JBoss Wildfly - Authentication of Web App against LDAP - authentication

I have a security domain defined in jboss-web.xml as below
<jboss-web>
<security-domain>java:/jaas/my_ldap_security_domain</security-domain>
<disable-audit>true</disable-audit>
</jboss-web>
I also have defined inside my standalone.xml
<subsystem xmlns="urn:jboss:domain:security:1.2">
<security-domains>
<security-domain name="my_ldap_security_domain" cache-type="default">
<authentication>
<login-module code="LdapExtended" flag="sufficient">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldaps://xxx.xxx.xxx.xxx:yyyy"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="bindDN" value="temp#my.domain"/>
<module-option name="bindCredential" value="mypass"/>
<module-option name="baseCtxDN" value="DC=my,DC=domain"/>
<module-option name="baseFilter" value="(uid={0})"/>
<module-option name="rolesCtxDN" value="DC=my,DC=domain"/>
<module-option name="roleFilter" value="(uniquemember={1})"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="searchScope" value="SUBTREE_SCOPE"/>
<module-option name="roleRecursion" value="0"/>
<module-option name="allowEmptyPasswords" value="true"/>
</login-module>
</authentication>
</security-domain>
</security-domains>
</subsystem>
My only realms present on my standalone.xml are
<security-realms>
<security-realm name="ManagementRealm">
<authentication>
<local default-user="$local" skip-group-loading="true"/>
<properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
<authorization map-groups-to-roles="false">
<properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
<security-realm name="ApplicationRealm">
<authentication>
<local default-user="$local" allowed-users="*" skip-group-loading="true"/>
<properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
<authorization>
<properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
</security-realms>
I did not mention it before because I presumed that these security realms were meant to authenticate the application server console access. Sorry for that.
My doubt is how to create a JSF2 login page to authenticate against what is defined above. I have read a lot of articles about it but am still in the same place, because most articles use a fake authentication as an example (comparing with static strings instead of showing how to consult the LDAP server).
Can anyone help me?

"I presumed that these security realms were meant to authenticate the application server console access"
You're partially correct there. The name="ManagementRealm" does indeed specify a realm config for accessing admin functions. name="ApplicationRealm" would be the attribute to specify for securing a web application.
Your current realm config is missing some things necessary for LDAP authentication. I presume you're already familiar with the login-form configuration in web.xml. Your realm configuration should look something like the following, an excerpt from the Wildfly 8 Realm Configuration Manual:
<management>
  <security-realms>
    <security-realm name="ApplicationRealm">
      <authentication>
        <ldap connection="EC2" base-dn="CN=Users,DC=darranl,DC=jboss,DC=org">
          <username-filter attribute="sAMAccountName" />
        </ldap>
      </authentication>
    </security-realm>
 
  </security-realms>
</management>
Where the <ldap> tag specifies that your lookup is against an LDAP server. Beyond this, you only need follow the standard auth methods for a JavaEE application.
The takeaway from this should be that web application security within JavaEE generally takes the same approach of:
- Setting up a realm (App-server specific)
- Setting up security constraints in web.xml (uniform across all JavaEE applications)
- Implementing a login method (Configuration or Programmatic)

Related

Authentication fail using LDAP Login Module for Teiid VDB Data Virtualization

We are currently running into issues when configuring LDAP authentication for a deployed VDB; we would like to enter our Active Directory username and password when authenticating.
We have successfully configured LDAP authentication for the admin console, but are running into errors during server start up.
I have been able to successfully configure authentication for the admin console at hostname:9990. I have done so with the following changes to Standalone.xml, so that we can provide our Active Directory user/pass and log in to the admin console.
Below are the defined security domain, with which we are running into issues, and a security realm which is working.
This is the error we are receiving
ERROR [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-1) Exception during createSubject() for java:/refresh: PBOX000016: Access denied: authentication failed: java.lang.SecurityException: PBOX000016: Access denied: authentication failed
at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:84)
at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1086)
at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1081)
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.8.0_121]
at org.jboss.jca.deployers.common.AbstractDsDeployer.createSubject(AbstractDsDeployer.java:1080)
at org.jboss.jca.deployers.common.AbstractDsDeployer.deployDataSource(AbstractDsDeployer.java:600)
at org.jboss.jca.deployers.common.AbstractDsDeployer.createObjectsAndInjectValue(AbstractDsDeployer.java:282)
at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer.deploy(AbstractDataSourceService.java:318)
at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService.start(AbstractDataSourceService.java:122)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1980)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1913)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_121]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_121]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_121]
This is the security realm which is working when authenticating for the admin panel
<security-realm name="ldap-security-realm">
<authentication>
<ldap connection="ldap-connection" base-dn="dc=main">
<advanced-filter filter="(&amp;(sAMAccountName={0}))"/>
</ldap>
</authentication>
</security-realm>
<outbound-connections>
<ldap name="ldap-connection" url="ldap://hostname:389" search-dn="adminusername" search-credential="adminpassword"/>
</outbound-connections>
This is the security domain which we are trying to enable authentication for a deployed VDB
<datasource jndi-name="java:/refresh" pool-name="refresh" enabled="true">
<connection-url>jdbc:teiid:refresh@mm://hostname:31000</connection-url>
<driver>teiid</driver>
<security>
<security-domain>test_ldap_security_domain</security-domain>
</security>
</datasource>
<security-domain name="test_ldap_security_domain">
<authentication>
<login-module code="LdapExtended" flag="sufficient">
<module-option name="java.naming.provider.url" value="ldap://hostname:389" />
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
<module-option name="java.naming.security.authentication" value="simple" />
<module-option name="bindDN" value="adminusername" />
<module-option name="bindCredential" value="adminpassword" />
<module-option name="distinguishedNameAttribute" value="sAMAccountName" />
<module-option name="baseFilter" value="(sAMAccountName={0})" />
<module-option name="baseCtxDN" value="dc=main" />
</login-module>
</authentication>
</security-domain>
<transport name="odata">
<authentication security-domain="test_ldap_security_domain"/>
</transport>
<transport name="jdbc" socket-binding="teiid-jdbc" protocol="teiid">
<authentication security-domain="test_ldap_security_domain"/>
</transport>
<transport name="odbc" socket-binding="teiid-odbc" protocol="pg">
<authentication security-domain="test_ldap_security_domain"/>
<ssl mode="disabled"/>
</transport>
The data source configuration by default during the startup tries to create a minimum number of connections. Since data source is secured based on user credentials and there is no active user during the startup it fails.
Change the data source configuration not to create any connections during the startup.
<pool>
<prefill>false</prefill>
</pool>

Issue authenticating user on JBoss 7 against LDAP

I am trying to set up authentication for an application on JBoss 7 against an LDAP server. Below is the link I have followed for the configuration:
LDAP authentication with JBoss 7
The LDAP login module performs three queries against the LDAP server to log in a user, as follows:
As per JBoss in Action, there are 3 steps how JBoss LDAP Login Module works:
- The first query looks up the user object using only the login id. This search is similar to the first ldapsearch query that we showed you earlier.
- A second query is a login attempt using the user’s login id and the password.
- The last query obtains the group objects.
The password is used, but you don’t have to reference it in the login module. Now let’s take a look at another login module that helps simplify development and testing.
Looking in the LDAP server logs, it looks like my setup is only doing the first step but not the second, so the login fails with a password error:
10:47:11,448 DEBUG [org.jboss.security] (http-/127.0.0.1:9080-1) PBOX000283: Bad password for username testuser1
10:47:11,450 TRACE [org.jboss.security] (http-/127.0.0.1:9080-1) PBOX000244: Begin abort method
10:47:11,450 DEBUG [org.jboss.security] (http-/127.0.0.1:9080-1) PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070: Password invalid/Password required
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:286) [picketbox-4.1.1.Final-redhat-1.jar:4.1.1.Final-redhat-1]
Here is the configuration from my standalone.xml:
<security-domain name="LDAPAuth" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://localhost:389"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="bindDN" value="cn=admin"/>
<module-option name="bindCredential" value="********"/>
<module-option name="baseCtxDN" value="ou=Internal,cn=Users,dc=company,dc=local"/>
<module-option name="baseFilter" value="(cn={0})"/>
<module-option name="roleFilter" value="(uniqumember={1})"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="Context.REFERRAL" value="follow"/>
<module-option name="throwValidateError" value="true"/>
<module-option name="roleRecursion" value="0"/>
<module-option name="searchScope" value="SUBTREE_SCOPE"/>
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="Context.REFERRAL" value="follow"/>
<module-option name="throwValidateError" value="true"/>
</login-module>
</authentication>
</security-domain>
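
An added example, not part of the original posts: a small Python linter that parses a security-domain or application-policy and flags the LDAP login-module settings seen in the configurations on this page (allowEmptyPasswords, simple bind over ldap://, a literal bindCredential, repeated options, an unrecognised roleFilter attribute). The check names and the sample XML are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample built from option values quoted on this page; check ids are this example's own.
SAMPLE = """<security-domain name="LDAPAuth" cache-type="default">
  <authentication>
    <login-module code="LdapExtended" flag="required">
      <module-option name="java.naming.provider.url" value="ldap://localhost:389"/>
      <module-option name="bindCredential" value="mypass"/>
      <module-option name="roleFilter" value="(uniqumember={1})"/>
      <module-option name="allowEmptyPasswords" value="true"/>
      <module-option name="throwValidateError" value="true"/>
      <module-option name="throwValidateError" value="true"/>
    </login-module>
  </authentication>
</security-domain>"""

MEMBER_ATTRS = {"member", "uniquemember", "memberuid"}  # common group-membership attributes

def local(tag):
    """Drop an XML namespace prefix such as {urn:jboss:domain:security:1.2}."""
    return tag.rsplit("}", 1)[-1]

def options(module):
    """(name, value) pairs; accepts value="..." (standalone.xml) and element text (login-config.xml)."""
    pairs = []
    for opt in module:
        if local(opt.tag) == "module-option":
            value = opt.get("value")
            pairs.append((opt.get("name"), value if value is not None else (opt.text or "").strip()))
    return pairs

def audit(xml_text):
    """Return (check_id, detail) findings for every LDAP login-module found in xml_text."""
    findings = []
    for module in ET.fromstring(xml_text).iter():
        if local(module.tag) != "login-module" or "Ldap" not in module.get("code", ""):
            continue
        pairs = options(module)
        opts = dict(pairs)
        for name, count in Counter(n for n, _ in pairs).items():
            if count > 1:
                findings.append(("DUPLICATE_OPTION", f"{name} is set {count} times"))
        # An empty password forwarded to the directory may be accepted as an anonymous bind.
        empty = opts.get("allowEmptyPasswords", "unset").lower()
        if empty != "false":
            findings.append(("EMPTY_PASSWORD", f"allowEmptyPasswords is {empty}; set it to false"))
        url = opts.get("java.naming.provider.url", "")
        auth = opts.get("java.naming.security.authentication", "simple")
        if url.lower().startswith("ldap://") and auth == "simple":
            findings.append(("CLEARTEXT_BIND", f"simple bind over {url} sends passwords unencrypted"))
        # Values starting with ${ are treated as expressions (for example a vault reference).
        cred = opts.get("bindCredential")
        if cred and not cred.startswith("${"):
            findings.append(("LITERAL_BIND_CREDENTIAL", "bindCredential is a literal in the config"))
        for attr in re.findall(r"\(\s*([\w-]+)\s*=\s*\{[01]\}\s*\)", opts.get("roleFilter", "")):
            if attr.lower() not in MEMBER_ATTRS:
                findings.append(("ROLE_FILTER_ATTRIBUTE", f"unrecognised membership attribute '{attr}'"))
    return findings

if __name__ == "__main__":
    for check_id, detail in audit(SAMPLE):
        print(f"{check_id}: {detail}")
```

The same audit() call accepts a whole subsystem element from standalone.xml or a login-config.xml policy, since namespaces and both module-option spellings are handled.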

Switchyard basic authentication

The following authentication policy is defined in login-config.xml
<policy>
<!--- - - - -->
<application-policy name="myAuthenticationPolicy">
<authentication>
<login-module code="com.ge.trans.mp.samp.jaas.LoggingLdapExtLoginModule" flag="required">
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
A switchyard configuration is below:
<switchyard xmlns="urn:switchyard-config:switchyard:1.0"
xmlns:sy="urn:switchyard-config:switchyard:1.0"
xmlns:bean="urn:switchyard-component-bean:config:1.0"
xmlns:camel="urn:switchyard-component-camel:config:1.0"
xmlns:http="urn:switchyard-component-http:config:1.0"
xmlns:sca="http://docs.oasis-open.org/ns/opencsa/sca/200912">
<sca:composite name="http-bridge-esb" targetNamespace="urn:switchyard-quickstart:http-binding:1.0">
<sca:service name="httpPostService" promote="HttpPostBuilder/HttpPost" sy:security="basic-auth">
<http:binding.http>
<operationSelector operationName="postMessage"/>
<http:contextPath>myContextPath</http:contextPath>
</http:binding.http>
</sca:service>
<sca:component name="HttpPostBuilder">
<camel:implementation.camel>
<camel:xml path="META-INF/route.xml"/>
</camel:implementation.camel>
<sca:service name="HttpPost">
<sca:interface.java interface="my.post.Class"/>
</sca:service>
</sca:component>
</sca:composite>
<domain>
<securities>
<security name="basic-auth" securityDomain="myAuthenticationPolicy" rolesAllowed="mesgPoster"/>
</securities>
</domain>
</switchyard>
This configuration starts up in JBoss 6.1 EAP and appears to receive messages correctly, however it does not appear to authenticate.
I am presuming that the default username password callback handler is used to handle basic auth, and am also presuming the security domain reference in the security element relates to the application policy name configured in login-config.xml.
I seem unable to locate an example configuration showing basic auth authentication using an LDAP configuration policy.
If someone could point out the dots that I am missing, or somewhere that an example for a switchyard basic auth configuration exists it would be greatly appreciated.
Your login-config.xml is incomplete and invalid.
It should look something like this:
<application-policy name="myAuthenticationPolicy">
<authentication>
<login-module flag="required" code="org.jboss.security.auth.spi.LdapExtLoginModule">
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
<module-option name="java.naming.provider.url">ldap://XXX:389/</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="bindDN">XXX\XXX</module-option>
<module-option name="bindCredential">XXX</module-option>
<module-option name="baseCtxDN">dc=XXX,dc=XXX</module-option>
<module-option name="baseFilter">(sAMAccountName={0})</module-option>
<module-option name="rolesCtxDN">dc=XXX,dc=XXX</module-option>
<module-option name="roleFilter">(member={1})</module-option>
<module-option name="roleAttributeIsDN">true</module-option>
<module-option name="roleNameAttributeID">name</module-option>
<module-option name="java.naming.referral">follow</module-option>
</login-module>
</authentication>
</application-policy>

Mapping LDAP groups to roles in JBoss 5

I'm trying to authenticate users of the administrative consoles (Admin, JMX, JBoss Web and JBoss WS) using an LDAP provider defined in conf/login-config.xml:
<application-policy name="LDAP">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
<module-option name="java.naming.provider.url">ldaps://ldap.company.com:636</module-option>
<module-option name="java.naming.security.protocol">ssl</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="bindDN">uid=dummy,cn=users,cn=accounts,dc=company,dc=com</module-option>
<module-option name="bindCredential">secret</module-option>
<module-option name="baseCtxDN">cn=accounts,dc=company,dc=com</module-option>
<module-option name="baseFilter">(&amp;(objectClass=inetOrgPerson)(uid={0}))</module-option>
<module-option name="rolesCtxDN">cn=groups,cn=accounts,dc=company,dc=com</module-option>
<module-option name="roleAttributeID">dn</module-option>
<module-option name="roleFilter">(&amp;(objectClass=posixgroup)(member={1}))</module-option>
<module-option name="roleRecursion">-1</module-option>
<module-option name="searchScope">SUBTREE_SCOPE</module-option>
<module-option name="allowEmptyPasswords">false</module-option>
<module-option name="searchTimeLimit">-1</module-option>
</login-module>
<!-- This login-module is used only in one use case, see below for details
<login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
<module-option name="rolesProperties">props/admin-console-roles.properties</module-option>
</login-module>
-->
</authentication>
</application-policy>
The appropriate JAAS config has been set in the following files:
$ grep LDAP /usr/share/jbossas/server/node1/deploy/admin-console.war/WEB-INF/*xml
/usr/share/jbossas/server/node1/deploy/admin-console.war/WEB-INF/components.xml: <security:identity authenticate-method="#{authenticator.authenticate}" jaas-config-name="LDAP"/>
/usr/share/jbossas/server/node1/deploy/admin-console.war/WEB-INF/jboss-web.xml: <security-domain flushOnSessionInvalidation="true">java:/jaas/LDAP</security-domain>
Connection with the LDAP server works correctly. I have verified that by capturing traffic using Wireshark and setting org.jboss.security logging to TRACE in jboss-log4j.xml:
<category name="org.jboss.security.auth.spi">
<priority value="TRACE" class="org.jboss.logging.XLevel"></priority>
</category>
I have also set DEBUG level for the org.jboss.seam component:
<category name="org.jboss.seam">
<priority value="DEBUG"/>
</category>
which also verifies that the authentication step is working correctly:
2014-06-09 16:42:41,189 DEBUG [org.jboss.seam.security.Identity] (http-192.0.2.1-8080-6) Login successful for: someuser
There seems to be a problem with authorization, I can't access the admin-console even though the user is correctly authenticated. I've tried two different approaches:
As I don't have a group in my LDAP named JBossAdmin (which is the role used by default):
$ grep JBossAdmin -R *
facelets/resourceNavigation.xhtml: <h:form id="navTreeForm" rendered="#{s:hasRole('JBossAdmin')}">
pages.xml: <rule if="#{s:hasRole('JBossAdmin')}">
pages.xml: <restrict>#{s:hasRole('JBossAdmin')}</restrict>
web.xml: <role-name>JBossAdmin</role-name>
I'm trying to map my LDAP groups and JBoss roles using the RoleMappingLoginModule:
<login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
<module-option name="rolesProperties">props/admin-console-roles.properties</module-option>
</login-module>
The contents of the props/admin-console-roles.properties is:
someuser=JBossAdmin
As documented, the syntax is username=role1,role2.
Replace the occurrences of JBossAdmin with one of the groups present in the LDAP structure, say developers:
$ grep developers -R *
facelets/resourceNavigation.xhtml: <h:form id="navTreeForm" rendered="#{s:hasRole('developers')}">
pages.xml: <rule if="#{s:hasRole('developers')}">
pages.xml: <restrict>#{s:hasRole('developers')}</restrict>
web.xml: <role-name>developers</role-name>
Neither of the two works. I'm stuck at the login page. Moreover, if I insist and press the login button again, I'm greeted with this:
How can I debug it further? Is it possible to map LDAP groups to roles in JBoss 5? Can group names (instead of user names) be used in a role.properties file when using RoleMappingLoginModule?

Login failure in jbpm-console jboss-as-7

I have a problem with the jbpm-console, generated from source. I installed jbpm-console-ng-jboss-as7.0.war in JBoss, and that deployed OK. I configured the security-domain in the subsystem "urn:jboss:domain:security:1.1", added the users and roles properties in the standalone, and created the JBoss user, but when I log in to jbpm-console I get the following error: Login failed: Not Authorized
The security-domain in standalone.xml is:
<subsystem xmlns="urn:jboss:domain:security:1.1">
<security-domains>
...
<security-domain name="jbpm-console-ng" cache-type="default">
<authentication>
<login-module code="UsersRoles" flag="required">
<module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
<module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
</login-module>
</authentication>
</security-domain>
</security-domains>
</subsystem>
The content of roles.properties is:
root=jbpm-console-user,user,analyst,PM,IT,Reviewer
The content of users.properties is:
root=root
The jboss user is "root".
Please help me!
Make sure your security-domain is being referenced in jboss-web.xml:
<jboss-web>
<security-domain>jbpm-console-ng</security-domain>
</jboss-web>
This file is at jbpm-console.war/WEB-INF/jboss-web.xml