I'm implementing a REST service within an EJB-JAR within an EAR running on the JBoss EAP 7.1.
The unsecured version of the service works fine, but adding even basic HTTP-authentication turned out to be a challenge, since within an EJB-JAR I found no way to specify any required web.xml-entries, like <auth-method>BASIC</auth-method>
So my question is:
How can I configure JAX-RS to use HTTP authentication within an EJB-JAR?
Additional information:
To make things simpler I use default ManagementRealm like this
<security-domain name="my-security-domain" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmDirect" flag="required">
<module-option name="realm" value="ManagementRealm"/>
</login-module>
</authentication>
</security-domain>
In EJB-jar:
#Stateless
#Path("/my-rest")
#SecurityDomain(value = "my-security-domain")
#DenyAll
public class MyRestStatelessBean {
#PUT
#RolesAllowed("admin")
#Path("/doAdminStuff")
public void doAdminStuff() {
// Implementation
}
}
The solution was to use the Proactive authentication feature of the Undertow, that is actually ON by default. Specifying HTTP-BASIC-Authentication header within the request, makes Undertow to try to login the user even through my REST service due to missing web.xml doesn't require any type of authentication.
My complete configuration (using Management JBoss users from mgmt-users.properties):
# Define my security domain
/subsystem=security/security-domain=MY-SECURITY-DOMAIN:add(cache-type=default)
# Link Untertow to Elytron for authentication
/subsystem=undertow/application-security-domain=MY-SECURITY-DOMAIN:add( \
http-authentication-factory="management-http-authentication" \
)
# Add BASIC-HTTP-Authentication support to Elytron
/subsystem=elytron/http-authentication-factory=management-http-authentication:list-add( \
name=mechanism-configurations, \
value={mechanism-name="BASIC", \
mechanism-realm-configurations=[{realm-name="ManagementRealm"}] \
} \
)
# Not sure, why is this required...
/subsystem=ejb3/application-security-domain=MY-SECURITY-DOMAIN:add( \
security-domain="ManagementDomain")
Related
We have to provide Alfresco and jBoss web application users authentication with openLDAP.
The OpenLDAP is configured so, that there is now need to provide any credentials to read openLDAP directory.
In case of jBoss configuration I am not providing these credentials with bindDN and bindCredential tags and authentication is working.
In case of Alfresco that is not the case, if I do not provide ldap.synchronization.java.naming.security.principal and ldap.synchronization.java.naming.security.credentials, I have synchronization error in log:
2019-02-15 10:58:04,466 ERROR [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization aborted due to error
org.alfresco.repo.security.authentication.AuthenticationException: 01150001 Failed to authenticate, username or password is wrong. User name:cn=Manager,dc=company,dc=com Reason [LDAP: error code 49 - Invalid Credentials]
So ldapsearch retreives the openLDAP directory without providing any credentials:
ldapsearch -x -h 10.0.1.15:389 -b "dc=some,dc=ua"
jBoss standalone-full.xml:
<login-module code="LdapExtended" flag="sufficient">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://10.0.1.15:389"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="baseCtxDN" value="ou=Users,dc=some,c=ua"/>
<module-option name="baseFilter" value="(uid={0})"/>
<module-option name="rolesCtxDN" value="ou=Users,dc=some,c=ua"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="roleAttributeIsDN" value="false"/>
<module-option name="roleRecursion" value="1"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="throwValidateError" value="true"/>
</login-module>
Alfresco alfresco-global.properties
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap
ntlm.authentication.sso.enabled=false
alfresco.authentication.authenticateCIFS=false
ldap.authentication.active=true
ldap.synchronization.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=uid=%s,ou=Users,dc=some,dc=ua
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://10.0.1.15:389
ldap.authentication.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.authentication=simple
ldap.authentication.defaultAdministratorUserNames=Admin
ldap.synchronization.java.naming.security.principal=uid\=someUser,ou\=users,dc\=some,dc\=ua
ldap.synchronization.java.naming.security.credentials=12356
ldap.synchronization.groupSearchBase=ou\=Users,dc\=some,dc\=ua
ldap.synchronization.userSearchBase=ou\=Users,dc\=some,dc\=ua
ldap.synchronization.groupQuery=(&(objectclass\=posixGroup)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=posixGroup)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userOrganizationalIdAttributeName=o
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=posixGroup
ldap.synchronization.personType=inetOrgPerson
ldap.authentication.java.naming.read.timeout=0
ldap.synchronization.userAccountStatusProperty=ds-pwp-account-disabled
ldap.synchronization.disabledAccountPropertyValue=true
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
ldap.pooling.com.sun.jndi.ldap.connect.pool.debug=fine
synchronization.autoCreatePeopleOnLogin=true
synchronization.synchronizeChangesOnly=false
synchronization.syncOnStartup=true
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.externalUserControl=true
synchronization.externalUserControlSubsystemName=ldap1
Is it possible to avoid providing OpenLDAP credentials in alfresco-global.properties?
