fixed group and role assignment on subject principal for login module #397
Review comment on the new `GroupPrincipal` class (`waffle.jaas.GroupPrincipal`), fragment shown in the review:

```java
 *
 * @author rockchip[dot]tv[at]gmail[dot]com
 */
public class GroupPrincipal extends UserPrincipal implements Group {
```
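Review bot: with `GroupPrincipal extends UserPrincipal`, a lookup such as `subject.getPrincipals(UserPrincipal.class)` returns the roles group as well as the authenticated user, so any caller that picks "the" user principal by type can end up with the group instead. Either give `UserPrincipal` and `GroupPrincipal` a common base class and keep them as siblings, or document that type-based lookups must filter out instances of `Group`.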
Are you sure we want it to extend UserPrincipal and not create Principal with user and group extending that?
I used the jboss implementation of their SimpleGroup which extends SimplePrincipal as a blueprint.
https://github.com/picketbox/picketbox/blob/master/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/SimpleGroup.java
Looks pretty good. Needs an entry in https://github.com/dblock/waffle/blob/master/CHANGELOG.md and tests around the changes in WindowsLoginModule I think.

My bad, updated the changelog on your repo, not my fork. Reject the commit, I'll do it on my end. For the tests, I don't think I need to add anything as you already cover the main subject principal.

You're doing fine, just keep adding the commits to this PR.
> For the tests, I don't think I need to add anything as you already cover the main subject principal.

I'd definitely try to write a test that makes sure the group list made it into the set, this part "create the group principal and add roles as members of the group".
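The kind of check asked for above, as an added illustration rather than waffle's own code or test suite: a login module publishes the roles as members of one Group principal on the Subject, and the test walks the Subject's principal set to confirm the group and every member actually arrived. The class names `NamedPrincipal`, `GroupExample` and `SubjectGroupCheck` are placeholders standing in for waffle's `UserPrincipal`/`RolePrincipal`/`GroupPrincipal`, and the group name "Roles" is assumed (it is the JBoss convention, not something this PR states). One caveat for anyone copying the pattern: `java.security.acl.Group` was deprecated in JDK 9 and removed in JDK 14, so code written against it only builds on older JDKs.

```java
// Added example, not part of the PR: verify that roles published as members of a
// Group principal are actually present on the Subject after login.
// Caveat: java.security.acl.Group is deprecated in JDK 9 and removed in JDK 14.
import java.security.Principal;
import java.security.acl.Group;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.security.auth.Subject;

public class SubjectGroupCheck {

    /** Minimal named principal, used here for both the user and each role (placeholder class). */
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof NamedPrincipal && name.equals(((NamedPrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** Group principal in the SimpleGroup style referenced in the review (placeholder class). */
    static final class GroupExample implements Group {
        private final String name;
        private final Set<Principal> members = new LinkedHashSet<>();
        GroupExample(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean addMember(Principal p) { return members.add(p); }
        @Override public boolean removeMember(Principal p) { return members.remove(p); }
        @Override public boolean isMember(Principal p) { return members.contains(p); }
        @Override public Enumeration<? extends Principal> members() {
            return Collections.enumeration(members);
        }
    }

    /** What a login module's commit() does: add the user, then one "Roles" group holding each role. */
    static Subject buildSubject(String user, String... roles) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new NamedPrincipal(user));
        GroupExample rolesGroup = new GroupExample("Roles"); // group name assumed
        for (String r : roles) {
            rolesGroup.addMember(new NamedPrincipal(r));
        }
        subject.getPrincipals().add(rolesGroup);
        return subject;
    }

    /** Names of the members of the group called groupName; empty if no such group is on the Subject. */
    static Set<String> rolesIn(Subject subject, String groupName) {
        Set<String> names = new LinkedHashSet<>();
        for (Group g : subject.getPrincipals(Group.class)) {
            if (!groupName.equals(g.getName())) {
                continue;
            }
            for (Enumeration<? extends Principal> e = g.members(); e.hasMoreElements();) {
                names.add(e.nextElement().getName());
            }
        }
        return names;
    }

    public static void main(String[] args) {
        // Constructed sample identity: one user, two roles in fqn form.
        Subject s = buildSubject("DOMAIN\\alice", "Everyone", "DOMAIN\\Domain Users");
        Set<String> roles = rolesIn(s, "Roles");
        if (!roles.contains("Everyone") || !roles.contains("DOMAIN\\Domain Users")) {
            throw new AssertionError("roles did not make it into the Subject: " + roles);
        }
        if (!rolesIn(s, "NoSuchGroup").isEmpty()) {
            throw new AssertionError("unexpected members for a group that was never added");
        }
        System.out.println("group members present on Subject: " + roles);
    }
}
```

The `rolesIn` helper is the piece worth keeping in a real test: it asserts on the Subject's principal set rather than on the login module's internal state, which is the only thing a container's `isUserInRole` check ever sees.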
@hazendaz this looks good to me, all yours to merge

OK - looks good. This improves things and still does what it used to so all on the up and up. @xystra Are you able to build and run with this or do you need us to push a release? I've been having some machine problems so not sure how quickly I can turn around a release but if needed I can prioritize getting this pushed out as quickly as I can.

I've already built the waffle-jna project and I am using it successfully (1.8.2-SNAPSHOT) with the NegotiateSecurityFilter on WildFly 8 and 10 so there is no rush needed. I'll update to 1.8.2 when it officially gets released.

Awesome! Thanks. If there is anything special with getting this working on WildFly, would love to have some FAQ submitted to help others get going. Even more, if there is any way you can tightly integrate that would be awesome. I tried before but know too little about WildFly to create any integration modules like we have for other containers.
Not sure how relevant my setup is but it's pretty straightforward. In standalone.xml, add a security domain as follows, change the

```xml
<subsystem xmlns="urn:jboss:domain:security:1.2">
  <security-domains>
    <security-domain name="MySecurityDomain" cache-type="default">
      <authentication>
        <login-module code="waffle.jaas.WindowsLoginModule" flag="required">
          <module-option name="debug" value="true"/>
          <module-option name="principalFormat" value="fqn"/>
          <module-option name="roleFormat" value="fqn"/>
        </login-module>
      </authentication>
    </security-domain>
    ...
```

In the jboss-web.xml add a

```xml
<jboss-web>
  ...
  <security-domain>MySecurityDomain</security-domain>
</jboss-web>
```

In the web.xml add the appropriate security filter, configure the base roles for access to the secured content, and set the realm name to the security domain

```xml
<filter>
  <filter-name>SecurityFilter</filter-name>
  <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
  <init-param>
    <param-name>authProvider</param-name>
    <param-value>waffle.windows.auth.impl.WindowsAuthProviderImpl</param-value>
  </init-param>
  <init-param>
    <param-name>allowGuestLogin</param-name>
    <param-value>false</param-value>
  </init-param>
  <init-param>
    <param-name>impersonate</param-name>
    <param-value>false</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>SecurityFilter</filter-name>
  <url-pattern>/pages/*</url-pattern>
</filter-mapping>
<security-constraint>
  <display-name>My App Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/pages/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Everyone</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>MySecurityDomain</realm-name>
  <form-login-config>
    <form-login-page>/login.xhtml</form-login-page>
    <form-error-page>/logout.xhtml</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>Everyone</role-name>
</security-role>
```

All that is left is to create the login page, bind the username/password to a backing bean, and call login on the backing bean. The bean passes the username/password to the

```java
import java.security.Principal;
import java.util.logging.Logger;

import javax.faces.application.FacesMessage;
import javax.faces.context.FacesContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

import com.sun.jna.platform.win32.Win32Exception;

// Fields of the JSF backing bean (the post does not name the bean class; the logger name is a placeholder):
private static final Logger LOGGER = Logger.getLogger("LoginBean");
private String username; // bound to the login form
private String password; // bound to the login form

public String login()
{
    final FacesContext context = FacesContext.getCurrentInstance();
    final HttpServletRequest request = (HttpServletRequest) context.getExternalContext().getRequest();
    try
    {
        // Drop any existing identity and start a fresh session before authenticating
        // (a new session id after login also defeats session fixation).
        if (request.getUserPrincipal() != null)
        {
            request.logout();
        }
        context.getExternalContext().invalidateSession();
        context.getExternalContext().getSession(true);
        // Container-managed login: runs the MySecurityDomain login module (WindowsLoginModule).
        request.login(username, password);
        if (request.isUserInRole("Everyone"))
        {
            return "login-success";
        }
        else
        {
            final Principal principal = request.getUserPrincipal();
            LOGGER.info("User " + principal.getName() + " not in role 'Everyone'");
            context.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, "User " + principal.getName() + " Not Authorized For Use.", null));
            return "login-error";
        }
    }
    catch (final ServletException | Win32Exception | IllegalStateException e)
    {
        // Same message for every failure so the page does not reveal which part was wrong.
        context.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, "Login failed. Username or Password is incorrect.", null));
        return "login-error";
    }
}
```