How to configure groups in Jboss EAP for Kerberos implementation? - kerberos

I have configured my application with Kerberos authentication for a specific user in JBoss EAP and it's working fine. But I want to configure the same on the basis of a group, i.e. users in a specific group will be able to authenticate.
standalone.xml configuration for the user:
  <security-domains>
    <security-domain name="SPNEGO" cache-type="default">
      <authentication>
        <login-module code="SPNEGO" flag="required">
          <module-option name="serverSecurityDomain" value="host"/>
        </login-module>
      </authentication>
      <mapping>
        <mapping-module code="SimpleRoles" type="role">
          <module-option name="saurabhgupta#ECO.COM" value="User"/>
        </mapping-module>
      </mapping>
    </security-domain>
  </security-domains>
My environment consists of:
Linux server with JBoss EAP 6.2
Client station with Windows 7 64-bit + Chrome
Windows Server 2008 Active Directory (acts as KDC)
Application WAR location: https://github.com/kwart/spnego-demo
Has anyone gone all through this and solved it somehow?
Thank you in advance, Siddharth

You can pair the SPNEGO login-module with others so that you can assign users to roles. Below is an example of how to associate your users with LDAP roles via standalone.xml:
  <security-domain name="SPNEGO">
    <authentication>
      <login-module code="SPNEGOUsers" flag="requisite">
        <module-option name="password-stacking" value="useFirstPass"/>
        <module-option name="serverSecurityDomain" value="host"/>
        <module-option name="removeRealmFromPrincipal" value="true"/>
      </login-module>
      <login-module code="AdvancedAdLdap" flag="required">
        <module-option name="password-stacking" value="useFirstPass"/>
        <module-option name="bindDN" value="test"/>
        <module-option name="bindCredential" value="test"/>
        <module-option name="allowEmptyPassword" value="true"/>
        <module-option name="java.naming.provider.url" value="ldap://test.jboss.redhat.com:389"/>
        <module-option name="baseCtxDN" value="CN=Users,DC=jboss,DC=redhat,DC=com"/>
        <module-option name="baseFilter" value="(sAMAccountName={0})"/>
        <module-option name="roleAttributeID" value="memberOf"/>
        <module-option name="roleAttributeIsDN" value="true"/>
        <module-option name="roleNameAttributeID" value="cn"/>
        <module-option name="recurseRoles" value="true"/>
      </login-module>
    </authentication>
  </security-domain>

Related

How to add security domain with Wildfly/Jboss CLI

I want to add the following to standalone-full.xml through the WildFly/JBoss CLI.
  <subsystem xmlns="urn:jboss:domain:security:2.0">
    <security-domains>
      <security-domain name="MY_NAME" cache-type="default">
        <authentication>
          <login-module code="XXX" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
          </login-module>
          <login-module code="YYY" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
          </login-module>
        </authentication>
      </security-domain>
    </security-domains>
  </subsystem>
It is possible with the following commands:
/subsystem=security/security-domain=MY_NAME:add
/subsystem=security/security-domain=MY_NAME:write-attribute(name=cache-type, value=default)
/subsystem=security/security-domain=MY_NAME/authentication=classic:add(login-modules=[{code=XXX, flag=optional, module-options={password-stacking=useFirstPass}},{code=YYY, flag=required, module-options={password-stacking=useFirstPass}}])
NOTE: I already had <subsystem xmlns="urn:jboss:domain:security:2.0"> created, so anyone reading who doesn't have the mentioned subsystem might want to run /subsystem=security:add

JBoss - connect and authenticate users in two domains

I've encountered a problem regarding JBoss with authenticating users in two different Active Directory domains. I want to configure JBoss to be able to authenticate a user through LDAP depending on where his account is created (domain A or B). Here's a part of my configuration for domain A. How can I adapt it so JBoss will first check if the user is in domain A and, if not, in domain B, and authenticate him correctly once it finds him? Trust between the domains is set up correctly. Info regarding users: they are created in different OUs. The JBoss version is 6.4 running in domain mode. I have a second config for domain B which is working OK; I just have to somehow add it to the current config so there will be no errors and issues when it comes to authenticating users.
  <security-domain name="SECDOMAIN_1" cache-type="default">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
        <module-option name="java.naming.provider.url" value="ldap_addres:port"/>
        <module-option name="bindDN" value="ad_user_used_to_authenticate_in_domain"/>
        <module-option name="bindCredential" value="password_for_user"/>
        <module-option name="baseCtxDN" value="dc=xxx,dc=yyy"/>
        <module-option name="baseFilter" value="(sAMAccountName={0})"/>
        <module-option name="rolesCtxDN" value="dc=xxx,dc=yyy"/>
        <module-option name="roleFilter" value="(member={1})"/>
        <module-option name="roleAttributeID" value="memberOf"/>
        <module-option name="roleAttributeIsDN" value="true"/>
        <module-option name="roleNameAttributeID" value="ou"/>
        <module-option name="allowEmptyPasswords" value="false"/>
        <module-option name="throwValidateError" value="true"/>
        <module-option name="searchScope" value="SUBTREE_SCOPE"/>
      </login-module>
    </authentication>
  </security-domain>
I've managed to find the solution for this issue. All I had to do was create another login module within the security domain and change the flags to optional. It should look like this:
  <security-domain name="SECDOMAIN_1" cache-type="default">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="optional">
        <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
        <module-option name="java.naming.provider.url" value="ldap_addres:port"/>
        <module-option name="bindDN" value="ad_user_used_to_authenticate_in_domain"/>
        <module-option name="bindCredential" value="password_for_user"/>
        <module-option name="baseCtxDN" value="dc=xxx,dc=yyy"/>
        <module-option name="baseFilter" value="(sAMAccountName={0})"/>
        <module-option name="rolesCtxDN" value="dc=xxx,dc=yyy"/>
        <module-option name="roleFilter" value="(member={1})"/>
        <module-option name="roleAttributeID" value="memberOf"/>
        <module-option name="roleAttributeIsDN" value="true"/>
        <module-option name="roleNameAttributeID" value="ou"/>
        <module-option name="allowEmptyPasswords" value="false"/>
        <module-option name="throwValidateError" value="true"/>
        <module-option name="searchScope" value="SUBTREE_SCOPE"/>
      </login-module>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="optional">
        <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
        <module-option name="java.naming.provider.url" value="second_ldap_addres:port"/>
        <module-option name="bindDN" value="second_ad_user_used_to_authenticate_in_domain"/>
        <module-option name="bindCredential" value="second_password_for_user"/>
        <module-option name="baseCtxDN" value="dc=zzz,dc=www"/>
        <module-option name="baseFilter" value="(sAMAccountName={0})"/>
        <module-option name="rolesCtxDN" value="dc=zzz,dc=www"/>
        <module-option name="roleFilter" value="(member={1})"/>
        <module-option name="roleAttributeID" value="memberOf"/>
        <module-option name="roleAttributeIsDN" value="true"/>
        <module-option name="roleNameAttributeID" value="ou"/>
        <module-option name="allowEmptyPasswords" value="false"/>
        <module-option name="throwValidateError" value="true"/>
        <module-option name="searchScope" value="SUBTREE_SCOPE"/>
      </login-module>
    </authentication>
  </security-domain>

JBoss 7.1.0 Security Domain: Multiple LDAPs, sequential, not failover

So far, I have been unable to find help for authenticating against multiple LDAP servers except where it concerns failover.
We have an LDAP for internal users and an LDAP for external users. Suddenly, our app needs to be available to both internal and external users. How would I set this up?
Here is the current config for internal users only:
  <security-domain name="dc-ldap-auth">
    <authentication>
      <login-module code="LdapExtended" flag="required">
        <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
        <module-option name="java.naming.provider.url" value="ldap://dvldap-1.example.com:389"/>
        <module-option name="java.naming.security.authentication" value="simple"/>
        <module-option name="bindDN" value="uid=someid,ou=People,ou=Intranet,o=example.com"/>
        <module-option name="bindCredential" value="somecred"/>
        <module-option name="baseCtxDN" value="ou=People,ou=Intranet,o=example.com"/>
        <module-option name="baseFilter" value="(uid={0})"/>
        <module-option name="rolesCtxDN" value="ou=Groups,ou=Intranet,o=example.com"/>
        <module-option name="roleFilter" value="(uniqueMember={1})"/>
        <module-option name="roleRecursion" value="0"/>
        <module-option name="roleAttributeID" value="cn"/>
        <module-option name="searchScope" value="ONELEVEL_SCOPE"/>
      </login-module>
    </authentication>
  </security-domain>
If you need a simple configuration
Just use what JAAS offers. Add the two configurations to the login-module chain and set the flag on the first of them to sufficient (look at the Configuration class for all the options and their descriptions).
For optimal performance: the first configuration should be the one against which users authenticate more often.
  <security-domain name="dc-ldap-auth">
    <authentication>
      <login-module code="LdapExtended" flag="sufficient">
        <module-option name="java.naming.provider.url" value="ldap://internal-ldap.my-company.example"/>
        <!-- add other options for the first LDAP server -->
      </login-module>
      <login-module code="LdapExtended" flag="required">
        <module-option name="java.naming.provider.url" value="ldap://external-ldap.my-company.example"/>
        <!-- add other options for the second LDAP server -->
      </login-module>
    </authentication>
  </security-domain>
If you need great performance
If you are able to determine (from the login name, for instance) which LDAP you should search in, then I would suggest implementing your own login module. It can delegate the processing to LdapExtLoginModule instances.
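The three answers above all rely on the JAAS control flags (required, requisite, sufficient, optional) to decide which login module runs and when the chain stops. The following is an added simulation of those rules, not code from JBoss, PicketBox or any of the posters; each module is reduced to its flag and the outcome its login() would produce, so no LDAP or Kerberos traffic takes place. It is used here to compare the requisite/required SPNEGO chain from the first answer, the optional/optional chain from the two-domain answer, and the sufficient/required chain from the sequential-LDAP answer.

```python
"""Simulate the JAAS login phase for a chain of login modules.

Added example, not JBoss or PicketBox code. Each login module is represented
only by its control flag and the outcome its login() would produce for the
caller; nothing here talks to a directory or a KDC.
"""
from enum import Enum


class Flag(Enum):
    REQUIRED = "required"
    REQUISITE = "requisite"
    SUFFICIENT = "sufficient"
    OPTIONAL = "optional"


class Outcome(Enum):
    SUCCESS = "success"  # login() returned true
    FAILURE = "failure"  # login() threw a LoginException (bad ticket, unknown user, ...)
    IGNORE = "ignore"    # login() returned false: module did not apply to this caller


def run_chain(chain):
    """Run the chain and return (authenticated, names_of_modules_invoked).

    JAAS rules applied: every REQUIRED/REQUISITE module must succeed; a failing
    REQUISITE stops the chain at once; a succeeding SUFFICIENT stops the chain
    at once unless an earlier REQUIRED/REQUISITE already failed; if no module
    succeeded (all failed or ignored) the login fails.
    """
    invoked = []
    any_success = False
    required_error = False
    for name, flag, outcome in chain:
        invoked.append(name)
        if outcome is Outcome.SUCCESS:
            any_success = True
            if flag is Flag.SUFFICIENT and not required_error:
                break
        elif outcome is Outcome.FAILURE and flag in (Flag.REQUIRED, Flag.REQUISITE):
            required_error = True
            if flag is Flag.REQUISITE:
                break
        # OPTIONAL/SUFFICIENT failures and IGNORE outcomes just move on
    return (any_success and not required_error), invoked


def _result(ok):
    return Outcome.SUCCESS if ok else Outcome.FAILURE


def spnego_then_ldap(kerberos_ok, ad_lookup_ok):
    """Chain from the SPNEGO answer: SPNEGOUsers (requisite), AdvancedAdLdap (required)."""
    return run_chain([
        ("SPNEGOUsers", Flag.REQUISITE, _result(kerberos_ok)),
        ("AdvancedAdLdap", Flag.REQUIRED, _result(ad_lookup_ok)),
    ])


def two_domains_optional(domain_a_ok, domain_b_ok):
    """Chain from the two-domain answer: both LdapExtLoginModules flagged optional."""
    return run_chain([
        ("LdapExt domain A", Flag.OPTIONAL, _result(domain_a_ok)),
        ("LdapExt domain B", Flag.OPTIONAL, _result(domain_b_ok)),
    ])


def internal_then_external(internal_ok, external_ok):
    """Chain from the sequential-LDAP answer: internal (sufficient), external (required)."""
    return run_chain([
        ("LdapExtended internal", Flag.SUFFICIENT, _result(internal_ok)),
        ("LdapExtended external", Flag.REQUIRED, _result(external_ok)),
    ])


if __name__ == "__main__":
    print("no Kerberos ticket, AD user exists:", spnego_then_ldap(False, True))
    print("not in domain A, in domain B:", two_domains_optional(False, True))
    print("internal user:", internal_then_external(True, False))
```

Two things the simulation makes visible that the XML alone does not: with the requisite flag, a caller whose SPNEGO negotiation fails never reaches AdvancedAdLdap, so its allowEmptyPassword=true setting is only ever exercised for a principal Kerberos has already verified; and with two optional modules, domain B is still queried after domain A has succeeded, which is the extra round trip the sufficient flag avoids.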

How to configure multiple datasources with the single security policy in wildfly

I have successfully set up two data sources using different encrypted password policies as follows:
Security policy 1
  <security-domain name="policy1" cache-type="default">
    <authentication>
      <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
        <module-option name="username" value="user1"/>
        <module-option name="password" value="-16de44"/>
        <module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=DATASOURCE_1"/>
      </login-module>
    </authentication>
  </security-domain>
Security policy 2
  <security-domain name="policy1" cache-type="default">
    <authentication>
      <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
        <module-option name="username" value="user2"/>
        <module-option name="password" value="-16de44"/>
        <module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=DATASOURCE_2"/>
      </login-module>
    </authentication>
  </security-domain>
Datasource 1
  <datasource jndi-name="java:/DATASOURCE_1" pool-name="DATASOURCE_1" enabled="true">
    ...
    <security>
      <security-domain>policy_1</security-domain>
    </security>
  </datasource>
Datasource 2
  <datasource jndi-name="java:/DATASOURCE_2" pool-name="DATASOURCE_2" enabled="true">
    ...
    <security>
      <security-domain>policy_2</security-domain>
    </security>
  </datasource>
However, I would like to know if it's possible to use the same policy for both datasources. I haven't been able to find a way to include more than one pool-name in the managedConnectionFactoryName policy attribute:
  <module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=DATASOURCE_1 ??????, DATASOURCE_2 ?????"/>
Is the managedConnectionFactoryName attribute absolutely necessary? What could be a side effect if this attribute is not added?
Does this answer your question? https://access.redhat.com/solutions/304063
That means:
  <module-option name="managedConnectionFactoryName">jboss.jca:name=DS1,service=LocalTxCM</module-option>
  <module-option name="managedConnectionFactoryName">jboss.jca:name=DS2,service=LocalTxCM</module-option>
It seems that WildFly 8.2 prefers this syntax:
  <module-option name="managedConnectionFactoryName" value="jboss.jca:name=DS1,service=LocalTxCM"/>
But it still does not seem to honor the security-domain for more than one datasource.
Does anyone know the significance of
  service=LocalTxCM
in the example above? It seems like this would be different for xa-datasources.

LDAP authentication with JBoss 7

I want to develop a simple Java web application on the JBoss 7 server that lets the user log in with a username/password and authenticates against LDAP.
So this is what I wrote in web.xml, placed in WEB-INF/:
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Enter user name and password</realm-name>
  </login-config>
Then I added jboss-web.xml in the same folder:
  <?xml version="1.0" encoding="UTF-8"?>
  <jboss-web>
    <security-domain>java:/jaas/website-domain</security-domain>
  </jboss-web>
Then I added the website-domain realm in standalone.xml:
  <security-domain name="website-domain" cache-type="default">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
        <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
        <module-option name="bindDN" value="ou=people,dc=mycompany,dc=com"/>
        <module-option name="bindCredential" value="shad"/>
        <module-option name="allowEmptyPasswords" value="false"/>
        <module-option name="Context.REFERRAL" value="follow"/>
        <module-option name="throwValidateError" value="true"/>
        <module-option name="allowEmptyPasswords" value="true"/>
      </login-module>
    </authentication>
  </security-domain>
So how will the username and password entered be sent to these modules? Or do I have to write a custom JAAS realm? Is there any working example you guys can share with me?
I wrote a post in Portuguese...
http://jbossdivers.wordpress.com/2012/02/12/utilizando-ldap-login-module-no-jboss-as-7-1/
Your webapp needs to point to your security domain website-domain by adding a line in WEB-INF/jboss-web.xml:
  <security-domain flushOnSessionInvalidation="true">java:/jaas/website-domain</security-domain>
I believe in JBoss 7 you only need to specify website-domain (no java:/jaas/ prefix).
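Several of the configurations on this page share the same review points: the website-domain question above sets allowEmptyPasswords twice (PicketBox keeps whichever comes last), the SPNEGO answer at the top of the page enables allowEmptyPassword deliberately but only behind a requisite module, and every LdapExt configuration carries its bindCredential in clear text in standalone.xml. The following added script, not part of JBoss, PicketBox or any post here, parses security-domain XML and reports those conditions; its rule set and severity labels are its own, and the sample XML it lints is constructed from the page's fragments with placeholder hosts, DNs and credentials.

```python
"""Lint PicketBox <security-domain> XML for risky login-module settings.

Added example, not JBoss or PicketBox code. Rules and severities are this
script's own conventions. Checks: an empty-password option is only
acceptable behind a required/requisite module with password stacking; a
module-option given twice silently keeps its last value; bindCredential
values sit in clear text.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the stacked SPNEGO chain from the accepted answer plus a
# single LdapExtLoginModule with the duplicated allowEmptyPasswords option from
# the "LDAP authentication with JBoss 7" question. All values are placeholders.
SAMPLE_XML = """<security-domains>
  <security-domain name="SPNEGO">
    <authentication>
      <login-module code="SPNEGOUsers" flag="requisite">
        <module-option name="password-stacking" value="useFirstPass"/>
        <module-option name="serverSecurityDomain" value="host"/>
      </login-module>
      <login-module code="AdvancedAdLdap" flag="required">
        <module-option name="password-stacking" value="useFirstPass"/>
        <module-option name="bindDN" value="cn=svc,dc=example,dc=com"/>
        <module-option name="bindCredential" value="placeholder"/>
        <module-option name="allowEmptyPassword" value="true"/>
      </login-module>
    </authentication>
  </security-domain>
  <security-domain name="website-domain">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
        <module-option name="bindDN" value="ou=people,dc=mycompany,dc=com"/>
        <module-option name="bindCredential" value="placeholder"/>
        <module-option name="allowEmptyPasswords" value="false"/>
        <module-option name="allowEmptyPasswords" value="true"/>
      </login-module>
    </authentication>
  </security-domain>
</security-domains>"""

EMPTY_PASSWORD_OPTIONS = ("allowEmptyPassword", "allowEmptyPasswords")
IDENTITY_PROVING_FLAGS = ("required", "requisite")


def module_options(module):
    """All <module-option> pairs of a login-module, in order, duplicates kept."""
    return [(o.get("name"), o.get("value", "")) for o in module.findall("module-option")]


def lint_domain(domain):
    """Findings for one <security-domain> as (domain, module code, severity, message)."""
    findings = []
    dname = domain.get("name", "?")
    earlier_flags = []
    for module in domain.findall("./authentication/login-module"):
        code = module.get("code", "?")
        flag = (module.get("flag") or "").lower()
        opts = module_options(module)
        names = [n for n, _ in opts]
        for dup in sorted({n for n in names if names.count(n) > 1}):
            findings.append((dname, code, "warn",
                             f"module-option {dup!r} appears more than once; the last value wins"))
        effective = dict(opts)  # last value wins, matching how the options map is built
        allows_empty = any(effective.get(n, "false").strip().lower() == "true"
                           for n in EMPTY_PASSWORD_OPTIONS)
        if allows_empty:
            stacked = effective.get("password-stacking") == "useFirstPass"
            shielded = stacked and any(f in IDENTITY_PROVING_FLAGS for f in earlier_flags)
            if shielded:
                findings.append((dname, code, "info",
                                 "empty password accepted; relies on the earlier required/requisite "
                                 "module having authenticated the caller"))
            else:
                findings.append((dname, code, "high",
                                 "empty password accepted with no earlier required/requisite module: "
                                 "any existing username can log in"))
        if "bindCredential" in effective:
            findings.append((dname, code, "info", "bindCredential stored in clear text"))
        earlier_flags.append(flag)
    return findings


def lint(xml_text):
    """Lint a single <security-domain> or a <security-domains> container."""
    root = ET.fromstring(xml_text)
    domains = [root] if root.tag == "security-domain" else list(root.iter("security-domain"))
    findings = []
    for domain in domains:
        findings.extend(lint_domain(domain))
    return findings


def worst_severity(findings):
    """Highest severity present, or 'info' when there are no findings."""
    order = {"info": 0, "warn": 1, "high": 2}
    return max((f[2] for f in findings), key=order.get, default="info")


if __name__ == "__main__":
    for dname, code, severity, message in lint(SAMPLE_XML):
        print(f"[{severity}] {dname} / {code}: {message}")
```

Run against the sample, the SPNEGO domain only produces info-level findings, because its AdvancedAdLdap module sits behind a requisite SPNEGOUsers module, while the website-domain configuration is reported as high: once the duplicate option resolves to true, a module that is the only one in the chain will accept an empty password for any username the directory knows.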