JBoss7 LDAP access by role with Guvnor 5.4 - jboss

I'm trying to enable access to Guvnor through LDAP defined roles. I've managed to get JBoss to connect to my LDAP server and authenticate by user, but I have no idea how to do that by role instead. What I want is to allow, for example, all users with the Role "Guvnor Administrator" to log into the Guvnor page.
Can anyone help me with this? I've tried several configurations, including modifying the web.xml in guvnor.war, but the closest I could get to role-based authorization was through configuring user permissions in the Guvnor administration page.
My standalone.xml:
<security-domain name="drools-guvnor" cache-type="default">
<authentication>
<login-module code="LdapExtended" flag="required">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://myLDAPHost"/>
<module-option name="baseCtxDN" value="ou=Users,dc=proj,dc=com"/>
<module-option name="baseFilter" value="(uid={0})"/>
<module-option name="rolesCtxDN" value="ou=Roles, dc=flow,dc=com"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="throwValidateError" value="true"/>
<module-option name="searchScope" value="ONELEVEL_SCOPE"/>
</login-module>
</authentication>
</security-domain>
beans.xml:
<security:IdentityImpl> <s:modifies/>
<!-- JAAS based authentication -->
<security:authenticatorName>jaasAuthenticator</security:authenticatorName>
</security:IdentityImpl>
<security:jaas.JaasAuthenticator>
<s:modifies/>
<security:jaasConfigName>drools-guvnor</security:jaasConfigName>
</security:jaas.JaasAuthenticator>
<!-- SECURITY AUTHORIZATION CONFIGURATION --> <!-- This is used to enable or disable role-based authorization. By default it is disabled. -->
<guvnorSecurity:RoleBasedPermissionResolver>
<s:modifies/>
<guvnorSecurity:enableRoleBasedAuthorization>true</guvnorSecurity:enableRoleBasedAuthorization>
</guvnorSecurity:RoleBasedPermissionResolver>
<weld:scan>
<!-- Disable the seam-security by drools rules
<weld:exclude name="org.jboss.seam.security.permission.RuleBasedPermissionResolver"/>-->
<!-- TODO remove me when GUVNOR-1196 is fixed -->
<weld:exclude name="org.drools.guvnor.gwtutil.**"/>
<weld:exclude name="org.drools.guvnor.client.**"/>
</weld:scan>

Related

Can't enable jboss security

I practise sip scenarios based on mobicents sip servlets. I have Restcomm-JBoss-AS7-8.2.0.1221 and my own sip application deployed on it (restcomm app is disabled). I encountered a problem with enabling jboss security. What I did:
1.Create sip-servlets-roles.properties
admin=caller
2.Create sip-servlets-users.properties (for user alice, domain 192.168.56.101, password 1234)
admin=6f8002e56ee173a3a39144ea90d18a39
3.Put above files to ../Restcomm-JBoss-AS7-8.2.0.1221/standalone/configuration
4.Deploy sip application with sip.xml
<security-constraint>
<display-name>REGISTER Method Security Constraint</display-name>
<resource-collection>
<resource-name>SipServletApp</resource-name>
<description>Require authenticated REGSITER requests</description>
<servlet-name>SipServletApp</servlet-name>
<sip-method>REGISTER</sip-method>
</resource-collection>
<auth-constraint>
<role-name>caller</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>DIGEST</auth-method>
<realm-name>192.168.56.101</realm-name>
</login-config>
5.standalone-sip.xml is unchanged
<security-domain name="sip-servlets">
<authentication>
<login-module code="UsersRoles" flag="required">
<module-option name="usersProperties" value="${jboss.server.config.dir}/sip-servlets-users.properties"/>
<module-option name="rolesProperties" value="${jboss.server.config.dir}/sip-servlets-roles.properties"/>
<module-option name="hashAlgorithm" value="MD5"/>
<module-option name="hashEncoding" value="RFC2617"/>
<module-option name="hashUserPassword" value="false"/>
<module-option name="hashStorePassword" value="true"/>
<module-option name="passwordIsA1Hash" value="true"/>
<module-option name="storeDigestCallback" value="org.jboss.security.auth.callback.RFC2617Digest"/>
</login-module>
</authentication>
</security-domain>
6.Try to register user alice with zoiper
wireshark trace
7.Enabling trace level and got Error in jboss logs
14:14:10,140 DEBUG [org.jboss.security] (Restcomm-SIP-Servlets-UDPMessageChannelThread-44) PBOX000206: Login failure: javax.security.auth.login.LoginException: java.lang.NullPointerException
at org.jboss.security.auth.spi.Util.createPasswordHash(Util.java:424)
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.createPasswordHash(UsernamePasswordLoginModule.java:450)
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:280)
...
8.DAR is set to my sip app
So the question is what is wrong with this configuration?
Your storePassword, ie. admin=6f8002e56ee173a3a39144ea90d18a39 is already hashed. module-option name="hashStorePassword" value="true", should be value="false"

