 

Wildfly Security Constraint Ignored

I am trying to secure a demo web application on WildFly. I have defined this security domain in the standalone.xml:

    <security-domains>
        <security-domain name="projects" cache-type="default">
            <authentication>
                <login-module code="Database" flag="required">
                    <module-option name="dsJndiName" value="java:jboss/datasources/TestDS"/>
                    <module-option name="rolesQuery" value="SELECT role, 'Roles' FROM users WHERE username=?"/>
                    <module-option name="hashAlgorithm" value="MD5"/>
                    <module-option name="hashEncoding" value="hex"/>
                    <module-option name="principalsQuery" value="SELECT password from users WHERE username=?"/>
                </login-module>
            </authentication>
            <authorization>
                <policy-module code="Database" flag="required">
                    <module-option name="dsJndiName" value="java:jboss/datasources/school"/>
                    <module-option name="rolesQuery" value="SELECT role, 'Roles' FROM users WHERE username=?"/>
                    <module-option name="hashAlgorithm" value="MD5"/>
                    <module-option name="hashEncoding" value="hex"/>
                    <module-option name="principalsQuery" value="SELECT password from users WHERE username=?"/>
                </policy-module>
            </authorization>
        </security-domain>
    </security-domains>

Then, under WEB-INF, I have defined these security constraints in the web.xml:

    <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" id="WebApp_ID" version="3.1">
      
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>projects</web-resource-name>
          <url-pattern>/twp/projects/*</url-pattern>
          <http-method>POST</http-method>
          <http-method>GET</http-method>
          <http-method>PUT</http-method>
          <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>ADMINISTRATOR</role-name>
        </auth-constraint>
      </security-constraint>
      
      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>projects</realm-name>
        <form-login-config>
          <form-login-page>/login.xhtml</form-login-page>
          <form-error-page>/error.xhtml</form-error-page>
        </form-login-config>
      </login-config>
      <security-role>
        <role-name>ADMINISTRATOR</role-name>
      </security-role>
      <security-role>
        <role-name>USER</role-name>
      </security-role>
    </web-app>

and this content in the jboss-web.xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <jboss-web>
      <security-domain>java:/jaas/projects</security-domain>
    </jboss-web>

The problem is that if I go to the /projects URL I am not redirected to the login page, as if the constraint were ignored.

asked Nov 25 '17 19:11 by Andrea Sindico


1 Answer

With your configuration, it works fine. At the console, do you get these two lines?

    WARN  [io.undertow.servlet] (ServerService Thread Pool -- 7) UT015020: Path /twp/projects/* is secured for some HTTP methods, however it is not secured for [TRACE, HEAD, CONNECT, OPTIONS]
    INFO  [org.wildfly.extension.undertow] (ServerService Thread Pool -- 7) WFLYUT0021: Registered web context: '/test-1.0-SNAPSHOT' for server 'default-server'

If not, you should place your configuration in the correct sections of WildFly's standalone.xml.

The first means that the path is secured and the second tells you the registered web context.

Every URL under http://localhost:8080/test-1.0-SNAPSHOT/twp/projects will be secured and redirected to the login page.

For example:

http://localhost:8080/test-1.0-SNAPSHOT/twp/projects/all

but not:

http://localhost:8080/test-1.0-SNAPSHOT/twp/all

I use WildFly 11 with urn:jboss:domain:security:2.0 and not Elytron.

answered Sep 26 '22 14:09 by ddarellis
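The UT015020 warning quoted in the answer is worth reading as a security finding rather than as noise: because the question's web.xml lists explicit `<http-method>` elements, the constraint on `/twp/projects/*` only covers GET, POST, PUT and DELETE, and a HEAD, OPTIONS or TRACE request to the same path is not constrained at all. Dropping the `<http-method>` elements (which constrains every method) or adding Servlet 3.1's `<deny-uncovered-http-methods/>` closes that gap. The script below is an added example, not code from the question, the answer or WildFly: it parses a web.xml, applies the Servlet URL-pattern matching rules (exact, `/prefix/*`, `*.ext`, `/`), and reports for a given path and method whether a constraint applies and which roles it requires, plus the uncovered-method list that Undertow's warning is computed from. The two embedded web.xml strings are constructed from the question's constraint (as posted, and a hardened variant with no method list); the `COMMON_METHODS` set and the spec-combination rules in `check` are my reading of Servlet 3.1 section 13.8.1 and are an assumption of this example, not something the page states.

```python
"""Offline coverage check for servlet <security-constraint> elements (added example).

Parses a web.xml, applies the Servlet URL-pattern matching rules and reports
whether a (path, method) request falls under a constraint. It also lists the
HTTP methods a constraint leaves uncovered, the gap Undertow's UT015020 names.
"""
import xml.etree.ElementTree as ET

NS = {"j": "http://xmlns.jcp.org/xml/ns/javaee"}

# Constructed sample: the constraint from the question. Listing methods
# explicitly leaves HEAD/OPTIONS/TRACE/CONNECT on the same path unprotected.
WEB_XML_AS_POSTED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>projects</web-resource-name>
      <url-pattern>/twp/projects/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>ADMINISTRATOR</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed hardened variant: no <http-method> means every method is covered.
WEB_XML_ALL_METHODS = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>projects</web-resource-name>
      <url-pattern>/twp/projects/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>ADMINISTRATOR</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Assumed method set: the four named in UT015020 plus the usual listed ones.
COMMON_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}


def parse_constraints(xml_text):
    """One entry per <web-resource-collection>: url patterns, methods (None = all),
    omitted methods, and the roles of the enclosing <auth-constraint>
    (None = no auth-constraint at all, [] = auth-constraint naming no roles)."""
    root = ET.fromstring(xml_text)
    entries = []
    for sc in root.findall("j:security-constraint", NS):
        ac = sc.find("j:auth-constraint", NS)
        roles = None if ac is None else [r.text.strip() for r in ac.findall("j:role-name", NS)]
        for wrc in sc.findall("j:web-resource-collection", NS):
            methods = {m.text.strip().upper() for m in wrc.findall("j:http-method", NS)}
            omitted = {m.text.strip().upper() for m in wrc.findall("j:http-method-omission", NS)}
            entries.append({"patterns": [p.text.strip() for p in wrc.findall("j:url-pattern", NS)],
                            "methods": methods or None, "omitted": omitted, "roles": roles})
    return entries


def pattern_matches(pattern, path):
    """Servlet URL-pattern rules: exact, path prefix (/x/*), extension (*.ext), default (/)."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def method_covered(entry, method):
    if entry["methods"] is None:
        return method not in entry["omitted"]
    return method in entry["methods"]


def uncovered_methods(entry):
    """Methods that reach the pattern without any constraint (what UT015020 reports)."""
    if entry["methods"] is None:
        return sorted(entry["omitted"])
    return sorted(COMMON_METHODS - entry["methods"])


def check(entries, path, method):
    """Combine matching constraints (assumed reading of Servlet 3.1 section 13.8.1):
    an auth-constraint naming no roles precludes access; a constraint with no
    auth-constraint allows unauthenticated access; otherwise the union of roles."""
    method = method.upper()
    matched = [e for e in entries if method_covered(e, method)
               and any(pattern_matches(p, path) for p in e["patterns"])]
    if not matched:
        return ("open", [])
    if any(e["roles"] == [] for e in matched):
        return ("deny", [])
    if any(e["roles"] is None for e in matched):
        return ("open", [])
    return ("roles", sorted(set().union(*(set(e["roles"]) for e in matched))))


if __name__ == "__main__":
    posted = parse_constraints(WEB_XML_AS_POSTED)
    for path, method in [("/twp/projects/all", "GET"), ("/twp/all", "GET"),
                         ("/twp/projects/all", "HEAD")]:
        print(f"{method:5} {path:20} -> {check(posted, path, method)}")
    print("uncovered as posted :", uncovered_methods(posted[0]))
    print("uncovered hardened  :", uncovered_methods(parse_constraints(WEB_XML_ALL_METHODS)[0]))
```

Run against the constraint as posted, `/twp/projects/all` with GET requires ADMINISTRATOR and `/twp/all` is open, which is exactly what the answer describes; the third probe shows that HEAD on the protected path is also open, and the hardened variant reports no uncovered methods. Point `parse_constraints` at a real deployment's web.xml to audit it before trusting the server log.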