Wildfly LDAPS Integration Failed - jboss

I am experiencing authentication issue after converting LDAP to LDAPS. Here is an excerpt from my standalone.xml file. As you can see, I've added a trusted store with LDAPS certs. I am just wondering if I have missed something. I am on Wildfly v10.
<security-realms>
<security-realm name="LdapUserRealm">
<server-identities>
<ssl>
<keystore path="identity.jks" relative-to="jboss.server.config.dir" keystore-password="xxxxx" alias="xxxxx"/>
</ssl>
</server-identities>
<authentication>
<truststore path="cacerts" relative-to="jboss.server.config.dir" keystore-password="xxxxx"/>
<ldap connection="LdapConnection" base-dn="dc=xxx,dc=ad,dc=xxx,dc=com" recursive="true">
<username-filter attribute="sAMAccountName"/>
</ldap>
</authentication>
</security-realm>
</security-realms>
<outbound-connections>
<ldap name="LdapConnection" search-credential="xxxxxx​​​​​​​​​​​​​​​" search-dn="cn=-svc-xxx-xxx,OU=Svc,OU=XTX,OU=Admin,dc=xxx,dc=ad,dc=xxx,dc=com" url="ldaps://xxx.xxx.xxx:636" />
</outbound-connections>
Any pointer or suggestion are appreciated. It will be greatly appreciated if there is a working config file I can compare to. Can someone please share a JBoss/Wildfly config file (specifically standalone.xml) which connects successfully using LDAPS?

You need to modify your LDAP outbound-connection to use the security-realm you created
<outbound-connections>
<ldap name="ldap_connection" ... security-realm="LdapUserRealm"/>
</outbound-connections>

Related

Wildfly 9 - Can Management Interface be secured with $local and LDAP?

I have a Wildfly 9 server with a management console secured with LDAP, but due to some shenanigans in integrating Azure Pipelines I'm also trying to allow the management console to connect automatically using the jboss-cli without a username/password prompt. To my knowledge, if you wanted a user to be able to connect via the jboss-cli on the same local network as the Wildfly server, you would have a security-realm defined as follows:
<security-realm name="ManagementRealm">
<authentication>
<local default-user="$local"/>
</authentication>
<authorization/>
</security-realm>
...And if you wanted a management interface secured with LDAP, you'd have a security-realm like this:
<security-realm name="ManagementRealm">
<server-identities>
<ssl protocol="TLSv1.2">
<keystore path="mykeystore.jks" relative-to="jboss.server.config.dir" keystore-password="changeit" key-password="changeit"/>
</ssl>
</server-identities>
<authentication>
<ldap connection="LdapConnection" base-dn="OU=Users,DC=user">
<username-filter attribute="accountName"/>
</ldap>
</authentication>
<authorization>
<ldap connection="LdapConnection">
<username-to-dn>
<username-filter base-dn="OU=Users,DC=user" attribute="accountName"/>
</username-to-dn>
<group-search group-name="SIMPLE" iterative="true" group-dn-attribute="cn" group-name-attribute="cn">
<principal-to-group group-attribute="memberOf"/>
</group-search>
</ldap>
</authorization>
</security-realm>
I tried merging the two, putting <local> and <properties> tags alongside <ldap> tags, but whichever of <properties> and <ldap> that is listed second gets flagged as an unrecognized token. Is there a proper way to secure a management console with LDAP when using a web browser, but allow connections without a username or password when using the jboss-cli on the same local network in Wildfly 9?

Installing the Keycloak client adapter in Wildfly domain mode

I'm implementing keycloak as authentication administrator of my applications, I have followed the respective manuals
https://www.keycloak.org/docs/latest/getting_started/index.html#securing-a-jboss-servlet-application
In section 4.2 Installing the Client Adapter
My application server is a wildfly 17 and that documentation works well on standalone servers (full, ha)
The problem I have that my servers in Wildfly production are in domain mode (one master and two slaves), and the installation of those adapters does not work.
How can I install this adapter in domain mode on wildfly?
1 - download and extract keycloak adapter in domain controller and all host controllers
2 - manual config domain.xml "only in domain controller"
<domain xmlns="urn:jboss:domain:10.0">
<extension module="org.keycloak.keycloak-adapter-subsystem"/>
.....
<profile name="full-ha">
<subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
.....
<subsystem xmlns="urn:jboss:domain:security:2.0">
<security-domains>
<security-domain name="keycloak">
<authentication>
<login-module
code="org.keycloak.adapters.jboss.KeycloakLoginModule"
flag="required"/>
</authentication>
</security-domain>
.......
</security-domains>
</subsystem>
.......
</profile>
sample domain.xml
result

