Hi,

Usually in production environments we don't want to keep the usernames and passwords of the different users in properties files. In that case we have several options for telling JBoss AS7 how to authenticate and authorize users and where to store the username and password information in a more secure way.

In this example we are going to see how Active Directory authentication can be used to log users in to a deployed web application. This is achieved with the "org.jboss.security.auth.spi.LdapExtLoginModule".
Make sure that your Windows Active Directory is configured properly; for any issues related to Active Directory, contact your Active Directory administrator.

Step1). Add the following "test_ldap_security_domain" entry inside your "/home/userone/jboss-as-7.0.1.Final/standalone/standalone.xml" file:

        <subsystem xmlns="urn:jboss:domain:security:1.0">
            <security-domains>
                <security-domain name="other" cache-type="default">
                    <authentication>
                        <login-module code="Disabled" flag="required"/>
                    </authentication>
                </security-domain>
                <security-domain name="test_ldap_security_domain">
                    <authentication>
                        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                            <module-option name="java.naming.provider.url" value="ldap://10.10.10.10:389"/>
                            <!-- service account used for the initial search; its password is stored here in clear text, so restrict read access to standalone.xml -->
                            <module-option name="bindDN" value="cn=abc,cn=Users,dc=mydomain,dc=com"/>
                            <module-option name="bindCredential" value="Test@123"/>
                            <module-option name="baseCtxDN" value="cn=Users,dc=mydomain,dc=com"/>
                            <module-option name="baseFilter" value="(userPrincipalName={0})"/>
                            <module-option name="rolesCtxDN" value="cn=Users,dc=mydomain,dc=com"/>
                            <module-option name="roleFilter" value="(userPrincipalName={0})"/>
                            <module-option name="roleAttributeID" value="memberOf"/>
                            <module-option name="roleNameAttributeID" value="cn"/>
                            <module-option name="roleAttributeIsDN" value="true"/>
                            <!-- keep this false: AD accepts an empty password as an anonymous bind, which would let any known user name through -->
                            <module-option name="allowEmptyPasswords" value="false"/>
                            <!-- the option key must be the JNDI property name; "Context.REFERRAL" as a literal key is not recognised -->
                            <module-option name="java.naming.referral" value="follow"/>
                            <module-option name="throwValidateError" value="true"/>
                            <module-option name="searchScope" value="SUBTREE_SCOPE"/>
                        </login-module>
                        <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
                            <module-option name="rolesProperties" value="/home/userone/jboss-as-7.0.1.Final/standalone/configuration/test-roles.properties"/>
                            <module-option name="replaceRole" value="false"/>
                        </login-module>
                    </authentication>
                </security-domain>
            </security-domains>
        </subsystem>

NOTE: In the above case the Active Directory address is "ldap://10.10.10.10:389" and a user has been created in the Active Directory as "abc@mydomain.com" with password "User@Password1". This user "abc@mydomain.com" is a member of the group "Administrators". (These details can be obtained from the Active Directory administrator.)
NOTE: A relative path to the properties file can also be used in the above section instead of the hard-coded absolute path:
<module-option name="rolesProperties" value="/home/userone/jboss-as-7.0.1.Final/standalone/configuration/test-roles.properties"/>
OR
<module-option name="rolesProperties" value="../standalone/configuration/test-roles.properties"/>

Step-2). As "org.jboss.security.auth.spi.LdapExtLoginModule" requires the "com.sun.jndi.ldap.LdapCtxFactory" class, we need to add a global module in "/home/userone/jboss-as-7.0.1.Final/standalone/standalone.xml" so that the jar containing that class is on the classpath. To do that, edit the following tag in standalone.xml to add the Sun APIs to the global modules section:

        <subsystem xmlns="urn:jboss:domain:ee:1.0">
            <global-modules>
                <module name="sun.jdk" slot="main"/>
            </global-modules>
        </subsystem>

Step-3). Now add the following to your web application's "WEB-INF/jboss-web.xml" file:

<jboss-web>
    <security-domain>java:/jaas/test_ldap_security_domain</security-domain>
</jboss-web>

Step-3). Add the following kind of entry to your web application's "WEB-INF/web.xml" file:

    <security-constraint>
        <display-name>Constraint-0</display-name>
        <web-resource-collection>
            <web-resource-name>Constraint-0</web-resource-name>
            <url-pattern>/protected/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <!-- "*" means any role declared in a <security-role> below -->
            <role-name>*</role-name>
        </auth-constraint>
        <user-data-constraint>
            <!-- NONE lets the form credentials travel over plain HTTP; CONFIDENTIAL forces HTTPS -->
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/failedlogin.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>TestRole</role-name>
    </security-role>

Step-4). Create a file "test-roles.properties" inside the "/home/userone/jboss-as-7.0.1.Final/standalone/configuration/" directory with the following content (the AD group name on the left maps to the application role on the right):

Administrators=TestRole

Step-5). Now restart your server and try accessing your web application with the username "abc@mydomain.com" and the password "User@Password1".
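As an added example that is not part of the original post, the following Java program replays outside JBoss the sequence the two login modules configured in Step1) perform (service bind, user lookup by userPrincipalName, bind as the user, memberOf group DNs to cn, then the test-roles.properties mapping) and reports which stage fails. It assumes the post's server address and DNs; the class and method names are my own, and the passwords are taken from the command line.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;
// Added diagnostic (not from the post): mirrors LdapExtLoginModule + RoleMappingLoginModule as configured above.
public class AdLoginCheck {
    static final String URL = "ldap://10.10.10.10:389";
    static final String BIND_DN = "cn=abc,cn=Users,dc=mydomain,dc=com";
    static final String BASE_CTX_DN = "cn=Users,dc=mydomain,dc=com";

    static Hashtable<String, Object> env(String principal, String credential) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.REFERRAL, "follow");                  // the java.naming.referral=follow option
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credential);
        return env;
    }

    // Returns the roles the user would end up with, or throws naming the stage that failed.
    static Set<String> check(String bindPw, String upn, String userPw, Properties roleMap) throws Exception {
        if (userPw == null || userPw.isEmpty())                // allowEmptyPasswords=false
            throw new IllegalArgumentException("stage 0: empty password rejected");
        DirContext admin = new InitialLdapContext(env(BIND_DN, bindPw), null); // stage 1: bindDN/bindCredential
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);         // searchScope=SUBTREE_SCOPE
        sc.setReturningAttributes(new String[] {"memberOf"});    // roleAttributeID=memberOf
        NamingEnumeration<SearchResult> hits =                   // baseCtxDN + baseFilter
            admin.search(BASE_CTX_DN, "(userPrincipalName={0})", new Object[] {upn}, sc);
        if (!hits.hasMore()) throw new Exception("stage 1: no entry under baseCtxDN matches " + upn);
        SearchResult user = hits.next();
        new InitialLdapContext(env(user.getNameInNamespace(), userPw), null).close(); // stage 2: bind as user
        Set<String> roles = new TreeSet<>();
        Attribute groups = user.getAttributes().get("memberOf");
        for (int i = 0; groups != null && i < groups.size(); i++) {
            LdapName dn = new LdapName((String) groups.get(i));          // roleAttributeIsDN=true
            String cn = dn.getRdn(dn.size() - 1).getValue().toString();  // leftmost RDN stands in for roleNameAttributeID=cn
            roles.add(cn);
            String mapped = roleMap.getProperty(cn);                     // RoleMappingLoginModule, replaceRole=false
            if (mapped != null) for (String r : mapped.split(",")) roles.add(r.trim());
        }
        admin.close();
        return roles;
    }

    public static void main(String[] args) throws Exception {   // args: bindPassword userPrincipalName userPassword
        Properties roleMap = new Properties();
        roleMap.setProperty("Administrators", "TestRole");      // the test-roles.properties content from Step-4
        System.out.println(check(args[0], args[1], args[2], roleMap));
    }
}
```

A successful run for the post's user prints a set containing both "Administrators" and "TestRole"; an exception message beginning with "stage 1" or "stage 2" tells you whether the service bind/search or the user's own bind is what is failing.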

NOTE: If you are facing any issue or authentication failure, enable the following category in your "/home/userone/jboss-as-7.0.1.Final/standalone/configuration/standalone.xml" file to get TRACE level information related to security, then check the "server.log" to find out why the authentication is failing:

            <logger category="org.jboss.security">
                <level name="TRACE"/>
            </logger>

NOTE: If you face any exception or error during user authentication and you are not able to find out the root cause of the failure, then in Step1) you need to add the following module-option as well to see exactly where it is failing:

<module-option name="throwValidateError" value="true"/>

Thanks
Middleware Magic Team
