I'm trying to authenticate users of the administrative consoles (Admin, JMX, JBoss Web and JBoss WS) using an LDAP provider defined in conf/login-config.xml:
<application-policy name="LDAP">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
<module-option name="java.naming.provider.url">ldaps://ldap.company.com:636</module-option>
<module-option name="java.naming.security.protocol">ssl</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="bindDN">uid=dummy,cn=users,cn=accounts,dc=company,dc=com</module-option>
<module-option name="bindCredential">secret</module-option>
<module-option name="baseCtxDN">cn=accounts,dc=company,dc=com</module-option>
<module-option name="baseFilter">(&(objectClass=inetOrgPerson)(uid={0}))</module-option>
<module-option name="rolesCtxDN">cn=groups,cn=accounts,dc=company,dc=com</module-option>
<module-option name="roleAttributeID">dn</module-option>
<module-option name="roleFilter">(&(objectClass=posixgroup)(member={1}))</module-option>
<module-option name="roleRecursion">-1</module-option>
<module-option name="searchScope">SUBTREE_SCOPE</module-option>
<module-option name="allowEmptyPasswords">false</module-option>
<module-option name="searchTimeLimit">-1</module-option>
</login-module>
<!-- This login-module is used only in one use case, see below for details
<login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
<module-option name="rolesProperties">props/admin-console-roles.properties</module-option>
</login-module>
-->
</authentication>
</application-policy>
The appropriate JAAS config has been set in the following files:
$ grep LDAP /usr/share/jbossas/server/node1/deploy/admin-console.war/WEB-INF/*xml
/usr/share/jbossas/server/node1/deploy/admin-console.war/WEB-INF/components.xml: <security:identity authenticate-method="#{authenticator.authenticate}" jaas-config-name="LDAP"/>
/usr/share/jbossas/server/node1/deploy/admin-console.war/WEB-INF/jboss-web.xml: <security-domain flushOnSessionInvalidation="true">java:/jaas/LDAP</security-domain>
Connection with the LDAP server works correctly. I have verified that capturing traffic using wireshark and setting org.jboss.secutiry logging to TRACE in jboss-log4j.xml:
<category name="org.jboss.security.auth.spi">
<priority value="TRACE" class="org.jboss.logging.XLevel"></priority>
</category>
I have also set DEBUG level for the org.jboss.seam component:
<category name="org.jboss.seam">
<priority value="DEBUG"/>
</category>
which also verifies that the authentication step is working correctly:
2014-06-09 16:42:41,189 DEBUG [org.jboss.seam.security.Identity] (http-192.0.2.1-8080-6) Login successful for: someuser
There seems to be a problem with authorization, I can't access the admin-console even though the user is correctly authenticated. I've tried two different approaches:
As I don't have a group in my LDAP named JBossAdmin (which is the role used by default):
$ grep JBossAdmin -R *
facelets/resourceNavigation.xhtml: <h:form id="navTreeForm" rendered="#{s:hasRole('JBossAdmin')}">
pages.xml: <rule if="#{s:hasRole('JBossAdmin')}">
pages.xml: <restrict>#{s:hasRole('JBossAdmin')}</restrict>
web.xml: <role-name>JBossAdmin</role-name>
I'm trying to map my LDAP groups and JBoss roles using the RoleMappingLoginModule:
<login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
<module-option name="rolesProperties">props/admin-console-roles.properties</module-option>
</login-module>
The contents of the props/admin-console-roles.properties is:
someuser=JBossAdmin
as documented, the syntax is username=role1,role2.
Replace the occurrences of JBossAdmin with one of the groups present in the LDAP structure, say developers:
$ grep developers -R *
facelets/resourceNavigation.xhtml: <h:form id="navTreeForm" rendered="#{s:hasRole('developers')}">
pages.xml: <rule if="#{s:hasRole('developers')}">
pages.xml: <restrict>#{s:hasRole('developers')}</restrict>
web.xml: <role-name>developers</role-name>
Neither of the two work. I'm stuck at the login page.Moreover, if I insist and press the login button again, I'm greeted with this:
How can I debug it further? Is it possible to map LDAP groups to roles in JBoss 5? Can group names (instead of user names) be used in a role.properties file when using RoleMappingLoginModule?
