Version 9

    JCA Login Modules

     

    The JCA login modules are used to inject a Subject into connection creation; that Subject carries the credentials the resource adapter uses to obtain the physical connection.

     

    They are referenced from your -ds.xml file:

        <security-domain>JmsXARealm</security-domain>
    

    or, if there are additional pooling parameters, as with Queue/Topic connections:

        <security-domain-and-application>JmsXARealm</security-domain-and-application>
    

     

    ConnectionManager names

     

    The ConnectionManager internal names take the following general format:

     

    jboss.jca:service={type},name={jndiName}
    

     

    • type - is one of:

      • NoTxCM - for no-tx-datasource or no-tx-connection-factory

      • LocalTxCM - for local-tx-datasource

      • TxCM - for tx-connection-factory (local or xa)

      • XATxCM - for xa-datasource

    • jndiName - the JNDI binding of your DataSource or ConnectionFactory

     

    Configured Identity

     

    The configured identity login module configures a single fixed identity for connection creation: every connection is created with the same user name and password, regardless of the caller.

     

    In conf/login-module.xml

        <application-policy name = "JmsXARealm">
           <authentication>
              <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule" flag = "required">
                 <module-option name = "principal">guest</module-option>
                 <module-option name = "userName">guest</module-option>
                 <module-option name = "password">guest</module-option>
                 <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
              </login-module>
           </authentication>
        </application-policy>
    

     

    • name - the name of the policy from the -ds.xml

    • principal - the principal to pass

    • userName - the user used to construct the subject

    • password - the credential used to construct the subject

    • managedConnectionFactoryName - the internal mbean name of the ConnectionManager for your ConnectionFactory

     

    Secured Identity

     

    An extension of configured identity in which the password option holds the credential encrypted with a cipher rather than in clear text.

     

    In conf/login-module.xml

    <application-policy name = "HsqlDbRealm">
       <authentication>
          <login-module code = "org.jboss.resource.security.SecureIdentityLoginModule" flag = "required">
             <module-option name = "username">sa</module-option>
             <module-option name = "password">-207a6df87216de44</module-option>
             <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
          </login-module>
       </authentication>
    </application-policy>
    

     

    • name - the name of the policy from the -ds.xml

    • principal - the principal to pass

    • userName - the user used to construct the subject

    • password - the encrypted credential used to construct the subject

    • managedConnectionFactoryName - the internal mbean name of the ConnectionManager for your ConnectionFactory

     

    A complete description of this simple login module, along with a more flexible keystore based login module, is given in EncryptingDataSourcePasswords.

     

    Configured Identity with Password Based Encryption

     

    An extension to configured identity that uses a credential that is encrypted using a PBE cipher.

     

    Example login-module.xml entries are:

       <application-policy name = "testPBEIdentityLoginModule">
          <authentication>
             <login-module code = "org.jboss.resource.security.PBEIdentityLoginModule"
                flag = "required">
                <module-option name = "principal">sa</module-option>
                <module-option name = "userName">sa</module-option>
                <!--
                output from:
                   org.jboss.resource.security.PBEIdentityLoginModule
                   thesecret testPBEIdentityLoginModule abcdefgh 19 PBEWithMD5AndDES 
                -->
                <module-option name = "password">3fp7R/7TMjyTTxhmePdJVk</module-option>
                <module-option name = "ignoreMissigingMCF">true</module-option>
                <module-option name = "pbealgo">PBEWithMD5AndDES</module-option>
                <module-option name = "pbepass">testPBEIdentityLoginModule</module-option>
                <module-option name = "salt">abcdefgh</module-option>
                <module-option name = "iterationCount">19</module-option>
                <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
             </login-module>
          </authentication>
       </application-policy>
       <application-policy name = "testPBEIdentityLoginModuleTmpFilePassword">
          <authentication>
             <login-module code = "org.jboss.resource.security.PBEIdentityLoginModule"
                flag = "required">
                <module-option name = "principal">sa</module-option>
                <module-option name = "userName">sa</module-option>
                <!--
                   output from:
                   org.jboss.resource.security.PBEIdentityLoginModule
                   thesecret2 testPBEIdentityLoginModuleTmpFilePassword abcdefgh 19 PBEWithMD5AndDES 
                -->
                <module-option name = "password">2zff525DS/OgTuWuJtHYHa</module-option>
                <module-option name = "ignoreMissigingMCF">true</module-option>
                <module-option name = "pbealgo">PBEWithMD5AndDES</module-option>
                <module-option name = "pbepass">{CLASS}org.jboss.security.plugins.TmpFilePassword:${java.io.tmpdir}/tmp.password,5000</module-option>
                <module-option name = "salt">abcdefgh</module-option>
                <module-option name = "iterationCount">19</module-option>
                <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
             </login-module>
          </authentication>
       </application-policy> 
    

     

    This uses password based encryption (PBE) with algorithm parameters derived from the pbealgo, pbepass, salt and iterationCount options:

    • pbealgo - the PBE algorithm to use. Defaults to PBEwithMD5andDES.

    • pbepass - the PBE password to use. Can use the JaasSecurityDomain {CLASS} syntax to obtain the password from outside of the configuration, as the TmpFilePassword option in the second example above shows. Defaults to "jaas is the way". Because that default is public, a pbepass left at its default, or written into the same file as the ciphertext, gives the credential no real protection.

    • salt - the PBE salt as a string. Defaults to {1, 7, 2, 9, 3, 11, 4, 13}.

    • iterationCount - the PBE iterationCount. Defaults to 37.
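    The following is an added illustration of the encryption step described above, not JBoss's own PBEIdentityLoginModule or its tool. It derives the PBE key from pbepass and the DES parameters from salt and iterationCount using the standard javax.crypto API, with the parameters of the testPBEIdentityLoginModule policy; the ciphertext is shown in standard Base64, so the string will not match the JBoss tool's own encoding of the same bytes.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

// Added illustration, not JBoss's PBEIdentityLoginModule: the key comes from
// pbepass, the cipher parameters from salt and iterationCount, as described above.
public final class PbeCredentialDemo {
    private final String algo;
    private final char[] pbepass;
    private final byte[] salt;
    private final int iterationCount;
    public PbeCredentialDemo(String algo, String pbepass, String salt, int iterationCount) {
        this.algo = algo;
        this.pbepass = pbepass.toCharArray();
        this.salt = salt.getBytes(StandardCharsets.UTF_8); // salt option is taken as raw string bytes
        this.iterationCount = iterationCount;
    }
    private Cipher cipher(int mode) throws Exception {
        SecretKey key = SecretKeyFactory.getInstance(algo).generateSecret(new PBEKeySpec(pbepass));
        Cipher c = Cipher.getInstance(algo);
        c.init(mode, key, new PBEParameterSpec(salt, iterationCount));
        return c;
    }
    // Value for the "password" module-option. Standard Base64 is used here, so the
    // string differs from the JBoss tool's output for the same inputs.
    public String encrypt(String secret) throws Exception {
        byte[] ct = cipher(Cipher.ENCRYPT_MODE).doFinal(secret.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().withoutPadding().encodeToString(ct);
    }
    // What the login module recovers when it builds the Subject for connection creation.
    public String decrypt(String encoded) throws Exception {
        byte[] pt = cipher(Cipher.DECRYPT_MODE).doFinal(Base64.getDecoder().decode(encoded));
        return new String(pt, StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        // Same argument order as the tool invocation quoted in the policy comment above.
        PbeCredentialDemo demo = new PbeCredentialDemo("PBEWithMD5AndDES",
                "testPBEIdentityLoginModule", "abcdefgh", 19);
        String encoded = demo.encrypt("thesecret");
        System.out.println("password option: " + encoded);
        // Anyone reading the same four options can repeat this step, which is why
        // pbepass should come from outside the file ({CLASS}...TmpFilePassword).
        System.out.println("recovered:       " + demo.decrypt(encoded));
    }
}
```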

     

     

    Caller Identity

     

    This uses the caller's identity, i.e. the identity used to authenticate in EJB or Servlet land.

     

    In conf/login-module.xml

    <application-policy name = "HsqlDbRealm">
       <authentication>
          <login-module code = "org.jboss.resource.security.CallerIdentityLoginModule" flag = "required">
             <module-option name = "userName">sa</module-option>
             <module-option name = "password"></module-option>
             <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
          </login-module>
       </authentication>
    </application-policy>
    

     

    • name - the name of the policy from the -ds.xml

    • userName - the user to use when the EJB or Servlet is not secured and has no Principal

    • password - the credential to use when the EJB or Servlet is not secured and has no Principal

    • managedConnectionFactoryName - the internal mbean name of the ConnectionManager for your ConnectionFactory