How to configure groups in Jboss EAP for Kerberos implementation?

I have configured my application with Kerberos authentication for a specific user in jboss-eap and it's working fine. But wants to configure the same on the basis of the group i.e users in a specific group will able to authenticate.
Standalone.xml configuration for user:-
<security-domains>
<security-domain name="SPNEGO" cache-type="default">
<authentication>
<login-module code="SPNEGO" flag="required">
<module-option name="serverSecurityDomain" value="host"/>
</login-module>
</authentication>
<mapping>
<mapping-module code="SimpleRoles" type="role">
<module-option name="saurabhgupta#ECO.COM" value="User"/>
</mapping-module>
</mapping>
</security-domain>
My environment consists of:
linux server with JBoss EAP 6.2
client station with Windows 7 64bit + Chrome
Windows Server 2008 Active Directory (act as KDC)
Application War Location:- https://github.com/kwart/spnego-demo
Does anyone went all through this and solved it somehow?
Thank you in advance, Siddharth
You can pair the SPNEGO login-module with others so that you can assign users to roles. Below is an example of how to associate your users to LDAP roles via Standalone.xml:
<security-domain name="SPNEGO">
<authentication>
<login-module code="SPNEGOUsers" flag="requisite">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="serverSecurityDomain" value="host"/>
<module-option name="removeRealmFromPrincipal" value="true"/>
</login-module>
<login-module code="AdvancedAdLdap" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="bindDN" value="test"/>
<module-option name="bindCredential" value="test"/>
<module-option name="allowEmptyPassword" value="true"/>
<module-option name="java.naming.provider.url" value="ldap://test.jboss.redhat.com:389"/>
<module-option name="baseCtxDN" value="CN=Users,DC=jboss,DC=redhat,DC=com"/>
<module-option name="baseFilter" value="(sAMAccountName={0})"/>
<module-option name="roleAttributeID" value="memberOf"/>
<module-option name="roleAttributeIsDN" value="true"/>
<module-option name="roleNameAttributeID" value="cn"/>
<module-option name="recurseRoles" value="true"/>
</login-module>
</authentication>
</security-domain>

