Setup JBoss Login Modules

UsersRolesLoginModule

Create users.properties file

* cd /server/myserver/conf/props
* vi my-users.properties

user1=user1pass
user2=user2pass

* chmod g-r my-users.properties

Create roles.properties file

* cd /server/myserver/conf/props
* vi my-roles.properties

user1=admin
user2=payroll

* chmod g-r my-roles.properties

Setup login-config.xml

* cd /server/myserver/conf
* Add to login-config.xml

<application-policy name="my">
  <authentication>
    <login-module
      code="org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag="required">
      <module-option name="usersProperties">
        props/my-users.properties
      </module-option>
      <module-option name="rolesProperties">
        props/my-roles.properties
      </module-option>
    </login-module>
  </authentication>
</application-policy>
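The two properties files above are the whole credential store for this policy, so they are worth checking before the server reads them. The following Python is an added example, not code from the post or from JBoss: it parses the `key=value` format the files use, cross-checks users against roles, mimics the lookup `UsersRolesLoginModule` performs, and tests the file mode, since the `chmod g-r` step above leaves the "other" read bit in place under a typical umask. The file contents and the `audit`/`permission_demo` helpers are constructed for the example.

```python
import hmac
import os
import stat
import tempfile

# Constructed sample contents mirroring the post's my-users.properties and
# my-roles.properties (sample values, not real credentials).
USERS_PROPERTIES = """\
# username=password
user1=user1pass
user2=user2pass
"""

ROLES_PROPERTIES = """\
# username=role1,role2,...
user1=admin
user2=payroll
"""


def parse_properties(text):
    """Parse the subset of java.util.Properties syntax these files use:
    key=value (or key:value) lines, '#'/'!' comments and blank lines."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        result[key.strip()] = value.strip()
    return result


def parse_roles(text):
    """roles.properties maps each user to a comma-separated list of roles."""
    return {user: [r.strip() for r in value.split(",") if r.strip()]
            for user, value in parse_properties(text).items()}


def audit(users, roles):
    """Findings a reviewer would raise about the pair of files."""
    findings = []
    for user, password in users.items():
        if password == "":
            findings.append(f"{user}: empty password")
        if user not in roles:
            findings.append(f"{user}: authenticates but has no roles")
    for user in roles:
        if user not in users:
            findings.append(f"{user}: has roles but no entry in users.properties")
    return findings


def login(users, roles, username, password):
    """What UsersRolesLoginModule does with the two maps: exact password match
    (constant-time here), then role lookup. Returns roles, or None on failure."""
    expected = users.get(username)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return roles.get(username, [])


def group_or_world_readable(path):
    """The post runs 'chmod g-r'; a typical umask still leaves the file
    readable by 'other', so check both bits."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def permission_demo():
    """Write the sample users file to a temp file and compare two modes.
    Returns (readable by group/other after 0644, same after 0600)."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as f:
            f.write(USERS_PROPERTIES)
        os.chmod(path, 0o644)
        after_644 = group_or_world_readable(path)
        os.chmod(path, 0o600)
        after_600 = group_or_world_readable(path)
    finally:
        os.unlink(path)
    return after_644, after_600


if __name__ == "__main__":
    users = parse_properties(USERS_PROPERTIES)
    roles = parse_roles(ROLES_PROPERTIES)
    print("findings:", audit(users, roles))
    print("user1 ->", login(users, roles, "user1", "user1pass"))
    print("0644/0600 readable by group or other:", permission_demo())
```

Run it against the real files by replacing the two constructed strings with `open(...).read()`; an empty `findings` list and `(False, False)` from the permission check is what you want before pointing `login-config.xml` at them.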

LdapExtLoginModule

Setup login-config.xml

* cd /server/myserver/conf
* Add to login-config.xml

<application-policy name="my">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldap://ad.my.com:389</module-option>
      <module-option name="bindDN">user1</module-option>
      <module-option name="bindCredential">password</module-option>
      <module-option name="baseCtxDN">CN=Users,DC=my,DC=com</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">CN=Users,DC=my,DC=com</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleRecursion">2</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
</application-policy>

LdapExtLoginModule with Secure LDAP

Create trust store

keytool -import -v -keystore mytruststore -alias ad-root -storepass changeit -file ad-root.cer
keytool -import -v -keystore mytruststore -alias ad-box -storepass changeit -file ad-box.cer

Setup JBoss to use trust store

Use properties-service.xml

* cd /server/myserver/deploy
* edit properties-service.xml

<mbean code="org.jboss.varia.property.SystemPropertiesService" 
 name="jboss:type=Service,name=SystemProperties">
  <attribute name="Properties">
    javax.net.ssl.trustStore=/absolute/path/to/mytruststore
    javax.net.ssl.trustStorePassword=changeit
  </attribute>
</mbean>

Use run.conf

* cd /bin
* Add to run.conf

# Set trust store file location
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/absolute/path/to/mytruststore"

# Set trust store password
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=changeit"

# Turn off host verification if needed. Turn off in production.
#JAVA_OPTS="$JAVA_OPTS -Dorg.jboss.security.ignoreHttpsHost=true"

# Turn on ssl handshake debugging if needed. Turn off in production.
#JAVA_OPTS="$JAVA_OPTS -Djavax.net.debug=ssl,handshake"

Setup login-config.xml

* cd /server/myserver/conf
* Add to login-config.xml

<application-policy name="my">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="java.naming.provider.url">ldaps://ad.my.com:636</module-option>
      <module-option name="bindDN">user1</module-option>
      <module-option name="bindCredential">password</module-option>
      <module-option name="baseCtxDN">CN=Users,DC=my,DC=com</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">CN=Users,DC=my,DC=com</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleRecursion">2</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
</application-policy>
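The difference between the plain and the secure LDAP policy is one attribute value, `ldap://...:389` versus `ldaps://...:636`, which is easy to miss in a long `login-config.xml`. The following Python is an added example, not from the post or from JBoss: a small linter that walks every `login-module` in the file and reports the settings a reviewer looks for. The embedded XML is a constructed copy of the post's policy (the `<policy>` root element is the one `login-config.xml` uses), and the check list is my own: a cleartext `ldap://` URL, `allowEmptyPasswords=true`, a `bindCredential` stored in clear, and a `UsersRolesLoginModule` without the `hashAlgorithm` option of the JBoss username/password modules.

```python
import xml.etree.ElementTree as ET

# Constructed login-config.xml fragment: the post's LdapExtLoginModule policy
# with the cleartext ldap:// URL, plus a properties-file policy. Sample values.
LOGIN_CONFIG = """\
<policy>
  <application-policy name="my">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <module-option name="java.naming.provider.url">ldap://ad.my.com:389</module-option>
        <module-option name="bindDN">user1</module-option>
        <module-option name="bindCredential">password</module-option>
        <module-option name="baseCtxDN">CN=Users,DC=my,DC=com</module-option>
        <module-option name="baseFilter">(sAMAccountName={0})</module-option>
        <module-option name="allowEmptyPasswords">false</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <application-policy name="props">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="usersProperties">props/my-users.properties</module-option>
        <module-option name="rolesProperties">props/my-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
"""

VALID_FLAGS = {"required", "requisite", "sufficient", "optional"}


def login_modules(xml_text):
    """Yield (policy name, module class, flag, {option: value}) for every
    login-module in the document. Option text is stripped, so values written
    on their own line, as in the post, are handled."""
    root = ET.fromstring(xml_text)
    for policy in root.iter("application-policy"):
        for lm in policy.iter("login-module"):
            options = {o.get("name"): (o.text or "").strip()
                       for o in lm.findall("module-option")}
            yield policy.get("name"), lm.get("code", ""), lm.get("flag", ""), options


def lint(xml_text):
    """Return a list of (policy, module, message) findings."""
    findings = []
    for policy, code, flag, opts in login_modules(xml_text):
        module = code.rsplit(".", 1)[-1]

        def report(msg):
            findings.append((policy, module, msg))

        if flag not in VALID_FLAGS:
            report(f"unknown flag {flag!r}")
        url = opts.get("java.naming.provider.url", "")
        if url.startswith("ldap://"):
            report("cleartext ldap:// URL: bind and user passwords cross the "
                   "network unencrypted; use ldaps:// with a trust store")
        if opts.get("allowEmptyPasswords", "false").lower() == "true":
            report("allowEmptyPasswords=true: an empty password is accepted")
        if opts.get("bindCredential"):
            report("bindCredential is stored in clear in login-config.xml; "
                   "restrict who can read the file")
        if module == "UsersRolesLoginModule" and "hashAlgorithm" not in opts:
            report("no hashAlgorithm: users.properties holds cleartext passwords")
    return findings


if __name__ == "__main__":
    for finding in lint(LOGIN_CONFIG):
        print("%s/%s: %s" % finding)
```

Point `lint` at the real file with `lint(open("login-config.xml").read())`. Changing the URL in the sample to `ldaps://ad.my.com:636`, as the policy above does, removes the cleartext finding; the `bindCredential` finding stays, which is why the file itself needs the same read restrictions as the properties files.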

Stacking Multiple Login Modules

* Add to login-config.xml

<application-policy name="my">
  <authentication>
    <login-module
      code="org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="usersProperties">
        props/my-users.properties
      </module-option>
      <module-option name="rolesProperties">
        props/my-roles.properties
      </module-option>
    </login-module>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="optional">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="java.naming.provider.url">ldaps://ad.my.com:636</module-option>
      <module-option name="bindDN">user1</module-option>
      <module-option name="bindCredential">password</module-option>
      <module-option name="baseCtxDN">CN=Users,DC=my,DC=com</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">CN=Users,DC=my,DC=com</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleRecursion">2</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
</application-policy>
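How a stacked policy decides depends on the `flag` of each module and on `password-stacking=useFirstPass`, which lets the second module reuse the name and password the first one placed in JAAS shared state. The following Python is an added example, not from the post or from JBoss: it models the JAAS `LoginContext` flag semantics (required, requisite, sufficient, optional) over two stand-in modules that consult constructed in-memory backends in place of the properties files and the directory, using the standard `javax.security.auth.login.name` and `javax.security.auth.login.password` shared-state keys.

```python
import hmac

# Constructed stand-ins for the two backends in the post's stacked policy:
# the properties files and the directory. Sample users and passwords only.
PROPERTIES_USERS = {"user1": ("user1pass", ["admin"]),
                    "user2": ("user2pass", ["payroll"])}
LDAP_USERS = {"user2": ("user2pass", ["Domain Users"]),
              "user3": ("user3pass", ["Finance"])}

# Shared-state keys JAAS modules use to hand an identity down the stack.
NAME_KEY = "javax.security.auth.login.name"
PASSWORD_KEY = "javax.security.auth.login.password"


def make_module(backend):
    """Build a login module that checks one backend. With
    password-stacking=useFirstPass the module takes the identity a previous
    module left in shared state instead of asking the caller again, and on
    success publishes its own for the modules below it."""
    def login(username, password, shared):
        if NAME_KEY in shared:
            username, password = shared[NAME_KEY], shared[PASSWORD_KEY]
        entry = backend.get(username)
        if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
            return None
        shared.setdefault(NAME_KEY, username)
        shared.setdefault(PASSWORD_KEY, password)
        return entry[1]
    return login


def authenticate(stack, username, password):
    """JAAS LoginContext flag semantics over a list of (module, flag):
    required/requisite must succeed (requisite stops the walk on failure);
    sufficient returns at once when it succeeds and nothing required has failed;
    optional never decides the outcome unless nothing else is configured.
    Returns the union of roles from the modules that succeeded, or None."""
    shared, roles = {}, []
    required_failed = saw_required = any_succeeded = False
    for login, flag in stack:
        result = login(username, password, shared)
        if result is not None:
            any_succeeded = True
            roles.extend(r for r in result if r not in roles)
        if flag in ("required", "requisite"):
            saw_required = True
            if result is None:
                required_failed = True
                if flag == "requisite":
                    return None
        elif flag == "sufficient" and result is not None and not required_failed:
            return roles
    if required_failed or (not saw_required and not any_succeeded):
        return None
    return roles


# The post's stack: UsersRolesLoginModule required, LdapExtLoginModule optional.
STACK = [(make_module(PROPERTIES_USERS), "required"),
         (make_module(LDAP_USERS), "optional")]

if __name__ == "__main__":
    for user, pw in [("user1", "user1pass"), ("user2", "user2pass"),
                     ("user3", "user3pass"), ("user1", "wrong")]:
        print(user, "->", authenticate(STACK, user, pw))
```

With the flags as in the policy above, a user known to both backends gets the union of roles, a user known only to the properties file still logs in, and a user known only to the directory is rejected because the properties module is `required` and fails for that name. Making the properties module `sufficient` and the LDAP module `required` reverses that, which is the kind of change to reason through before editing the flags.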

Use Login Modules in Web Applications

See this post for an example of using UsersRolesLoginModule to secure jmx-console and web-console.

References

LdapLoginModule
LdapExtLoginModule
Stacking Login Modules

This entry was posted in jboss.