Related
We have to provide Alfresco and jBoss web application users authentication with openLDAP.
The OpenLDAP is configured so, that there is now need to provide any credentials to read openLDAP directory.
In case of jBoss configuration I am not providing these credentials with bindDN and bindCredential tags and authentication is working.
In case of Alfresco that is not the case, if I do not provide ldap.synchronization.java.naming.security.principal and ldap.synchronization.java.naming.security.credentials, I have synchronization error in log:
2019-02-15 10:58:04,466 ERROR [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization aborted due to error
org.alfresco.repo.security.authentication.AuthenticationException: 01150001 Failed to authenticate, username or password is wrong. User name:cn=Manager,dc=company,dc=com Reason [LDAP: error code 49 - Invalid Credentials]
So ldapsearch retreives the openLDAP directory without providing any credentials:
ldapsearch -x -h 10.0.1.15:389 -b "dc=some,dc=ua"
jBoss standalone-full.xml:
<login-module code="LdapExtended" flag="sufficient">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://10.0.1.15:389"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="baseCtxDN" value="ou=Users,dc=some,c=ua"/>
<module-option name="baseFilter" value="(uid={0})"/>
<module-option name="rolesCtxDN" value="ou=Users,dc=some,c=ua"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="roleAttributeIsDN" value="false"/>
<module-option name="roleRecursion" value="1"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="throwValidateError" value="true"/>
</login-module>
Alfresco alfresco-global.properties
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap
ntlm.authentication.sso.enabled=false
alfresco.authentication.authenticateCIFS=false
ldap.authentication.active=true
ldap.synchronization.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=uid=%s,ou=Users,dc=some,dc=ua
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://10.0.1.15:389
ldap.authentication.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.authentication=simple
ldap.authentication.defaultAdministratorUserNames=Admin
ldap.synchronization.java.naming.security.principal=uid\=someUser,ou\=users,dc\=some,dc\=ua
ldap.synchronization.java.naming.security.credentials=12356
ldap.synchronization.groupSearchBase=ou\=Users,dc\=some,dc\=ua
ldap.synchronization.userSearchBase=ou\=Users,dc\=some,dc\=ua
ldap.synchronization.groupQuery=(&(objectclass\=posixGroup)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=posixGroup)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userOrganizationalIdAttributeName=o
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=posixGroup
ldap.synchronization.personType=inetOrgPerson
ldap.authentication.java.naming.read.timeout=0
ldap.synchronization.userAccountStatusProperty=ds-pwp-account-disabled
ldap.synchronization.disabledAccountPropertyValue=true
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
ldap.pooling.com.sun.jndi.ldap.connect.pool.debug=fine
synchronization.autoCreatePeopleOnLogin=true
synchronization.synchronizeChangesOnly=false
synchronization.syncOnStartup=true
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.externalUserControl=true
synchronization.externalUserControlSubsystemName=ldap1
Is it possible to avoid providing OpenLDAP credentials in alfresco-global.properties?
Alfresco Community (Build: 201612)
jBoss EAP-6.4
There are two things going on with Alfresco: Authentication and Synchronization. Authentication against OpenLDAP can happen without a credential because it binds using the user's credential.
Synchronization, however, happens in batch in the background. The synchronization job that runs needs a credential to authenticate with OpenLDAP so it can query for users and groups created or modified since the last check. If you don't provide a credential it would mean your OpenLDAP directory would have to be wide open, which is surely not what you want.
I am trying setup authentication on an application on JBoss 7 against a LDAP Server. Below is the link I have followed for the configuration
LDAP authentication with JBoss 7
The LDAP login module performs three queries against the LDAP server to log in a user, as follows:
As per JBoss in Action, there are 3 steps how JBoss LDAP Login Module works:
- The first query looks up the user object using only the login id. This search is similar to the first ldapsearch query that we showed you earlier.
- A second query is a login attempt using the user’s login id and the password.
- The last query obtains the group objects.
The password is used, but you don’t have to reference it in the login module. Now let’s take a look at another login module that helps simplify development and testing.