Alfresco Community (Build: 201612)
jBoss EAP-6.4
There are two things going on with Alfresco: Authentication and Synchronization. Authentication against OpenLDAP can happen without a credential because it binds using the user's credential.
Synchronization, however, happens in batch in the background. The synchronization job that runs needs a credential to authenticate with OpenLDAP so it can query for users and groups created or modified since the last check. If you don't provide a credential it would mean your OpenLDAP directory would have to be wide open, which is surely not what you want.
All of the Wildfly (and JBoss AS) docs and Glassfish-to-Wildfly migration examples I've seen use a JDBCrealm requiring database setup and some other config file fiddling.
Q: Is there any equivalent to the simple Glassfish file realm and keyfile in Wildfly ?
[EDIT: more explanation of built-in functionality I seek.]
In the Glassfish browser Administration Console one can go to Configurations > Security > Realms > file and then Manage Users to add new users with a name, group list, and password (for it to encrypt and store easily for you in the keyfile). The asadmin command similarly offers create-file-user to create an entry in the keyfile. That keyfile can then be simply copied from one install version to another. And any groups mentioned during the process can then be referenced as role strings in the web app configuration.
What exactly are you trying to encrypt here?
For encrypting keystore passwords and similar, what you are looking for is called a vault in Wildfly. See https://developer.jboss.org/wiki/MaskingPasswordsForWildFlyUsingNon-interactiveVaultTool.
If you are looking for a way to encrypt datastore passwords specifically, you need to use picketbox to encrypt the passwords beforehand, and use a security domain in the security subsystem for each datastore.
Example script to encrypt password:
#!/bin/bash
PASSWORD=$1
if [ -z "$PASSWORD" ]; then
echo "Usage: `basename $0` <password>"
exit 1
fi
JAVA_HOME="${JAVA_HOME:=/usr/java/default}"
cd /opt/wildfly/modules/system/layers/base/org/picketbox/main
$JAVA_HOME/bin/java -classpath picketbox-4.0.21.Beta1.jar \
org.picketbox.datasource.security.SecureIdentityLoginModule $PASSWORD \
| sed -e 's#Encoded password: ##'
Example security-domain
<subsystem xmlns="urn:jboss:domain:security:1.2">
<security-domains>
...
<security-domain name="my_security_domain" cache-type="default">
<authentication>
<login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
<module-option name="username" value="my_username"/>
<module-option name="password" value="my_encrypted_password"/>
<module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=my_datasource"/>
</login-module>
</authentication>
</security-domain>
</security-domains>
</subsystem>
And in the datasource definition reference it with
<subsystem xmlns="urn:jboss:domain:datasources:3.0">
</datasources>
<datasource pool-name="my_datasource"...>
...
<security>
<security-domain>my_security_domain</security-domain>
</security>
</datasource>
</subsystem>
I realized my implementation of Loginmodule. Installed into WildFly 8.2.0.Final as module. Configure Security Domain.
add jboss-web.xml into my WebApplication in WEB-INF directory, with name of security-domain.
And when I initiate login at web form, I had this error in wildfly:
PBOX000206: Login failure: javax.security.auth.login.LoginException: unable to find LoginModule class: my.webapp.auth.WildLoginModule from [Module "deployment.MyWebApp.war:main" from Service Module Loader]
Why it cannot find my class? when this class resides in jar in wildfly modules.
What is more strange, it woks a couple weeks ago!
At last I've found my answer. I thought mistake should be in configuration of Wildfly, after long reserch and many ways of testing, I've found that my implementation of LoginModule works only if it resides in my WebApplication. But I wanted a separate module, I wanted my WebApp clean from Security realization.
So this is why 'it woks a couple weeks ago!', cause this loginModule was inside my webapp.
