I'm currently doing a school assignment where we need to setup JAAS so it is import i use JAAS and not another security module.
When i'm trying to add: principalsQuery=select Password from Principals where PrincipalID=? to my authentication module in the WebUI I get invalid format error since it doesn't allow spaces(it accepts when there are no spaces).
Whenever i google the problem i see the standalone.xml configured with module options that include spaces. I've tried to include it in my standalone.xml (see below) but it won't work and the webUI keeps giving me the error.
<authentication>
<login-module code="test" flag="required">
<module-option name="dsJindiName" value="java:/MySqlDS"/>
<module-option name="principalQuery" value="SELECT password from user where username = ?" />
</login-module>
</authentication>
my datasource is configured as follows
<datasource jndi-name="java:/MySqlDS" pool-name="MySqlDS">
<connection-url>jdbc:mysql://localhost:3306/Kwetter</connection-url>
<driver-class>com.mysql.jdbc.Driver</driver-class>
<driver>mysql-connector-java-5.1.47.jar_com.mysql.jdbc.Driver_5_1</driver>
<security>
<user-name>root</user-name>
<password>root</password>
</security>
<validation>
<valid-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker"/>
<background-validation>true</background-validation>
<exception-sorter class-name="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLExceptionSorter"/>
</validation>
</datasource>
The DsJindiName works and is accepted by the login-module. But the principalQuery keeps giving me the error. My thinking is that the legacy security is not correctly support anymore any thoughts?
Solution:
I've figured out I needed to use Elytron to use JAAS. Using this guide
a problem occurs at the last step, the jbos-web.xml doesn't accept Elytron application security domains and errors at compiling. However, when you set the standard security domain in undertow it'll build and work like expected.
Related
I have a Wildfly 9 server with a management console secured with LDAP, but due to some shenanigans in integrating Azure Pipelines I'm also trying to allow the management console to connect automatically using the jboss-cli without a username/password prompt. To my knowledge, if you wanted a user to be able to connect via the jboss-cli on the same local network as the Wildfly server, you would have a security-realm defined as follows:
<security-realm name="ManagementRealm">
<authentication>
<local default-user="$local"/>
</authentication>
<authorization/>
</security-realm>
...And if you wanted a management interface secured with LDAP, you'd have a security-realm like this:
<security-realm name="ManagementRealm">
<server-identities>
<ssl protocol="TLSv1.2">
<keystore path="mykeystore.jks" relative-to="jboss.server.config.dir" keystore-password="changeit" key-password="changeit"/>
</ssl>
</server-identities>
<authentication>
<ldap connection="LdapConnection" base-dn="OU=Users,DC=user">
<username-filter attribute="accountName"/>
</ldap>
</authentication>
<authorization>
<ldap connection="LdapConnection">
<username-to-dn>
<username-filter base-dn="OU=Users,DC=user" attribute="accountName"/>
</username-to-dn>
<group-search group-name="SIMPLE" iterative="true" group-dn-attribute="cn" group-name-attribute="cn">
<principal-to-group group-attribute="memberOf"/>
</group-search>
</ldap>
</authorization>
</security-realm>
I tried merging the two, putting <local> and <properties> tags alongside <ldap> tags, but whichever of <properties> and <ldap> that is listed second gets flagged as an unrecognized token. Is there a proper way to secure a management console with LDAP when using a web browser, but allow connections without a username or password when using the jboss-cli on the same local network in Wildfly 9?
I am experiencing authentication issue after converting LDAP to LDAPS. Here is an excerpt from my standalone.xml file. As you can see, I've added a trusted store with LDAPS certs. I am just wondering if I have missed something. I am on Wildfly v10.