JBoss 7.1.0 Security Domain: Multiple LDAPs--sequential, not failover

So far, I am unable to find help for authenticating against multiple LDAP servers except where talking about failover.
We have an LDAP for internal users, and an LDAP for external users. Suddenly, our app needs to be available to both internal users and external users. How would I set this up?
Here is the current config for just internal users:
<security-domain name="dc-ldap-auth">
<authentication>
<login-module code="LdapExtended" flag="required">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://dvldap-1.example.com:389"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="bindDN" value="uid=someid,ou=People,ou=Intranet,o=example.com"/>
<module-option name="bindCredential" value="somecred"/>
<module-option name="baseCtxDN" value="ou=People,ou=Intranet,o=example.com"/>
<module-option name="baseFilter" value="(uid={0})"/>
<module-option name="rolesCtxDN" value="ou=Groups,ou=Intranet,o=example.com"/>
<module-option name="roleFilter" value="(uniqueMember={1})"/>
<module-option name="roleRecursion" value="0"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="searchScope" value="ONELEVEL_SCOPE"/>
</login-module>
</authentication>
</security-domain>
If you need simple configuration
Just use what JAAS offers. Add the two configurations to login module chain and set the flag on the first of them to sufficient value (look at Configuration class for all the options and their description).
For optimal performance: The first configuration should be the one to which users authenticate more often.
<security-domain name="dc-ldap-auth">
<authentication>
<login-module code="LdapExtended" flag="sufficient">
<module-option name="java.naming.provider.url"
value="ldap://internal-ldap.my-company.example"/>
<!-- add other options for the first LDAP server -->
</login-module>
<login-module code="LdapExtended" flag="required">
<module-option name="java.naming.provider.url"
value="ldap://external-ldap.my-company.example"/>
<!-- add other options for the second LDAP server -->
</login-module>
</authentication>
</security-domain>
If you need great performance
If you are able to determine (from the loginname for instance) which LDAP you should search in, then I would suggest to implement your own login module. It can delegate the processing to LdapExtLoginModule instances.

javax.security.auth.login.LoginException: unable to find LoginModule class: org.jboss.security.ClientLoginModule