Looking in the LDAP Server logs it looks like my setup is only doing the first step but not the 2nd. So the login fails with a password error :
10:47:11,448 DEBUG [org.jboss.security] (http-/127.0.0.1:9080-1) PBOX000283: Bad password for username testuser1
10:47:11,450 TRACE [org.jboss.security] (http-/127.0.0.1:9080-1) PBOX000244: Begin abort method
10:47:11,450 DEBUG [org.jboss.security] (http-/127.0.0.1:9080-1) PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070: Password invalid/Password required
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:286) [picketbox-4.1.1.Final-redhat-1.jar:4.1.1.Final-redhat-1]
Here is the configuration from my standalone.xml:
<security-domain name="LDAPAuth" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://localhost:389"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="bindDN" value="cn=admin"/>
<module-option name="bindCredential" value="********"/>
<module-option name="baseCtxDN" value="ou=Internal,cn=Users,dc=company,dc=local"/>
<module-option name="baseFilter" value="(cn={0})"/>
<module-option name="roleFilter" value="(uniqumember={1})"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="Context.REFERRAL" value="follow"/>
<module-option name="throwValidateError" value="true"/>
<module-option name="roleRecursion" value="0"/>
<module-option name="searchScope" value="SUBTREE_SCOPE"/>
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="Context.REFERRAL" value="follow"/>
<module-option name="throwValidateError" value="true"/>
</login-module>
</authentication>
</security-domain>
I have a security domain defined in jboss-web.xml as below
<jboss-web>
<security-domain>java:/jaas/my_ldap_security_domain</security-domain>
<disable-audit>true</disable-audit>
</jboss-web>
I also have defined inside my standalone.xml
<subsystem xmlns="urn:jboss:domain:security:1.2">
<security-domains>
<security-domain name="my_ldap_security_domain" cache-type="default">
<authentication>
<login-module code="LdapExtended" flag="sufficient">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldaps://xxx.xxx.xxx.xxx:yyyy"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="bindDN" value="temp#my.domain"/>
<module-option name="bindCredential" value="mypass"/>
<module-option name="baseCtxDN" value="DC=my,DC=domain"/>
<module-option name="baseFilter" value="(uid={0})"/>
<module-option name="rolesCtxDN" value="DC=my,DC=domain"/>
<module-option name="roleFilter" value="(uniquemember={1})"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="searchScope" value="SUBTREE_SCOPE"/>
<module-option name="roleRecursion" value="0"/>
<module-option name="allowEmptyPasswords" value="true"/>
</login-module>
</authentication>
</security-domain>
</security-domains>
</subsystem>
My only realms present on my standalone.xml are
<security-realms>
<security-realm name="ManagementRealm">
<authentication>
<local default-user="$local" skip-group-loading="true"/>
<properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
<authorization map-groups-to-roles="false">
<properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
<security-realm name="ApplicationRealm">
<authentication>
<local default-user="$local" allowed-users="*" skip-group-loading="true"/>
<properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
<authorization>
<properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
</security-realms>
I did not mention it before because i presumed that this security realms were meant to authenticate the application server console access. Sorry for that.
My doubt is how to create a jsf2 login page to authenticate against what is defined above. I read a lot of articles about but still in the same place beacause most articles use a fake authentication as example (comparing with static strings instead of showing how to consult LDAP server).
Can anyone help me?
i presumed that this security realms were meant to authenticate the application server console access
You're partially correct there. The name="ManagementRealm" does indeed specify a realm config for accessing admin functions. name="ApplicationRealm" would be the attribute to specify for securing a web application
Your current realm config is missing some things necessary for LDAP authentication. I presume you're already familiar with the login-form configuration in web.xml. Your realm configuration should look something like the following, an excerpt from the Wildfly 8 Realm Configuration Manual:
<management>
<security-realms>
<security-realm name="ApplicationRealm">
<authentication>
<ldap connection="EC2" base-dn="CN=Users,DC=darranl,DC=jboss,DC=org">
<username-filter attribute="sAMAccountName" />
</ldap>
</authentication>
</security-realm>
</security-realms>
</management>
Where the <ldap> tag specifies that your lookup is against an LDAP server. Beyond this, you only need follow the standard auth methods for a JavaEE application.
