In this tutorial we will learn how to configure HTTP basic authentication with WildFly.
Basic authentication is a simple authentication policy built into the HTTP protocol. The client sends an HTTP request with an Authorization header that contains the word Basic followed by a space and the base64-encoded string username:password.
As an example, in order to authorize as demo / p@55w0rd the client would send
Authorization: Basic ZGVtbzpwQDU1dzByZA==
Note: Because base64 is an encoding, not encryption, and is trivially decoded, Basic authentication should only be used together with other security mechanisms such as HTTPS/SSL.
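As an added example (not part of the original tutorial), the following Python helper builds and parses the Authorization header exactly as described above. It makes the note concrete, since recovering the credentials is nothing more than a base64 decode, and it follows RFC 7617 by splitting on the first colon only, so a password that itself contains a colon survives the round trip.

```python
import base64
import binascii
from typing import Optional, Tuple


def build_basic_header(username: str, password: str) -> str:
    """Return the Authorization header value for HTTP Basic auth.

    RFC 7617: the user-id must not contain ':' (it is the separator);
    the password may contain any number of colons.
    """
    if ":" in username:
        raise ValueError("username must not contain ':'")
    credentials = f"{username}:{password}".encode("utf-8")
    token = base64.b64encode(credentials).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header_value: str) -> Optional[Tuple[str, str]]:
    """Parse 'Basic <base64>' back into (username, password).

    Returns None for anything that is not well-formed Basic credentials
    (wrong scheme, bad base64, no colon), so a server-side check can
    reject the request instead of guessing.
    """
    parts = header_value.strip().split(None, 1)
    # The scheme name is case-insensitive ("Basic", "basic", "BASIC").
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1].strip(), validate=True)
    except (binascii.Error, ValueError):
        return None  # not valid base64 (bad characters or padding)
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Split on the FIRST colon only: "alice:a:b:c" -> ("alice", "a:b:c").
    username, sep, password = decoded.partition(":")
    if not sep:
        return None  # no separator at all, so no credentials to use
    return username, password
```

Running build_basic_header("demo", "p@55w0rd") reproduces the header shown above.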
Example: enabling HTTP Basic Authentication in WildFly
First, add a user as follows:
$ ./add-user.sh -a testuser testuser@123
Added user 'testuser' to file '/PATH/TO/wildfly-14.0.1.Final/standalone/configuration/application-users.properties'
Added user 'testuser' to file '/PATH/TO/wildfly-14.0.1.Final/domain/configuration/application-users.properties'
Then set the security domain in "jboss-web.xml":
<jboss-web>
    <context-root>webapp</context-root>
    <security-domain>java:/jaas/other</security-domain>
</jboss-web>
And configure in your web.xml:
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
    <display-name>Demo Authenticated Web Application</display-name>

    <!-- Protect every URL of the application -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>authtest</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- Challenge with HTTP Basic authentication -->
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>

    <security-role>
        <role-name>*</role-name>
    </security-role>
</web-app>
Setting HTTP Basic authentication for Web Services
If you are using EJB-based Web Services the configuration is slightly different: because the security domain is not specified in the web descriptors, we have to provide it by means of annotations:
import javax.ejb.Stateless;
import javax.jws.WebService;

import org.jboss.ejb3.annotation.SecurityDomain;
import org.jboss.ws.api.annotation.WebContext;

@Stateless
@WebService(targetNamespace = "https://www.mastertheboss.com/", serviceName = "SecureService")
// BASIC authentication for the endpoint; the WSDL itself stays readable without credentials
@WebContext(authMethod = "BASIC", secureWSDLAccess = false)
// Same security domain as the one referenced from jboss-web.xml
@SecurityDomain(value = "other")
public class SecureEJB {
}
As you can see, the @WebContext annotation basically reflects the same configuration options as POJO-based Web Services, with BASIC authentication and unrestricted WSDL access.
Basic authentication using Database
If you want to learn how to configure authentication using a Database instead of a property file, check this tutorial: Configure an Elytron JDBC Realm on WildFly