I have a Java web app running on WildFly 8. I am trying to protect my REST web service with the help of annotations. I use the command-line tool curl to test the REST API.
The basic authentication setup seems to work. HTTP requests to web services with the annotation "@PermitAll" work fine. Curl says:
~ % curl -v http://localhost:8080/ItilityServer-web/rest/account
> GET /ItilityServer-web/rest/account HTTP/1.1
> User-Agent: curl/7.40.0
> Host: localhost:8080
> Accept: */*
>
< HTTP/1.1 200 OK
< Connection: keep-alive
< X-Powered-By: Undertow/1
< Server: WildFly/8
< Content-Length: 0
< Date: Wed, 28 Jan 2015 10:47:11 GMT
<
* Connection
But HTTP requests containing a valid username and password are rejected with a 401 Unauthorized status code. WildFly logs a "bad password" error:
2015-01-28 11:42:43,565 TRACE [org.jboss.security] (default task-5) PBOX000263: Executing query SELECT a.password FROM Account a WHERE a.name = ? with username hans
2015-01-28 11:42:43,566 DEBUG [org.jboss.security] (default task-5) PBOX000283: Bad password for username hans
But this is not so. The decoded authorization data "aGFuczpoZWxtaWhlbG1paGVsbWk=" is hans:helmihelmihelmi, and this username and password are stored in my db. The same JPQL query as in the security domain returns "hans" and its password "helmihelmihelmi".
Here is my setup:
web.xml
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
    <context-param>
        <param-name>resteasy.role.based.security</param-name>
        <param-value>true</param-value>
    </context-param>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Application</realm-name>
    </login-config>
    <security-role>
        <role-name>store</role-name>
    </security-role>
</web-app>
(I don't know which realms exist, so I just left this property in the login-config tag.)
My security domain is in standalone.xml
<security-domain name="DBLogin" cache-type="default">
    <authentication>
        <login-module code="Database" flag="required">
            <module-option name="dsJndiName" value="java:jboss/datasources/ExampleDS"/>
            <module-option name="principalsQuery" value="SELECT a.password FROM Account a WHERE a.name = ?"/>
            <module-option name="rolesQuery" value="SELECT a.userRole FROM Account a WHERE a.name = ?"/>
            <module-option name="hashAlgorithm" value="SHA-256"/>
            <module-option name="hashEncoding" value="Base64"/>
            <module-option name="hashCharset" value="UTF-8"/>
            <module-option name="unauthenticatedIdentity" value="guest"/>
        </login-module>
    </authentication>
</security-domain>
RESTful web service
@GET
@RolesAllowed(AuthRole.STORE)
@Produces(MediaType.APPLICATION_JSON)
public Response getAccountByName() {
    Response.ResponseBuilder builder = Response.ok();
    return builder.build();
}
and import.xml to create a user at startup
insert into Account(id, name, email, password, user_role)
    values (0, 'hans', 'john.smith@mailinator.com', 'helmihelmihelmi', 'store');
insert into Store(id, name, zipcode, street, housenumber, town, account_id)
    values (0, 'Edeka', 72622, 'stephanstraße', 10, 'Reudern', 0);
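To see what the security domain above actually compares, here is an added Python model of the check a Database login module performs when it is configured with hashAlgorithm=SHA-256, hashEncoding=Base64 and hashCharset=UTF-8. It is not code from the question or from WildFly/PicketBox; it assumes (as the PicketBox option documentation describes) that the module digests the password the client sent, Base64-encodes the raw digest, and compares that string with whatever the principalsQuery returns. The Authorization header and the Account row are constructed from the values in the question.

```python
import base64
import hashlib
import hmac

# Constructed sample: the Basic credentials from the question's curl request
AUTH_HEADER = "Basic aGFuczpoZWxtaWhlbG1paGVsbWk="

# Constructed stand-in for the Account table as the import data fills it:
# name -> password column, exactly what the principalsQuery would return.
ACCOUNTS_PLAINTEXT = {"hans": "helmihelmihelmi"}


def decode_basic_auth(header: str) -> tuple:
    """Split a 'Basic <base64>' header value into (username, password)."""
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic" or not payload:
        raise ValueError("not a Basic authorization header")
    user, sep, password = base64.b64decode(payload).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("malformed credentials")
    return user, password


def encode_basic_auth(user: str, password: str) -> str:
    """Build the header value a client such as curl -u would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def picketbox_style_hash(password: str, algorithm: str = "sha256", charset: str = "utf-8") -> str:
    """Model of hashAlgorithm / hashEncoding / hashCharset (assumed behaviour):
    digest the supplied password and Base64-encode the raw digest bytes."""
    digest = hashlib.new(algorithm, password.encode(charset)).digest()
    return base64.b64encode(digest).decode("ascii")


def verify(header: str, accounts: dict) -> bool:
    """Emulate the login module: hash what the client sent and compare it with
    the stored column value. compare_digest keeps the comparison constant-time."""
    user, password = decode_basic_auth(header)
    stored = accounts.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(picketbox_style_hash(password), stored)


def hashed_accounts(plain: dict) -> dict:
    """What the Account.password column has to contain for the module to accept
    logins under the hashAlgorithm=SHA-256 / hashEncoding=Base64 settings."""
    return {name: picketbox_style_hash(pw) for name, pw in plain.items()}


if __name__ == "__main__":
    print(decode_basic_auth(AUTH_HEADER))
    print("plaintext column:", verify(AUTH_HEADER, ACCOUNTS_PLAINTEXT))
    print("hashed column:   ", verify(AUTH_HEADER, hashed_accounts(ACCOUNTS_PLAINTEXT)))
```

With the row as inserted (a plaintext password) the comparison fails even though the credentials are right, because one side is a 44-character Base64 SHA-256 digest and the other is the literal string; it succeeds only when the column holds the digest. Whichever side gets changed, an unsalted single-round SHA-256 is a weak way to store passwords, so a production setup should prefer a salted, slow password hash and should never log or echo the credential itself.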
I don't know how to find a solution, because I don't even know what the problem is. I hope someone can help.