  1. JBoss Enterprise Application Platform
  2. JBEAP-30217

04144092 | JAAS-Authentication using javax.security.auth.login.LoginContext with Custom Elytron Realm


    • Question
    • Resolution: Done
    • Major
    • Modules, Security

      Hello,

      The customer is migrating his custom login modules to an Elytron custom realm with the help of [1] https://access.redhat.com/solutions/7090019

      But while executing the steps, their module failed with "WFLYELY00045: Failed to load CallbackHandler from the provided module":

      ~~~
      [standalone@localhost:11227 /] module add --name=ch.irix.emis.security --resource-delimiter=, --resources=database-login-module.jar,federation-router-login-module.jar,ldap-login-module.jar,mandant-login-module.jar,login-module-util.jar,emis-siem-logging-client.jar,util.jar --dependencies=com.oracle,javaee.api,javax.api,jakarta.ejb.api,jakarta.jms.api,org.wildfly.security.elytron,org.apache.log4j,org.hibernate,org.jboss.logging
      [standalone@localhost:11227 /] /subsystem=elytron/custom-realm=EmisRealm:add(\
      > module=org.wildfly.extension.elytron.jaas-realm,\
      > class-name=org.wildfly.extension.elytron.JaasCustomSecurityRealmWrapper,\
      > configuration={entry=test,module=ch.irix.emis.security,path=${appl.home}/security/jaas.conf})
      {
      "outcome" => "failed",
      "failure-description" => {"WFLYCTL0080: Failed services" => {"org.wildfly.security.security-realm.EmisRealm" => "java.lang.reflect.InvocationTargetException
      Caused by: java.lang.reflect.InvocationTargetException
      Caused by: java.lang.IllegalStateException: WFLYELY00045: Failed to load CallbackHandler from the provided module."}},
      "rolled-back" => true
      }
      ~~~

      Their JAAS config file contains the entries below:

      ~~~
      /applt/java/jboss-eap-8.0/emisGen2TI/bin $ cat /applt/security/jaas.conf
      emis = {
          ch.egl.emis.business.security.mandantloginmodule.MandantLoginModule sufficient
          ch.egl.emis.business.security.federationrouterloginmodule.FederationRouterLoginModule requisite
          ch.egl.emis.business.security.ldaploginmodule.LdapLoginModule requisite
              java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
              java.naming.provider.url=ldaps://ldaps.axusr.net:636
              java.naming.security.authentication=simple
              bindDN=CN=Svc-EMIS-LDAP,OU=ServiceAccounts,OU=Users,OU=AXTA,OU=RESOURCES,DC=axusr,DC=net
              bindCredential=2Sn4pAHC949yT1
              baseCtxDN=OU=CUSTOMER,DC=axusr,DC=net
              baseFilter=(sAMAccountName={0})
          ch.egl.emis.business.security.databaseloginmodule.DatabaseLoginModule required
      }
      ~~~

      Customer's latest comment:
      I have tried to understand the WildFly source code, and the Java code block from which the exception gets thrown basically does two things: module loading and potentially loading the callback handler. Could it therefore be that the error message is misleading? So, I suspect that JBoss EAP actually fails before trying to potentially load a callback handler due to module loading issues. Therefore, I made another experiment and TRACEd module loading. This is the excerpt from the log right when calling.

      Attached the latest logs.

              Unassigned Unassigned
              rhn-support-ssaharoy Sayan Saha Roy
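
A preflight check for the setup described in this issue, added here as an example (not code from the issue, Red Hat or WildFly): it parses a `jaas.conf` with the JDK's own `JavaLoginConfig` parser, confirms that the entry name given to the realm exists in the file, tries to resolve each login module class, and flags options that hold cleartext secrets. The class name `JaasConfPreflight`, the sample file and `com.example.DemoLoginModule` are constructed; it assumes Java 17 and uses the application class loader, so the login module JARs must be on the classpath to test real classes.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.URIParameter;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

public class JaasConfPreflight {
    // Constructed sample in standard JAAS syntax; com.example.DemoLoginModule is hypothetical.
    static final String SAMPLE = """
        emis {
            com.sun.security.auth.module.LdapLoginModule requisite
                userProvider="ldaps://ldap.example.test:636/ou=people,dc=example,dc=test";
            com.example.DemoLoginModule required bindCredential="placeholder";
        };
        """;

    static void check(Path conf, String entryName, ClassLoader loader) throws Exception {
        // The JDK's own parser: a syntax error in the file surfaces here as an exception.
        Configuration cfg = Configuration.getInstance("JavaLoginConfig", new URIParameter(conf.toUri()));
        AppConfigurationEntry[] modules = cfg.getAppConfigurationEntry(entryName);
        if (modules == null) {
            System.out.println("entry '" + entryName + "' is not defined in " + conf);
            return;
        }
        for (AppConfigurationEntry m : modules) {
            String state;
            try {
                Class.forName(m.getLoginModuleName(), false, loader); // resolve only, no static init
                state = "loadable";
            } catch (ClassNotFoundException | LinkageError e) {
                state = "NOT loadable: " + e;
            }
            System.out.println(m.getLoginModuleName() + " [" + m.getControlFlag() + "] " + state);
            for (String key : m.getOptions().keySet()) {
                String k = key.toLowerCase();
                if (k.contains("credential") || k.contains("password"))
                    System.out.println("  cleartext secret in option '" + key + "' (value not printed)");
            }
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader loader = JaasConfPreflight.class.getClassLoader();
        if (args.length == 2) { check(Path.of(args[0]), args[1], loader); return; }
        Path conf = Files.createTempFile("jaas", ".conf");
        Files.writeString(conf, SAMPLE);
        check(conf, "test", loader);   // entry name absent from the sample
        check(conf, "emis", loader);   // entry name present in the sample
    }
}
```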