What is the significance of the other security domain in JBoss. I am new to JBoss and read the documentation but cannot understand why it is used.
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmDirect" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
What would happen if I just removed these two modules, given that my application has my own domain-specific security domain defined?
You can have various security-domain elements configured in JBoss. They can be referenced via jboss-web.xml files in different web projects if you want to have different security levels for different WARs.
other is the default security domain. It can be removed (or replaced with something more sophisticated); just be sure to remove its references as well.
Related
I want to add the following to the standalone-full.xml through Wildfly/Jboss CLI.
<subsystem xmlns="urn:jboss:domain:security:2.0">
<security-domains>
<security-domain name="MY_NAME" cache-type="default">
<authentication>
<login-module code="XXX" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="YYY" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
</security-domains>
</subsystem>
It is possible with the following commands:
/subsystem=security/security-domain=MY_NAME:add
/subsystem=security/security-domain=MY_NAME:write-attribute(name=cache-type, value=default)
/subsystem=security/security-domain=MY_NAME/authentication=classic:add(login-modules=[{code=XXX, flag=optional, module-options={password-stacking=useFirstPass}}, {code=YYY, flag=required, module-options={password-stacking=useFirstPass}}])
NOTE: I already had <subsystem xmlns="urn:jboss:domain:security:2.0"> created, so anyone reading who doesn't have the mentioned subsystem might want to run /subsystem=security:add
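Hand-translating a security-domain into the CLI syntax above is error-prone once the module options contain LDAP DNs and URLs with commas, colons and ports in them. The script below is an added example (not from the question, the answer, or the WildFly project) that parses a security-domain fragment with the standard library and emits the same three commands the answer uses. The sample XML is the fragment from the question; the quoting rule for values containing CLI separators is my assumption about what the CLI parser needs, not something the page states.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed input: the fragment from the question above, wrapped in the
# security subsystem element exactly as it sits in standalone-full.xml.
SAMPLE_XML = """<subsystem xmlns="urn:jboss:domain:security:2.0">
  <security-domains>
    <security-domain name="MY_NAME" cache-type="default">
      <authentication>
        <login-module code="XXX" flag="optional">
          <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="YYY" flag="required">
          <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>"""

# Characters that make a CLI value need double quotes (assumption: LDAP DNs,
# search filters and provider URLs with ports all contain some of these).
_SPECIAL = set(',=()[]{} :/')


def _cli_value(value: str) -> str:
    """Quote a value for the CLI when it contains separators the parser splits on."""
    if any(ch in _SPECIAL for ch in value):
        return '"' + value.replace('"', '\\"') + '"'
    return value


def _strip_namespaces(root: ET.Element) -> ET.Element:
    """Drop the urn:jboss:domain:security namespace so a bare <security-domain>
    snippet and the full <subsystem> element are handled alike."""
    for el in root.iter():
        el.tag = el.tag.rpartition('}')[2]
    return root


def _login_module_expr(lm: ET.Element) -> str:
    """Render one <login-module> as the {code=..., flag=..., module-options={...}} map."""
    opts = ", ".join(f"{o.get('name')}={_cli_value(o.get('value', ''))}"
                     for o in lm.findall("module-option"))
    return f"{{code={lm.get('code')}, flag={lm.get('flag')}, module-options={{{opts}}}}}"


def xml_to_cli(xml_text: str) -> List[str]:
    """Translate every <security-domain> in the XML into the CLI commands that
    create it: the :add, the cache-type write-attribute, and the classic
    authentication with its login-modules list."""
    root = _strip_namespaces(ET.fromstring(xml_text))
    domains = [root] if root.tag == "security-domain" else root.findall(".//security-domain")
    commands: List[str] = []
    for sd in domains:
        path = f"/subsystem=security/security-domain={sd.get('name')}"
        commands.append(f"{path}:add")
        if sd.get("cache-type"):
            commands.append(f"{path}:write-attribute(name=cache-type, value={sd.get('cache-type')})")
        auth = sd.find("authentication")
        if auth is not None:
            mods = ", ".join(_login_module_expr(lm) for lm in auth.findall("login-module"))
            commands.append(f"{path}/authentication=classic:add(login-modules=[{mods}])")
    return commands


if __name__ == "__main__":
    print("\n".join(xml_to_cli(SAMPLE_XML)))
```

Feed the output to jboss-cli.sh (for example via --file) after checking it against the running server; the generated commands assume the security subsystem already exists, as the note above says.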
So far, I am unable to find help for authenticating against multiple LDAP servers except where talking about failover.
We have an LDAP for internal users, and an LDAP for external users. Suddenly, our app needs to be available to both internal users and external users. How would I set this up?
Here is the current config for just internal users:
<security-domain name="dc-ldap-auth">
<authentication>
<login-module code="LdapExtended" flag="required">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://dvldap-1.example.com:389"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="bindDN" value="uid=someid,ou=People,ou=Intranet,o=example.com"/>
<module-option name="bindCredential" value="somecred"/>
<module-option name="baseCtxDN" value="ou=People,ou=Intranet,o=example.com"/>
<module-option name="baseFilter" value="(uid={0})"/>
<module-option name="rolesCtxDN" value="ou=Groups,ou=Intranet,o=example.com"/>
<module-option name="roleFilter" value="(uniqueMember={1})"/>
<module-option name="roleRecursion" value="0"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="searchScope" value="ONELEVEL_SCOPE"/>
</login-module>
</authentication>
</security-domain>
If you need simple configuration
Just use what JAAS offers. Add the two configurations to the login-module chain and set the flag on the first of them to the sufficient value (look at the Configuration class for all the options and their description).
For optimal performance: The first configuration should be the one to which users authenticate more often.
<security-domain name="dc-ldap-auth">
<authentication>
<login-module code="LdapExtended" flag="sufficient">
<module-option name="java.naming.provider.url"
value="ldap://internal-ldap.my-company.example"/>
<!-- add other options for the first LDAP server -->
</login-module>
<login-module code="LdapExtended" flag="required">
<module-option name="java.naming.provider.url"
value="ldap://external-ldap.my-company.example"/>
<!-- add other options for the second LDAP server -->
</login-module>
</authentication>
</security-domain>
If you need great performance
If you are able to determine (from the login name, for instance) which LDAP you should search in, then I would suggest implementing your own login module. It can delegate the processing to LdapExtLoginModule instances.
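The flag semantics behind this answer, and behind the password-stacking=useFirstPass options in the default "other" domain from the first question, decide which modules are consulted and whether a login succeeds. The following is an added example, not code from either poster and not PicketBox's implementation: a small Python model of the documented JAAS flag rules (required, requisite, sufficient, optional) and of shared-state password stacking, run against two constructed chains that mirror the two configurations on this page. The user stores, module names and the assumption that the Remoting module fails for a web login are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed user stores standing in for the two LDAP servers and for the
# ApplicationRealm behind RealmDirect. Hypothetical data, not from the page.
INTERNAL_USERS = {"alice": "internal-pw"}
EXTERNAL_USERS = {"bob": "external-pw"}
REALM_USERS = {"appuser": "realm-pw"}

# Shared-state keys that password-stacking=useFirstPass reads and writes.
SHARED_NAME = "javax.security.auth.login.name"
SHARED_PASSWORD = "javax.security.auth.login.password"


@dataclass
class LoginModule:
    name: str
    flag: str                           # required | requisite | sufficient | optional
    check: Callable[[str, str], bool]   # True when the credentials are valid here
    options: Dict[str, str] = field(default_factory=dict)

    def use_first_pass(self) -> bool:
        return self.options.get("password-stacking") == "useFirstPass"


def store_module(name: str, flag: str, store: Dict[str, str], **options) -> LoginModule:
    """Stand-in for an LdapExtended/RealmDirect module backed by a dict of users."""
    return LoginModule(name, flag, lambda u, p: store.get(u) == p, options)


def run_chain(modules: List[LoginModule], username: str, password: str,
              shared_state: Optional[Dict[str, str]] = None) -> Tuple[bool, List[Tuple[str, str]]]:
    """Evaluate a login-module chain using the documented JAAS flag semantics.

    Returns (overall result, trace of (module, outcome)). The trace shows which
    modules were actually consulted, which is what 'sufficient' short-circuits.
    """
    shared = dict(shared_state or {})
    trace: List[Tuple[str, str]] = []
    control_failed = False          # a required/requisite module has failed
    any_success = False
    has_control = any(m.flag in ("required", "requisite") for m in modules)

    for m in modules:
        # useFirstPass: take the identity an earlier module stored, if any
        if m.use_first_pass() and SHARED_NAME in shared:
            u, p = shared[SHARED_NAME], shared[SHARED_PASSWORD]
        else:
            u, p = username, password
        ok = m.check(u, p)
        trace.append((m.name, "success" if ok else "fail"))
        if ok:
            any_success = True
            if m.use_first_pass():
                shared.setdefault(SHARED_NAME, u)
                shared.setdefault(SHARED_PASSWORD, p)
            if m.flag == "sufficient" and not control_failed:
                return True, trace      # later modules are never consulted
        elif m.flag == "requisite":
            return False, trace         # fail fast
        elif m.flag == "required":
            control_failed = True       # keep going, but the outcome is fixed

    if control_failed:
        return False, trace
    # With no required/requisite modules, at least one sufficient/optional must pass
    return (any_success if not has_control else True), trace


# The two chains discussed on this page, built from the stand-in stores above.
TWO_LDAP_CHAIN = [
    store_module("internal-ldap", "sufficient", INTERNAL_USERS),
    store_module("external-ldap", "required", EXTERNAL_USERS),
]
OTHER_CHAIN = [
    # Remoting only authenticates callers arriving over a remoting connection;
    # for a web login it simply fails, which 'optional' tolerates (assumption).
    LoginModule("Remoting", "optional", lambda u, p: False, {"password-stacking": "useFirstPass"}),
    store_module("RealmDirect", "required", REALM_USERS, **{"password-stacking": "useFirstPass"}),
]


def demo() -> None:
    for chain, user, pw in [(TWO_LDAP_CHAIN, "alice", "internal-pw"),
                            (TWO_LDAP_CHAIN, "bob", "external-pw"),
                            (OTHER_CHAIN, "appuser", "realm-pw")]:
        print(user, run_chain(chain, user, pw))


if __name__ == "__main__":
    demo()
```

The trace makes the performance point concrete: an internal user never touches the external server, while an external user costs one failed bind against the internal server first, which is why the more frequently used directory should come first. It also shows why the optional Remoting module in "other" does not block web logins: a failed optional module leaves the outcome to RealmDirect.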
I have successfully set up two data sources using different encrypted-password policies as follows:
Security policy 1
<security-domain name="policy1" cache-type="default">
<authentication>
<login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
<module-option name="username" value="user1"/>
<module-option name="password" value="-16de44"/>
<module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=DATASOURCE_1"/>
</login-module>
</authentication>
</security-domain>
Security policy 2
<security-domain name="policy2" cache-type="default">
<authentication>
<login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
<module-option name="username" value="user2"/>
<module-option name="password" value="-16de44"/>
<module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=DATASOURCE_2"/>
</login-module>
</authentication>
</security-domain>
Datasource 1
<datasource jndi-name="java:/DATASOURCE_1" pool-name="DATASOURCE_1" enabled="true">
.
.
<security>
<security-domain>policy1</security-domain>
</security>
</datasource>
Datasource 2
<datasource jndi-name="java:/DATASOURCE_2" pool-name="DATASOURCE_2" enabled="true">
.
.
<security>
<security-domain>policy2</security-domain>
</security>
</datasource>
However, I would like to know if it's possible to use the same policy for both datasources. I haven't been able to find a way to include more than one pool name in the managedConnectionFactoryName policy attribute:
<module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=DATASOURCE_1 ??????, DATASOURCE_2 ?????"/>
Is the managedConnectionFactoryName attribute absolutely necessary? What could be a side effect if this attribute is not added?
Does this answer your question? https://access.redhat.com/solutions/304063
That means:
<module-option name="managedConnectionFactoryName">jboss.jca:name=DS1,service=LocalTxCM</module-option>
<module-option name="managedConnectionFactoryName">jboss.jca:name=DS2,service=LocalTxCM</module-option>
It seems that Wildfly 8.2 prefers this syntax:
<module-option name="managedConnectionFactoryName" value="jboss.jca:name=DS1,service=LocalTxCM"/>
But it still does not seem to honor the security-domain for more than one datasource.
Does anyone know the significance of
service=LocalTxCM
in the example above? It seems like this would be different for xa-datasources.
I'm trying to enable access to Guvnor through LDAP defined roles. I've managed to get JBoss to connect to my LDAP server and authenticate by user, but I have no idea how to do that by role instead. What I want is to allow, for example, all users with the Role "Guvnor Administrator" to log into the Guvnor page.
Can anyone help me with this? I've tried several configurations, including modifying the web.xml in guvnor.war, but the closest I could get to role-based authorization was through configuring user permissions in the Guvnor administration page.
My standalone.xml:
<security-domain name="drools-guvnor" cache-type="default">
<authentication>
<login-module code="LdapExtended" flag="required">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://myLDAPHost"/>
<module-option name="baseCtxDN" value="ou=Users,dc=proj,dc=com"/>
<module-option name="baseFilter" value="(uid={0})"/>
<module-option name="rolesCtxDN" value="ou=Roles, dc=flow,dc=com"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="throwValidateError" value="true"/>
<module-option name="searchScope" value="ONELEVEL_SCOPE"/>
</login-module>
</authentication>
</security-domain>
beans.xml:
<security:IdentityImpl>
<s:modifies/>
<!-- JAAS based authentication -->
<security:authenticatorName>jaasAuthenticator</security:authenticatorName>
</security:IdentityImpl>
<security:jaas.JaasAuthenticator>
<s:modifies/>
<security:jaasConfigName>drools-guvnor</security:jaasConfigName>
</security:jaas.JaasAuthenticator>
<!-- SECURITY AUTHORIZATION CONFIGURATION -->
<!-- This is used to enable or disable role-based authorization. By default it is disabled. -->
<guvnorSecurity:RoleBasedPermissionResolver>
<s:modifies/>
<guvnorSecurity:enableRoleBasedAuthorization>true</guvnorSecurity:enableRoleBasedAuthorization>
</guvnorSecurity:RoleBasedPermissionResolver>
<weld:scan>
<!-- Disable the seam-security by drools rules
<weld:exclude name="org.jboss.seam.security.permission.RuleBasedPermissionResolver"/>-->
<!-- TODO remove me when GUVNOR-1196 is fixed -->
<weld:exclude name="org.drools.guvnor.gwtutil.**"/>
<weld:exclude name="org.drools.guvnor.client.**"/>
</weld:scan>
Our network has a main Active Directory and a backup in case the first one doesn't respond.
I want to configure the JBoss server to use the backup when this happens.
This is my current login-config.xml. I believe this is the file where I have to do it.
<application-policy name="SiteCM">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="java.naming.provider.url">ldap://ldapserv-01.local.sitecm.com:389</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="allowEmptyPasswords">false</module-option>
<module-option name="bindDN">CN=Admin,OU=Site User,DC=local,DC=sitecm,DC=com</module-option>
<module-option name="bindCredential">password2011</module-option>
<module-option name="baseCtxDN">OU=Site User,DC=local,DC=sitecm,DC=com</module-option>
<module-option name="baseFilter">(sAMAccountName={0})</module-option>
<module-option name="rolesCtxDN">OU=Site User,DC=local,DC=sitecm,DC=com</module-option>
<module-option name="roleFilter">(sAMAccountName={0})</module-option>
<module-option name="roleRecursion">-1</module-option>
</login-module>
</authentication>
</application-policy>
Our other LDAP server is: ldapserv-02.local.sitecm.com:389
Also, there is a Global Catalog on port 2836, but I don't see that in the JBoss conf, so I'm guessing it's somewhere by default.
If you use the domain's DNS entry, you get round-robin DNS over the various DCs in the domain. Then you have a single name to bind to?
You can just do <module-option name="java.naming.provider.url">ldap://ldapserv-01.local.sitecm.com:389 ldap://ldapserv-02.local.sitecm.com:389</module-option>