I have an infinispan 8.2 server running, which I need to enable the jmx for.
I followed the server guide and the final domain.xml file is :
<subsystem xmlns="urn:jboss:domain:jmx:1.3">
<remoting-connector use-management-endpoint="false"/>
<expose-resolved-model/>
<expose-expression-model/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:naming:2.0">
<remote-naming/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:remoting:3.0">
<!--<endpoint/>-->
<!--<http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>-->
<connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:security:1.2">
<security-domains>
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmDirect" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="jboss-web-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
<security-domain name="jboss-ejb-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
<security-domain name="jaspitest" cache-type="default">
<authentication-jaspi>
<login-module-stack name="dummy">
<login-module code="Dummy" flag="optional"/>
</login-module-stack>
<auth-module code="Dummy"/>
</authentication-jaspi>
</security-domain>
</security-domains>
</subsystem>
<subsystem xmlns="urn:jboss:domain:security-manager:1.0">
<deployment-permissions>
<maximum-set>
<permission class="java.security.AllPermission"/>
</maximum-set>
</deployment-permissions>
</subsystem>
<subsystem xmlns="urn:jboss:domain:transactions:3.0">
<core-environment>
<process-id>
<uuid/>
</process-id>
</core-environment>
<recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
</subsystem>
</profile> </profiles>
I still cannot connect to the jmx port.
Bear in mind that the server is wrapping JMX through remoting (aka JSR 160) so that it uses manager security credentials. So, you either connect locally through jvmstat (VisualVM can do this) or add the bin/client/jboss-client.jar to your client's classpath and use the following service URL to connect: service:jmx:http-remoting-jmx://host:9990 (replace http with https if you have enabled TLS on the management interface)
Since you have this entry:
<remoting-connector use-management-endpoint="false"/>
the port switches from the management-http port (9990 by default) to the http port (8080 by default), so your connection string needs to switch to:
service:jmx:http-remoting-jmx://host:8080
Related
I want to add the following to the standalone-full.xml through Wildfly/Jboss CLI.
<subsystem xmlns="urn:jboss:domain:security:2.0">
<security-domains>
<security-domain name="MY_NAME" cache-type="default">
<authentication>
<login-module code="XXX" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="YYY" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
</security-domains>
</subsystem>
It is possible with the following commands:
/subsystem=security/security-domain=MY_NAME:add
/subsystem=security/security-domain=MY_NAME:write-attribute(name=cache-type, value=default)
/subsystem=security/security-domain=MY_NAME/authentication=classic:add(login-modules=[{code=XXX, flag=optional,module-options={password-stacking=useFirstPass}},{code=YYY, flag=required, module-options={password-stacking=useFirstPass}}]
NOTE: I already had <subsystem xmlns="urn:jboss:domain:security:2.0"> created, so anyone reading who doesn't have the mentioned subystem might want to run /subsystem=security:add
I have configured my application with Kerberos authentication for a specific user in jboss-eap and it's working fine. But wants to configure the same on the basis of the group i.e users in a specific group will able to authenticate.
Standalone.xml configuration for user:-
<security-domains>
<security-domain name="SPNEGO" cache-type="default">
<authentication>
<login-module code="SPNEGO" flag="required">
<module-option name="serverSecurityDomain" value="host"/>
</login-module>
</authentication>
<mapping>
<mapping-module code="SimpleRoles" type="role">
<module-option name="saurabhgupta#ECO.COM" value="User"/>
</mapping-module>
</mapping>
</security-domain>
My environment consists of:
linux server with JBoss EAP 6.2
client station with Windows 7 64bit + Chrome
Windows Server 2008 Active Directory (act as KDC)
Application War Location:- https://github.com/kwart/spnego-demo
Does anyone went all through this and solved it somehow?
Thank you in advance, Siddharth
You can pair the SPNEGO login-module with others so that you can assign users to roles. Below is an example of how to associate your users to LDAP roles via Standalone.xml:
<security-domain name="SPNEGO">
<authentication>
<login-module code="SPNEGOUsers" flag="requisite">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="serverSecurityDomain" value="host"/>
<module-option name="removeRealmFromPrincipal" value="true"/>
</login-module>
<login-module code="AdvancedAdLdap" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="bindDN" value="test"/>
<module-option name="bindCredential" value="test"/>
<module-option name="allowEmptyPassword" value="true"/>
<module-option name="java.naming.provider.url" value="ldap://test.jboss.redhat.com:389"/>
<module-option name="baseCtxDN" value="CN=Users,DC=jboss,DC=redhat,DC=com"/>
<module-option name="baseFilter" value="(sAMAccountName={0})"/>
<module-option name="roleAttributeID" value="memberOf"/>
<module-option name="roleAttributeIsDN" value="true"/>
<module-option name="roleNameAttributeID" value="cn"/>
<module-option name="recurseRoles" value="true"/>
</login-module>
</authentication>
</security-domain>
What is the significance of the other security domain in JBoss. I am new to JBoss and read the documentation but cannot understand why it is used.
