Hi,
Usually in production environments we don't want to use properties files to hold the usernames and passwords of different users. JBoss AS7 therefore offers several options for telling it how to authenticate and authorize users, and where to store the username and password information in a more secure fashion.
In this example we are going to see how Active Directory authentication can be used to log in to a deployed web application. This is achieved with the "org.jboss.security.auth.spi.LdapExtLoginModule".
Make sure that your Windows Active Directory is configured properly; for any issues related to Active Directory, contact your Active Directory administrator.
Step1). Add the following "test_ldap_security_domain" entry inside your "/home/userone/jboss-as-7.0.1.Final/standalone/standalone.xml" file as follows:
<subsystem xmlns="urn:jboss:domain:security:1.0">
    <security-domains>
        <security-domain name="other" cache-type="default">
            <authentication>
                <login-module code="Disabled" flag="required"/>
            </authentication>
        </security-domain>
        <security-domain name="test_ldap_security_domain">
            <authentication>
                <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                    <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                    <module-option name="java.naming.provider.url" value="ldap://10.10.10.10:389"/>
                    <module-option name="bindDN" value="cn=abc,cn=Users,dc=mydomain,dc=com"/>
                    <module-option name="bindCredential" value="Test@123"/>
                    <module-option name="baseCtxDN" value="cn=Users,dc=mydomain,dc=com"/>
                    <module-option name="baseFilter" value="(userPrincipalName={0})"/>
                    <module-option name="rolesCtxDN" value="cn=Users,dc=mydomain,dc=com"/>
                    <module-option name="roleFilter" value="(userPrincipalName={0})"/>
                    <module-option name="roleAttributeID" value="memberOf"/>
                    <module-option name="roleNameAttributeID" value="cn"/>
                    <module-option name="roleAttributeIsDN" value="true"/>
                    <!-- Keep this false: some LDAP servers treat a bind with an empty password as an anonymous bind, which would let a user log in without a password. -->
                    <module-option name="allowEmptyPasswords" value="false"/>
                    <module-option name="Context.REFERRAL" value="follow"/>
                    <module-option name="throwValidateError" value="true"/>
                    <module-option name="searchScope" value="SUBTREE_SCOPE"/>
                </login-module>
                <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
                    <module-option name="rolesProperties" value="/home/userone/jboss-as-7.0.1.Final/standalone/configuration/test-roles.properties"/>
                    <module-option name="replaceRole" value="false"/>
                </login-module>
            </authentication>
        </security-domain>
    </security-domains>
</subsystem>
NOTE: In the above case the Active Directory address is "ldap://10.10.10.10:389" and a user has been created in Active Directory as "abc@mydomain.com" with password "User@Password1". This user "abc@mydomain.com" is a member of the group "Administrators". (These details can be obtained from the Active Directory administrator.)
NOTE: A relative path to the properties file can also be used in the above section instead of a hard-coded absolute path:
<module-option name="rolesProperties" value="/home/userone/jboss-as-7.0.1.Final/standalone/configuration/test-roles.properties"/>
OR
<module-option name="rolesProperties" value="../standalone/configuration/test-roles.properties"/>
Step-2). As "org.jboss.security.auth.spi.LdapExtLoginModule" requires the "com.sun.jndi.ldap.LdapCtxFactory" class, we need to make sure that a global module is added in "/home/userone/jboss-as-7.0.1.Final/standalone/standalone.xml" so that the JAR containing that class is on the classpath. To do that, edit the following tag inside the standalone.xml file as follows to add the Sun APIs in the global-modules section:
<subsystem xmlns="urn:jboss:domain:ee:1.0">
    <global-modules>
        <module name="sun.jdk" slot="main"/>
    </global-modules>
</subsystem>
Step-3). Now in your web application's "WEB-INF/jboss-web.xml" file add the following:
<jboss-web>
    <security-domain>java:/jaas/test_ldap_security_domain</security-domain>
</jboss-web>
Step-4). Add the following kind of entry inside your web application's "WEB-INF/web.xml" file:
<security-constraint>
    <display-name>Constraint-0</display-name>
    <web-resource-collection>
        <web-resource-name>Constraint-0</web-resource-name>
        <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/failedlogin.jsp</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <role-name>TestRole</role-name>
</security-role>
Step-5). Create a file "test-roles.properties" inside the "/home/userone/jboss-as-7.0.1.Final/standalone/configuration/" directory with the following content:
Administrators=TestRole
Step-6). Now you can restart your server and then try accessing your web application with the username "abc@mydomain.com" and the password "User@Password1".
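As an added example (not code from the original post and not part of JBoss), the following Python script models offline what the security domain configured in Step1) does once Active Directory has answered. It shows the two stages of the login chain: LdapExtLoginModule turning the user's memberOf group DNs into role names (roleAttributeIsDN=true, roleNameAttributeID=cn), and RoleMappingLoginModule applying test-roles.properties with replaceRole=false so the original roles are kept. It also shows how the login name must be escaped (RFC 4515) before it is substituted for {0} in baseFilter, so that a crafted username cannot change the meaning of the search filter; this escaping is shown for illustration and is not a claim about the module's internals. The directory entry and properties text are constructed sample data, and the comma-separated value format for rolesProperties is an assumption.

```python
"""Offline model of the role derivation performed by the security domain above.

Added example, not JBoss code. Stage 1 mirrors LdapExtLoginModule's role
options (roleAttributeID=memberOf, roleAttributeIsDN=true,
roleNameAttributeID=cn); stage 2 mirrors RoleMappingLoginModule with
rolesProperties and replaceRole=false. Sample data is constructed.
"""
import re

# Constructed stand-in for the AD entry of abc@mydomain.com (sample data).
SAMPLE_ENTRY = {
    "userPrincipalName": "abc@mydomain.com",
    "memberOf": [
        "CN=Administrators,CN=Builtin,DC=mydomain,DC=com",
        "CN=Domain Users,CN=Users,DC=mydomain,DC=com",
    ],
}

# Content of test-roles.properties from Step-5 (group name -> application role).
SAMPLE_ROLES_PROPERTIES = """
# group name -> application role
Administrators=TestRole
"""

# RFC 4515 escapes for characters that would otherwise alter a search filter.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value that is substituted into an LDAP search filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_filter(base_filter, username):
    """Substitute {0} in the configured baseFilter/roleFilter with the escaped login name."""
    return base_filter.replace("{0}", escape_filter_value(username))


def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def rdn_attribute(dn, attribute):
    """Return the value of the first RDN of dn whose type matches attribute (case-insensitive)."""
    for rdn in re.split(r"(?<!\\),", dn):
        typ, sep, val = rdn.partition("=")
        if sep and typ.strip().lower() == attribute.lower():
            return val.strip()
    return None


def roles_from_entry(entry, role_attribute_id="memberOf",
                     role_name_attribute_id="cn", role_attribute_is_dn=True):
    """Stage 1: derive role names from the group attribute as the module options specify."""
    roles = []
    for value in entry.get(role_attribute_id, []):
        name = rdn_attribute(value, role_name_attribute_id) if role_attribute_is_dn else value
        if name:
            roles.append(name)
    return roles


def map_roles(roles, properties_text, replace_role=False):
    """Stage 2: apply rolesProperties; replaceRole=false keeps the original roles.

    Assumption: a property value may list several roles separated by commas.
    """
    mapping = parse_properties(properties_text)
    mapped = [] if replace_role else list(roles)
    for role in roles:
        for extra in mapping.get(role, "").split(","):
            extra = extra.strip()
            if extra and extra not in mapped:
                mapped.append(extra)
    return mapped


def effective_roles(entry, properties_text):
    """Roles the web application sees for the given directory entry."""
    return map_roles(roles_from_entry(entry), properties_text)


if __name__ == "__main__":
    print(build_filter("(userPrincipalName={0})", "abc@mydomain.com"))
    print(build_filter("(userPrincipalName={0})", "*)(objectClass=*"))
    print(effective_roles(SAMPLE_ENTRY, SAMPLE_ROLES_PROPERTIES))
```

Running the script shows that the sample user ends up with the roles Administrators, Domain Users and TestRole, which is why the web.xml security-role "TestRole" is satisfied for a member of the AD group "Administrators"; the second filter line shows the special characters of a hostile login name neutralised rather than closing the filter early.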
NOTE: If you are facing any issue or authentication failure, enable the following category in your "/home/userone/jboss-as-7.0.1.Final/standalone/configuration/standalone.xml" file to get TRACE level information related to security, then check the "server.log" to find out why the authentication is failing:
<logger category="org.jboss.security">
    <level name="TRACE"/>
</logger>
NOTE: If you face any exception or error during user authentication and you are not able to find the root cause of the failure, then in Step1) you also need to add the following module-option to see where exactly it is failing:
<module-option name="throwValidateError" value="true"/>
Thanks
Middleware Magic Team
May 30th, 2013 on 6:23 am
Hi,
nice writeup!
one question, can we externalize the active directory configuration out of standalone.xml and possibly include it as some other xml configuration so that it can be included in my deployment? Basically, so I can configure it at build time based on my build environment (development, test etc)
Thanks
October 25th, 2013 on 12:26 pm
Hello sir,
I have understood what you have done exactly, but I want to take bindCredential from the user instead of hardcoding… I mean I have one login page with username and password. When I enter the password, that value should be taken for bindCredential.
thank you
October 30th, 2014 on 8:12 pm
Cool, but it would be great if there were an article with the artifacts to download instructing how to do it with a Role Mapping also inside Active Directory or LDAP. The actual example shows the roles inside a property file.