Its been more than 3 days couldn't figure out what is wrong with my Jenkins.
I have Jenkins job, which pull the source from Bitbucket and build and Deploy in Jboss 5.1.
But at the time of deployment I am getting the bellow exception tried multiple solution but I am getting the same annoying error.
Stack-trace
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2.534 s
[INFO] Finished at: 2015-07-08T03:19:04+05:30
[INFO] Final Memory: 13M/176M
[INFO] ------------------------------------------------------------------------
[JENKINS] Archiving /var/lib/jenkins/jobs/SpringHelloWorld/workspace/pom.xml to com.programcreek/HelloWorld/0.0.1-SNAPSHOT/HelloWorld-0.0.1-SNAPSHOT.pom
[JENKINS] Archiving /var/lib/jenkins/jobs/SpringHelloWorld/workspace/target/HelloWorld.war to com.programcreek/HelloWorld/0.0.1-SNAPSHOT/HelloWorld-0.0.1-SNAPSHOT.war
channel stopped
Deploying /var/lib/jenkins/jobs/SpringHelloWorld/workspace/target/HelloWorld.war to container JBoss 5.x Remote
The undeployment phase of the redeploy action has failed: org.codehaus.cargo.util.CargoException: Cannot undeploy deployable org.codehaus.cargo.container.deployable.WAR[HelloWorld.war]
ERROR: Build step failed with exception
org.codehaus.cargo.util.CargoException: Cannot deploy deployable org.codehaus.cargo.container.deployable.WAR[HelloWorld.war]
at org.codehaus.cargo.container.jboss.JBoss5xRemoteDeployer.deploy(JBoss5xRemoteDeployer.java:216)
at org.codehaus.cargo.container.spi.deployer.AbstractDeployer.redeploy(AbstractDeployer.java:212)
at hudson.plugins.deploy.CargoContainerAdapter.deploy(CargoContainerAdapter.java:73)
at hudson.plugins.deploy.CargoContainerAdapter$1.invoke(CargoContainerAdapter.java:116)
at hudson.plugins.deploy.CargoContainerAdapter$1.invoke(CargoContainerAdapter.java:103)
at hudson.FilePath.act(FilePath.java:989)
at hudson.FilePath.act(FilePath.java:967)
at hudson.plugins.deploy.CargoContainerAdapter.redeploy(CargoContainerAdapter.java:103)
at hudson.plugins.deploy.DeployPublisher.perform(DeployPublisher.java:61)
at hudson.tasks.BuildStepMonitor$3.perform(BuildStepMonitor.java:45)
at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:761)
at hudson.model.AbstractBuild$AbstractBuildExecution.performAllBuildSteps(AbstractBuild.java:721)
at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.post2(MavenModuleSetBuild.java:1053)
at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:670)
at hudson.model.Run.execute(Run.java:1766)
at hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:537)
at hudson.model.ResourceController.execute(ResourceController.java:98)
at hudson.model.Executor.run(Executor.java:374)
Caused by: javax.security.auth.login.LoginException: unable to find LoginModule class: org.jboss.security.ClientLoginModule
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:800)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
at org.codehaus.cargo.tools.jboss.JBossDeployer.getDeploymentManager(JBossDeployer.java:176)
at org.codehaus.cargo.tools.jboss.JBossDeployer.deploy(JBossDeployer.java:71)
at org.codehaus.cargo.container.jboss.JBoss5xRemoteDeployer.deploy(JBoss5xRemoteDeployer.java:212)
... 17 more
javax.security.auth.login.LoginException: unable to find LoginModule class: org.jboss.security.ClientLoginModule
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:800)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
at org.codehaus.cargo.tools.jboss.JBossDeployer.getDeploymentManager(JBossDeployer.java:176)
at org.codehaus.cargo.tools.jboss.JBossDeployer.deploy(JBossDeployer.java:71)
at org.codehaus.cargo.container.jboss.JBoss5xRemoteDeployer.deploy(JBoss5xRemoteDeployer.java:212)
at org.codehaus.cargo.container.spi.deployer.AbstractDeployer.redeploy(AbstractDeployer.java:212)
at hudson.plugins.deploy.CargoContainerAdapter.deploy(CargoContainerAdapter.java:73)
at hudson.plugins.deploy.CargoContainerAdapter$1.invoke(CargoContainerAdapter.java:116)
at hudson.plugins.deploy.CargoContainerAdapter$1.invoke(CargoContainerAdapter.java:103)
at hudson.FilePath.act(FilePath.java:989)
at hudson.FilePath.act(FilePath.java:967)
at hudson.plugins.deploy.CargoContainerAdapter.redeploy(CargoContainerAdapter.java:103)
at hudson.plugins.deploy.DeployPublisher.perform(DeployPublisher.java:61)
at hudson.tasks.BuildStepMonitor$3.perform(BuildStepMonitor.java:45)
at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:761)
at hudson.model.AbstractBuild$AbstractBuildExecution.performAllBuildSteps(AbstractBuild.java:721)
at hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.post2(MavenModuleSetBuild.java:1053)
at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:670)
at hudson.model.Run.execute(Run.java:1766)
at hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:537)
at hudson.model.ResourceController.execute(ResourceController.java:98)
at hudson.model.Executor.run(Executor.java:374)
Build step 'Deploy war/ear to a container' marked build as failure
Finished: FAILURE
I tried multiple ways.
After searching a lot what I found
jbossx/jbossx-security-client.jar.zip is missing in jboss lib, so
i downloaded the jar and pasted into the lib.
But the problem is still there
I tried to modify login-config.xml but this is also not working for me.
The content of login-config.xml look like this.
<?xml version='1.0'?>
<!-- The XML based JAAS login configuration read by the
org.jboss.security.auth.login.XMLLoginConfig mbean. Add
an application-policy element for each security domain.
The outline of the application-policy is:
<application-policy name="security-domain-name">
<authentication>
<login-module code="login.module1.class.name" flag="control_flag">
<module-option name = "option1-name">option1-value</module-option>
<module-option name = "option2-name">option2-value</module-option>
...
</login-module>
<login-module code="login.module2.class.name" flag="control_flag">
...
</login-module>
...
</authentication>
</application-policy>
$Id: login-config.xml 87078 2009-04-09 14:23:47Z bstansberry#jboss.com $
$Revision: 87078 $
-->
<policy>
<!-- Used by clients within the application server VM such as
mbeans and servlets that access EJBs.
-->
<application-policy name="client-login">
<authentication>
<login-module code="org.jboss.security.ClientLoginModule"
flag="required">
<!-- Any existing security context will be restored on logout -->
<module-option name="restore-login-identity">true</module-option>
</login-module>
</authentication>
</application-policy>
<!-- Security domains for testing new jca framework -->
<application-policy name="HsqlDbRealm">
<authentication>
<login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule"
flag="required">
<module-option name="principal">sa</module-option>
<module-option name="userName">sa</module-option>
<module-option name="password"></module-option>
<module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
</login-module>
</authentication>
</application-policy>
<application-policy name="JmsXARealm">
<authentication>
<login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule"
flag="required">
<module-option name="principal">guest</module-option>
<module-option name="userName">guest</module-option>
<module-option name="password">guest</module-option>
<module-option name="managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
</login-module>
</authentication>
</application-policy>
<!-- A template configuration for the jmx-console web application. This
defaults to the UsersRolesLoginModule the same as other and should be
changed to a stronger authentication mechanism as required.
-->
<application-policy name="jmx-console">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag="required">
<module-option name="usersProperties">props/jmx-console-users.properties</module-option>
<module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
</login-module>
</authentication>
</application-policy>
<!-- A template configuration for the web-console web application. This
defaults to the UsersRolesLoginModule the same as other and should be
changed to a stronger authentication mechanism as required.
-->
<application-policy name="web-console">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag="required">
<module-option name="usersProperties">web-console-users.properties</module-option>
<module-option name="rolesProperties">web-console-roles.properties</module-option>
</login-module>
</authentication>
</application-policy>
<!--
A template configuration for the JBossWS security domain.
This defaults to the UsersRolesLoginModule the same as other and should be
changed to a stronger authentication mechanism as required.
-->
<application-policy name="JBossWS">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag="required">
<module-option name="usersProperties">props/jbossws-users.properties</module-option>
<module-option name="rolesProperties">props/jbossws-roles.properties</module-option>
<module-option name="unauthenticatedIdentity">anonymous</module-option>
</login-module>
</authentication>
</application-policy>
<!-- The default login configuration used by any security domain that
does not have a application-policy entry with a matching name
-->
<application-policy name="other">
<!-- A simple server login module, which can be used when the number
of users is relatively small. It uses two properties files:
users.properties, which holds users (key) and their password (value).
roles.properties, which holds users (key) and a comma-separated list of
their roles (value).
The unauthenticatedIdentity property defines the name of the principal
that will be used when a null username and password are presented as is
the case for an unuathenticated web client or MDB. If you want to
allow such users to be authenticated add the property, e.g.,
unauthenticatedIdentity="nobody"
-->
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag="required"/>
</authentication>
</application-policy>
</policy>
I am not sure what do I do with this file.
Does anybody have any clue regarding this ??
After searching a lot, what I found that Deploy plug-in it self has a problem. so I used another method to do so. Since, we are able to build the project, what are we left with is to only deploy the project in the Jboss. So instead of using deploy plug-in I am using shell script. "SCP" to copy the .war file in Jboss deploy folder and restart the jboss with shell script as well.
And its done

