UsersRolesLoginModule
Create users.properties file
* cd
* vi my-users.properties
    user1=user1pass
    user2=user2pass
* chmod g-r my-users.properties
Create roles.properties file
* cd
* vi my-roles.properties
    user1=admin
    user2=payroll
* chmod g-r my-roles.properties
Setup login-config.xml
* cd
* Add to login-config.xml
    <application-policy name="my">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
          <module-option name="usersProperties">props/my-users.properties</module-option>
          <module-option name="rolesProperties">props/my-roles.properties</module-option>
        </login-module>
      </authentication>
    </application-policy>
LdapExtLoginModule
Setup login-config.xml
* cd
* Add to login-config.xml
    <application-policy name="my">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
          <module-option name="java.naming.provider.url">ldap://ad.my.com:389</module-option>
          <module-option name="bindDN">user1</module-option>
          <module-option name="bindCredential">password</module-option>
          <module-option name="baseCtxDN">CN=Users,DC=my,DC=com</module-option>
          <module-option name="baseFilter">(sAMAccountName={0})</module-option>
          <module-option name="rolesCtxDN">CN=Users,DC=my,DC=com</module-option>
          <module-option name="roleFilter">(member={1})</module-option>
          <module-option name="roleAttributeID">cn</module-option>
          <module-option name="roleAttributeIsDN">false</module-option>
          <module-option name="roleRecursion">2</module-option>
          <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
          <module-option name="allowEmptyPasswords">false</module-option>
        </login-module>
      </authentication>
    </application-policy>
LdapExtLoginModule with Secure LDAP
Create trust store
    keytool -import -v -keystore mytruststore -alias ad-root -storepass changeit -file ad-root.cer
    keytool -import -v -keystore mytruststore -alias ad-box -storepass changeit -file ad-box.cer
Setup JBoss to use trust store
Use properties-service.xml
* cd
* edit properties-service.xml
    <mbean code="org.jboss.varia.property.SystemPropertiesService"
           name="jboss:type=Service,name=SystemProperties">
      <attribute name="Properties">
        javax.net.ssl.trustStore=/absolute/path/to/mytruststore
        javax.net.ssl.trustStorePassword=changeit
      </attribute>
    </mbean>
Use run.conf
* cd
* Add to run.conf
    # Set trust store file location
    JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/absolute/path/to/mytruststore"
    # Set trust store password
    JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=changeit"
    # Turn off host verification if needed. Turn off in production.
    #JAVA_OPTS="$JAVA_OPTS -Dorg.jboss.security.ignoreHttpsHost=true"
    # Turn on ssl handshake debugging if needed. Turn off in production.
    #JAVA_OPTS="$JAVA_OPTS -Djavax.net.debug=ssl,handshake"
Setup login-config.xml
* cd
* Add to login-config.xml
    <application-policy name="my">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
          <module-option name="password-stacking">useFirstPass</module-option>
          <module-option name="java.naming.provider.url">ldaps://ad.my.com:636</module-option>
          <module-option name="bindDN">user1</module-option>
          <module-option name="bindCredential">password</module-option>
          <module-option name="baseCtxDN">CN=Users,DC=my,DC=com</module-option>
          <module-option name="baseFilter">(sAMAccountName={0})</module-option>
          <module-option name="rolesCtxDN">CN=Users,DC=my,DC=com</module-option>
          <module-option name="roleFilter">(member={1})</module-option>
          <module-option name="roleAttributeID">cn</module-option>
          <module-option name="roleAttributeIsDN">false</module-option>
          <module-option name="roleRecursion">2</module-option>
          <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
          <module-option name="allowEmptyPasswords">false</module-option>
        </login-module>
      </authentication>
    </application-policy>
Stacking Multiple Login Modules
* Add to login-config.xml
    <application-policy name="my">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
          <module-option name="password-stacking">useFirstPass</module-option>
          <module-option name="usersProperties">props/my-users.properties</module-option>
          <module-option name="rolesProperties">props/my-roles.properties</module-option>
        </login-module>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="optional">
          <module-option name="password-stacking">useFirstPass</module-option>
          <module-option name="java.naming.provider.url">ldaps://ad.my.com:636</module-option>
          <module-option name="bindDN">user1</module-option>
          <module-option name="bindCredential">password</module-option>
          <module-option name="baseCtxDN">CN=Users,DC=my,DC=com</module-option>
          <module-option name="baseFilter">(sAMAccountName={0})</module-option>
          <module-option name="rolesCtxDN">CN=Users,DC=my,DC=com</module-option>
          <module-option name="roleFilter">(member={1})</module-option>
          <module-option name="roleAttributeID">cn</module-option>
          <module-option name="roleAttributeIsDN">false</module-option>
          <module-option name="roleRecursion">2</module-option>
          <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
          <module-option name="allowEmptyPasswords">false</module-option>
        </login-module>
      </authentication>
    </application-policy>
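The LdapExtLoginModule policies above differ in three settings a reviewer should check before deployment: ldap:// versus ldaps://, allowEmptyPasswords, and password-stacking on every module in a stack. The following added example (not part of the original page or of JBoss) lints a login-config.xml for those settings; the two embedded policies are constructed samples modelled on the plain-LDAP and the stacked ldaps:// configurations shown above.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the plain ldap:// policy above (not the project's own file).
WEAK_POLICY = """<policy><application-policy name="my"><authentication>
  <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
    <module-option name="java.naming.provider.url">ldap://ad.my.com:389</module-option>
    <module-option name="bindCredential">password</module-option>
    <module-option name="allowEmptyPasswords">true</module-option>
  </login-module>
</authentication></application-policy></policy>"""

# Constructed sample modelled on the stacked ldaps:// policy above.
STACKED_POLICY = """<policy><application-policy name="my"><authentication>
  <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
    <module-option name="password-stacking">useFirstPass</module-option>
  </login-module>
  <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="optional">
    <module-option name="password-stacking">useFirstPass</module-option>
    <module-option name="java.naming.provider.url">ldaps://ad.my.com:636</module-option>
    <module-option name="allowEmptyPasswords">false</module-option>
  </login-module>
</authentication></application-policy></policy>"""

def module_options(module):
    """Map a login-module's <module-option> children to a name -> value dict."""
    return {o.get("name"): (o.text or "").strip() for o in module.findall("module-option")}

def lint_login_config(xml_text):
    """Return (policy, module, message) findings for weak settings in login-config.xml."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("application-policy"):
        name = policy.get("name")
        for i, m in enumerate(policy.findall("authentication/login-module")):
            code = m.get("code", "").rsplit(".", 1)[-1]
            opts = module_options(m)
            url = opts.get("java.naming.provider.url", "")
            if url.startswith("ldap://"):
                findings.append((name, code, f"plaintext LDAP URL {url}; the bindDN password "
                                 "and every user password cross the wire unencrypted, use ldaps://"))
            if opts.get("allowEmptyPasswords", "false").lower() != "false":
                findings.append((name, code, "allowEmptyPasswords is not false; an empty password "
                                 "is passed to the server, which some servers treat as an anonymous bind"))
            # Modules after the first only reuse the already-validated credentials
            # when they carry password-stacking=useFirstPass.
            if i > 0 and opts.get("password-stacking") != "useFirstPass":
                findings.append((name, code, "stacked module lacks password-stacking=useFirstPass"))
    return findings
```

To check a deployed server, pass the contents of its login-config.xml to lint_login_config() and review the returned tuples.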
Use Login Modules in Web Applications
See this post for an example of using UsersRolesLoginModule to secure jmx-console and web-console.