Additional logic to jboss realm

Question

Current setup of application is JSF with JBoss server. I would like to include additional logic along to existing realm authetication which navigates to login failed page. Looking for something that invalidate successful pricinpal from Realm(java).

Scenario: User typed correct password and login but there are certain condition which does not allow him to login.

Configurations:

standalone.xml

<security-domain name="login">
    <authentication>
        <login-module code="Database" flag="sufficient">
            <module-option name="dsJndiName" value="java:/datasource"/>
            <module-option name="principalsQuery" value="query"/>
            <module-option name="rolesQuery" value="query"/>
            <module-option name="hashAlgorithm" value="???"/>
            <module-option name="hashEncoding" value="???"/>
            <module-option name="principalClass" value="org.jboss.security.SimplePrincipal"/>
        </login-module>
    </authentication>
</security-domain>

jboss-web.xml

<jboss-web>
   <security-domain>login</security-domain>
</jboss-web>

faces-config.xml

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ApplicationRealm</realm-name>
    <form-login-config>
        <form-login-page>login.html</form-login-page>
        <form-error-page>login-error.html</form-error-page>
    </form-login-config>
</login-config>

I had few ideas which I don't see very easy despite an easy change.

• Remove pricipal from session and set parameter that is checked on login page (single login page only)
• Write custom realm login module

Thank you

Answer 1

If your additional checks involve a database query in the same database as that accessible through java:/datasource then maybe all you need is a more sophisticated query for the principalsQuery.

Alternatively, you could implement a servlet filter which executes the additional logic. If the test fails and the user should not be provided access then you call HttpServletRequest.logout() and then redirect to the login-error.html page.

However, it may be more elegant to do this by modifying your security-domain configuration and adding a second login module that contains your additional logic:

<security-domain name="login">
    <authentication>
        <login-module code="Database"
                      flag="required">
            <module-option name="dsJndiName" value="java:/datasource"/>
            <module-option name="principalsQuery" value="query"/>
            <module-option name="rolesQuery" value="query"/>
            <module-option name="hashAlgorithm" value="???"/>
            <module-option name="hashEncoding" value="???"/>
            <module-option name="principalClass" value="org.jboss.security.SimplePrincipal"/>
        </login-module>
        <login-module code="com.yourorg.yourapp.ExtendedLoginCheck"
                      flag="required"
                      module="name-of-wildfly-module-containing-ExtendedLoginCheck">
            <module-option name="your module option" value="your module option value" />
            ...
        </login-module>
    </authentication>
</security-domain>

where com.yourorg.yourapp.ExtendedLoginCheck implements javax.security.auth.spi.LoginModule. Note the login-module flag attribute value has changed to required. These modules get executed one after the other and both must succeed for the authentication attempt to succeed.