module-option name="principalClass" value="org.jboss.security.SimplePrincipal"/>
</login-module>
</authentication>
</security-domain>
jboss-web.xml
<jboss-web>
<security-domain>login</security-domain>
</jboss-web>
faces-config.xml
<login-config>
<auth-method>FORM</auth-method>
<realm-name>ApplicationRealm</realm-name>
<form-login-config>
<form-login-page>login.html</form-login-page>
<form-error-page>login-error.html</form-error-page>
</form-login-config>
</login-config>
I had few ideas which I don't see very easy despite an easy change.
Thank you
If your additional checks involve a database query in the same database as that accessible through java:/datasource then maybe all you need is a more sophisticated query for the principalsQuery.
Alternatively, you could implement a servlet filter which executes the additional logic. If the test fails and the user should not be provided access then you call HttpServletRequest.logout() and then redirect to the login-error.html page.
However, it may be more elegant to do this by modifying your security-domain configuration and adding a second login module that contains your additional logic:
<security-domain name="login">
<authentication>
<login-module code="Database"
flag="required">
<module-option name="dsJndiName" value="java:/datasource"/>
<module-option name="principalsQuery" value="query"/>
<module-option name="rolesQuery" value="query"/>
<module-option name="hashAlgorithm" value="???"/>
<module-option name="hashEncoding" value="???"/>
<module-option name="principalClass" value="org.jboss.security.SimplePrincipal"/>
</login-module>
<login-module code="com.yourorg.yourapp.ExtendedLoginCheck"
flag="required"
module="name-of-wildfly-module-containing-ExtendedLoginCheck">
<module-option name="your module option" value="your module option value" />
...
</login-module>
</authentication>
</security-domain>
where com.yourorg.yourapp.ExtendedLoginCheck implements javax.security.auth.spi.LoginModule. Note the login-module flag attribute value has changed to required. These modules get executed one after the other and both must succeed for the authentication attempt to succeed.