I am implementing LDAP security in Jboss Fuse 6.2.1.
My confusion is about how to map 7 roles in Jboss Fuse 6.2.1 with LDAP group.
You have to use the role mapping param and define the configured groups as equal to the role name. It should be as below:
role.mapping=JBossAdmin=admin;JBossMonitor=Monitor,viewer
--seshadri
I am using a WebLogic 12.2.1.3 server on Linux. I added an OpenLDAP provider in the security realm. Now I see the list of users and group memberships in WebLogic as defined in LDAP and can login with one of those user cn's and password.
So far, so good.
However, in the Users and Groups list, the description column is blank for the LDAP entries. Which attribute should be added to the LDAP object to fill this?
The field is just named "description" for me
By following the keycloak documentation: https://www.keycloak.org/docs/latest/server_admin/#_ldap_mappers
I created a group mapper like this:
But I don't see an option to give the name of the Keycloak group so that the imported LDAP group can be mapped to this group.
Instead, when I "Sync LDAP Groups to Keycloak Groups", a new group with the name of the LDAP group is created.
Any idea how to map existing LDAP groups to a single Keycloak group?
The default LDAP provider doesn't provide this option; the only way is a custom federation provider. Override this logic in it if you need to. The ImportSynchronization interface is responsible for it.
Beside having some roles from database (using org.jboss.security.mapping.providers.role.DatabaseRolesMappingProvider), I would like to assign some fixed role for all authenticated user. How could I achieve that in JBoss 7?
Thanks
You can do authentication with the basic or digest method. Here is the guide:
http://docs.jboss.org/exojcr/1.14.7-GA/developer/en-US/html/ch82.html
I am able to obtain information about the current deployments on the JBoss Server via JBoss CLI. (deployment-info)
I can connect to the JBoss CLI directly from the ssh terminal or from an web interface (Management console).
By using the CLI, much more would be possible than querying the deployment info.
Does anybody know if it is possible to have an user which has restricted or limited rights for the JBoss CLI?
So that this user has only rights to query the deployment information but nothing else, for instance.
You can enable RBAC for the JBoss instance and configure a user with the 'Monitor' role. A user with this role can only perform read-only operations. Go through the documentation for more details on RBAC.
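As an added example that is not part of the answer above: a small POSIX shell function that writes the jboss-cli batch needed to switch the management interface to RBAC and map a read-only user to the built-in Monitor role. The user names (admin, readonly) and the output file name are assumptions; the CLI addresses are the standard /core-service=management/access=authorization ones from the EAP 6 / WildFly RBAC documentation. It is written as a generator rather than a direct call so that the batch can be reviewed before it is applied with `$JBOSS_HOME/bin/jboss-cli.sh --connect --file=rbac-monitor.cli`.

```shell
#!/bin/sh
# Added example, not code from the original post. Writes a jboss-cli batch that
# maps users to RBAC roles and then switches the authorization provider to RBAC.
# Assumed names: an existing management user "admin" and a management user
# "readonly" (create it first with $JBOSS_HOME/bin/add-user.sh -m -u readonly).
#
# $1 = output file, $2 = existing admin user to keep as SuperUser,
# $3 = user that should only be able to read (e.g. :read-resource, deployment-info)
write_rbac_script() {
    cat > "$1" <<EOF
# Keep an administrator mapped to SuperUser BEFORE switching providers: enabling
# RBAC with nobody in SuperUser locks every remote user out of the management
# interface. The SuperUser mapping itself exists in the default standalone.xml
# (it includes the \$local user); if yours lacks it, add it first with
#   /core-service=management/access=authorization/role-mapping=SuperUser:add
/core-service=management/access=authorization/role-mapping=SuperUser/include=user-$2:add(name=$2,type=USER)

# Monitor: read-only access to configuration and runtime state (deployment-info,
# :read-resource, ...). No write operations and no sensitive data (e.g. passwords).
/core-service=management/access=authorization/role-mapping=Monitor:add
/core-service=management/access=authorization/role-mapping=Monitor/include=user-$3:add(name=$3,type=USER)

# Switch from the default "simple" provider (every authenticated management user
# is effectively SuperUser) to role-based access control. Do this last.
/core-service=management/access=authorization:write-attribute(name=provider,value=rbac)
EOF
}

# Sanity check on the generated batch before feeding it to jboss-cli:
# both mappings must be present and the provider switch must come after
# the SuperUser mapping, otherwise the batch can lock the admin out.
rbac_script_ok() {
    grep -q 'provider,value=rbac' "$1" || return 1
    grep -q 'role-mapping=Monitor/include=user-' "$1" || return 1
    super=$(grep -n 'role-mapping=SuperUser/include=user-' "$1" | head -n 1 | cut -d: -f1)
    prov=$(grep -n 'provider,value=rbac' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$super" ] && [ -n "$prov" ] && [ "$super" -lt "$prov" ]
}

# Usage: write_rbac_script rbac-monitor.cli admin readonly && rbac_script_ok rbac-monitor.cli
```

Once applied, the readonly user can run `deployment-info` and any `:read-resource` query but gets an "unauthorized" failure on `deploy`, `:write-attribute` and similar operations. If finer control than the seven standard roles is needed (for example read access to deployments but not to the datasource subsystem), RBAC also supports scoped roles and per-resource constraints; those are described in the same RBAC documentation.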
Our current application uses JSF/JPA technology and is deployed on Weblogic 12.1.2 and does the following:
Authenticates a user through an IDP
The IDP after authenticating the user sends back the Groups the user belong to
Using Web.xml and WebLogic.xml we map the Groups to Roles
Our Application Scoped roles are very granular and it helps us do the following:
Hide UI pages or components on UI
use RolesAllowed annotation on methods
Since Group to Role mapping is in Weblogic.xml, our application users can't change the groups to roles mapping and this is the problem that I have to solve.
My goal is to do the following:
Authenticate a user through our IDP
The IDP will send us the Groups user belongs to
Define the roles in web.xml
Define tables that our application will read to find Group to Role mapping
Use Weblogic API to do Group to Role Mapping
Create a UI to allow our users to change the Group to Role mapping
The problem that I am running into is that I can't find how to do Group to Role mapping dynamically using WebLogic, since I can't get access to a WebLogic API that will allow me to change the Group to Role mapping in my deployed application. Has anyone done this before?
I have looked at creating a custom Role mapper, but I am not sure how to get the handle to this custom Role Mapper in our deployed application.
As of Java EE 7, this is not possible, based on this thread:
dynamic roles on a Java EE server
If someone does want this feature added to Java EE 8 then please vote for the following two open feature requests in Java EE 8
https://java.net/jira/browse/JAVAEE_SECURITY_SPEC-8
https://java.net/jira/browse/JASPIC_SPEC-22
Not really a concrete answer, but it can be done using a Weblogic specific solution.
See examples in:
https://docs.oracle.com/cd/E13212_01/wles/docs42/dvspisec/examples.html
You have to implement the getRoles method:

import java.util.Map;
import javax.security.auth.Subject;
import weblogic.security.service.ContextHandler;
import weblogic.security.spi.Resource;
import weblogic.security.spi.RoleMapper;
import weblogic.security.spi.RoleProvider;

public final class MyRoleMapperProviderImpl implements RoleProvider, RoleMapper
{
    // Called by WebLogic on each access check: return the roles (keyed by
    // role name) granted to the authenticated subject for this resource.
    public Map getRoles(Subject subject, Resource resource,
                        ContextHandler handler)
    {
        ...
    }
}
You can generate an MBean for it as well to establish automatic loading:
https://docs.oracle.com/middleware/1213/wls/DEVSP/generate_mbeantype.htm#DEVSP617

java -DMDF=xmlfile -Dfiles=filesdir -DcreateStubs=true weblogic.management.commo.WebLogicMBeanMaker

The result can be added as a jar to the server classpath, and the implementation is then available on server startup.