Tag: JBoss AS6

Database Authentication in JBoss for Web Applications In JBoss AS6

Hi,

Usually in production environments we don’t want to use “$PROFILE/conf/props/jmx-console-users.properties” to store the user names and passwords of different users. In that case we have several options for telling JBoss EAP how to authenticate and authorize users and where to store the username and password information in a more secure fashion.

In this example we will see how to use database authentication to secure the jmx-console or any other deployed web application. This can be achieved using “org.jboss.security.auth.spi.DatabaseServerLoginModule”.

Step1). Add the following inside your “$PROFILE/conf/login-config.xml” file.

  <application-policy name="DBAuthTest">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
        <module-option name="dsJndiName">java:/TestDS</module-option>
        <module-option name="principalsQuery">select password from PRINCIPLES where principal_id=?</module-option>
        <module-option name="rolesQuery">select user_role, 'Roles' from ROLES where principal_id=?</module-option>
      </login-module>

      <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
        <module-option name="rolesProperties">props/test-roles.properties</module-option>
        <module-option name="replaceRole">false</module-option>
      </login-module>
    </authentication>
  </application-policy>

Step2). Create a file “$PROFILE/conf/props/test-roles.properties” with the following line:

TestUserOneGroup=TestRoleOne

Step3). Now set up the database by creating the following tables and inserting the following records:

CREATE TABLE PRINCIPLES ( principal_id VARCHAR(64) primary key,password VARCHAR(64));
CREATE TABLE ROLES ( principal_id VARCHAR(64),user_role VARCHAR(64),role_group VARCHAR(64));

Insert into PRINCIPLES values('TestUserOne','PasswordOne');
Insert into PRINCIPLES values('TestUserTwo','PasswordTwo');

Insert into ROLES values('TestUserOne','TestRoleOne','TestUserOneGroup');
Insert into ROLES values('TestUserTwo','TestRoleTwo','TestUserTwoGroup');

Step4). Now create a DataSource file like “oracle-ds.xml” and then place it inside your “$PROFILE/deploy” directory:

<?xml version="1.0" encoding="UTF-8"?>
<datasources>
  <local-tx-datasource>
    <jndi-name>TestDS</jndi-name>
    <connection-url>jdbc:oracle:thin:@10.10.10.10:1521:xe</connection-url>
    <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
    <user-name>dbuser</user-name>
    <password>dbpassword</password>
    <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter</exception-sorter-class-name>
      <metadata>
         <type-mapping>Oracle9i</type-mapping>
      </metadata>
  </local-tx-datasource>
</datasources>

Step5). Now place the “oracle6.jar” (Oracle driver) inside your “$PROFILE/lib” directory. (You can choose whatever database and database driver you want, based on your requirements.)

Step6). Make sure that your application has the following kind of tags inside its “WEB-INF/web.xml” file:

   <security-constraint>
     <web-resource-collection>
       <web-resource-name>HtmlAdaptor</web-resource-name>
       <url-pattern>/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
       <role-name>TestRoleOne</role-name>
     </auth-constraint>
   </security-constraint>
   <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>TestRealm</realm-name>
   </login-config>
   <security-role>
       <role-name>TestRoleOne</role-name>
   </security-role>

Step7). Make sure that your application has a “jboss-web.xml” like the following:

<!DOCTYPE jboss-web PUBLIC
   "-//JBoss//DTD Web Application 5.0//EN"
   "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
<jboss-web>
      <security-domain>java:/jaas/DBAuthTest</security-domain>
</jboss-web>

Step8). Restart your Server and then access the application. You can enter username as “TestUserOne” and password as “PasswordOne”.

NOTE: If you are facing any issue or authentication failure, enable the following category in your “$PROFILE/conf/jboss-log4j.xml” file to get TRACE level information related to security, then check the “server.log” to find out why the authentication is failing:

   <category name="org.jboss.security">
      <priority value="TRACE"/>
   </category>

Thanks
Middleware Magic Team


Active Directory Authentication for Web Applications in JBoss AS6

Hi,

Usually in production environments we don’t want to use “$PROFILE/conf/props/jmx-console-users.properties” to store the user names and passwords of different users. In that case we have several options for telling JBoss AS6 how to authenticate and authorize users and where to store the username and password information in a more secure fashion.

In this example we will see how to use Active Directory authentication to secure the jmx-console or any other deployed web application. This can be achieved using “org.jboss.security.auth.spi.LdapExtLoginModule”.
Make sure that your Windows Active Directory is configured properly; for any issues related to Active Directory, contact your Active Directory administrator.

Step1). Add the following entry inside your “$PROFILE/conf/login-config.xml” file

  <application-policy name="AD">
      <authentication>
          <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
              <module-option name="java.naming.provider.url">ldap://10.10.10.10:389</module-option>
              <module-option name="bindDN">cn=abc,cn=Users,dc=mydomain,dc=com</module-option>
              <module-option name="bindCredential">User@Password1</module-option>
              <module-option name="baseCtxDN">cn=Users,dc=mydomain,dc=com</module-option>
              <module-option name="baseFilter">(userPrincipalName={0})</module-option>

              <module-option name="rolesCtxDN">cn=Users,dc=mydomain,dc=com</module-option>
              <module-option name="roleFilter">(userPrincipalName={0})</module-option>
              <module-option name="roleAttributeID">memberOf</module-option>
              <module-option name="roleAttributeIsDN">true</module-option>
              <module-option name="roleNameAttributeID">cn</module-option>

              <module-option name="java.naming.referral">follow</module-option>
              <module-option name="throwValidateError">true</module-option>
              <module-option name="searchScope">SUBTREE_SCOPE</module-option>
              <module-option name="allowEmptyPasswords">true</module-option>
          </login-module>

          <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
              <module-option name="rolesProperties">props/test-roles.properties</module-option>
              <module-option name="replaceRole">false</module-option>
          </login-module>
      </authentication>
  </application-policy>

In the above configuration the Active Directory address is “ldap://10.10.10.10:389”, and a user “abc@mydomain.com” has been created in Active Directory with password “User@Password1”. This user “abc@mydomain.com” is a member of the group “Administrators”. (These details can be obtained from the Active Directory administrator.)
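
Both the “DBAuthTest” policy from the database post and the “AD” policy above aim to keep credentials out of a properties file, yet as written they leave clear-text passwords in the PRINCIPLES table and in login-config.xml, bind over plain “ldap://”, and accept empty passwords. The following check is an added example, not part of the original posts: it reads a login-config.xml and reports those settings. The function name, the finding codes and the trimmed sample are assumptions made for illustration; “hashAlgorithm” and “jaasSecurityDomain” are the module options that turn on password hashing and bindCredential decryption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two policies from this page, cut down to the options the checks read.
SAMPLE = """<policy>
 <application-policy name="DBAuthTest"><authentication>
  <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
   <module-option name="principalsQuery">select password from PRINCIPLES where principal_id=?</module-option>
  </login-module>
 </authentication></application-policy>
 <application-policy name="AD"><authentication>
  <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
   <module-option name="java.naming.provider.url">ldap://10.10.10.10:389</module-option>
   <module-option name="bindCredential">User@Password1</module-option>
   <module-option name="allowEmptyPasswords">true</module-option>
  </login-module>
 </authentication></application-policy>
</policy>"""

def audit(xml_text):
    """Return (policy name, finding code) pairs for risky login-module options."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("application-policy"):
        name = policy.get("name")
        for module in policy.iter("login-module"):
            kind = module.get("code", "").rsplit(".", 1)[-1]
            opts = {o.get("name"): (o.text or "").strip()
                    for o in module.iter("module-option")}
            if kind == "DatabaseServerLoginModule" and "hashAlgorithm" not in opts:
                # Without hashAlgorithm the column returned by principalsQuery
                # is compared with the typed password as clear text.
                findings.append((name, "DB_PASSWORDS_NOT_HASHED"))
            if kind == "LdapExtLoginModule":
                # Assumption: an absent allowEmptyPasswords counts as "true",
                # the documented default for this generation of the module.
                if opts.get("allowEmptyPasswords", "true").lower() != "false":
                    # An empty password is treated as an anonymous bind by
                    # some LDAP servers, so the login can pass unchecked.
                    findings.append((name, "EMPTY_PASSWORD_ALLOWED"))
                if opts.get("java.naming.provider.url", "").lower().startswith("ldap://"):
                    # Simple binds over ldap:// send passwords unencrypted.
                    findings.append((name, "LDAP_WITHOUT_TLS"))
                if "bindCredential" in opts and "jaasSecurityDomain" not in opts:
                    # The service-account password sits readable in the file.
                    findings.append((name, "BIND_CREDENTIAL_IN_CLEAR"))
    return findings

if __name__ == "__main__":
    for policy_name, code in audit(SAMPLE):
        print(f"{policy_name}: {code}")
```

Setting “allowEmptyPasswords” to “false” and pointing the provider URL at an “ldaps://” listener clears two of the four findings for the sample.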

Step-2). Now add the following to your web application’s “WEB-INF/jboss-web.xml” file:

<!DOCTYPE jboss-web PUBLIC
   "-//JBoss//DTD Web Application 5.0//EN"
   "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
<jboss-web>
      <security-domain>java:/jaas/AD</security-domain>
</jboss-web>

Step-3). Add the following kind of entry inside your web application’s “WEB-INF/web.xml” file:

   <security-constraint>
     <web-resource-collection>
       <web-resource-name>HtmlAdaptor</web-resource-name>
       <url-pattern>/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
       <role-name>Administrators</role-name>
     </auth-constraint>
   </security-constraint>

   <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>JBoss JMX Console</realm-name>
   </login-config>

   <security-role>
      <role-name>Administrators</role-name>
   </security-role>

Step-4). Create a file “test-roles.properties” inside the “$PROFILE/conf/props” directory with the following line:

Administrators=TestRole

Step-5). Now you can restart your server and then try accessing your web application by passing the credentials as username “abc@mydomain.com” and password as “User@Password1”.

NOTE: If you are facing any issue or authentication failure, enable the following category in your “$PROFILE/conf/jboss-log4j.xml” file to get TRACE level information related to security, then check the “server.log” to find out why the authentication is failing:

	<category name="org.jboss.security">
	   <priority value="TRACE"/>
	</category>

Thanks
Middleware Magic Team


How to configure mod_cluster with JBoss ?


Like mod_jk, mod_cluster is an httpd-based load balancer that uses a communication channel to forward requests from httpd to one of a set of application server nodes. So the question arises: why mod_cluster? To answer it, we will describe a few advantages of mod_cluster over mod_jk and other httpd-based load balancers.

In this article we explain why one should use mod_cluster and how to configure mod_cluster with JBoss. We hope this article helps our subscribers choose the httpd-based load balancer that best fits their requirements.

Why should one use mod_cluster ?

  • Dynamic configuration:
  • Server side load balance:
  • AJP is optional:
  • Web application lifecycle control:

To know all the Advantages and Great features of mod_cluster refer to :

Steps to configure mod_cluster with JBoss

I have divided this configuration into two parts so that the steps are easier to understand and follow. The two parts are:

  1. Apache side configuration
  2. JBoss side configuration

Apache side configuration

  1. Download the required binaries for your OS from the link below; for example, for RHEL x64 it is [dynamic libraries linux2-x64]:

    http://www.jboss.org/mod_cluster/downloads/1-1-0.html

  2. Copy the following .so files to your “<Apache_Home>/modules” folder:

    mod_proxy.so
    mod_proxy_ajp.so
    mod_slotmem.so
    mod_manager.so
    mod_proxy_cluster.so
    mod_advertise.so

  3. Edit your httpd.conf (i.e. /conf/http.conf) and add the following lines at the bottom of the file. This virtual host setting is a sample; you might have to make some changes for your own environment.

    ############### mod_cluster Setting - STARTED ###############
    LoadModule slotmem_module modules/mod_slotmem.so
    LoadModule manager_module modules/mod_manager.so
    LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
    LoadModule advertise_module modules/mod_advertise.so
    <VirtualHost *:80>
    	<Directory />
    		Order deny,allow
    		Allow from all
    	</Directory>
    	<Location /mod_cluster_manager>
    		SetHandler mod_cluster-manager
    		Order deny,allow
    		Allow from all
    	</Location>
    	KeepAliveTimeout 60
    	MaxKeepAliveRequests 0
    	ManagerBalancerName testcluster
    	AdvertiseFrequency 5
    </VirtualHost>
    ############### mod_cluster Setting - ENDED ###############

    NOTE:

    You have to comment out the following module (i.e. mod_proxy_balancer.so) in the “httpd.conf” file, or else you will get an error while starting Apache. This is done because we are now using mod_proxy_cluster.so instead of mod_proxy_balancer.so.

    #LoadModule proxy_balancer_module modules/mod_proxy_balancer.so

  4. Restart Apache.

    NOTE:

    You have to do the following before starting Apache.

    Command:

    setenforce 0

    The above command switches SELinux to permissive mode, so it stops enforcing policy for your current running session. If you want to disable it permanently, follow the steps below:

    vi /etc/selinux/config

    #SELINUX=enforcing (comment this line and add the below line)
    SELINUX=disabled

    This may require a system restart, which also makes sure that the changes have taken effect.

JBoss side configuration

  1. Copy “mod-cluster.sar” from “/home/testusr/AS6/mod_cluster” to “/server/cluster_node1/deploy”.

  2. Edit “mod-cluster-jboss-beans.xml” (“<JBOSS_HOME>/server/cluster_node1/deploy/mod-cluster.sar/META-INF/mod-cluster-jboss-beans.xml”) so that it has the following:

    <bean name="HAModClusterConfig" class="org.jboss.modcluster.config.ha.HAModClusterConfig" mode="On Demand">

    <!-- START Comma separated list of address:port listing the httpd servers where mod_cluster is running. -->
        <property name="proxyList">${jboss.modcluster.proxyList:localhost:80}</property>
        <property name="domain">${jboss.Domain:DefaultDomain}</property>
    <!-- END Comma separated list of address:port listing the httpd servers where mod_cluster is running. -->

  3. Edit “server.xml” (“/server/all/deploy/jbossweb.sar/server.xml”) so that it has the following lines:

    <!-- START mod_cluster setting -->
         <Listener  className="org.jboss.web.tomcat.service.deployers.MicrocontainerIntegrationLifecycleListener" delegateBeanName="HAModClusterService"/>
    <!-- END mod_cluster setting -->

    NOTE:
    Make sure you add the above line BEFORE/ABOVE

       <Service name="jboss.web">

    and

    <!-- START mod_cluster setting -->
         <Engine name="jboss.web" defaultHost="localhost" jvmRoute="${jboss.jvmRoute}">
    <!-- END mod_cluster setting -->

    NOTE:
    Make sure you put the above line in place of this line:

          <Engine name="jboss.web" defaultHost="localhost">

  4. Edit “jboss-beans.xml” (/server/all/deploy/jbossweb.sar/META-INF/jboss-beans.xml) and add the line below inside the “bean” element:

    <depends>HAModClusterService</depends>


Command to start the servers

Below are the commands to start the servers of a cluster that run on the same box/physical machine:

NODE-1:

./run.sh -c cluster_node1 -g ClusterA -u 239.255.100.101 -b localhost -Djboss.Domain=test -Djboss.messaging.ServerPeerID=1 -Djboss.service.binding.set=ports-01 -Djboss.jvmRoute="node1"

NODE-2:

./run.sh -c cluster_node2 -g ClusterA -u 239.255.100.101 -b localhost -Djboss.Domain=test -Djboss.messaging.ServerPeerID=2 -Djboss.service.binding.set=ports-02 -Djboss.jvmRoute="node2"

URL to hit

http://localhost/mod_cluster_manager
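
The sample virtual host serves this manager page from a <Location> block with “Allow from all”, so it answers any client that can reach port 80. The following check is an added example, not part of the original article: it finds manager locations left open that way in an httpd.conf. The function names and the restricted variant are assumptions made for illustration, and only the Apache 2.2 Order/Allow/Deny directives inside the <Location> block itself are evaluated.

```python
import re

# Constructed sample: the manager <Location> block from the page's httpd.conf snippet.
PAGE_CONF = """
<VirtualHost *:80>
    <Location /mod_cluster_manager>
        SetHandler mod_cluster-manager
        Order deny,allow
        Allow from all
    </Location>
    ManagerBalancerName testcluster
</VirtualHost>
"""
# Constructed variant: same handler, reachable from the local host only.
RESTRICTED_CONF = PAGE_CONF.replace(
    "Allow from all", "Deny from all\n        Allow from 127.0.0.1")

def open_to_any_client(directives):
    """Apache 2.2 Order/Allow/Deny outcome for a client no host-specific rule matches."""
    order = next((d[1] for d in directives if d[0] == "order" and len(d) > 1),
                 "deny,allow")                      # Apache's default Order
    allow_all = any(d[:3] == ["allow", "from", "all"] for d in directives)
    deny_all = any(d[:3] == ["deny", "from", "all"] for d in directives)
    if order == "allow,deny":
        return allow_all and not deny_all   # default deny, Deny wins over Allow
    return allow_all or not deny_all        # default allow, Allow wins over Deny

def exposed_manager_locations(conf_text):
    """Return paths of <Location> blocks serving mod_cluster-manager to any client."""
    exposed = []
    blocks = re.findall(r"<Location\s+([^\s>]+)\s*>(.*?)</Location>",
                        conf_text, re.S | re.I)
    for path, body in blocks:
        directives = [line.lower().split() for line in body.splitlines()
                      if line.strip() and not line.strip().startswith("#")]
        is_manager = any(d[:2] == ["sethandler", "mod_cluster-manager"]
                         for d in directives)
        if is_manager and open_to_any_client(directives):
            exposed.append(path)
    return exposed

if __name__ == "__main__":
    print(exposed_manager_locations(PAGE_CONF))        # page's sample
    print(exposed_manager_locations(RESTRICTED_CONF))  # restricted variant
```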

Regards,

Middleware Magic


Copyright © 2010-2012 Middleware Magic. All rights reserved.