The takeaway from this should be that web application security within JavaEE generally takes the same approach of
Setting up a realm (App-server specific)
Setting up security constraints in web.xml (uniform across all JavaEE applications)
Implementing a login method (Configuration or Programmatic)
Related
Java EE 6 Programmatic security, glassfish and JDBC realm
How to properly logout of a Java EE 6 Web Application after logging in
Performing user authentication in Java EE / JSF using j_security_check
The following authentication policy is defined in login-config.xml
<policy>
<!--- - - - -->
<application-policy name="myAuthenticationPolicy">
<authentication>
<login-module code="com.ge.trans.mp.samp.jaas.LoggingLdapExtLoginModule" flag="required">
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
A switchyard configuration is below:
<switchyard xmlns="urn:switchyard-config:switchyard:1.0"
xmlns:sy="urn:switchyard-config:switchyard:1.0"
xmlns:bean="urn:switchyard-component-bean:config:1.0"
xmlns:camel="urn:switchyard-component-camel:config:1.0"
xmlns:http="urn:switchyard-component-http:config:1.0"
xmlns:sca="http://docs.oasis-open.org/ns/opencsa/sca/200912">
<sca:composite name="http-bridge-esb" targetNamespace="urn:switchyard-quickstart:http-binding:1.0">
<sca:service name="httpPostService" promote="HttpPostBuilder/HttpPost" **sy:security="basic-auth"**>
<http:binding.http>
<operationSelector operationName="postMessage"/>
<http:contextPath>myContextPath</http:contextPath>
</http:binding.http>
</sca:service>
<sca:component name="HttpPostBuilder">
<camel:implementation.camel>
<camel:xml path="META-INF/route.xml"/>
</camel:implementation.camel>
<sca:service name="HttpPost">
<sca:interface.java interface="my.post.Class"/>
</sca:service>
</sca:component>
</sca:composite>
<domain>
<securities>
<**security name="basic-auth"** securityDomain="myAuthenticationPolicy" rolesAllowed="mesgPoster"/>
</securities>
</domain>
</switchyard>
This configuration starts up in JBoss 6.1 EAP and appears to receive messages correctly, however it does not appear to authenticate.
I am presuming that the default username password callback handler is used to handle basic auth, and am also presuming the security domain reference in the security element relates to the application policy name configured in login-config.xml.
I seem unable to locate an example configuration showing basic auth authentication using an LDAP configuration policy.
If someone could point out the dots that I am missing, or somewhere that an example for a switchyard basic auth configuration exists it would be greatly appreciated.
Your login-config.xml is incomplete and invalid.
It should look something like this:
<application-policy name="myAuthenticationPolicy">
<authentication>
<login-module flag="required" code="org.jboss.security.auth.spi.LdapExtLoginModule">
<module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
<module-option name="java.naming.provider.url">ldap://XXX:389/</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="bindDN">XXX\XXX</module-option>
<module-option name="bindCredential">XXX</module-option>
<module-option name="baseCtxDN">dc=XXX,dc=XXX</module-option>
<module-option name="baseFilter">(sAMAccountName={0})</module-option>
<module-option name="rolesCtxDN">dc=XXX,dc=XXX</module-option>
<module-option name="roleFilter">(member={1})</module-option>
<module-option name="roleAttributeIsDN">true</module-option>
<module-option name="roleNameAttributeID">name</module-option>
<module-option name="java.naming.referral">follow</module-option>
</login-module>
</authentication>
</application-policy>
I would like to authenticate the user only if he in a specific group.
To my test I have two users:
one user is in the FIRST GROUP
other is in de SECOND GROUP
I have an active directory :
CN=Users,DC=XXXX,DC=com
---usrA
---usrB
---group1
---group2
usrA is in the group1, usrB is in the group2
and I authenticate the user via JBoss with LdapLoginModule in the standalone.xml.
standelone.xml:
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="sufficient">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://192.168.1.18"/>
<module-option name="java.naming.allowEmptyPasswords" value="false"/>
<module-option name="userfilter" value="(&(objectCategory=person)(objectClass=user)(cn={USERNAME})((primaryGroupID=1109)))"/>
<module-option name="principalDNSuffix" value="#XXXX.com"/>
<module-option name="java.naming.security.authentication" value="simple"/>
</login-module>
When (primaryGroupID=1109) = group1.
The result is:
the usrA success login
the usrB success too
So the filter used does not work properly or is not used at all, and I have no error.
I tested the query of userfilter in active directory and it returns me well "usrA"
Someone has an idea of the problem? Anyone have another way to use a user according to his group?