How to Catch FailedLoginException in Picket Box / Undertow on Wildfly 8 for CORS Enforcement

With a ContainerResponseFilter I can apply CORS headers to all outgoing responses, and with an ExceptionMapper I can do the same for all errors and exceptions, except for the authentication-related exceptions that PicketBox / Undertow throws in Wildfly.

My ExceptionMapper never catches it no matter what I try, and as a result the client cannot read the 401 status, since no CORS headers are appended to the response (the XHR HTTP status code just becomes 0).

I am using a PBKDF2-based login module to authenticate against a MySQL database, and at first I thought that since the authentication was done in a separate module it was not caught by my application, but even after migrating all the authentication code into my own application I still have the same problem.

This is the log entry I get when I try to authenticate with the wrong password (I get a very similar one when I just don't send any credentials at all):

    2014-11-29 16:11:08,053 TRACE [org.jboss.security] (default task-4) PBOX000224: End getAppConfigurationEntry(PBKDF2DatabaseDomain), AuthInfo: AppConfigurationEntry[]:[0] LoginModule Class: com.example.myapplication.security.SaltedDatabaseServerLoginModule ControlFlag: LoginModuleControlFlag: Required Options: name=dsJndiName, value=java:/user name=principalsQuery, value=SELECT Hash FROM account WHERE ID=? name=roleQuery, value=SELECT Role, 'Roles' FROM account WHERE account.ID=?
    2014-11-29 16:11:08,053 TRACE [org.jboss.security] (default task-4) PBOX000236: Begin initialize method
    2014-11-29 16:11:08,053 TRACE [org.jboss.security] (default task-4) PBOX000262: Module options [dsJndiName: java:/user, principalsQuery: SELECT Hash FROM account WHERE ID=?, roleQuery: SELECT Role, 'Roles' FROM account WHERE account.ID=?, suspendResume: true]
    2014-11-29 16:11:08,053 TRACE [org.jboss.security] (default task-4) PBOX000240: Begin login method
    2014-11-29 16:11:08,053 TRACE [org.jboss.security] (default task-4) PBOX000263: Executing query SELECT Hash FROM account WHERE ID=? with username 1@2.se
    2014-11-29 16:11:08,062 DEBUG [org.jboss.security] (default task-4) PBOX000283: Bad password for username 1@2.com
    2014-11-29 16:11:08,062 TRACE [org.jboss.security] (default task-4) PBOX000244: Begin abort method
    2014-11-29 16:11:08,062 DEBUG [org.jboss.security] (default task-4) PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070: Password invalid/Password required
        at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java) [picketbox-4.0.21.Beta1.jar:4.0.21.Beta1]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_25]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_25]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_25]
        at java.lang.reflect.Method.invoke(Method.java:483) [rt.jar:1.8.0_25]
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) [rt.jar:1.8.0_25]
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) [rt.jar:1.8.0_25]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) [rt.jar:1.8.0_25]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) [rt.jar:1.8.0_25]
        at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.8.0_25]
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.8.0_25]
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587) [rt.jar:1.8.0_25]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:408) [picketbox-infinispan-4.0.21.Beta1.jar:4.0.21.Beta1]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345) [picketbox-infinispan-4.0.21.Beta1.jar:4.0.21.Beta1]
        at org.jboss.security.authentication.JBossCachedAuthentication... [picketbox-infinispan-4.0.21.Beta1.jar:4.0.21.Beta1]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146) [picketbox-infinispan-4.0.21.Beta1.jar:4.0.21.Beta1]
        at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:111)
        at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify...
        at io.undertow.security.impl.BasicAuthenticationMechanism.authenticate(BasicAuthenticationMechanism.java:110) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:281) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:298) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:268) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:131) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:106) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:99) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:54) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:27) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]

And this is my ExceptionMapper class (currently set to catch all Throwables in a vain attempt to make it work):

    import javax.ws.rs.core.Response;
    import javax.ws.rs.ext.ExceptionMapper;
    import javax.ws.rs.ext.Provider;

    @Provider
    public class NotAuthorizedExceptionMapper implements ExceptionMapper<Throwable> {

        @Override
        public Response toResponse(Throwable exception) {
            // Headers are set on the builder so they are part of the response as built
            return Response.status(Response.Status.UNAUTHORIZED)
                    .header("Access-Control-Allow-Origin", "*")
                    .header("Access-Control-Allow-Methods", "OPTIONS, GET, POST, PUT, DELETE")
                    .header("Access-Control-Allow-Headers", "origin, content-type, accept, authorization, access-control-allow-origin, access-control-allow-methods, access-control-allow-headers, allow, content-length, date, last-modified")
                    .build();
        }
    }

What can I do to catch these Authentication Exceptions and thus add CORS to them?



1 answer


In the end I figured out that on Wildfly you can add your own headers to all outgoing responses, error responses included, by modifying the config file (standalone.xml). This solved the problem for me:

    <subsystem xmlns="urn:jboss:domain:undertow:1.1">
        <buffer-cache name="default"/>
        <server name="default-server">
            <https-listener name="default" socket-binding="https" security-realm="ApplicationRealm"/>
            <host name="default-host" alias="localhost">
                <location name="/" handler="welcome-content"/>
                <filter-ref name="cors-origin"/>
                <filter-ref name="cors-methods"/>
                <filter-ref name="cors-headers"/>
            </host>
        </server>
        <servlet-container name="default">
            <jsp-config/>
        </servlet-container>
        <handlers>
            <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
        </handlers>
        <filters>
            <response-header name="cors-origin" header-name="Access-Control-Allow-Origin" header-value="your-domain-here.com"/>
            <response-header name="cors-methods" header-name="Access-Control-Allow-Methods" header-value="OPTIONS, GET, POST, PUT, DELETE"/>
            <response-header name="cors-headers" header-name="Access-Control-Allow-Headers" header-value="origin, content-type, accept, authorization, access-control-allow-origin, access-control-allow-methods, access-control-allow-headers, allow, content-length, date, last-modified, if-modified-since"/>
        </filters>
    </subsystem>




Edit: It turns out Wildfly does add the CORS headers to unauthorized responses, but when it encounters a 500 error it very neatly ignores them. Any idea on how to fix this would be much appreciated.

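The point behind both the question and the answer is ordering: Undertow's BASIC mechanism rejects the request before the servlet and JAX-RS layers run, so nothing deployed inside the application (ExceptionMapper, servlet filter) ever sees the 401, while a host-level `<response-header>` filter runs outside that chain. The following is an added example, not the asker's code or WildFly's own, using embedded Undertow with an assumed allowed origin and a simplified stand-in for the BASIC mechanism; it shows CORS headers being applied by a handler wrapped around the authentication step, so they reach the 401 and the preflight OPTIONS is answered before credentials are demanded.

```java
import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.util.Headers;
import io.undertow.util.HttpString;
import io.undertow.util.Methods;

public class CorsBeforeAuthDemo {
    // Assumed single allowed origin; echoed back only on an exact match.
    static final String ALLOWED_ORIGIN = "https://app.example.com";

    // Outer handler: runs before authentication, so its headers also reach
    // 401 responses, and it answers preflight OPTIONS without credentials.
    static HttpHandler cors(HttpHandler next) {
        return exchange -> {
            String origin = exchange.getRequestHeaders().getFirst(Headers.ORIGIN);
            if (ALLOWED_ORIGIN.equals(origin)) {
                exchange.getResponseHeaders()
                    .put(new HttpString("Access-Control-Allow-Origin"), origin)
                    .put(new HttpString("Access-Control-Allow-Methods"), "OPTIONS, GET, POST, PUT, DELETE")
                    .put(new HttpString("Access-Control-Allow-Headers"), "origin, content-type, accept, authorization")
                    .put(Headers.VARY, "Origin"); // response differs per Origin, so caches must key on it
            }
            if (Methods.OPTIONS.equals(exchange.getRequestMethod())) {
                exchange.setResponseCode(204); // preflight: no body; Undertow 1.0 API name
                exchange.endExchange();
                return;
            }
            next.handleRequest(exchange);
        };
    }

    // Simplified stand-in for the container's BASIC mechanism: no credentials -> 401.
    // In WildFly this rejection happens before any JAX-RS ExceptionMapper can run.
    static HttpHandler requireAuth(HttpHandler next) {
        return exchange -> {
            if (exchange.getRequestHeaders().getFirst(Headers.AUTHORIZATION) == null) {
                exchange.setResponseCode(401);
                exchange.getResponseHeaders().put(Headers.WWW_AUTHENTICATE, "Basic realm=\"demo\"");
                exchange.endExchange();
                return;
            }
            next.handleRequest(exchange);
        };
    }

    public static void main(String[] args) {
        HttpHandler app = exchange -> exchange.getResponseSender().send("hello");
        Undertow.builder().addHttpListener(8080, "localhost")
                .setHandler(cors(requireAuth(app))).build().start();
    }
}
```

A request with `Origin: https://app.example.com` and no `Authorization` header gets a 401 that still carries `Access-Control-Allow-Origin`, which is what the browser needs before it will expose the status to the XHR; wrapping the handlers the other way round (`requireAuth(cors(app))`) reproduces the status-0 symptom from the question.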