Steps to use you own JAAS loginModule:
By the way, this resource JBoss AS7 helped me a lot in my situation
Implement your own Principals, Login module (how to do this you may find in i-net)
Pack this to jar
Install like module into Wildfly (if you need to use it in many projects)
Using CLI install jar as module
hint from resource
Things to remember
When you create your own module, do not forget to add dependency on "org.picketbox" and "javax.api" in the module.xml of your custom module.
module add --name=my.security.module --resources=/path/to/MyLoginModule.jar --dependencies=javax.api,org.picketbox,my.dependencies
Add Security Domain in Wildfly (GUI, CLI or manual edition standalone.xml)
And my mistake was at this step. My sec.domain looks like this:
<security-domain name="mysecdomain" cache-type="default">
<authentication>
<login-module code="my.code.MyLoginModule" flag="required">
<module-option name="jndiDb" value="java:/datasources/myDataSource"/>
<module-option name="userQuery" value=""/>
<module-option name="roleQuery" value=""/>
</login-module>
</authentication>
</security-domain>
This is why it couldn't find my code, it doesn't know in what module to find my code. So this part of standalone.xml should look like this:
<security-domain name="mysecdomain" cache-type="default">
<authentication>
<login-module code="my.code.MyLoginModule" flag="required" ___module="my.security.module"___ >
<module-option name="jndiDb" value="java:/datasources/myDataSource"/>
<module-option name="userQuery" value=""/>
<module-option name="roleQuery" value=""/>
</login-module>
</authentication>
</security-domain>
I didn't configure, or I missed some params in CLI for this param, but this module="my.security.module" should be in your config.
After that my webapp could make login and use this security module.
I have a security domain defined in jboss-web.xml as below
<jboss-web>
<security-domain>java:/jaas/my_ldap_security_domain</security-domain>
<disable-audit>true</disable-audit>
</jboss-web>
I also have defined inside my standalone.xml
<subsystem xmlns="urn:jboss:domain:security:1.2">
<security-domains>
<security-domain name="my_ldap_security_domain" cache-type="default">
<authentication>
<login-module code="LdapExtended" flag="sufficient">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldaps://xxx.xxx.xxx.xxx:yyyy"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="bindDN" value="temp#my.domain"/>
<module-option name="bindCredential" value="mypass"/>
<module-option name="baseCtxDN" value="DC=my,DC=domain"/>
<module-option name="baseFilter" value="(uid={0})"/>
<module-option name="rolesCtxDN" value="DC=my,DC=domain"/>
<module-option name="roleFilter" value="(uniquemember={1})"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="searchScope" value="SUBTREE_SCOPE"/>
<module-option name="roleRecursion" value="0"/>
<module-option name="allowEmptyPasswords" value="true"/>
</login-module>
</authentication>
</security-domain>
</security-domains>
</subsystem>
My only realms present on my standalone.xml are
<security-realms>
<security-realm name="ManagementRealm">
<authentication>
<local default-user="$local" skip-group-loading="true"/>
<properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
<authorization map-groups-to-roles="false">
<properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
<security-realm name="ApplicationRealm">
<authentication>
<local default-user="$local" allowed-users="*" skip-group-loading="true"/>
<properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
<authorization>
<properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
</security-realms>
I did not mention it before because i presumed that this security realms were meant to authenticate the application server console access. Sorry for that.
My doubt is how to create a jsf2 login page to authenticate against what is defined above. I read a lot of articles about but still in the same place beacause most articles use a fake authentication as example (comparing with static strings instead of showing how to consult LDAP server).
Can anyone help me?
i presumed that this security realms were meant to authenticate the application server console access
You're partially correct there. The name="ManagementRealm" does indeed specify a realm config for accessing admin functions. name="ApplicationRealm" would be the attribute to specify for securing a web application
Your current realm config is missing some things necessary for LDAP authentication. I presume you're already familiar with the login-form configuration in web.xml. Your realm configuration should look something like the following, an excerpt from the Wildfly 8 Realm Configuration Manual:
<management>
<security-realms>
<security-realm name="ApplicationRealm">
<authentication>
<ldap connection="EC2" base-dn="CN=Users,DC=darranl,DC=jboss,DC=org">
<username-filter attribute="sAMAccountName" />
</ldap>
</authentication>
</security-realm>
</security-realms>
</management>
Where the <ldap> tag specifies that your lookup is against an LDAP server. Beyond this, you only need follow the standard auth methods for a JavaEE application.