LDAP authentication with JBoss 7

I want to develop a simple java web application with JBoss 7 server to enable login from username/password entered by the user and authenticate with ldap.
So this is what i wrote in web.xml placed in WEB-INF/
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Enter user name and password</realm-name>
</login-config>
then added jboss-web.xml in same folder
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<security-domain>java:/jaas/website-domain</security-domain>
</jboss-web>
Then I added the website-domain realm in standalone.xml
<security-domain name="website-domain" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
<module-option name="bindDN" value="ou=people,dc=mycompany,dc=com" />
<module-option name="bindCredential" value="shad"/>
<module-option name="allowEmptyPasswords" value="false"/>
<module-option name="Context.REFERRAL" value="follow"/>
<module-option name="throwValidateError" value="true"/>
<module-option name="allowEmptyPasswords" value="true"/>
</login-module>
</authentication>
</security-domain>
So how the username and password entered will be sent to these modules ? Or do I have to write a custom JAAS realm ? Is their any working example you guys can share me??
I wrote a post in portuguese...
http://jbossdivers.wordpress.com/2012/02/12/utilizando-ldap-login-module-no-jboss-as-7-1/
Your webapp needs to point to your security domain website-domain by adding a line in WEB-INF/jboss-web.xml
<security-domain flushOnSessionInvalidation="true">java:/jaas/website-domain</security-domain>
I believe in Jboss 7 you need to only specify website-domain (no java:/jaas/ prefix)