I have a Wildfly 9 server with a management console secured with LDAP, but due to some shenanigans in integrating Azure Pipelines I'm also trying to allow the management console to connect automatically using the jboss-cli without a username/password prompt. To my knowledge, if you wanted a user to be able to connect via the jboss-cli on the same local network as the Wildfly server, you would have a security-realm defined as follows:
<security-realm name="ManagementRealm">
<authentication>
<local default-user="$local"/>
</authentication>
<authorization/>
</security-realm>
...And if you wanted a management interface secured with LDAP, you'd have a security-realm like this:
<security-realm name="ManagementRealm">
<server-identities>
<ssl protocol="TLSv1.2">
<keystore path="mykeystore.jks" relative-to="jboss.server.config.dir" keystore-password="changeit" key-password="changeit"/>
</ssl>
</server-identities>
<authentication>
<ldap connection="LdapConnection" base-dn="OU=Users,DC=user">
<username-filter attribute="accountName"/>
</ldap>
</authentication>
<authorization>
<ldap connection="LdapConnection">
<username-to-dn>
<username-filter base-dn="OU=Users,DC=user" attribute="accountName"/>
</username-to-dn>
<group-search group-name="SIMPLE" iterative="true" group-dn-attribute="cn" group-name-attribute="cn">
<principal-to-group group-attribute="memberOf"/>
</group-search>
</ldap>
</authorization>
</security-realm>
I tried merging the two, putting <local> and <properties> tags alongside <ldap> tags, but whichever of <properties> and <ldap> that is listed second gets flagged as an unrecognized token. Is there a proper way to secure a management console with LDAP when using a web browser, but allow connections without a username or password when using the jboss-cli on the same local network in Wildfly 9?
Related
I am experiencing authentication issue after converting LDAP to LDAPS. Here is an excerpt from my standalone.xml file. As you can see, I've added a trusted store with LDAPS certs. I am just wondering if I have missed something. I am on Wildfly v10.
<security-realms>
<security-realm name="LdapUserRealm">
<server-identities>
<ssl>
<keystore path="identity.jks" relative-to="jboss.server.config.dir" keystore-password="xxxxx" alias="xxxxx"/>
</ssl>
</server-identities>
<authentication>
<truststore path="cacerts" relative-to="jboss.server.config.dir" keystore-password="xxxxx"/>
<ldap connection="LdapConnection" base-dn="dc=xxx,dc=ad,dc=xxx,dc=com" recursive="true">
<username-filter attribute="sAMAccountName"/>
</ldap>
</authentication>
</security-realm>
</security-realms>
<outbound-connections>
<ldap name="LdapConnection" search-credential="xxxxxx" search-dn="cn=-svc-xxx-xxx,OU=Svc,OU=XTX,OU=Admin,dc=xxx,dc=ad,dc=xxx,dc=com" url="ldaps://xxx.xxx.xxx:636" />
</outbound-connections>
Any pointer or suggestion are appreciated. It will be greatly appreciated if there is a working config file I can compare to. Can someone please share a JBoss/Wildfly config file (specifically standalone.xml) which connects successfully using LDAPS?
You need to modify your LDAP outbound-connection to use the security-realm you created
<outbound-connections>
<ldap name="ldap_connection" ... security-realm="LdapUserRealm"/>
</outbound-connections>
I'm implementing keycloak as authentication administrator of my applications, I have followed the respective manuals
https://www.keycloak.org/docs/latest/getting_started/index.html#securing-a-jboss-servlet-application
In section 4.2 Installing the Client Adapter
My application server is a wildfly 17 and that documentation works well on standalone servers (full, ha)
The problem I have that my servers in Wildfly production are in domain mode (one master and two slaves), and the installation of those adapters does not work.
How can I install this adapter in domain mode on wildfly?
1 - download and extract keycloak adapter in domain controller and all host controllers
2 - manual config domain.xml "only in domain controller"
<domain xmlns="urn:jboss:domain:10.0">
<extension module="org.keycloak.keycloak-adapter-subsystem"/>
.....
<profile name="full-ha">
<subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
.....
<subsystem xmlns="urn:jboss:domain:security:2.0">
<security-domains>
<security-domain name="keycloak">
<authentication>
<login-module
code="org.keycloak.adapters.jboss.KeycloakLoginModule"
flag="required"/>
</authentication>
</security-domain>
.......
</security-domains>
</subsystem>
.......
</profile>
sample domain.xml
result
I'm currently doing a school assignment where we need to setup JAAS so it is import i use JAAS and not another security module.
When i'm trying to add: principalsQuery=select Password from Principals where PrincipalID=? to my authentication module in the WebUI I get invalid format error since it doesn't allow spaces(it accepts when there are no spaces).
Whenever i google the problem i see the standalone.xml configured with module options that include spaces. I've tried to include it in my standalone.xml (see below) but it won't work and the webUI keeps giving me the error.
