Hi,

Usually in production environments we don’t want to use “$PROFILE/conf/props/jmx-console-users.properties” to store the usernames and passwords of different users. In that case we have several options for telling JBoss AS6 how to authenticate and authorize users, and where to store the username and password information in a more secure fashion.

In this example we are going to see how to use Active Directory authentication to secure the jmx-console or any other deployed web application. This is done with the “org.jboss.security.auth.spi.LdapExtLoginModule”.
Make sure that your Windows Active Directory is configured properly; for any issue related to Active Directory, contact your Active Directory administrator.

Step-1). Add the following entry inside your “$PROFILE/conf/login-config.xml” file:

<application-policy name="AD">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.provider.url">ldap://10.10.10.10:389</module-option>
            <module-option name="bindDN">cn=abc,cn=Users,dc=mydomain,dc=com</module-option>
            <module-option name="bindCredential">User@Password1</module-option>
            <module-option name="baseCtxDN">cn=Users,dc=mydomain,dc=com</module-option>
            <module-option name="baseFilter">(userPrincipalName={0})</module-option>

            <module-option name="rolesCtxDN">cn=Users,dc=mydomain,dc=com</module-option>
            <module-option name="roleFilter">(userPrincipalName={0})</module-option>
            <module-option name="roleAttributeID">memberOf</module-option>
            <module-option name="roleAttributeIsDN">true</module-option>
            <module-option name="roleNameAttributeID">cn</module-option>

            <module-option name="Context.REFERRAL">follow</module-option>
            <module-option name="throwValidateError">true</module-option>
            <module-option name="searchScope">SUBTREE_SCOPE</module-option>
            <module-option name="allowEmptyPasswords">true</module-option>
        </login-module>

        <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
            <module-option name="rolesProperties">props/test-roles.properties</module-option>
            <module-option name="replaceRole">false</module-option>
        </login-module>
    </authentication>
</application-policy>

In the above case the Active Directory address is “ldap://10.10.10.10:389”, and a user “abc@mydomain.com” with password “User@Password1” has been created in Active Directory. This user is a member of the group “Administrators”. (These details can be obtained from the Active Directory administrator.)

Step-2). Now add the following to your web application's “WEB-INF/jboss-web.xml” file:

<!DOCTYPE jboss-web PUBLIC
   "-//JBoss//DTD Web Application 5.0//EN"
   "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
<jboss-web>
      <security-domain>java:/jaas/AD</security-domain>
</jboss-web>

Step-3). Add the following kind of entry to your web application's “WEB-INF/web.xml” file:

   <security-constraint>
     <web-resource-collection>
       <web-resource-name>HtmlAdaptor</web-resource-name>
       <url-pattern>/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
       <role-name>Administrators</role-name>
     </auth-constraint>
   </security-constraint>

   <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>JBoss JMX Console</realm-name>
   </login-config>

   <security-role>
      <role-name>Administrators</role-name>
   </security-role>

Step-4). Create a file “test-roles.properties” inside the “$PROFILE/conf/props” directory with the following content:

Administrators=TestRole

Step-5). Now restart your server and try accessing your web application with the username “abc@mydomain.com” and the password “User@Password1”.
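As an added illustration (not part of the original post, and not JBoss code), the following Python models what the login-module options above configure: the {0} substitution into baseFilter/roleFilter with RFC 4515 escaping of the supplied username, the memberOf-to-cn role extraction that roleAttributeIsDN=true and roleNameAttributeID=cn select, the replaceRole behaviour of RoleMappingLoginModule against test-roles.properties, and why allowEmptyPasswords is worth setting to false against Active Directory. The memberOf values and the role mapping are constructed sample data; the DN parsing assumes a group's cn equals its RDN value, which holds for AD group objects.

```python
import re

# Constructed sample data (not from the original post): the memberOf values an
# AD user entry might return, and the contents of test-roles.properties.
MEMBER_OF = [
    "CN=Administrators,CN=Builtin,DC=mydomain,DC=com",
    "CN=Domain Users,CN=Users,DC=mydomain,DC=com",
]
ROLE_MAPPING = {"Administrators": "TestRole"}

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(base_filter, username):
    """Substitute {0} in baseFilter/roleFilter as a safe implementation must:
    the user-supplied name is escaped so it cannot change the filter structure."""
    return base_filter.replace("{0}", escape_filter_value(username))


def rdn_value(dn, attribute):
    """Value of the first RDN of `dn` whose type is `attribute` (case-insensitive).
    Approximates roleAttributeIsDN=true with roleNameAttributeID=cn, assuming the
    group's cn attribute equals its RDN value (true for AD group objects)."""
    for rdn in re.split(r"(?<!\\),", dn):
        rtype, _, value = rdn.partition("=")
        if rtype.strip().lower() == attribute.lower():
            return value.strip()
    return None


def resolve_roles(member_of, mapping, replace_role=False):
    """Roles from memberOf, then RoleMappingLoginModule: replaceRole=false keeps
    the LDAP roles and adds the mapped ones; replaceRole=true keeps only the mapped."""
    ldap_roles = {r for r in (rdn_value(dn, "cn") for dn in member_of) if r}
    mapped = {mapping[r] for r in ldap_roles if r in mapping}
    return mapped if replace_role else ldap_roles | mapped


def password_sent_to_server(password, allow_empty_passwords):
    """With allowEmptyPasswords=true an empty password is forwarded to the server.
    Active Directory (by default) treats an empty-password simple bind as an
    anonymous bind and reports success, so the module would see a valid login.
    Setting the option to false rejects the empty password locally instead."""
    return bool(password) or allow_empty_passwords
```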

NOTE: If you run into any issue or authentication failure, enable the following category in your “$PROFILE/conf/jboss-log4j.xml” file to get TRACE level information related to security, then check “server.log” to find out why the authentication is failing:

	<category name="org.jboss.security">
	   <priority value="TRACE"/>
	</category>

Thanks
Middleware Magic Team