The takeaway from this should be that web application security within JavaEE generally takes the same approach of
Setting up a realm (App-server specific)
Setting up security constraints in web.xml (uniform across all JavaEE applications)
Implementing a login method (Configuration or Programmatic)
Related
Java EE 6 Programmatic security, glassfish and JDBC realm
How to properly logout of a Java EE 6 Web Application after logging in
Performing user authentication in Java EE / JSF using j_security_check
I'm trying to authenticate users of the administrative consoles (Admin, JMX, JBoss Web and JBoss WS) using an LDAP provider defined in conf/login-config.xml:
<application-policy name="LDAP">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
<module-option name="java.naming.provider.url">ldaps://ldap.company.com:636</module-option>
<module-option name="java.naming.security.protocol">ssl</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="bindDN">uid=dummy,cn=users,cn=accounts,dc=company,dc=com</module-option>
<module-option name="bindCredential">secret</module-option>
<module-option name="baseCtxDN">cn=accounts,dc=company,dc=com</module-option>
<module-option name="baseFilter">(&(objectClass=inetOrgPerson)(uid={0}))</module-option>
<module-option name="rolesCtxDN">cn=groups,cn=accounts,dc=company,dc=com</module-option>
<module-option name="roleAttributeID">dn</module-option>
<module-option name="roleFilter">(&(objectClass=posixgroup)(member={1}))</module-option>
<module-option name="roleRecursion">-1</module-option>
<module-option name="searchScope">SUBTREE_SCOPE</module-option>
<module-option name="allowEmptyPasswords">false</module-option>
<module-option name="searchTimeLimit">-1</module-option>
</login-module>
<!-- This login-module is used only in one use case, see below for details
<login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
<module-option name="rolesProperties">props/admin-console-roles.properties</module-option>
</login-module>
-->
</authentication>
</application-policy>
The appropriate JAAS config has been set in the following files:
$ grep LDAP /usr/share/jbossas/server/node1/deploy/admin-console.war/WEB-INF/*xml
/usr/share/jbossas/server/node1/deploy/admin-console.war/WEB-INF/components.xml: <security:identity authenticate-method="#{authenticator.authenticate}" jaas-config-name="LDAP"/>
/usr/share/jbossas/server/node1/deploy/admin-console.war/WEB-INF/jboss-web.xml: <security-domain flushOnSessionInvalidation="true">java:/jaas/LDAP</security-domain>
Connection with the LDAP server works correctly. I have verified that capturing traffic using wireshark and setting org.jboss.secutiry logging to TRACE in jboss-log4j.xml:
<category name="org.jboss.security.auth.spi">
<priority value="TRACE" class="org.jboss.logging.XLevel"></priority>
</category>
I have also set DEBUG level for the org.jboss.seam component:
<category name="org.jboss.seam">
<priority value="DEBUG"/>
</category>
which also verifies that the authentication step is working correctly:
2014-06-09 16:42:41,189 DEBUG [org.jboss.seam.security.Identity] (http-192.0.2.1-8080-6) Login successful for: someuser
There seems to be a problem with authorization, I can't access the admin-console even though the user is correctly authenticated. I've tried two different approaches:
As I don't have a group in my LDAP named JBossAdmin (which is the role used by default):
$ grep JBossAdmin -R *
facelets/resourceNavigation.xhtml: <h:form id="navTreeForm" rendered="#{s:hasRole('JBossAdmin')}">
pages.xml: <rule if="#{s:hasRole('JBossAdmin')}">
pages.xml: <restrict>#{s:hasRole('JBossAdmin')}</restrict>
web.xml: <role-name>JBossAdmin</role-name>
I'm trying to map my LDAP groups and JBoss roles using the RoleMappingLoginModule:
<login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
<module-option name="rolesProperties">props/admin-console-roles.properties</module-option>
</login-module>
The contents of the props/admin-console-roles.properties is:
someuser=JBossAdmin
as documented, the syntax is username=role1,role2.
Replace the occurrences of JBossAdmin with one of the groups present in the LDAP structure, say developers:
$ grep developers -R *
facelets/resourceNavigation.xhtml: <h:form id="navTreeForm" rendered="#{s:hasRole('developers')}">
pages.xml: <rule if="#{s:hasRole('developers')}">
pages.xml: <restrict>#{s:hasRole('developers')}</restrict>
web.xml: <role-name>developers</role-name>
Neither of the two work. I'm stuck at the login page.Moreover, if I insist and press the login button again, I'm greeted with this:
How can I debug it further? Is it possible to map LDAP groups to roles in JBoss 5? Can group names (instead of user names) be used in a role.properties file when using RoleMappingLoginModule?