Create a security realm in Wildfly - wildfly

I want to secure some EJBs hosted on my WildFly AS, so I started by creating my security-domain. I don't want to authenticate against ApplicationRealm, so I define my own security-realm and point to it from my security-domain. I want to store credentials in a text file. Here is the code:
<security-domain name="mydomain" cache-type="default">
  <authentication>
    <!-- module-option elements must be nested inside login-module;
         as originally pasted they sat after a self-closed <login-module/> -->
    <login-module code="RealmDirect" flag="required">
      <module-option name="realm" value="myrealm"/>
      <module-option name="userProperties" value="${jboss.server.config.dir}/myrealm-users.properties"/>
      <module-option name="rolesProperties" value="${jboss.server.config.dir}/myrealm-roles.properties"/>
    </login-module>
  </authentication>
</security-domain>
Still, it looks like my EJBs are governed by ApplicationRealm through the "other" security-domain. Can I define a custom security realm and use it from a security-domain in WildFly? If so, how can I add users to it?

You need a jboss-web.xml file in WEB-INF to override the default "other" domain. For instance:
<jboss-web>
<security-domain>java:/jaas/mydomain</security-domain>
</jboss-web>
Then in the WildFly config file (standalone.xml or the like) you configure the mydomain security domain like you already showed. It can happily co-exist with the already present "other" domain.
There's an excellent post here: http://blog.eisele.net/2015/01/jdbc-realm-wildfly820-primefaces51.html

You can add users to the management realm using the add-user script. By default, users created there are stored in a file.
https://docs.jboss.org/author/display/WFLY8/Security+Realms provides information about how to create a custom security realm.

Related

Wildfly 9 - Can Management Interface be secured with $local and LDAP?

I have a Wildfly 9 server with a management console secured with LDAP, but due to some shenanigans in integrating Azure Pipelines I'm also trying to allow the management console to connect automatically using the jboss-cli without a username/password prompt. To my knowledge, if you wanted a user to be able to connect via the jboss-cli on the same local network as the Wildfly server, you would have a security-realm defined as follows:
<security-realm name="ManagementRealm">
<authentication>
<local default-user="$local"/>
</authentication>
<authorization/>
</security-realm>
...And if you wanted a management interface secured with LDAP, you'd have a security-realm like this:
<security-realm name="ManagementRealm">
<server-identities>
<ssl protocol="TLSv1.2">
<keystore path="mykeystore.jks" relative-to="jboss.server.config.dir" keystore-password="changeit" key-password="changeit"/>
</ssl>
</server-identities>
<authentication>
<ldap connection="LdapConnection" base-dn="OU=Users,DC=user">
<username-filter attribute="accountName"/>
</ldap>
</authentication>
<authorization>
<ldap connection="LdapConnection">
<username-to-dn>
<username-filter base-dn="OU=Users,DC=user" attribute="accountName"/>
</username-to-dn>
<group-search group-name="SIMPLE" iterative="true" group-dn-attribute="cn" group-name-attribute="cn">
<principal-to-group group-attribute="memberOf"/>
</group-search>
</ldap>
</authorization>
</security-realm>
I tried merging the two, putting <local> and <properties> tags alongside <ldap> tags, but whichever of <properties> and <ldap> that is listed second gets flagged as an unrecognized token. Is there a proper way to secure a management console with LDAP when using a web browser, but allow connections without a username or password when using the jboss-cli on the same local network in Wildfly 9?
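Added example (not from the question above, nor from the WildFly project) of a WildFly 9 ManagementRealm that accepts both the local "silent" CLI login and LDAP-backed browser logins. The connection name, base DN and attribute names are carried over from the question as assumptions; the `<server-identities>` block from the question is unchanged and omitted here. The point it illustrates: `<local>` may sit next to `<ldap>`, but `<authentication>` takes at most one username/password mechanism, so `<ldap>` replaces the stock `<properties>` rather than being added beside it.

```xml
<security-realm name="ManagementRealm">
  <authentication>
    <!-- JBOSS-LOCAL-USER: the CLI proves it is on the same machine by
         reading a one-time challenge file the server drops under its
         auth directory (standalone/tmp/auth). This is "same host or
         shared filesystem", not "same local network": a build agent on
         another box still gets the username/password prompt. -->
    <local default-user="$local" skip-group-loading="true"/>
    <!-- Exactly one of <properties>, <ldap>, <jaas>, <users> or <plug-in>
         may follow <local>. Keeping <properties> here as well is what
         produces the "unrecognized token" error on whichever comes second. -->
    <ldap connection="LdapConnection" base-dn="OU=Users,DC=user">
      <username-filter attribute="accountName"/>
    </ldap>
  </authentication>
  <authorization>
    <ldap connection="LdapConnection">
      <username-to-dn>
        <username-filter base-dn="OU=Users,DC=user" attribute="accountName"/>
      </username-to-dn>
      <group-search group-name="SIMPLE" iterative="true" group-dn-attribute="cn" group-name-attribute="cn">
        <principal-to-group group-attribute="memberOf"/>
      </group-search>
    </ldap>
  </authorization>
</security-realm>
```

`skip-group-loading="true"` keeps the server from running the LDAP group search for "$local", which has no directory entry. If the pipeline agent cannot run on the WildFly host, the local mechanism will not help; a dedicated LDAP service account used non-interactively by jboss-cli (`--user`/`--password`, or a stored credential) is the supported alternative.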

Wildfly LDAPS Integration Failed

I am experiencing an authentication issue after converting LDAP to LDAPS. Here is an excerpt from my standalone.xml file. As you can see, I've added a trust store with the LDAPS certs. I am just wondering if I have missed something. I am on WildFly v10.
<security-realms>
<security-realm name="LdapUserRealm">
<server-identities>
<ssl>
<keystore path="identity.jks" relative-to="jboss.server.config.dir" keystore-password="xxxxx" alias="xxxxx"/>
</ssl>
</server-identities>
<authentication>
<truststore path="cacerts" relative-to="jboss.server.config.dir" keystore-password="xxxxx"/>
<ldap connection="LdapConnection" base-dn="dc=xxx,dc=ad,dc=xxx,dc=com" recursive="true">
<username-filter attribute="sAMAccountName"/>
</ldap>
</authentication>
</security-realm>
</security-realms>
<outbound-connections>
<ldap name="LdapConnection" search-credential="xxxxxx" search-dn="cn=-svc-xxx-xxx,OU=Svc,OU=XTX,OU=Admin,dc=xxx,dc=ad,dc=xxx,dc=com" url="ldaps://xxx.xxx.xxx:636" />
</outbound-connections>
Any pointers or suggestions are appreciated. It would be greatly appreciated if there were a working config file I could compare to. Can someone please share a JBoss/WildFly config file (specifically standalone.xml) which connects successfully using LDAPS?
You need to modify your LDAP outbound-connection to use the security-realm you created:
<outbound-connections>
<ldap name="ldap_connection" ... security-realm="LdapUserRealm"/>
</outbound-connections>
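Added example (not from the answer above, nor from the WildFly project) of a complete WildFly 10 `<management>` section wired for LDAPS, expanding the one-line fix in the answer. Realm names, DNs, host names, file names and passwords are placeholders of my choosing. The trust store is put in its own realm so it is clearly the thing the outbound connection references; the `<truststore>` in the question was declared but nothing pointed at it.

```xml
<management>
  <security-realms>
    <!-- Realm whose only job is to carry the trust store holding the
         LDAPS server's CA certificate. It is referenced by name below. -->
    <security-realm name="LdapSSLRealm">
      <authentication>
        <truststore path="ldap-truststore.jks" relative-to="jboss.server.config.dir" keystore-password="changeit"/>
      </authentication>
    </security-realm>

    <!-- Realm that authenticates users against Active Directory. -->
    <security-realm name="LdapUserRealm">
      <server-identities>
        <ssl>
          <keystore path="identity.jks" relative-to="jboss.server.config.dir" keystore-password="changeit" alias="server"/>
        </ssl>
      </server-identities>
      <authentication>
        <ldap connection="LdapConnection" base-dn="dc=example,dc=ad,dc=example,dc=com" recursive="true">
          <username-filter attribute="sAMAccountName"/>
        </ldap>
      </authentication>
    </security-realm>
  </security-realms>

  <outbound-connections>
    <!-- security-realm selects the trust store used for the TLS handshake
         to the directory. Without it the JVM's default trust store is
         consulted, and a certificate issued by an internal CA is rejected
         during the handshake before any bind is attempted. -->
    <ldap name="LdapConnection"
          url="ldaps://dc01.example.com:636"
          search-dn="cn=svc-wildfly,OU=Svc,dc=example,dc=ad,dc=example,dc=com"
          search-credential="changeit"
          security-realm="LdapSSLRealm"/>
  </outbound-connections>

  <management-interfaces>
    <http-interface security-realm="LdapUserRealm" http-upgrade-enabled="true">
      <socket-binding http="management-http"/>
    </http-interface>
  </management-interfaces>
</management>
```

Two checks worth doing before blaming the config: confirm the trust store really contains the issuing CA chain (`keytool -list -v -keystore ldap-truststore.jks`), and confirm the certificate's subject or SAN matches the host name in `url=`; the JNDI LDAP client performs host name verification on LDAPS, so connecting by IP address or by a short name that is not in the certificate fails even with the right CA trusted.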

Installing the Keycloak client adapter in Wildfly domain mode

I'm implementing Keycloak as the authentication manager for my applications; I have followed the respective manuals:
https://www.keycloak.org/docs/latest/getting_started/index.html#securing-a-jboss-servlet-application
In section 4.2 Installing the Client Adapter
My application server is WildFly 17, and that documentation works well on standalone servers (full, ha).
The problem I have is that my production WildFly servers are in domain mode (one master and two slaves), and the installation of those adapters does not work.
How can I install this adapter in domain mode on WildFly?
1 - download and extract the Keycloak adapter on the domain controller and on all host controllers
2 - manually configure domain.xml (only on the domain controller):
<domain xmlns="urn:jboss:domain:10.0">
<extension module="org.keycloak.keycloak-adapter-subsystem"/>
.....
<profile name="full-ha">
<subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
.....
<subsystem xmlns="urn:jboss:domain:security:2.0">
<security-domains>
<security-domain name="keycloak">
<authentication>
<login-module
code="org.keycloak.adapters.jboss.KeycloakLoginModule"
flag="required"/>
</authentication>
</security-domain>
.......
</security-domains>
</subsystem>
.......
</profile>
[screenshots omitted: sample domain.xml, result]
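Added example (not from the answer above, nor from the Keycloak project) of what the domain.xml profile looks like once a deployment is actually secured through the adapter subsystem rather than through a keycloak.json inside the WAR. In domain mode this is the natural place for it, because the profile is pushed to every host. The Keycloak realm "demo", client "vanilla", the auth-server URL, the secret and the server-group name are assumptions.

```xml
<profile name="full-ha">
  <!-- ... other subsystems unchanged ... -->
  <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <!-- name must equal the deployment's runtime name on the servers
         of the server group that uses this profile -->
    <secure-deployment name="vanilla.war">
      <realm>demo</realm>
      <auth-server-url>https://sso.example.com/auth</auth-server-url>
      <resource>vanilla</resource>
      <!-- EXTERNAL: require TLS for non-private addresses; "none" would
           let tokens travel over plain HTTP -->
      <ssl-required>EXTERNAL</ssl-required>
      <!-- confidential client: the secret stays in the profile, not in the WAR -->
      <credential name="secret">replace-with-the-client-secret</credential>
      <principal-attribute>preferred_username</principal-attribute>
    </secure-deployment>
  </subsystem>
</profile>

<!-- domain.xml: the server group running the WAR must use the profile
     above; the adapter modules still have to be unpacked on every host
     (step 1), since module loading happens on the host, not the DC. -->
<server-groups>
  <server-group name="main-server-group" profile="full-ha">
    <socket-binding-group ref="full-ha-sockets"/>
    <deployments>
      <deployment name="vanilla.war" runtime-name="vanilla.war"/>
    </deployments>
  </server-group>
</server-groups>
```

The WAR's web.xml still declares `<auth-method>KEYCLOAK</auth-method>` in its `<login-config>`; the subsystem supplies the adapter configuration, not the constraint. Run a `:read-resource` on `/profile=full-ha/subsystem=keycloak` from jboss-cli against the domain controller after the change to confirm the profile was accepted before restarting the server group.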

Adding principalsQuery in webUI doesn't allow spaces

I'm currently doing a school assignment where we need to set up JAAS, so it is important I use JAAS and not another security module.
When I'm trying to add principalsQuery=select Password from Principals where PrincipalID=? to my authentication module in the WebUI, I get an invalid format error since it doesn't allow spaces (it accepts it when there are no spaces).
Whenever I google the problem I see the standalone.xml configured with module options that include spaces. I've tried to include it in my standalone.xml (see below) but it won't work and the WebUI keeps giving me the error.
<authentication>
  <!-- code="Database" selects org.jboss.security.auth.spi.DatabaseServerLoginModule;
       its options are spelled dsJndiName / principalsQuery / rolesQuery.
       Misspelled option names are silently ignored by the module. -->
  <login-module code="Database" flag="required">
    <module-option name="dsJndiName" value="java:/MySqlDS"/>
    <module-option name="principalsQuery" value="SELECT password FROM user WHERE username = ?"/>
  </login-module>
</authentication>
my datasource is configured as follows
<datasource jndi-name="java:/MySqlDS" pool-name="MySqlDS">
<connection-url>jdbc:mysql://localhost:3306/Kwetter</connection-url>
<driver-class>com.mysql.jdbc.Driver</driver-class>
<driver>mysql-connector-java-5.1.47.jar_com.mysql.jdbc.Driver_5_1</driver>
<security>
<user-name>root</user-name>
<password>root</password>
</security>
<validation>
<valid-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker"/>
<background-validation>true</background-validation>
<exception-sorter class-name="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLExceptionSorter"/>
</validation>
</datasource>
The DsJndiName works and is accepted by the login-module. But the principalsQuery keeps giving me the error. My thinking is that the legacy security is not correctly supported anymore; any thoughts?
Solution:
I've figured out I needed to use Elytron to use JAAS. Using this guide,
a problem occurs at the last step: the jboss-web.xml doesn't accept Elytron application security domains and errors at compile time. However, when you set the standard security domain in Undertow it'll build and work as expected.
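Added example (not from the post above, nor from the WildFly project) of the Elytron replacement for the legacy Database login module on WildFly 17. The query lives in an XML attribute, so spaces are never an issue, and the name that goes into jboss-web.xml is the Undertow application-security-domain, which is what resolves the "doesn't accept Elytron domains" symptom described above. The table/column names, the datasource "MySqlDS" from the question, the names "KwetterDomain"/"KwetterJdbcRealm" and the subsystem namespace versions are assumptions.

```xml
<subsystem xmlns="urn:wildfly:elytron:7.0">
  <security-domains>
    <security-domain name="KwetterDomain" default-realm="KwetterJdbcRealm" permission-mapper="default-permission-mapper">
      <realm name="KwetterJdbcRealm" role-decoder="roles-from-attribute"/>
    </security-domain>
  </security-domains>
  <security-realms>
    <jdbc-realm name="KwetterJdbcRealm">
      <!-- "?" is bound to the login name; column 1 is the password,
           column 2 becomes the "Roles" attribute. data-source is the
           pool-name of the datasource, not its JNDI name. -->
      <principal-query sql="SELECT password, role FROM user WHERE username = ?" data-source="MySqlDS">
        <!-- matches a clear-text column; for a hashed column use
             bcrypt-mapper or simple-digest-mapper instead -->
        <clear-password-mapper password-index="1"/>
        <attribute-mapping>
          <attribute to="Roles" index="2"/>
        </attribute-mapping>
      </principal-query>
    </jdbc-realm>
  </security-realms>
  <mappers>
    <!-- turn the "Roles" attribute loaded above into security roles -->
    <simple-role-decoder name="roles-from-attribute" attribute="Roles"/>
  </mappers>
  <http>
    <http-authentication-factory name="kwetter-http-auth" http-server-mechanism-factory="global" security-domain="KwetterDomain">
      <mechanism-configuration>
        <mechanism mechanism-name="FORM"/>
      </mechanism-configuration>
    </http-authentication-factory>
  </http>
</subsystem>

<!-- Undertow subsystem: publish the Elytron domain under the name that
     deployments reference. -->
<subsystem xmlns="urn:jboss:domain:undertow:8.0">
  <!-- ... -->
  <application-security-domains>
    <application-security-domain name="KwetterDomain" http-authentication-factory="kwetter-http-auth"/>
  </application-security-domains>
</subsystem>

<!-- WEB-INF/jboss-web.xml: refers to the application-security-domain above -->
<jboss-web>
  <security-domain>KwetterDomain</security-domain>
</jboss-web>
```

If the legacy subsystem must stay (the assignment asks for a JAAS login module), the same value can be set from jboss-cli with the query quoted, which is how spaces normally get past the "invalid format" check: `/subsystem=security/security-domain=mydomain/authentication=classic/login-module=Database:add(code=Database, flag=required, module-options={dsJndiName="java:/MySqlDS", principalsQuery="SELECT password FROM user WHERE username = ?"})`. Either way, the datasource in the question logs in as MySQL root with password "root"; a read-only account restricted to the user table is the minimum for a login-module datasource.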

JBoss authentication issue

I am a newbie to JBoss and I have an application running in JBoss 6.2.
We usually have the login set up using JSF. It shows a screen with username and password (created by JSF); that's an internal part of the application and it works fine.
But I came to know there is a basic authentication setup available in JBoss. We can configure it in a way that requires passing through authentication.
I searched on the internet and found a way to introduce it like below:
D:\workspace_Csmart\jboss-eap-6.2\bin>add-user
What type of user do you wish to add?
a) Management User (mgmt-users.properties)
b) Application User (application-users.properties)
(a): b
Enter the details of the new user to add.
Using realm 'ApplicationRealm' as discovered from the existing property files.
Username : prabhu
User 'prabhu' already exists, would you like to update the existing user password and roles
Is this correct yes/no? yes
Password :
Re-enter Password :
What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[user]: prabhu
Updated user 'prabhu' to file 'D:\workspace_Csmart\jboss-eap-6.2\standalone\configuration\application-users.properties'
Updated user 'prabhu' to file 'D:\workspace_Csmart\jboss-eap-6.2\domain\configuration\application-users.properties'
Updated user 'prabhu' with groups prabhu to file 'D:\workspace_Csmart\jboss-eap-6.2\standalone\configuration\application-roles.prope
Updated user 'prabhu' with groups prabhu to file 'D:\workspace_Csmart\jboss-eap-6.2\domain\configuration\application-roles.propertie
Is this new user going to be used for one AS process to connect to another AS process?
e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
yes/no? yes
To represent the user add the following to the server-identities definition <secret value="cHJhYmh1QDEyMw==" />
And you can see the user and password are updated in the properties files, so I ran the server with my local setup and it's up and running. But I didn't see any popup asking for JBoss basic credentials. It just goes directly to the login page: http://10.17.195.15:8080/Proj/home.xhtml
Do I have to do anything with standalone.xml? The security tag?
I would really appreciate it if anyone can point out what I am missing here. What do I need to do to make JBoss Basic Authentication work? Thanks!
1) First you need to move all your JSF files (that need protection) into some folder, for example a secured folder.
2) Create index.jsf that redirects to the protected start page and place it outside the secured folder.
3) Create logout.jsf which does session.invalidate() and redirects to the index.jsf page.
<html>
<body>
<%
if(session!=null)
{
session.invalidate();%>
<jsp:forward page="index.jsp" />
<%
} else{
%>
Logged Out Successfully....
<% }%>
</body>
</html>
4) Add security constraints to web.xml.
<security-constraint>
<web-resource-collection>
<web-resource-name>MySecureResources</web-resource-name>
<description>Some Description</description>
<url-pattern>/secured/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>TestRole</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>TestRole</role-name>
</security-role>
5) Create a jboss-web.xml file inside the project's WEB-INF folder.
<?xml version="1.0"?>
<!DOCTYPE jboss-web PUBLIC
"-//JBoss//DTD Web Application 5.0//EN"
"http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
<jboss-web>
<security-domain>java:/jaas/BasicAuthWebAppPolicy</security-domain>
<context-root>/basicSecurityWebApp</context-root>
</jboss-web>
6) Create a file with some name like basicSecurityWebApp-roles.properties and place it in the WEB-INF/classes folder. Define a role there and assign that role to some user.
TestUserOne=TestRole
7) Create another file with some name like basicSecurityWebApp-users.properties, place it in the WEB-INF/classes folder and define the username and password.
TestUserOne=TestPassword
8) Now you should modify login-config.xml in the $PROFILE/conf/ folder. Add an application-policy with the same name as in jboss-web.xml, BasicAuthWebAppPolicy.
<application-policy name="BasicAuthWebAppPolicy">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="usersProperties">basicSecurityWebApp-users.properties</module-option>
      <module-option name="rolesProperties">basicSecurityWebApp-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>
9) Deploy application to JBoss.
10) Now every time you access the website you have to enter the user and password you provided in the credentials file (username "TestUserOne" and password "TestPassword").
For more details see This
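Added example (not from the answer above, nor from the JBoss project): the same BasicAuthWebAppPolicy expressed for JBoss EAP 6.x, which has no login-config.xml; security domains live in the security subsystem of standalone.xml and jboss-web.xml takes the bare domain name. The domain name, role name and properties file names are carried over from the answer; the subsystem namespace version is an assumption for EAP 6.2.

```xml
<!-- standalone/configuration/standalone.xml -->
<subsystem xmlns="urn:jboss:domain:security:1.2">
  <security-domains>
    <security-domain name="BasicAuthWebAppPolicy" cache-type="default">
      <authentication>
        <!-- UsersRoles resolves both files from the deployment classpath,
             i.e. WEB-INF/classes, exactly as in steps 6 and 7 -->
        <login-module code="UsersRoles" flag="required">
          <module-option name="usersProperties" value="basicSecurityWebApp-users.properties"/>
          <module-option name="rolesProperties" value="basicSecurityWebApp-roles.properties"/>
          <!-- to keep digests rather than clear-text passwords in the users
               file, add hashAlgorithm (e.g. SHA-256) and hashEncoding (base64
               or hex) options and store the digest of each password instead -->
        </login-module>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>

<!-- WEB-INF/jboss-web.xml: no java:/jaas/ prefix needed on EAP 6 -->
<jboss-web>
  <security-domain>BasicAuthWebAppPolicy</security-domain>
  <context-root>/basicSecurityWebApp</context-root>
</jboss-web>

<!-- WEB-INF/web.xml: add to the <security-constraint> from step 4 so the
     Base64-encoded BASIC credentials are only ever sent over HTTPS -->
<user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
```

With `<auth-method>BASIC</auth-method>` the browser resends the credentials on every request, so the `<user-data-constraint>` above (plus an HTTPS connector) is the difference between a login and a credential broadcast on the LAN; the properties files in WEB-INF/classes are not served to clients, but they are readable by anyone who can read the deployed WAR.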
Yes. This somehow helped me to solve it. I just did the following things:
Under WebContent folder:
step1: change in web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>All resources</web-resource-name>
<description>Protects all resources</description>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>prabhu</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>prabhu</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name></realm-name>
</login-config>
step2 : change in jboss-web.xml
<jboss-web>
<context-root>C-SMART</context-root>
<security-domain>java:/jaas/other</security-domain>
</jboss-web>
step 3: creating the user and password for JBoss basic authentication
D:\workspace_Csmart\jboss-eap-6.2\bin>add-user
What type of user do you wish to add?
a) Management User (mgmt-users.properties)
b) Application User (application-users.properties)
(a): b
Enter the details of the new user to add.
Using realm 'ApplicationRealm' as discovered from the existing property files.
Username : prabhu
User 'prabhu' already exists, would you like to update the existing user password and roles
Is this correct yes/no? yes
Password :
Re-enter Password :
What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[prabhu]: prabhu
Updated user 'prabhu' to file 'D:\workspace_Csmart\jboss-eap-6.2\standalone\configuration\application-users.properties'
Updated user 'prabhu' to file 'D:\workspace_Csmart\jboss-eap-6.2\domain\configuration\application-users.properties'
Updated user 'prabhu' with groups prabhu to file 'D:\workspace_Csmart\jboss-eap-6.2\standalone\configuration\application-roles.properties'
Updated user 'prabhu' with groups prabhu to file 'D:\workspace_Csmart\jboss-eap-6.2\domain\configuration\application-roles.properties'
Is this new user going to be used for one AS process to connect to another AS process?
e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
yes/no? yes
To represent the user add the following to the server-identities definition <secret value="cHJhYmh1QDEyMw==" />
Press any key to continue . . .
Step 4: verified the above user changes were reflected in the following files
'D:\workspace_Csmart\jboss-eap-6.2\standalone\configuration\application-users.properties'
'D:\workspace_Csmart\jboss-eap-6.2\domain\configuration\application-users.properties'
'D:\workspace_Csmart\jboss-eap-6.2\standalone\configuration\application-roles.properties'
'D:\workspace_Csmart\jboss-eap-6.2\domain\configuration\application-roles.properties'
And it worked fine for me. Thanks for all your help.