Implement a custom ServerAuthModule for JBoss

Question

I need to remember the original URL of the Http Request, then redirect this request to a web form for a user authentication. In case of a successful authentication, the user must be redirected to the original URL just remembered above. I am using JBoss 7.1.1 Final, a standard web.xml, and the JBoss Login Module org.jboss.security.auth.spi.DatabaseServerLoginModule:

I had referred the following links which didn't answer my question completely:

• Precedence of security-constraint over filters in Servlets

• Jaspic ServerAuthModule delegating to JAAS Krb5LoginModule

• Implementing container authentication in Java EE with JASPIC

• Oracle GlassFish Server 3.0.1 Application Development Guide

However, after impltementing my solution, my custom ServerAuthModule is not called at all. What is even worse, I did not get any HttpResponse from the server. Something got broken, please help!

My web.xml:

       <security-constraint>
            <web-resource-collection>
                <web-resource-name>All resources in /pages/*</web-resource-name>
                <description>All resources in /pages/*</description>
                <url-pattern>/pages/*</url-pattern>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint>
                <role-name>general</role-name>
            </auth-constraint>
        </security-constraint>

        <security-constraint>
            <display-name>Restrict direct access to the /resources folder.</display-name>
            <web-resource-collection>
                <web-resource-name>The /resources folder.</web-resource-name>
                <url-pattern>/resources/*</url-pattern>
            </web-resource-collection>
            <auth-constraint />
        </security-constraint> 

        <login-config>
            <auth-method>FORM</auth-method>
            <form-login-config>
                <form-login-page>/login.jsf</form-login-page>
                <form-error-page>/loginFailed.jsf</form-error-page>
            </form-login-config>
        </login-config>

        <security-role>
            <role-name>general</role-name>
        </security-role>     

My jboss-web.xml:

<?xml version="1.0" encoding="UTF-8"?>
    <jboss-web>
        <security-domain>jBossJaasMysqlRealm</security-domain>
         <valve>
           <class-name>org.jboss.as.web.security.jaspi.WebJASPIAuthenticator</class-name>
       </valve>
    </jboss-web>

My standalone.xml:

 <security-domain name="jBossJaasMysqlRealm" cache-type="default">
                <authentication-jaspi>
                    <login-module-stack name="lm-stack">
                        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                            <module-option name="dsJndiName" value="java:/MySqlDS_IamOK"/>
                            <module-option name="principalsQuery" value="select password from  user where username=?"/>
                            <module-option name="rolesQuery" value="select role, 'Roles' from  user_role where  username=?"/>
                        </login-module>
                    </login-module-stack>
                    <auth-module code="at.alex.ok.web.utils.RequestMarkerServerAuthModule" login-module-stack-ref="lm-stack"/>
                </authentication-jaspi>
            </security-domain>

My custom WebServerAuthModule:

    import org.jboss.as.web.security.jaspi.modules.WebServerAuthModule;

    public class RequestMarkerServerAuthModule extends WebServerAuthModule {

        public static final String ORIGINAL_URL = "originalURL";

        protected static final Class[] supportedMessageTypes = new Class[] {
                HttpServletRequest.class, HttpServletResponse.class };


        public void initialize(MessagePolicy reqPolicy, MessagePolicy resPolicy,
                CallbackHandler cBH, Map opts) throws AuthException {

            System.out.println( this.getClass().getName() + ".initialize() called");
        }

        public Class[] getSupportedMessageTypes() {
            return supportedMessageTypes;
        }

        public AuthStatus validateRequest(MessageInfo msgInfo, Subject client,
                Subject server) throws AuthException {
            try {
                System.out.println( this.getClass().getName() + ".validateRequest() called");

                processAuthorizationToken(msgInfo, client);
                return AuthStatus.SUCCESS;

            } catch (Exception e) {
                AuthException ae = new AuthException();
                ae.initCause(e);
                throw ae;
            }
        }

        private void processAuthorizationToken(MessageInfo msgInfo, Subject s)
                throws AuthException {

            HttpServletRequest request = (HttpServletRequest) msgInfo
                    .getRequestMessage();

            String originalURL = request.getRequestURL().toString();
            request.getSession().setAttribute(ORIGINAL_URL, originalURL);
        }


        public AuthStatus secureResponse(MessageInfo msgInfo, Subject service)
                throws AuthException {

            System.out.println( this.getClass().getName() + ".secureResponse() called");

            return AuthStatus.SEND_SUCCESS;
        }

        public void cleanSubject(MessageInfo msgInfo, Subject subject)
                throws AuthException {
            System.out.println( this.getClass().getName() + ".cleanSubject() called");

    }

}

Answer 1

This question is put incorectly, because: For a redirect to the originally requested URL after a successfull login, there is no need to implement a custom ServerAuthModule for JBoss.

The interface javax.servlet.RequestDispatcher has the constant FORWARD_REQUEST_URI, which denotes the name of the Http-Request attribute under which the original request URI is made available to the processor of the forwarded request.

Using JSF 2.2 and a View-Scoped backing bean LoginBean, my solution is simply to obtain the originally requested URL in a @PostConstruct method of the backing bean, and store it in a session attribute, as follows:

@ManagedBean(name="loginBean")
@ViewScoped
public class LoginBean {

    private String originalURL;

    @PostConstruct
    private void init() {
        ExternalContext extCtx = FacesContext.getCurrentInstance().getExternalContext();

        String origURL = (String) extCtx.getRequestMap().get(RequestDispatcher.FORWARD_REQUEST_URI);

        HttpServletRequest request = (HttpServletRequest) extCtx.getRequest();
        HttpSession session = (HttpSession)extCtx.getSession(false);

        if (session == null){
            session = (HttpSession)extCtx.getSession(true);
        }

        if (origURL!=null && session.getAttribute(ORIGINAL_URL) == null){
            String applicationName = request.getContextPath();
            origURL = origURL.substring(applicationName.length(), origURL.length());
            session.setAttribute(ORIGINAL_URL, origURL);
        }
    }

Then, in the login() method of the same backing bean, redirect the user to the originally requested URL in case of a successfull log-in like this:

public String login() {

    HttpServletRequest request = (HttpServletRequest)FacesContext.getCurrentInstance().getExternalContext().getRequest();

    try {
        request.login(this.getLogin(), this.getPassword());
    } catch (ServletException e) {
        // handle bad username / password here
    }

    return this.originalURL + "?faces-redirect=true";
}