Wildfly Login With Username And Role - wildfly

For an integration test EAR I need my Wildfly to be able to log in different users with a specific role.
org.jboss.security.auth.spi.SimpleServerLoginModule doesn't allow me to specify a role
org.jboss.security.auth.spi.IdentityLoginModule doesn't allow different users
So evidently I need to use something different. I tried to use a temporary database like this:
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
  <module-option name="dsJndiName" value="java:/AcmeDS" />
  <module-option name="principalsQuery" value="SELECT ?" />
  <module-option name="rolesQuery" value="SELECT 'my_role', 'Roles'" />
  <module-option name="password-stacking" value="useFirstPass" />
</login-module>
...aaand:
<datasources>
  <datasource jndi-name="java:/AcmeDS" pool-name="AcmeDS" enabled="true">
    <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1</connection-url>
    <driver>h2</driver>
    <pool>
      <min-pool-size>10</min-pool-size>
      <max-pool-size>20</max-pool-size>
      <prefill>true</prefill>
    </pool>
    <security>
      <user-name>sa</user-name>
      <password>sa</password>
    </security>
  </datasource>
  <drivers>
    <driver name="h2" module="com.h2database.h2">
      <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
    </driver>
  </drivers>
</datasources>
As suggested in the JBoss tutorial. Still I get the following exception for the clients:
java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: the server presented no authentication mechanisms
    at org.jboss.ejb.client.remoting.IoFutureHelper.get(IoFutureHelper.java:92)
    at org.jboss.ejb.client.remoting.ConnectionPool.getConnection(ConnectionPool.java:77)
    at org.jboss.ejb.client.remoting.RemotingConnectionManager.getConnection(RemotingConnectionManager.java:51)
    at org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector.setupEJBReceivers(ConfigBasedEJBClientContextSelector.java:155)
    at org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector.getCurrent(ConfigBasedEJBClientContextSelector.java:115)
5 minutes later I got (I'm not aware of any changes): all available authentication mechanisms failed
(It worked right until the point where I needed a role, so I guess the setup for the client side is okay.)
What did I do wrong? How can I get WildFly to at least show exceptions or something so I can debug the problem? Is there a better way to get WildFly to acknowledge different users with a specific role?

Have a look at the Java Security Quickstart Archetype. It has Java EE Security worked out, at least at the level I think you are trying to do.
In short, you need to have a security-domain, more like so:
<security-domain name="javaee-security-quickstart" cache-type="default">
  <authentication>
    <login-module code="Database" flag="required">
      <module-option name="dsJndiName" value="java:jboss/datasources/ExampleDS"/>
      <module-option name="principalsQuery" value="SELECT PASSWORD FROM USER WHERE EMAIL=?"/>
      <module-option name="rolesQuery" value="SELECT R.ROLE, 'Roles' FROM ROLE R INNER JOIN USER_ROLE UR ON UR.ROLES_ID = R.ID INNER JOIN USER U ON U.ID = UR.USER_ID WHERE U.EMAIL=?"/>
      <module-option name="hashAlgorithm" value="SHA-256"/>
      <module-option name="hashEncoding" value="base64"/>
      <module-option name="hashCharset" value="utf-8"/>
    </login-module>
  </authentication>
</security-domain>
You need to have a jboss-web.xml in your WEB-INF directory that points to it:
<!DOCTYPE jboss-web>
<jboss-web xmlns="http://www.jboss.com/xml/ns/javaee"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.jboss.org/schema/jbossas
                               http://www.jboss.org/schema/jbossas/jboss-web_7_2.xsd">
  <!-- Configure usage of the security domain "javaee-security-quickstart" -->
  <security-domain>javaee-security-quickstart</security-domain>
  <disable-audit>true</disable-audit>
</jboss-web>
And a web.xml that uses it:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>User Views</web-resource-name>
    <url-pattern>/views/user/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>ADMIN</role-name>
    <role-name>USER</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/views/login.xhtml</form-login-page>
    <form-error-page>/views/login.xhtml?Retry=True</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>ADMIN</role-name>
</security-role>
<security-role>
  <role-name>USER</role-name>
</security-role>
These are the basics, but it's a little easier to see it in action.
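To see what that security-domain does at login time, here is an added example (mine, not the quickstart's code) that runs the two queries from the configuration above against a constructed SQLite stand-in for ExampleDS and compares passwords the way hashAlgorithm=SHA-256, hashEncoding=base64 and hashCharset=utf-8 store them: an unsalted base64(SHA-256(password)). Only the two SQL strings come from the answer; the table layout, the users and their passwords are assumptions made for the example.

```python
"""Added example: what the Database login module above does per login,
against a constructed SQLite database (SQLite stands in for the H2 ExampleDS)."""
import base64
import hashlib
import hmac
import sqlite3

# The two SQL strings are copied from the security-domain configuration.
PRINCIPALS_QUERY = "SELECT PASSWORD FROM USER WHERE EMAIL=?"
ROLES_QUERY = (
    "SELECT R.ROLE, 'Roles' FROM ROLE R "
    "INNER JOIN USER_ROLE UR ON UR.ROLES_ID = R.ID "
    "INNER JOIN USER U ON U.ID = UR.USER_ID WHERE U.EMAIL=?"
)


def stored_hash(password: str) -> str:
    """Value the PASSWORD column must hold for hashAlgorithm=SHA-256,
    hashEncoding=base64, hashCharset=utf-8: base64(SHA-256(utf8(password))),
    with no salt. A 32-byte digest encodes to 44 base64 characters."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_db() -> sqlite3.Connection:
    """Constructed sample schema and data (assumed layout; it only has to
    satisfy the two queries above)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE USER (ID INTEGER PRIMARY KEY, EMAIL TEXT UNIQUE, PASSWORD TEXT);
        CREATE TABLE ROLE (ID INTEGER PRIMARY KEY, ROLE TEXT UNIQUE);
        CREATE TABLE USER_ROLE (USER_ID INTEGER, ROLES_ID INTEGER);
        INSERT INTO ROLE VALUES (1, 'ADMIN'), (2, 'USER');
        """
    )
    db.execute("INSERT INTO USER VALUES (1, 'alice@example.com', ?)", (stored_hash("alice-pw"),))
    db.execute("INSERT INTO USER VALUES (2, 'bob@example.com', ?)", (stored_hash("bob-pw"),))
    db.executemany("INSERT INTO USER_ROLE VALUES (?, ?)", [(1, 1), (1, 2), (2, 2)])
    return db


def login(db: sqlite3.Connection, email: str, password: str):
    """Per login: bind the principal name into principalsQuery, compare the
    stored hash with the hash of the submitted password, then bind the same
    name into rolesQuery and keep every row whose second column (the role
    group) is 'Roles'. Returns the set of role names, or None on failure."""
    row = db.execute(PRINCIPALS_QUERY, (email,)).fetchone()
    if row is None:
        return None  # unknown principal
    if not hmac.compare_digest(row[0], stored_hash(password)):
        return None  # wrong password
    return {role for role, group in db.execute(ROLES_QUERY, (email,)) if group == "Roles"}


if __name__ == "__main__":
    conn = build_db()
    print(sorted(login(conn, "alice@example.com", "alice-pw")))  # ['ADMIN', 'USER']
    print(login(conn, "alice@example.com", "nope"))              # None
```

Two things worth checking against a real deployment: rolesQuery must return the role name first and the group name ('Roles') second, because that is the column order the module reads; and a single unsalted SHA-256 is cheap to brute-force offline if the USER table leaks, so it is fine for a quickstart but not for production credentials.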

Related

Can't enable jboss security

I practise SIP scenarios based on Mobicents SIP Servlets. I have Restcomm-JBoss-AS7-8.2.0.1221 and my own SIP application deployed on it (the Restcomm app is disabled). I encountered a problem with enabling JBoss security. What I did:
1. Create sip-servlets-roles.properties:
admin=caller
2. Create sip-servlets-users.properties (for user alice, domain 192.168.56.101, password 1234):
admin=6f8002e56ee173a3a39144ea90d18a39
3. Put the above files in ../Restcomm-JBoss-AS7-8.2.0.1221/standalone/configuration
4. Deploy the SIP application with this sip.xml:
<security-constraint>
  <display-name>REGISTER Method Security Constraint</display-name>
  <resource-collection>
    <resource-name>SipServletApp</resource-name>
    <description>Require authenticated REGISTER requests</description>
    <servlet-name>SipServletApp</servlet-name>
    <sip-method>REGISTER</sip-method>
  </resource-collection>
  <auth-constraint>
    <role-name>caller</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>192.168.56.101</realm-name>
</login-config>
5. standalone-sip.xml is unchanged:
<security-domain name="sip-servlets">
  <authentication>
    <login-module code="UsersRoles" flag="required">
      <module-option name="usersProperties" value="${jboss.server.config.dir}/sip-servlets-users.properties"/>
      <module-option name="rolesProperties" value="${jboss.server.config.dir}/sip-servlets-roles.properties"/>
      <module-option name="hashAlgorithm" value="MD5"/>
      <module-option name="hashEncoding" value="RFC2617"/>
      <module-option name="hashUserPassword" value="false"/>
      <module-option name="hashStorePassword" value="true"/>
      <module-option name="passwordIsA1Hash" value="true"/>
      <module-option name="storeDigestCallback" value="org.jboss.security.auth.callback.RFC2617Digest"/>
    </login-module>
  </authentication>
</security-domain>
6. Try to register user alice with Zoiper.
[Wireshark trace screenshot]
7. Enabled trace-level logging and got this error in the JBoss logs:
14:14:10,140 DEBUG [org.jboss.security] (Restcomm-SIP-Servlets-UDPMessageChannelThread-44) PBOX000206: Login failure: javax.security.auth.login.LoginException: java.lang.NullPointerException
    at org.jboss.security.auth.spi.Util.createPasswordHash(Util.java:424)
    at org.jboss.security.auth.spi.UsernamePasswordLoginModule.createPasswordHash(UsernamePasswordLoginModule.java:450)
    at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:280)
    ...
8. The DAR is set to my SIP app.
So the question is what is wrong with this configuration?
Your stored password, i.e. admin=6f8002e56ee173a3a39144ea90d18a39, is already hashed. <module-option name="hashStorePassword" value="true"/> should be value="false".
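Added example, not part of the question or the answer above: the RFC 2617 arithmetic that hashEncoding=RFC2617 and passwordIsA1Hash=true refer to, so the value in sip-servlets-users.properties can be generated and checked offline. The user alice, realm 192.168.56.101 and password 1234 are taken from the question; the nonce, cnonce, method and request URI are constructed. The code also shows why a stored HA1 has to enter the response computation as HA1: hashing it again as if it were a plaintext password gives a value that can never match what the client sends.

```python
"""Added example: RFC 2617 digest values behind the UsersRoles/RFC2617Digest
configuration. Credentials from the question; nonce material is constructed."""
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def a1_hash(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password). With passwordIsA1Hash=true this is the
    value each line of the users properties file must contain, and the realm
    must be the realm-name from the login-config (here 192.168.56.101)."""
    return md5_hex(f"{user}:{realm}:{password}")


def users_properties_line(user: str, realm: str, password: str) -> str:
    """One line of sip-servlets-users.properties: user=HA1."""
    return f"{user}={a1_hash(user, realm, password)}"


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str,
                    cnonce: str, qop: str = "auth") -> str:
    """Client side (RFC 2617, qop=auth):
    HA2 = MD5(method:uri); response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_accepts(stored: str, user: str, realm: str, method: str, uri: str,
                   nonce: str, nc: str, cnonce: str, response: str,
                   treat_stored_as_plaintext: bool = False) -> bool:
    """Server side. The stored value is already HA1 and is used as-is.
    treat_stored_as_plaintext=True models the mistake of hashing the stored
    value again as if it were the password: the expected response is then
    derived from a different HA1 and never matches the client's response."""
    ha1 = a1_hash(user, realm, stored) if treat_stored_as_plaintext else stored
    expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    realm = "192.168.56.101"
    print(users_properties_line("alice", realm, "1234"))  # alice=<32 hex chars>
    ha1 = a1_hash("alice", realm, "1234")
    # Constructed challenge material; a real server sends a fresh nonce each time.
    nonce, nc, cnonce = "0a1b2c3d", "00000001", "cafe0001"
    resp = digest_response(ha1, "REGISTER", f"sip:{realm}", nonce, nc, cnonce)
    print(server_accepts(ha1, "alice", realm, "REGISTER", f"sip:{realm}", nonce, nc, cnonce, resp))  # True
    print(server_accepts(ha1, "alice", realm, "REGISTER", f"sip:{realm}", nonce, nc, cnonce, resp,
                         treat_stored_as_plaintext=True))  # False
```

Note that the HA1 is bound to the realm string: if the realm-name in sip.xml changes, every stored hash has to be regenerated, and an HA1 is itself a password-equivalent for that realm, so the properties file deserves the same protection as a plaintext password file.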

how to configure mutual certificate authentication

I am trying to accomplish client certificate authentication using WildFly 8.2. I have changed the logging level to ALL to let me see errors from org.jboss.security.
(NOTE: the passwords used are for demonstration.)
Below is my configuration in the WildFly 8.2 standalone.xml:
<security-realm name="SSLRealm">
  <server-identities>
    <ssl protocol="TLSv1">
      <keystore path="localhost.jks" relative-to="jboss.server.config.dir" keystore-password="localhost" alias="localhost"/>
    </ssl>
  </server-identities>
  <authentication>
    <truststore path="cacerts.jks" relative-to="jboss.server.config.dir" keystore-password="localhost"/>
  </authentication>
</security-realm>
My security domain:
<security-domain name="client-cert-policy" cache-type="default">
  <authentication>
    <login-module code="Certificate" flag="required">
      <module-option name="securityDomain" value="client-cert-policy"/>
    </login-module>
  </authentication>
  <jsse keystore-password="localhost" keystore-url="file:/${jboss.server.config.dir}/localhost.jks" truststore-password="localhost" truststore-url="file:/${jboss.server.config.dir}/cacerts.jks" client-auth="true"/>
</security-domain>
My https-listener:
<https-listener name="default-https" socket-binding="https" security-realm="SSLRealm" verify-client="REQUESTED"/>
In my web application's web.xml:
<security-constraint>
  <display-name>allpages</display-name>
  <web-resource-collection>
    <web-resource-name>all-res</web-resource-name>
    <description/>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description/>
  </auth-constraint>
  <user-data-constraint>
    <description/>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>client-cert-policy</realm-name>
</login-config>
In jboss.xml:
<context-root>/haven</context-root>
<security-domain>client-cert-policy</security-domain>
Despite all this, my web application returns a 403 error page.
Any help will be greatly appreciated.
Finally I got the client auth to work. The following are the modifications I made:
In standalone.xml, the security domain's login module changed from Certificate to CertificateRoles, and I added a roles properties file:
<security-domain name="client-cert-policy" cache-type="default">
  <authentication>
    <login-module code="CertificateRoles" flag="required">
      <module-option name="securityDomain" value="client-cert-policy"/>
      <module-option name="rolesProperties" value="file:${jboss.server.config.dir}/user_roles.properties"/>
      <module-option name="defaultRolesProperties" value="file:${jboss.server.config.dir}/default_roles.properties"/>
    </login-module>
  </authentication>
  <jsse keystore-password="localhost" keystore-url="file:/${jboss.server.config.dir}/localhost.jks" truststore-password="localhost" truststore-url="file:/${jboss.server.config.dir}/cacerts.jks" client-auth="true"/>
</security-domain>
Modified web.xml to add the roles:
<security-constraint>
  <display-name>allpages</display-name>
  <web-resource-collection>
    <web-resource-name>all-res</web-resource-name>
    <description/>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description/>
    <role-name>sys_view</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description/>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>client-cert-policy</realm-name>
</login-config>
<security-role>
  <description/>
  <role-name>sys_view</role-name>
</security-role>
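Added example, not from either post. Two things produce the 403 in the first configuration: an empty <auth-constraint/> denies every request under the Servlet spec, and the plain Certificate module assigns no roles at all. What CertificateRoles adds is a lookup of the authenticated certificate's principal name in rolesProperties. That name is the subject DN string, which contains '=', ',' and spaces, and a java.util.Properties key must escape '=', ':' and whitespace, so a line typed as CN=alice, OU=dev, O=Acme=sys_view is read as key CN and matches nothing (again no roles, again a 403). The DN below is constructed, the exact spacing of the DN string the module uses is an assumption (the DEBUG output of org.jboss.security shows the real string to match), and the role sys_view is the one from the answer.

```python
"""Added example: writing and reading a rolesProperties file keyed by an
X.509 subject DN, with java.util.Properties escaping. DN is constructed."""


def properties_key(text: str) -> str:
    """Escape a string for use as a java.util.Properties key. Unescaped '=',
    ':' or whitespace ends the key, and a leading '#' or '!' starts a
    comment, so each of them gets a backslash; a backslash is doubled."""
    out = []
    for ch in text:
        if ch == "\\":
            out.append("\\\\")
        elif ch in "=:#! \t":
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def roles_properties(dn_to_roles: dict) -> str:
    """Render rolesProperties content: one line per certificate subject DN,
    value is the comma-separated role list."""
    return "".join(f"{properties_key(dn)}={','.join(roles)}\n" for dn, roles in dn_to_roles.items())


def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties reader, enough for this file: the key runs
    to the first unescaped '=', ':' or whitespace; a backslash escapes the next
    character; lines starting with '#' or '!' are comments. (Line continuations
    and \\uXXXX escapes are not handled.)"""
    props = {}
    for raw in text.splitlines():
        line = raw.lstrip()
        if not line or line[0] in "#!":
            continue
        key, i, n = [], 0, len(line)
        while i < n:
            ch = line[i]
            if ch == "\\" and i + 1 < n:
                key.append(line[i + 1])  # escaped character is literal
                i += 2
            elif ch in "=: \t":
                break
            else:
                key.append(ch)
                i += 1
        while i < n and line[i] in " \t":  # separator: whitespace, optional '=' or ':', whitespace
            i += 1
        if i < n and line[i] in "=:":
            i += 1
        while i < n and line[i] in " \t":
            i += 1
        props["".join(key)] = line[i:]
    return props


def roles_for(subject_dn: str, rolesproperties_text: str) -> list:
    """What CertificateRoles does with the authenticated certificate: the
    principal name (the subject DN string) is looked up verbatim as a key and
    the value is split on commas. No matching key means no roles, which
    against an auth-constraint requiring sys_view is exactly a 403."""
    value = parse_properties(rolesproperties_text).get(subject_dn)
    return [r.strip() for r in value.split(",") if r.strip()] if value else []


if __name__ == "__main__":
    dn = "CN=alice, OU=dev, O=Acme, C=US"  # constructed client certificate subject
    good = roles_properties({dn: ["sys_view"]})
    print(good, end="")                      # CN\=alice,\ OU\=dev,\ O\=Acme,\ C\=US=sys_view
    print(roles_for(dn, good))               # ['sys_view']
    print(roles_for(dn, f"{dn}=sys_view\n"))  # [] : unescaped key is read as just "CN"
```

The same escaping applies to default_roles.properties and to any user_roles.properties line you write by hand; generating the file from the DN string rather than typing it avoids the silent mismatch.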

How to configure multiple datasources with the single security policy in wildfly

I have successfully set up two data sources using different encrypted password policies as follows:
Security policy 1:
<security-domain name="policy1" cache-type="default">
  <authentication>
    <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
      <module-option name="username" value="user1"/>
      <module-option name="password" value="-16de44"/>
      <module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=DATASOURCE_1"/>
    </login-module>
  </authentication>
</security-domain>
Security policy 2:
<security-domain name="policy2" cache-type="default">
  <authentication>
    <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
      <module-option name="username" value="user2"/>
      <module-option name="password" value="-16de44"/>
      <module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=DATASOURCE_2"/>
    </login-module>
  </authentication>
</security-domain>
Datasource 1:
<datasource jndi-name="java:/DATASOURCE_1" pool-name="DATASOURCE_1" enabled="true">
  ...
  <security>
    <security-domain>policy1</security-domain>
  </security>
</datasource>
Datasource 2:
<datasource jndi-name="java:/DATASOURCE_2" pool-name="DATASOURCE_2" enabled="true">
  ...
  <security>
    <security-domain>policy2</security-domain>
  </security>
</datasource>
However, I would like to know if it's possible to use the same policy for both datasources. I haven't been able to find a way to include more than one pool name in the managedConnectionFactoryName option:
<module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=DATASOURCE_1 ??????, DATASOURCE_2 ?????"/>
Is the managedConnectionFactoryName attribute absolutely necessary? What could be a side effect if this attribute is not added?
Does this answer your question? https://access.redhat.com/solutions/304063
That means:
<module-option name="managedConnectionFactoryName">jboss.jca:name=DS1,service=LocalTxCM</module-option>
<module-option name="managedConnectionFactoryName">jboss.jca:name=DS2,service=LocalTxCM</module-option>
It seems that WildFly 8.2 prefers this syntax:
<module-option name="managedConnectionFactoryName" value="jboss.jca:name=DS1,service=LocalTxCM"/>
But it still does not seem to honor the security-domain for more than one datasource.
Does anyone know the significance of
service=LocalTxCM
in the example above? It seems like this would be different for xa-datasources.

JBoss7 LDAP access by role with Guvnor 5.4

I'm trying to enable access to Guvnor through LDAP defined roles. I've managed to get JBoss to connect to my LDAP server and authenticate by user, but I have no idea how to do that by role instead. What I want is to allow, for example, all users with the Role "Guvnor Administrator" to log into the Guvnor page.
Can anyone help me with this? I've tried several configurations, including modifying the web.xml in guvnor.war, but the closest I could get to role-based authorization was through configuring user permissions in the Guvnor administration page.
My standalone.xml:
<security-domain name="drools-guvnor" cache-type="default">
  <authentication>
    <login-module code="LdapExtended" flag="required">
      <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
      <module-option name="java.naming.provider.url" value="ldap://myLDAPHost"/>
      <module-option name="baseCtxDN" value="ou=Users,dc=proj,dc=com"/>
      <module-option name="baseFilter" value="(uid={0})"/>
      <module-option name="rolesCtxDN" value="ou=Roles, dc=flow,dc=com"/>
      <module-option name="roleFilter" value="(member={1})"/>
      <module-option name="roleAttributeID" value="cn"/>
      <module-option name="throwValidateError" value="true"/>
      <module-option name="searchScope" value="ONELEVEL_SCOPE"/>
    </login-module>
  </authentication>
</security-domain>
beans.xml:
<security:IdentityImpl>
  <s:modifies/>
  <!-- JAAS based authentication -->
  <security:authenticatorName>jaasAuthenticator</security:authenticatorName>
</security:IdentityImpl>
<security:jaas.JaasAuthenticator>
  <s:modifies/>
  <security:jaasConfigName>drools-guvnor</security:jaasConfigName>
</security:jaas.JaasAuthenticator>
<!-- SECURITY AUTHORIZATION CONFIGURATION -->
<!-- This is used to enable or disable role-based authorization. By default it is disabled. -->
<guvnorSecurity:RoleBasedPermissionResolver>
  <s:modifies/>
  <guvnorSecurity:enableRoleBasedAuthorization>true</guvnorSecurity:enableRoleBasedAuthorization>
</guvnorSecurity:RoleBasedPermissionResolver>
<weld:scan>
  <!-- Disable the seam-security by drools rules
  <weld:exclude name="org.jboss.seam.security.permission.RuleBasedPermissionResolver"/>-->
  <!-- TODO remove me when GUVNOR-1196 is fixed -->
  <weld:exclude name="org.drools.guvnor.gwtutil.**"/>
  <weld:exclude name="org.drools.guvnor.client.**"/>
</weld:scan>

LDAP authentication with JBoss 7

I want to develop a simple Java web application on JBoss 7 that lets the user log in with a username/password and authenticates against LDAP.
So this is what I wrote in web.xml, placed in WEB-INF/:
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Enter user name and password</realm-name>
</login-config>
Then I added jboss-web.xml in the same folder:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
  <security-domain>java:/jaas/website-domain</security-domain>
</jboss-web>
Then I added the website-domain realm in standalone.xml:
<security-domain name="website-domain" cache-type="default">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
      <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
      <module-option name="bindDN" value="ou=people,dc=mycompany,dc=com" />
      <module-option name="bindCredential" value="shad"/>
      <module-option name="allowEmptyPasswords" value="false"/>
      <module-option name="Context.REFERRAL" value="follow"/>
      <module-option name="throwValidateError" value="true"/>
    </login-module>
  </authentication>
</security-domain>
So how will the username and password entered be sent to these modules? Or do I have to write a custom JAAS realm? Is there any working example you can share with me?
I wrote a post in Portuguese...
http://jbossdivers.wordpress.com/2012/02/12/utilizando-ldap-login-module-no-jboss-as-7-1/
Your webapp needs to point to your security domain website-domain by adding a line in WEB-INF/jboss-web.xml
<security-domain flushOnSessionInvalidation="true">java:/jaas/website-domain</security-domain>
I believe in JBoss 7 you only need to specify website-domain (no java:/jaas/ prefix).
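Added example covering both LDAP configurations above (the LdapExtended module in the Guvnor question and the LdapExtLoginModule in this one). It is not JBoss code: it models the login sequence the module performs, so the option names can be read against concrete data. The directory is an in-memory stand-in constructed for the example, and the module options are constructed to match it (the Guvnor question's rolesCtxDN uses a different suffix). Two details a practitioner should take from it: the username is substituted into baseFilter, so it must be escaped per RFC 4515 before it can be trusted in a filter, and allowEmptyPasswords matters because many directories treat a bind with an empty password as a successful anonymous bind.

```python
"""Added example: the LdapExt login sequence (user search, bind, role search)
run against a constructed in-memory directory. Not the PicketBox implementation."""
import re

# Constructed directory: DN -> attributes. People under ou=Users, groups under
# ou=Roles whose 'member' values are user DNs, as the two configurations assume.
DIRECTORY = {
    "uid=alice,ou=Users,dc=proj,dc=com": {"uid": ["alice"], "userPassword": ["alice-pw"]},
    "uid=bob,ou=Users,dc=proj,dc=com": {"uid": ["bob"], "userPassword": ["bob-pw"]},
    "cn=Guvnor Administrator,ou=Roles,dc=proj,dc=com": {
        "cn": ["Guvnor Administrator"],
        "member": ["uid=alice,ou=Users,dc=proj,dc=com"],
    },
    "cn=Developer,ou=Roles,dc=proj,dc=com": {
        "cn": ["Developer"],
        "member": ["uid=alice,ou=Users,dc=proj,dc=com", "uid=bob,ou=Users,dc=proj,dc=com"],
    },
}

# Module options, constructed to match the directory above.
CONFIG = {
    "baseCtxDN": "ou=Users,dc=proj,dc=com",
    "baseFilter": "(uid={0})",
    "rolesCtxDN": "ou=Roles,dc=proj,dc=com",
    "roleFilter": "(member={1})",
    "roleAttributeID": "cn",
    "allowEmptyPasswords": False,
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value: backslash, '*', '(', ')' and
    NUL become \\xx, so a username like 'a)(uid=b' cannot rewrite the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search_onelevel(base_dn: str, ldap_filter: str) -> list:
    """ONELEVEL_SCOPE equality search over DIRECTORY. Only '(attr=value)'
    filters are supported, which is all the two configurations use."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    attr, wanted = m.group(1), unescape_filter_value(m.group(2))
    suffix = "," + base_dn
    return [
        dn for dn, attrs in DIRECTORY.items()
        if dn.endswith(suffix) and "," not in dn[: -len(suffix)]  # exactly one RDN below base
        and wanted in attrs.get(attr, [])
    ]


def resolve(config: dict, username: str, password: str):
    """(1) search baseCtxDN with baseFilter, {0} = username, to get the user DN;
    (2) bind as that DN with the supplied password (simulated here);
    (3) search rolesCtxDN with roleFilter, {1} = user DN and {0} = username,
    and read roleAttributeID from every match. Returns (user_dn, roles) or None."""
    if password == "" and not config["allowEmptyPasswords"]:
        return None  # an empty-password bind is often an anonymous bind that "succeeds"
    user_filter = config["baseFilter"].replace("{0}", escape_filter_value(username))
    users = search_onelevel(config["baseCtxDN"], user_filter)
    if len(users) != 1:
        return None  # no such user, or ambiguous match
    user_dn = users[0]
    if DIRECTORY[user_dn].get("userPassword") != [password]:  # simulated bind
        return None
    role_filter = (config["roleFilter"]
                   .replace("{0}", escape_filter_value(username))
                   .replace("{1}", escape_filter_value(user_dn)))
    roles = []
    for dn in search_onelevel(config["rolesCtxDN"], role_filter):
        roles.extend(DIRECTORY[dn].get(config["roleAttributeID"], []))
    return user_dn, sorted(roles)


if __name__ == "__main__":
    print(resolve(CONFIG, "alice", "alice-pw"))  # ('uid=alice,ou=Users,dc=proj,dc=com', ['Developer', 'Guvnor Administrator'])
    print(resolve(CONFIG, "alice", ""))          # None
    print(resolve(CONFIG, "alice)(uid=bob", "bob-pw"))  # None : escaped, so no filter injection
```

For the Guvnor case this is the shape the role names take: the value of roleAttributeID (cn) on each group entry that lists the user as a member, so a group named "Guvnor Administrator" under rolesCtxDN is what ends up as the JAAS role the web layer can check.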