Container based LDAP authentication with Jboss and Spring boot

I’ve a simple API that returns a string. My objective is to secure my API using LDAP authentication. I’ve my LDAP configured in my JBoss EAP 7.1 under the security-domain. I’ve defined my security constraint in the web.xml and the corresponding security-domain in my jboss-web.xml This is my first shot to integrate LDAP with REST API. Not sure what went wrong, but when I hit my API from browser, it keeps prompting for credentials 3 times and then gives below error.

Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.

Tue Feb 22 13:42:54 EST 2022
There was an unexpected error (type=Unauthorized, status=401).
Full authentication is required to access this resource

JavaScript
​x
 
Whitelabel Error PageThis application has no explicit mapping for /error, so you are seeing this as a fallback.​Tue Feb 22 13:42:54 EST 2022There was an unexpected error (type=Unauthorized, status=401).Full authentication is required to access this resource ​

If I hit from postman, it gives similar error in json format…

{
"timestamp": 1645553512290,
"status": 401,
"error": "Unauthorized",
"message": "Bad credentials",
"path": "/SecureAPI/mypath"
}

JavaScript
 
{"timestamp": 1645553512290,"status": 401,"error": "Unauthorized","message": "Bad credentials","path": "/SecureAPI/mypath"}​

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
   <security-constraint>
    <web-resource-collection>
      <web-resource-name>WebServiceSecurity</web-resource-name>
      <url-pattern>/</url-pattern>
      <http-method>GET</http-method>     
    </web-resource-collection>
    <auth-constraint>
      <role-name>ROLE_ADMIN</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-role>
    <role-name>ROLE_ADMIN</role-name>
  </security-role>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>basic ldap realm</realm-name>
  </login-config> 
</web-app>

JavaScript
 
<?xml version="1.0" encoding="UTF-8"?><web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">   <security-constraint>    <web-resource-collection>      <web-resource-name>WebServiceSecurity</web-resource-name>      <url-pattern>/</url-pattern>      <http-method>GET</http-method>         </web-resource-collection>    <auth-constraint>      <role-name>ROLE_ADMIN</role-name>    </auth-constraint>    <user-data-constraint>      <transport-guarantee>NONE</transport-guarantee>    </user-data-constraint>  </security-constraint>  <security-role>    <role-name>ROLE_ADMIN</role-name>  </security-role>  <login-config>    <auth-method>BASIC</auth-method>    <realm-name>basic ldap realm</realm-name>  </login-config> </web-app>​

jboss-web.xml

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web xmlns="http://www.jboss.com/xml/ns/javaee"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="
      http://www.jboss.com/xml/ns/javaee
      http://www.jboss.org/j2ee/schema/jboss-web_5_2.xsd">
  <context-root>SecureAPI</context-root>    
  <security-domain>java:/jaas/ldapLogin</security-domain>
</jboss-web>

JavaScript
 
<?xml version="1.0" encoding="UTF-8"?><jboss-web xmlns="http://www.jboss.com/xml/ns/javaee"   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"   xsi:schemaLocation="      http://www.jboss.com/xml/ns/javaee      http://www.jboss.org/j2ee/schema/jboss-web_5_2.xsd">  <context-root>SecureAPI</context-root>      <security-domain>java:/jaas/ldapLogin</security-domain></jboss-web> ​

API

@RestController
public class SecuredController {
    
    @GetMapping("/mypath")
    public String sayHi() {
        return "This API is Secured";
    }

}

JavaScript
 
@RestControllerpublic class SecuredController {        @GetMapping("/mypath")    public String sayHi() {        return "This API is Secured";    }​}​

standalone-full-ha.xml configuration:

<security-domain name="ldapLogin">
                    <authentication>
                        <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                            <module-option name="java.naming.provider.url" value="ldaps://<ldapserver>:<port>"/>
                            <module-option name="java.naming.security.authentication" value="simple"/>
                            <module-option name="principalDNPrefix" value="uid="/>
                            <module-option name="principalDNSuffix" value=",ou=users,dc=bcn,dc=com"/>
                            <module-option name="rolesCtxDN" value="ou=groups,dc=bcn,dc=com"/>
                            <module-option name="uidAttributeID" value="uniqueMember"/>
                            <module-option name="matchOnUserDN" value="true"/>
                            <module-option name="roleAttributeID" value="cn"/>
                            <module-option name="roleAttributeIsDN" value="false"/>
                            <module-option name="unauthenticatedIdentity" value="guest"/>
                        </login-module>
                    </authentication>
                </security-domain>

JavaScript
 
<security-domain name="ldapLogin">                    <authentication>                        <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">                            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>                            <module-option name="java.naming.provider.url" value="ldaps://<ldapserver>:<port>"/>                            <module-option name="java.naming.security.authentication" value="simple"/>                            <module-option name="principalDNPrefix" value="uid="/>                            <module-option name="principalDNSuffix" value=",ou=users,dc=bcn,dc=com"/>                            <module-option name="rolesCtxDN" value="ou=groups,dc=bcn,dc=com"/>                            <module-option name="uidAttributeID" value="uniqueMember"/>                            <module-option name="matchOnUserDN" value="true"/>                            <module-option name="roleAttributeID" value="cn"/>                            <module-option name="roleAttributeIsDN" value="false"/>                            <module-option name="unauthenticatedIdentity" value="guest"/>                        </login-module>                    </authentication>                </security-domain>​

My dependencies in pom.xml are:

<dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
            <version>${spring-boot.version}</version>
            <exclusions>
                <exclusion>
                    <groupId>org.springframework.boot</groupId>
                    <artifactId>spring-boot-starter-tomcat</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>javax.servlet-api</artifactId>
            <version>4.0.1</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
            <version>${spring-boot.version}</version>
        </dependency>
    </dependencies>

JavaScript
 
<dependencies>        <dependency>            <groupId>org.springframework.boot</groupId>            <artifactId>spring-boot-starter-web</artifactId>            <version>${spring-boot.version}</version>            <exclusions>                <exclusion>                    <groupId>org.springframework.boot</groupId>                    <artifactId>spring-boot-starter-tomcat</artifactId>                </exclusion>            </exclusions>        </dependency>        <dependency>            <groupId>javax.servlet</groupId>            <artifactId>javax.servlet-api</artifactId>            <version>4.0.1</version>        </dependency>        <dependency>            <groupId>org.springframework.boot</groupId>            <artifactId>spring-boot-starter-security</artifactId>            <version>${spring-boot.version}</version>        </dependency>    </dependencies>​

My question is, why the API prompts for credentials multiple times when accessed from browser? I confirm there is nothing wrong with the credentials that are given. Also, the json response suggests some unhandled exception. Not sure, where it is coming from. Any suggestions would be helpful.

The same configuration worked for SOAP based services. For REST, its not working. Does it make difference?

Answer

The spring security dependency adds additional security on top of my LDAP authentication. I removed the dependency and it worked.

Advertisement

Answer