<security-realms>
<security-realm name="LdapUserRealm">
<server-identities>
<ssl>
<keystore path="identity.jks" relative-to="jboss.server.config.dir" keystore-password="xxxxx" alias="xxxxx"/>
</ssl>
</server-identities>
<authentication>
<truststore path="cacerts" relative-to="jboss.server.config.dir" keystore-password="xxxxx"/>
<ldap connection="LdapConnection" base-dn="dc=xxx,dc=ad,dc=xxx,dc=com" recursive="true">
<username-filter attribute="sAMAccountName"/>
</ldap>
</authentication>
</security-realm>
</security-realms>
<outbound-connections>
<ldap name="LdapConnection" search-credential="xxxxxx" search-dn="cn=-svc-xxx-xxx,OU=Svc,OU=XTX,OU=Admin,dc=xxx,dc=ad,dc=xxx,dc=com" url="ldaps://xxx.xxx.xxx:636" />
</outbound-connections>
Any pointer or suggestion are appreciated. It will be greatly appreciated if there is a working config file I can compare to. Can someone please share a JBoss/Wildfly config file (specifically standalone.xml) which connects successfully using LDAPS?
You need to modify your LDAP outbound-connection to use the security-realm you created
<outbound-connections>
<ldap name="ldap_connection" ... security-realm="LdapUserRealm"/>
</outbound-connections>
Scenario:
User connects to JDV without Kerberos (just name and PW)
jndi datasource is defined to connect with domain security
jndi datasource needs different user that is kerberos aware
how do I define the user at the datasource, when its on kerberos?
example:
<datasource jndi-name="java:/K_MYSQL" pool-name="K_MYSQL" enabled="true">
<connection-url>jdbc:mysql://localhost/k_test</connection-url>
<driver>mysql</driver>
<pool>
<allow-multiple-users>true</allow-multiple-users>
</pool>
<security>
<security-domain>FUNKE.HK</security-domain>
</security>
</datasource>
See an example for using Kerberos with Oracle here [1], follow similar instructions to MySQL. This article shows both Kerberos at the data source and as well as at Teiid JDBC layer.
[1] https://developer.jboss.org/wiki/KerberosAuthenticationToOracleFromTeiid
I am using JBOSS EAP 6.3, working with domain mode, I have installed and create user admin with passowrd xxx. I am able to login management console
Now I want to enable Role-Based Access Control (RABC) in JBOSS. I have modified domain.xml to enable RABC
<management>
<access-control provider="rbac">
<role-mapping>
<role name="SuperUser">
<include>
<user name="$local"/>
</include>
</role>
</role-mapping>
</access-control>
</management>
Now the problem is I am trying to open management console using same user and passoword but it shows below error
what should be default credential for RBAC profile or I need to add user again after enabling RBAC?
In order to bypass this error, you have to define a role-mapping from the groups or users defined in the realm to the desired roles.
For example, to grant SuperUser access to the user admin you have already created, use the following JBoss CLI command:
/core-service=management/access=authorization/role-mapping=SuperUser/include=user-admin:add(type=USER,name=admin)
You will see the following result in the domain.xml:
<access-control provider="rbac">
<role-mapping>
<role name="SuperUser">
<include>
<user name="admin"/>
</include>
</role>
</role-mapping>
I want to secure some ejb hosted on my Widlfly AS, so I start creating my security-domain. I don't want to authenticate on ApplicationRealm so I define my security-realm and point it in my security-domain. I want to store credentials in a text file. Here is the code:
<security-domain name="mydomain" cache-type="default">
<authentication>
<login-module code="RealmDirect" flag="required"/>
<module-option name="realm" value="myrealm"/>
<module-option name="userProperties" value="${jboss.server.config.dir}/myrealm-users.properties"/>
<module-option name="rolesProperties" value="${jboss.server.config.dir}/myrealm-roles.properties"/>
</authentication>
</security-domain>
still it look like my ejb are affected by ApplicationRealm by the "other" security-domain. Can I define a custom security realm and use it by security-domain in Wildfly? If yes how can I add users to it?
You need a file jboss-web.xml in WEB-INF to override the default other domain. For instance:
<jboss-web>
<security-domain>java:/jaas/mydomain</security-domain>
</jboss-web>
Then in the Wildfly config file (standalone.xml or the likes) you configure the mydomain Security Domain like you already showed. It can happily co-exist with the already present other domain.
There's an excellent post here: http://blog.eisele.net/2015/01/jdbc-realm-wildfly820-primefaces51.html
You can add users in management realm using add-user script. By default, users generated there are stored in file.
https://docs.jboss.org/author/display/WFLY8/Security+Realms provides information about how to create custom security realm.