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmDirect" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
What would happen if I just remove these two modules? Given that my application has my own domain specific security domain defined.
You can have various security domains elements configured in JBoss. They can be referenced via jboss-web.xml files in different web projects if you want to have different security levels for different war's.
other is the default security domain. It can be removed (replaced with something more sophisticated), just be sure to remove its references also.
So far, I am unable to find help for authenticating against multiple LDAP servers except where talking about failover.
We have an LDAP for internal users, and an LDAP for external users. Suddenly, our app needs to be available to both internal users and external users. How would I set this up?
Here is the current config for just internal users:
<security-domain name="dc-ldap-auth">
<authentication>
<login-module code="LdapExtended" flag="required">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://dvldap-1.example.com:389"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="bindDN" value="uid=someid,ou=People,ou=Intranet,o=example.com"/>
<module-option name="bindCredential" value="somecred"/>
<module-option name="baseCtxDN" value="ou=People,ou=Intranet,o=example.com"/>
<module-option name="baseFilter" value="(uid={0})"/>
<module-option name="rolesCtxDN" value="ou=Groups,ou=Intranet,o=example.com"/>
<module-option name="roleFilter" value="(uniqueMember={1})"/>
<module-option name="roleRecursion" value="0"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="searchScope" value="ONELEVEL_SCOPE"/>
</login-module>
</authentication>
</security-domain>
If you need simple configuration
Just use what JAAS offers. Add the two configurations to login module chain and set the flag on the first of them to sufficient value (look at Configuration class for all the options and their description).
For optimal performance: The first configuration should be the one to which users authenticate more often.
<security-domain name="dc-ldap-auth">
<authentication>
<login-module code="LdapExtended" flag="sufficient">
<module-option name="java.naming.provider.url"
value="ldap://internal-ldap.my-company.example"/>
<!-- add other options for the first LDAP server -->
</login-module>
<login-module code="LdapExtended" flag="required">
<module-option name="java.naming.provider.url"
value="ldap://external-ldap.my-company.example"/>
<!-- add other options for the second LDAP server -->
</login-module>
</authentication>
</security-domain>
If you need great performance
If you are able to determine (from the loginname for instance) which LDAP you should search in, then I would suggest to implement your own login module. It can delegate the processing to LdapExtLoginModule instances.
I have setup successfully two data sources using different encrypted password policies as follows:
Security policy 1
<security-domain name="policy1" cache-type="default">
<authentication>
<login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
<module-option name="username" value="user1"/>
<module-option name="password" value="-16de44"/>
<module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=DATASOURCE_1"/>
</login-module>
</authentication>
</security-domain>
Security policy 2
<security-domain name="policy1" cache-type="default">
<authentication>
<login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
<module-option name="username" value="user2"/>
<module-option name="password" value="-16de44"/>
<module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=DATASOURCE_2"/>
</login-module>
</authentication>
</security-domain>
Datasource 1
<datasource jndi-name="java:/DATASOURCE_1" pool-name="DATASOURCE_1" enabled="true">
.
.
<security>
<security-domain>policy_1</security-domain>
</security>
</datasource>
Datasource 2
<datasource jndi-name="java:/DATASOURCE_2" pool-name="DATASOURCE_2" enabled="true">
.
.
<security>
<security-domain>policy_2</security-domain>
</security>
</datasource>
However, I would like to know if it's possible to use the same policy for both datasources? I haven't been able to find a way to include more than one pool_name in the managedConnectionFactoryName policy attribute:
<module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=DATASOURCE_1 ??????, DATASOURCE_2 ?????"/>
Is the managedConnectionFactoryName attribute absolutely necessary? what could be a side effect if this attribute is not added?
Does this answer your question? https://access.redhat.com/solutions/304063
That means:
<module-option name="managedConnectionFactoryName">jboss.jca:name=DS1,service=LocalTxCM</module-option>
<module-option name="managedConnectionFactoryName">jboss.jca:name=DS2,service=LocalTxCM</module-option>
It seems that Wildfly 8.2 prefers this syntax:
<module-option name="managedConnectionFactoryName" value="jboss.jca:name=DS1,service=LocalTxCM"/>
But, It still does not seem to honor the security-domain for more that one datasource.
Does anyone know the significance of
service=LocalTxCM
in the example above? Seems like this would be different for xa-datasouces.