In this tutorial we will learn how to configure HTTP basic authentication with WildFly.

Basic authentication is a simple authentication policy built into the HTTP protocol. The client sends an HTTP request with an Authorization header that contains the word Basic followed by a space and the base64-encoded string username:password.


As an example, to authenticate as demo / p@55w0rd the client would send:

    Authorization: Basic ZGVtbzpwQDU1dzByZA==

Note: base64 is an encoding, not encryption, and is easily decoded. Basic authentication should therefore only be used together with other security mechanisms such as HTTPS/SSL.

Example: enabling HTTP Basic Authentication in WildFly

First, add a user as follows:

    $ ./add-user.sh -a testuser testuser@123
    Added user 'testuser' to file '/PATH/TO/wildfly-14.0.1.Final/standalone/configuration/application-users.properties'
    Added user 'testuser' to file '/PATH/TO/wildfly-14.0.1.Final/domain/configuration/application-users.properties'

Then set the security domain in "jboss-web.xml":

    <jboss-web>
      <context-root>webapp</context-root>
      <security-domain>java:/jaas/other</security-domain>
    </jboss-web>

Then configure the security constraint and the login method in your web.xml:

    <!DOCTYPE web-app PUBLIC
    "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
     "http://java.sun.com/dtd/web-app_2_3.dtd" >

    <web-app>
      <display-name>Demo Authenticated Web Application</display-name>

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>authtest</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>*</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>BASIC</auth-method>
      </login-config>
      <security-role>
        <role-name>*</role-name>
      </security-role>

    </web-app>

Setting HTTP Basic authentication for Web Services

If you are using EJB-based Web Services, the configuration is slightly different: because the security domain is not specified in the web descriptors, we have to provide it by means of annotations:

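    import javax.ejb.Stateless;
    import javax.jws.WebService;
    import org.jboss.ejb3.annotation.SecurityDomain;
    import org.jboss.ws.api.annotation.WebContext;

    // Stateless EJB exposed as a Web Service and protected with BASIC authentication
    @Stateless
    @WebService(targetNamespace = "https://www.mastertheboss.com/",
            serviceName = "SecureService")
    @WebContext(authMethod = "BASIC",
            secureWSDLAccess = false)   // the WSDL stays readable without credentials
    @SecurityDomain(value = "other")
    public class SecureEJB { }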

As you can see, the @WebContext annotation mirrors the configuration options used for POJO-based Web Services, here with BASIC authentication and unrestricted WSDL access.

Basic authentication using Database

If you want to learn how to configure authentication using a Database instead of a property file, check this tutorial: Configure an Elytron JDBC Realm on WildFly