<authentication>
<login-module code="test" flag="required">
<module-option name="dsJindiName" value="java:/MySqlDS"/>
<module-option name="principalQuery" value="SELECT password from user where username = ?" />
</login-module>
</authentication>
my datasource is configured as follows
<datasource jndi-name="java:/MySqlDS" pool-name="MySqlDS">
<connection-url>jdbc:mysql://localhost:3306/Kwetter</connection-url>
<driver-class>com.mysql.jdbc.Driver</driver-class>
<driver>mysql-connector-java-5.1.47.jar_com.mysql.jdbc.Driver_5_1</driver>
<security>
<user-name>root</user-name>
<password>root</password>
</security>
<validation>
<valid-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker"/>
<background-validation>true</background-validation>
<exception-sorter class-name="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLExceptionSorter"/>
</validation>
</datasource>
The DsJindiName works and is accepted by the login-module. But the principalQuery keeps giving me the error. My thinking is that the legacy security is not correctly support anymore any thoughts?
Solution:
I've figured out I needed to use Elytron to use JAAS. Using this guide
a problem occurs at the last step, the jbos-web.xml doesn't accept Elytron application security domains and errors at compiling. However, when you set the standard security domain in undertow it'll build and work like expected.
I want to secure some ejb hosted on my Widlfly AS, so I start creating my security-domain. I don't want to authenticate on ApplicationRealm so I define my security-realm and point it in my security-domain. I want to store credentials in a text file. Here is the code:
<security-domain name="mydomain" cache-type="default">
<authentication>
<login-module code="RealmDirect" flag="required"/>
<module-option name="realm" value="myrealm"/>
<module-option name="userProperties" value="${jboss.server.config.dir}/myrealm-users.properties"/>
<module-option name="rolesProperties" value="${jboss.server.config.dir}/myrealm-roles.properties"/>
</authentication>
</security-domain>
still it look like my ejb are affected by ApplicationRealm by the "other" security-domain. Can I define a custom security realm and use it by security-domain in Wildfly? If yes how can I add users to it?
You need a file jboss-web.xml in WEB-INF to override the default other domain. For instance:
<jboss-web>
<security-domain>java:/jaas/mydomain</security-domain>
</jboss-web>
Then in the Wildfly config file (standalone.xml or the likes) you configure the mydomain Security Domain like you already showed. It can happily co-exist with the already present other domain.
There's an excellent post here: http://blog.eisele.net/2015/01/jdbc-realm-wildfly820-primefaces51.html
You can add users in management realm using add-user script. By default, users generated there are stored in file.
https://docs.jboss.org/author/display/WFLY8/Security+Realms provides information about how to create custom security realm.
I am trying to run my application in jboss 7 from jboss 4. In jboss 4 we changed server.xml to configure keystoreFile and keystorePass etc. Can any one help me where to make these changes in jboss7.
The server.xml equivalent in Jboss 7 is a standalone/configuration/standalone.xml for a standalone installation and domain.xml for a domain aware one.
I'm not sure where those options are or how you're supposed to configure it in Jboss 7, but start with standalone.xml file first.
Edit the file standalone/configuration/standalone.xml:
<subsystem xmlns="urn:jboss:domain:web:1.0" default-virtual-server="default-host">
<connector name="http" scheme="http" protocol="HTTP/1.1" socket-binding="http"/>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost" />
<alias name="example.com" />
</virtual-server>
</subsystem>
Replace thew connector tag with following one:
<connector name="https" scheme="https" protocol="HTTP/1.1" secure =”true” socket- binding="https" ssl=”your certificate name”/>
You should avoid touching the config XMLs yourself.
Rather let it up to domain controller and host controller,
and configure your server through the means mentioned here:
JBoss AS 7 JMX Console
Update:
For manual configuration, try the Web UI - http://localhost:9990/.
For automated configuration, try CLI scripts.
To develop and debug CLI commands, try jboss-cli.sh --gui.
But if you really must, it's in standalone/configuration/standalone.xml:
<subsystem xmlns="urn:jboss:domain:web:1.0" ...>
The schema is here: http://www.jboss.org/schema/jbossas/jboss-as-web_1_2.xsd
(or later versions).
Recommended way to change the AS 7 model is anyway by means of the Command Line Interface.
For example, you can set the socket binding port of the HTTP port to 8090 with :
/socket-binding-group=standard-sockets/socket-binding=http:write-attribute(name="port", value="8090")
JBoss EAP 7 uses the Undertow web server and configures it via the undertow subsystem (which replaces the web subsystem used in previous versions). SSL/TLS setup using the CLI is described in Setting up an SSL/TLS for Applications. If you would like to directly modify the standalone.xml file, the instructions can be translated to:
Add and configure an HTTPS security realm. - under /server/management/security-realms add an HTTPS security-realm element, for example
<security-realm name="HTTPSRealm">
<server-identities>
<ssl>
<keystore path="/path/to/your/keystore/myKeystore.jks"
keystore-password="myKeystorePassword"
alias="mySSLKeyPairAlias"
key-password="mySSLKeyPairPassword" />
</ssl>
</server-identities>
</security-realm>
Update the undertow subsystem to use the HTTPS security realm. - under /server/profile find the Undertow subsystem element (e.g. <subsystem xmlns="urn:jboss:domain:undertow:3.1">). It has a server child element to which you add an https-listener element referencing your HTTPSRealm created in step 1 above, for example
<https-listener name="default-ssl" socket-binding="https" security-realm="HTTPSRealm" />
More details can be found at these related links:
Security Realms
Security Realm Detailed Configuration
https-listener Attributes