Adding principalsQuery in webUI doesn't allow spaces

I'm currently doing a school assignment where we need to setup JAAS so it is import i use JAAS and not another security module.
When i'm trying to add: principalsQuery=select Password from Principals where PrincipalID=? to my authentication module in the WebUI I get invalid format error since it doesn't allow spaces(it accepts when there are no spaces).
Whenever i google the problem i see the standalone.xml configured with module options that include spaces. I've tried to include it in my standalone.xml (see below) but it won't work and the webUI keeps giving me the error.
<authentication>
<login-module code="test" flag="required">
<module-option name="dsJindiName" value="java:/MySqlDS"/>
<module-option name="principalQuery" value="SELECT password from user where username = ?" />
</login-module>
</authentication>
my datasource is configured as follows
<datasource jndi-name="java:/MySqlDS" pool-name="MySqlDS">
<connection-url>jdbc:mysql://localhost:3306/Kwetter</connection-url>
<driver-class>com.mysql.jdbc.Driver</driver-class>
<driver>mysql-connector-java-5.1.47.jar_com.mysql.jdbc.Driver_5_1</driver>
<security>
<user-name>root</user-name>
<password>root</password>
</security>
<validation>
<valid-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker"/>
<background-validation>true</background-validation>
<exception-sorter class-name="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLExceptionSorter"/>
</validation>
</datasource>
The DsJindiName works and is accepted by the login-module. But the principalQuery keeps giving me the error. My thinking is that the legacy security is not correctly support anymore any thoughts?
Solution:
I've figured out I needed to use Elytron to use JAAS. Using this guide
a problem occurs at the last step, the jbos-web.xml doesn't accept Elytron application security domains and errors at compiling. However, when you set the standard security domain in undertow it'll build and work like expected.

GWT & Certification

I have GWT, RestyGWT, Widlfly
Standalone.xml
<security-realm name="AdminSslRealm">
<server-identities>
<ssl>
<keystore path="${env.DBO_PATH_CONFIG}/${env.ADMIN_CONSOLE}" keystore-password="console" />
</ssl>
</server-identities>
</security-realm>
</security-realms>
...
<https-listener name="httpsAdmin" socket-binding="httpsAdmin" security-realm="AdminSslRealm" enable-http2="true" />
...
<socket-binding name="httpsAdmin" port="${jboss.https.port:8553}" />
So I have 2 question:
1)When I send first JSON I have such error
OPTIONS https://localhost:8443/services/v2/admin/test net::ERR_INSECURE_RESPONSE
Ok I go in browser https://localhost:8443/services/v2/admin/test. and see this picture
After I accept this connection all work fine
How do I make the client automatically accept such a connection???
2) After this when I send another JSON I have porblems with CORS
XMLHttpRequest cannot load https://localhost:8443/services/v2/admin/test. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://127.0.0.1:8888' is therefore not allowed access.
Can I solve this problem without the inclusion of CORS on the WiildFy???
if I can help in addressing these issues the certificate? If yes. Prompt how to adjust. On Wildfly I did, but I can not on GWT SuperDev Mode=(

Create a security realm in Wildfly

I want to secure some ejb hosted on my Widlfly AS, so I start creating my security-domain. I don't want to authenticate on ApplicationRealm so I define my security-realm and point it in my security-domain. I want to store credentials in a text file. Here is the code:
<security-domain name="mydomain" cache-type="default">
<authentication>
<login-module code="RealmDirect" flag="required"/>
<module-option name="realm" value="myrealm"/>
<module-option name="userProperties" value="${jboss.server.config.dir}/myrealm-users.properties"/>
<module-option name="rolesProperties" value="${jboss.server.config.dir}/myrealm-roles.properties"/>
</authentication>
</security-domain>
still it look like my ejb are affected by ApplicationRealm by the "other" security-domain. Can I define a custom security realm and use it by security-domain in Wildfly? If yes how can I add users to it?
You need a file jboss-web.xml in WEB-INF to override the default other domain. For instance:
<jboss-web>
<security-domain>java:/jaas/mydomain</security-domain>
</jboss-web>
Then in the Wildfly config file (standalone.xml or the likes) you configure the mydomain Security Domain like you already showed. It can happily co-exist with the already present other domain.
There's an excellent post here: http://blog.eisele.net/2015/01/jdbc-realm-wildfly820-primefaces51.html
You can add users in management realm using add-user script. By default, users generated there are stored in file.
https://docs.jboss.org/author/display/WFLY8/Security+Realms provides information about how to create custom security realm.