Glassfish to Wildfly: security: does Wildfly have an equivalent to the Glassfish file realm and keyfile (incl. admin console/command support)

All of the Wildfly (and JBoss AS) docs and Glassfish-to-Wildfly migration examples I've seen use a JDBC realm, requiring database setup and some other config file fiddling.
Q: Is there any equivalent to the simple Glassfish file realm and keyfile in Wildfly?
[EDIT: more explanation of built-in functionality I seek.]
In the Glassfish browser Administration Console one can go to Configurations > Security > Realms > file and then Manage Users to add new users with a name, group list, and password (for it to encrypt and store easily for you in the keyfile). The asadmin command similarly offers create-file-user to create an entry in the keyfile. That keyfile can then be simply copied from one install version to another. And any groups mentioned during the process can then be referenced as role strings in the web app configuration.

What exactly are you trying to encrypt here?
For encrypting keystore passwords and similar, what you are looking for is called a vault in Wildfly. See https://developer.jboss.org/wiki/MaskingPasswordsForWildFlyUsingNon-interactiveVaultTool.
If you are looking for a way to encrypt datastore passwords specifically, you need to use picketbox to encrypt the passwords beforehand, and use a security domain in the security subsystem for each datastore.
Example script to encrypt password:
#!/bin/bash
PASSWORD=$1
if [ -z "$PASSWORD" ]; then
    echo "Usage: $(basename "$0") <password>"
    exit 1
fi
JAVA_HOME="${JAVA_HOME:=/usr/java/default}"
# Run from the picketbox module directory so the jar is found; stop if it is missing
cd /opt/wildfly/modules/system/layers/base/org/picketbox/main || exit 1
"$JAVA_HOME/bin/java" -classpath picketbox-4.0.21.Beta1.jar \
    org.picketbox.datasource.security.SecureIdentityLoginModule "$PASSWORD" \
    | sed -e 's#Encoded password: ##'
Example security-domain
<subsystem xmlns="urn:jboss:domain:security:1.2">
  <security-domains>
    ...
    <security-domain name="my_security_domain" cache-type="default">
      <authentication>
        <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
          <module-option name="username" value="my_username"/>
          <module-option name="password" value="my_encrypted_password"/>
          <module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=my_datasource"/>
        </login-module>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>
And in the datasource definition reference it with
<subsystem xmlns="urn:jboss:domain:datasources:3.0">
  <datasources>
    <datasource pool-name="my_datasource"...>
      ...
      <security>
        <security-domain>my_security_domain</security-domain>
      </security>
    </datasource>
  </datasources>
</subsystem>

Related

Wildfly 20 - Admin ManagementRealm (security-realm) on ldap SSL

I configured a WildFly 20 and I have a problem with the ManagementRealm (security-realm) on LDAP SSL.
With LDAP it's OK, but as soon as I switch to ldaps the authentication no longer works.
The login window opens and, whatever account I enter (even a true or false login), I am returned to the "Connect to Management Interface" screen (practically blank).
And I have no errors in any log.
I tried WildFly 19 and 20, on CentOS 8.
The truststore does exist; I added it in the startup variable (as well as its password).
Here is an excerpt from my standalone.xml file
<security-realms>
  <security-realm name="ManagementRealm">
    <authentication>
      <local default-user="$local" skip-group-loading="true"/>
      <ldap connection="ldap_connection" base-dn="OU=Utilisateurs,DC=org">
        <advanced-filter filter="(&amp;(sAMAccountName={0})(memberOf=CN=APP-ADMIN,OU=Utilisateurs,DC=org))"/>
      </ldap>
      <truststore path="truststore.jks" relative-to="jboss.server.config.dir" keystore-password="XXX" />
    </authentication>
    <authorization map-groups-to-roles="false">
      <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
    </authorization>
  </security-realm>
  <security-realm name="LdapSSLRealm">
    <authentication>
      <truststore path="truststore.jks" relative-to="jboss.server.config.dir" keystore-password="XXX" />
    </authentication>
  </security-realm>
</security-realms>
<outbound-connections>
  <ldap name="ldap_connection" url="ldaps://serveurad:636" search-dn="user" search-credential="XXX"/>
</outbound-connections>
If anyone has an idea I would appreciate it.
A little late, but I believe you also have to reference the security realm (containing the ref to the trust store) in your <outbound-connection />:
<outbound-connections>
  <ldap name="ldap_connection" url="ldaps://serveurad:636" search-dn="user" search-credential="XXX" security-realm="LdapSSLRealm"/>
</outbound-connections>

Infinispan Server CLI authentification

I tried to start Infinispan 10.1.3 in server mode, but after the security configuration I get the following error in the CLI:
[disconnected]> connect
Username: admin
Password: ********
The user is not allowed to access the server resource: ISPN000287: Unauthorized access: subject 'null' lacks 'ADMIN' permission
As a result I can't connect to my Infinispan server via the CLI :(
I created the whole Infinispan configuration exactly according to the documentation:
In file infinispan.xml I added:
<security>
  <authorization>
    <identity-role-mapper />
    <role name="all" permissions="ALL" />
    <role name="reader" permissions="READ" />
    <role name="writer" permissions="WRITE" />
    <role name="supervisor" permissions="READ WRITE EXEC"/>
  </authorization>
</security>
...
<endpoints socket-binding="default" security-realm="default">
  <hotrod-connector name="hotrod">
    <authentication>
      <sasl mechanisms="SCRAM-SHA-512 SCRAM-SHA-384 SCRAM-SHA-256
                        SCRAM-SHA-1 DIGEST-SHA-512 DIGEST-SHA-384
                        DIGEST-SHA-256 DIGEST-SHA DIGEST-MD5 PLAIN"
            server-name="infinispan"
            qop="auth"/>
    </authentication>
  </hotrod-connector>
  <rest-connector name="rest">
    <authentication mechanisms="DIGEST BASIC"/>
  </rest-connector>
</endpoints>
In file users.properties I added:
admin=123
In file groups.properties I added:
admin=admin
The CLI uses the REST API. I'm not sure if your configuration is correct, but I'm fixing some issues that might be related just now. It will probably be released in the next 10.1.x version:
https://issues.redhat.com/browse/ISPN-11525
Update:
If you upgrade your 10.1.x version, it should work now.

HTTP basic authentication for JAX-RS without web.xml

I'm implementing a REST service within an EJB-JAR within an EAR running on the JBoss EAP 7.1.
The unsecured version of the service works fine, but adding even basic HTTP authentication turned out to be a challenge, since within an EJB-JAR I found no way to specify any of the required web.xml entries, like <auth-method>BASIC</auth-method>.
So my question is:
How can I configure JAX-RS to use HTTP authentication within an EJB-JAR?
Additional information:
To make things simpler I use the default ManagementRealm like this:
<security-domain name="my-security-domain" cache-type="default">
  <authentication>
    <login-module code="Remoting" flag="optional">
      <module-option name="password-stacking" value="useFirstPass"/>
    </login-module>
    <login-module code="RealmDirect" flag="required">
      <module-option name="realm" value="ManagementRealm"/>
    </login-module>
  </authentication>
</security-domain>
In EJB-jar:
import javax.annotation.security.DenyAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@Path("/my-rest")
@SecurityDomain(value = "my-security-domain")
@DenyAll                       // deny everything by default; open methods explicitly
public class MyRestStatelessBean {
    @PUT
    @RolesAllowed("admin")     // only callers in the "admin" group may invoke this
    @Path("/doAdminStuff")
    public void doAdminStuff() {
        // Implementation
    }
}
The solution was to use the proactive authentication feature of Undertow, which is actually ON by default. Specifying the HTTP Basic Authentication header in the request makes Undertow try to log the user in, even though my REST service, due to the missing web.xml, doesn't require any type of authentication.
My complete configuration (using Management JBoss users from mgmt-users.properties):
# Define my security domain
/subsystem=security/security-domain=MY-SECURITY-DOMAIN:add(cache-type=default)
# Link Undertow to Elytron for authentication
/subsystem=undertow/application-security-domain=MY-SECURITY-DOMAIN:add( \
    http-authentication-factory="management-http-authentication" \
)
# Add BASIC HTTP authentication support to Elytron
/subsystem=elytron/http-authentication-factory=management-http-authentication:list-add( \
    name=mechanism-configurations, \
    value={mechanism-name="BASIC", \
           mechanism-realm-configurations=[{realm-name="ManagementRealm"}] \
    } \
)
# Not sure why this is required...
/subsystem=ejb3/application-security-domain=MY-SECURITY-DOMAIN:add( \
    security-domain="ManagementDomain")

JBoss EAP 7: xa transaction warning “No security domain defined for crash recovery” even with a security domain

I have a JBoss EAP 7.1 with some XA datasource.
The datasource has a security domain:
<security>
  <security-domain>encrypted-ds</security-domain>
</security>
which makes use of the encrypted-password login module (for various political reasons):
<security-domain name="encrypted-ds" cache-type="default">
  <authentication>
    <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
      <module-option name="username" value="user_name_here"/>
      <module-option name="password" value="some_hash_here"/>
    </login-module>
  </authentication>
</security-domain>
Yet, I get these cyclic warning messages once the server has started:
11:25:15,506 WARN [org.jboss.jca.core.tx.jbossts.XAResourceRecoveryImpl] (Periodic Recovery) IJ000904: No security domain defined for crash recovery: java:/jdbc/myDataSource
11:25:15,511 WARN [org.jboss.jca.core.tx.jbossts.XAResourceRecoveryImpl] (Periodic Recovery) IJ000905: Subject for crash recovery was null: java:/jdbc/myDataSource
This is similar to, but not the same as, the question Wildfly xa transaction warning "No security domain defined for crash recovery", as here I have a username and an encrypted password, and a security domain. I can fathom why the system would consider there is no security domain nor subject/username.
You can add the same security domain for recovery:
<recovery>
  <recover-credential>
    <security-domain>your sec domain here</security-domain>
  </recover-credential>
</recovery>
I ended up using the JBoss Vault to manage the encrypted password.
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html-single/how_to_configure_server_security/index#secure_passwords

Wildfly 8 not finding MyLoginModule

I wrote my own implementation of LoginModule, installed it into WildFly 8.2.0.Final as a module, and configured a security domain.
I added jboss-web.xml to my web application's WEB-INF directory, with the name of the security domain.
And when I initiate login at the web form, I get this error in WildFly:
PBOX000206: Login failure: javax.security.auth.login.LoginException: unable to find LoginModule class: my.webapp.auth.WildLoginModule from [Module "deployment.MyWebApp.war:main" from Service Module Loader]
Why can't it find my class, when this class resides in a jar in the WildFly modules?
What is stranger, it worked a couple of weeks ago!
At last I've found my answer. I thought the mistake must be in the configuration of WildFly; after long research and many ways of testing, I found that my implementation of LoginModule works only if it resides in my web application. But I wanted a separate module; I wanted my web app clean of the security implementation.
So this is why 'it worked a couple of weeks ago!': because this LoginModule was inside my web app.
Steps to use your own JAAS LoginModule:
By the way, this resource, JBoss AS7, helped me a lot in my situation.
Implement your own Principals and LoginModule (how to do this you can find on the internet).
Pack this into a jar.
Install it as a module into WildFly (if you need to use it in many projects).
Using the CLI, install the jar as a module.
Hint from the resource:
Things to remember
When you create your own module, do not forget to add dependency on "org.picketbox" and "javax.api" in the module.xml of your custom module.
module add --name=my.security.module --resources=/path/to/MyLoginModule.jar --dependencies=javax.api,org.picketbox,my.dependencies
Add a security domain in WildFly (GUI, CLI or manually editing standalone.xml).
And my mistake was at this step. My security domain looked like this:
<security-domain name="mysecdomain" cache-type="default">
  <authentication>
    <login-module code="my.code.MyLoginModule" flag="required">
      <module-option name="jndiDb" value="java:/datasources/myDataSource"/>
      <module-option name="userQuery" value=""/>
      <module-option name="roleQuery" value=""/>
    </login-module>
  </authentication>
</security-domain>
This is why it couldn't find my code: it doesn't know in what module to find my code. So this part of standalone.xml should look like this:
<security-domain name="mysecdomain" cache-type="default">
  <authentication>
    <login-module code="my.code.MyLoginModule" flag="required" module="my.security.module">
      <module-option name="jndiDb" value="java:/datasources/myDataSource"/>
      <module-option name="userQuery" value=""/>
      <module-option name="roleQuery" value=""/>
    </login-module>
  </authentication>
</security-domain>
I didn't configure it, or I missed some params in the CLI for this param, but this module="my.security.module" should be in your config.
After that my web app could log in and use this security module.
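Added example, not part of any answer above and not WildFly's own tooling: a small Python lint over a standalone.xml that flags the three misconfigurations discussed on this page, an ldaps outbound connection with no security-realm (LDAP SSL question), an XA datasource whose security-domain has no recover-credential counterpart (crash-recovery question), and a custom login-module without a module attribute (MyLoginModule question). The sample XML is constructed, and treating any dotted class name outside org.picketbox as "custom" is an assumed heuristic.

```python
# Added example (not from the page or WildFly): namespace-agnostic lint for three standalone.xml mistakes.
import xml.etree.ElementTree as ET

SAMPLE = """<server>
 <outbound-connections>
  <ldap name="ldap_connection" url="ldaps://serveurad:636" search-dn="user" search-credential="XXX"/>
 </outbound-connections>
 <subsystem xmlns="urn:jboss:domain:security:1.2"><security-domains>
  <security-domain name="mysecdomain"><authentication>
   <login-module code="my.code.MyLoginModule" flag="required"/>
  </authentication></security-domain></security-domains></subsystem>
 <subsystem xmlns="urn:jboss:domain:datasources:3.0"><datasources>
  <xa-datasource pool-name="my_datasource">
   <security><security-domain>encrypted-ds</security-domain></security>
  </xa-datasource></datasources></subsystem>
</server>"""  # constructed sample reproducing all three problems

def local(tag):  # subsystems carry their own xmlns, so compare local names only
    return tag.rsplit("}", 1)[-1]

def child(elem, path):  # namespace-agnostic find along a '/'-separated path of local names
    for name in path.split("/"):
        elem = next((c for c in elem if local(c.tag) == name), None)
        if elem is None:
            return None
    return elem

def lint(xml_text):
    root = ET.fromstring(xml_text)
    findings = []
    for e in root.iter():
        name = local(e.tag)
        # 1. An ldaps:// outbound connection must name the realm that holds the truststore.
        if name == "ldap" and e.get("url", "").startswith("ldaps://") and not e.get("security-realm"):
            findings.append(f"ldap {e.get('name')}: ldaps URL without security-realm")
        # 2. An XA datasource with a security-domain needs the same domain for crash recovery.
        elif name == "xa-datasource":
            sd, rec = child(e, "security/security-domain"), child(e, "recovery/recover-credential/security-domain")
            if sd is not None and (rec is None or rec.text != sd.text):
                findings.append(f"xa-datasource {e.get('pool-name')}: no recover-credential security-domain")
        # 3. A custom login-module class (assumed heuristic: dotted name, not picketbox) needs module=.
        elif name == "login-module":
            code = e.get("code", "")
            if "." in code and not code.startswith("org.picketbox.") and not e.get("module"):
                findings.append(f"login-module {code}: custom class without module attribute")
    return findings
```

Run `lint(open("standalone.xml").read())` against a real configuration; an empty list means none of the three problems was found.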