How to debug WildFly security issues

In this article we will discuss how to troubleshoot WildFly security issues by enabling the right Loggers or System Properties.

WildFly security framework is based on Elytron. Before WildFly 25, you could still use Picketbox legacy framework. This is however discuss in the second part of this article.

To debug WildFly security issues the main logger is org.wildfly.security. You can turn it on as follows:

/subsystem=logging/logger=org.wildfly.security:add(level=DEBUG)

Here is the resulting logger in the configuration:

<logger category="org.wildfly.security">
    <level name="DEBUG"/>
</logger>

Once this logger is on, you will see in your server.log some important insights about security access.

For example, supposing you have attempted connecting to LDAP in a LDAPRealm. If you have enabled the org.wildfly.security, the following log reveals that the Connection settings to the LDAP Server are incorrect:

2021-11-04 15:43:19,480 DEBUG [org.wildfly.security] (default task-1) Could not create [class javax.naming.ldap.InitialLdapContext]. Failed to connect to LDAP server.: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
	at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3158)
	at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3104)
	at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2890)

Therefore, you have to fix your LDAP Realm BaseDB or password.

On the other hand, if you can see the following error log:

2021-11-04 16:32:11,725 DEBUG [org.wildfly.security] (default task-1) [javax.naming.ldap.InitialLdapContext@6d8745e2] successfully created. Connection established to LDAP server.
2021-11-04 16:32:11,726 DEBUG [org.wildfly.security] (default task-1) Trying to create identity for principal [frrfr].
2021-11-04 16:32:11,726 DEBUG [org.wildfly.security] (default task-1) Executing search [(uid={0})] in context [ou=Users,dc=wildfly,dc=org] with arguments [frrfr]. Returning attributes are [userPassword]. Binary attributes are [].
2021-11-04 16:32:11,727 DEBUG [org.wildfly.security] (default task-1) Identity for principal [frrfr] not found.
2021-11-04 16:32:11,728 DEBUG [org.wildfly.security] (default task-1) Context [javax.naming.ldap.InitialLdapContext@6d8745e2] was closed. Connection closed or just returned to the pool.
2021-11-04 16:32:11,729 DEBUG [org.wildfly.security.http.basic] (default task-1) User frrfr authentication failed.

Then, you have provided wrong username/password in your user authentication.

Besided org.wildfly.security, if you are dealing with SASL, you should also collect more information from the β€œorg.jboss.remoting” namespace:

<logger category="org.jboss.remoting">
    <level name="TRACE"/>
</logger>

WildFly legacy security debugging

If you are using the older security framework, then you have to activate a different set of loggers to debug your security actions:

/subsystem=logging/logger=org.jboss.security:add(level=ALL)

/subsystem=logging/logger=org.jboss.as.security:add(level=ALL)

/subsystem=logging/logger=org.picketbox:add(level=ALL)

Useful System Properties to activate

Besides WildFly loggers, there are several JVM properties which can be activated when you are using a specific authentication resource. For example, if you want to collect extra debug info from LDAP, then you can start WildFly with the following property:

-Dcom.sun.jndi.ldap.connect.pool.debug=all

Besides, LDAP Docker images can be started in debug mode as follows:

docker run --detach osixia/openldap:1.5.0 --loglevel debug

On the other hand, if you are performing authentication against Kerberos / SPNEGO, the following system properties will print additional debug info:

/system-property=sun.security.spnego.debug:add(value=true)
/system-property=sun.security.krb5.debug:add(value=true)

Finally, to debug SSL connection handshakes you can include the following System Property when starting WildFly:

-Djavax.net.debug=ssl:handshake

Do you want to learn more about most common WildFly loggers ? Keep reading here: 5 WildFly Loggers you should know about

Found the article helpful? if so please follow us on Socials