I have a trivial problem executing a RESTEasy endpoint with a trusted SecurityDomain and a specific RolesAllowed.

After a successful login with the login-module approach and a login form, the response of the endpoint is an access denied (HTTP Status 403 - Access to the requested resource has been denied).

Now I describe the actual use case:

The environment is JBoss AS7; there is an .ear artifact with the following configuration.

standalone.xml

<management>
    ...
    <security-realm name="EJBRealm">
        <authentication>
            <jaas name="CustomRealm"/>
        </authentication>
    </security-realm>
    ...
</management>
<subsystem xmlns="urn:jboss:domain:security:1.1">
    ...
    <security-domain name="CustomRealm">
        <authentication>
            <login-module code="Database" flag="sufficient">
                <module-option name="dsJndiName" value="java:jboss/jdbc/PUDS"/>
                <module-option name="principalsQuery" value="SELECT 'system' FROM dual WHERE ? = 'system'"/>
                <module-option name="rolesQuery" value="SELECT 'authenticated', 'Roles' from dual WHERE ? = 'system'"/>
            </login-module>
            <login-module code="custom.jaas.AuthenticationProxyLoginModule" flag="sufficient" module="custom.authentication">
                <module-option name="authBE_ip_port" value="${install.module.authBE_ip_port}"/>
                <module-option name="authBE_ip_address" value="${install.module.authBE_ip_address}"/>
                <module-option name="authBE_context_path" value="${install.module.authBE_context_path}"/>
            </login-module>
        </authentication>
    </security-domain>
    ...
</subsystem>

In this ear there is a web-module artifact (.war) with a set of endpoints using the RESTEasy approach, with the following configuration:

web.xml

    <context-param>
        <param-name>resteasy.role.based.security</param-name>
        <param-value>true</param-value>
    </context-param>
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.html</form-login-page>
            <form-error-page>/login.html</form-error-page>
        </form-login-config>
    </login-config>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Secured Content</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ADMIN</role-name>
        </auth-constraint>
    </security-constraint>

    <security-role>
        <role-name>ADMIN</role-name>
    </security-role>

This role exists in the database authentication realm.

jboss-web.xml

<jboss-web version="7.1"
    xmlns="http://www.jboss.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/schema/jbossas/jboss-web_7_1.xsd">

    <security-domain>CustomRealm</security-domain>

</jboss-web>

In jboss-web.xml I set the CustomRealm defined in standalone.xml.

The RESTEasy class is defined as follows:

import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.core.MediaType;
import org.jboss.ejb3.annotation.SecurityDomain;   // AS7 annotation used with RESTEasy role-based security
import org.springframework.stereotype.Component;

@Component
@Path(value = "/endpoint")
@SecurityDomain("CustomRealm")          // same security domain as in jboss-web.xml
@DeclareRoles({"ADMIN", "DEFAULT"})
public class CustomRest implements ICustomRest
{

    ...

    @Override
    @GET
    @Path(value = "/testendpoint/{id}")
    @Consumes(value = MediaType.APPLICATION_JSON)
    @RolesAllowed("ADMIN")              // caller must hold the ADMIN role returned by the login module
    public void testendpoint(@PathParam(value = "id") Long id) throws Exception {

        //code to execute

    }
    ...

}

This class is annotated with @SecurityDomain at class scope, and the method testendpoint defines the annotation @RolesAllowed with ADMIN (as defined in web.xml).

If I call the REST URI

http://localhost:8080/api/services/endpoint/testendpoint/23456

the login form is shown; I enter the correct credentials, which are received correctly by the custom.jaas.AuthenticationProxyLoginModule module. The authentication is OK after a successful login, as I expect.

After all of that is OK, the endpoint doesn't execute; the response is systematically Access Denied.

What am I doing wrong?

The login module is configured correctly in standalone.xml, the login form is shown correctly, the submitted credentials are received correctly by the custom login module, the login method grants authentication OK, but in the end the response of the endpoint is an access denied!!!! Why? It's very trivial and I have not managed to resolve this trivial problem!

Everything is OK, but access denied! I'm sure there is something small wrong that I am not able to understand!

Thanks in advance for a response!


1 answer

Alessandro Modica

OK! I found the problem!!! I analyzed the code of the custom login module and realized that the login module's native method getRoleSets defines a custom role called "authenticated" and does not retrieve the roles from the database :| ! I fixed it by using the "authenticated" role, removing "ADMIN", and everything works!

Finally I can execute this REST endpoint with a secure login, as I expected!

I'm very happy to have resolved this trouble! It is not a good idea to hard-code a role in the custom getRoleSets method, but this is an application that has been in production for many years and I must integrate a web-module REST endpoint on top of it!

Thanks all!!
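As an added example (not the asker's custom.jaas.AuthenticationProxyLoginModule or any project code), here is a login module built on JBoss's UsernamePasswordLoginModule whose getRoleSets() fills the "Roles" group from a lookup instead of a hard-coded "authenticated" role, so the names the container sees line up with @RolesAllowed and web.xml's <role-name>. The AuthBackend interface and the AuthBackends.fromOptions factory are assumptions; the module-option names are the ones from the standalone.xml above.

```java
import java.security.acl.Group;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

public class RoleAwareProxyLoginModule extends UsernamePasswordLoginModule {

    /** Hypothetical backend standing in for the authBE_* proxy of standalone.xml. */
    public interface AuthBackend {
        boolean verify(String user, String password);
        List<String> rolesFor(String user);   // e.g. ["ADMIN"] for an admin user
    }
    private AuthBackend backend;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        super.initialize(subject, handler, sharedState, options);
        // The module-option values (authBE_ip_address, authBE_ip_port, ...) arrive
        // in 'options'; AuthBackends.fromOptions is a hypothetical factory.
        backend = AuthBackends.fromOptions(options);
    }

    @Override
    protected String getUsersPassword() throws LoginException {
        // The proxy never exposes the stored password; the real check is
        // delegated to the backend in validatePassword() below.
        return "";
    }

    @Override
    protected boolean validatePassword(String inputPassword, String expectedPassword) {
        return inputPassword != null && backend.verify(getUsername(), inputPassword);
    }

    @Override
    protected Group[] getRoleSets() throws LoginException {
        // JBoss takes the caller's roles from the group literally named "Roles".
        Group roles = new SimpleGroup("Roles");
        // The legacy module hard-coded roles.addMember(new SimplePrincipal("authenticated")),
        // which can never satisfy @RolesAllowed("ADMIN"); return the backend's roles instead.
        for (String role : backend.rolesFor(getUsername())) {
            roles.addMember(new SimplePrincipal(role));
        }
        return new Group[] { roles };
    }
}
```

If the legacy module cannot be changed, the same alignment works the other way round: the role named in @RolesAllowed and in web.xml's <auth-constraint> must be exactly the member name that getRoleSets() puts into the "Roles" group.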