12 Replies, latest reply: Sep 20, 2012 7:23 AM by Nikos Massios

LdapExtLoginModule and jaasSecurityDomain

Chris Miles Newbie

Hello,

Has anyone got an example of how to setup encryption on the bindCredential of the LdapExtLoginModule?

After reading the wiki entries I'm a little fuzzy on the JaasSecurityDomain piece and where that gets defined etc. An example of how someone has done this would be nice.

Thanks

  • 1. Re: LdapExtLoginModule and jaasSecurityDomain
    Chris Miles Newbie

    So I think I've gotten further on this. I added the following into the jboss-service.xml:

     <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
            name="jboss.security:service=JaasSecurityDomain,domain=LdapPassword">
       <constructor>
         <arg type="java.lang.String" value="ServerMasterPassword"/>
       </constructor>
       <!-- The opaque master password file used to decrypt the encrypted
            database password key -->
       <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</attribute>
       <attribute name="Salt">theSalt</attribute>
       <attribute name="IterationCount">13</attribute>
     </mbean>

    and added the following to the login-config.xml:

     <module-option name="bindCredential">OQQj2fCjjfoc8VaDLVKU7</module-option>
     <module-option name="jaasSecurityDomain">jboss.security:service=JaasSecurityDomain,domain=LdapPassword</module-option>

    I created the ${jboss.server.home.dir}/conf/server.password file via the command:

    java -cp lib\jbosssx.jar org.jboss.security.plugins.FilePassword theSalt 13 password server.password

    Is the password specified above on the FilePassword arg list the password of the LDAP server bindDN?

    Then I use the command:

    java -cp jbosssx.jar org.jboss.security.plugins.PBEUtils theSalt 13 domain-password data-source-password

    to generate the encrypted bindCredential.

    I'm a little confused on what domain-password and data-source-password should be. Should one of them be the bindDN password and if so what is the other one used for.

    Can anyone explain this in layman's terms for me, please? When I try all this the server comes up, but authentication fails when I log in to my app, so I must have something screwed up.


  • 2. Re: LdapExtLoginModule and jaasSecurityDomain
    Chris Miles Newbie

    OK, for the sake of someone else wanting to do this same thing I'm going to outline what I did to get this to work. The doc is very sparse on this stuff, so this took me many frustrating days of trial and error until I got something working...

    1) Added the following into jboss-service.xml. Please note that you cannot add this at the END of the file (it just does not work and I have no idea why). I stuck it as the first mbean entry though I have no idea how far down the file you can go. I just know it cannot be last:

     <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
            name="jboss.security:service=JaasSecurityDomain,domain=LdapPassword">
       <constructor>
         <arg type="java.lang.String" value="ServerMasterPassword"/>
       </constructor>
       <!-- The opaque master password file used to decrypt the encrypted
            database password key -->
       <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</attribute>
       <attribute name="Salt">twsalt12</attribute>
       <attribute name="IterationCount">13</attribute>
     </mbean>

    2) Added the following into the login-config.xml for the LdapExtLoginModule:

     <module-option name="bindCredential">1q2vSZDcCkctsxrys110r3</module-option>
     <module-option name="jaasSecurityDomain">jboss.security:service=JaasSecurityDomain,domain=LdapPassword</module-option>

    3) Created the server.password file with the following:

    java -cp jbosssx.jar org.jboss.security.plugins.FilePassword twsalt12 13 thePassword server.password

    4) Created the encrypted bindCredential with the following:

    java -cp jbosssx.jar org.jboss.security.plugins.PBEUtils twsalt12 13 thePassword clearTextBindCredential

    Hopefully the above helps someone...

  • 3. Re: LdapExtLoginModule and jaasSecurityDomain
    Scott Stark Master

    Update the wiki with your results:
    http://wiki.jboss.org/wiki/Wiki.jsp?page=LdapExtLoginModule

    The JaasSecurityDomain position is a function of its dependencies. Since it depends on the JaasSecurityManager, it either needs to be after that service, or use a dependency statement:

     <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
            name="jboss.security:service=JaasSecurityDomain,domain=LdapPassword">
       <constructor>
         <arg type="java.lang.String" value="ServerMasterPassword"/>
       </constructor>
       <!-- The opaque master password file used to decrypt the encrypted
            database password key -->
       <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</attribute>
       <attribute name="Salt">twsalt12</attribute>
       <attribute name="IterationCount">13</attribute>
       <depends optional-attribute-name="ManagerServiceName">jboss.security:service=JaasSecurityManager</depends>
     </mbean>

  • 4. Re: LdapExtLoginModule and jaasSecurityDomain
    Andrew Lai Newbie

    Many thanks to cmiles123 for this post.

    Most helpful.

  • 5. Re: LdapExtLoginModule and jaasSecurityDomain
    Matias Carminatti Newbie

    Hello People,

    I have tried to encrypt my bindCredential on JBoss 5.1 following the instructions of Chris Miles. But unfortunately I cannot get it working yet.

    First of all, I integrated the LdapExtLoginModule with the plain-text password satisfactorily. After finishing the first step, I configured my jboss-service.xml and my login-config.xml to encrypt the bindCredential. But when my application tries to authenticate I get this message: “Bad Password for usernme=...”.


    I have followed exactly this procedure:

    a) I generate the server.password file, as shown:

    C:\jboss-5.1.0.GA\server\default\conf> java  -cp ../../../common/lib/jbosssx.jar   org.jboss.security.plugins.FilePassword 12345678 17 master server.password


    b) I generate the encrypt bindCredential, as shown:

    C:\jboss-5.1.0.GA\server\default\conf> java  -cp ../../../common/lib/jbosssx.jar org.jboss.security.plugins.PBEUtils 12345678 17 master theLDAPPassword

    Encoded password: 1iiUbPJv1Cwo77b2SigBpa


    c) Added the following into jboss-service.xml:

    <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
           name="jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword">
      <constructor>
        <arg type="java.lang.String" value="ServerMasterPassword"/>
      </constructor>
      <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</attribute>
      <attribute name="Salt">12345678</attribute>
      <attribute name="IterationCount">17</attribute>
      <depends optional-attribute-name="ManagerServiceName">jboss.security:service=JaasSecurityManager</depends>
    </mbean>


    d) And this is my config in login-config.xml:

    <application-policy name="myProject-domain">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
          <module-option name="java.naming.provider.url">ldap://<LdapServer>:389/</module-option>
          <module-option name="java.naming.security.authentication">simple</module-option>
          <module-option name="bindDN">CN=LdapUser,OU=Usuarios,OU=Sistemas,OU=OU Sectores,OU=OU Administracion,OU=OU General,DC=<myCompany>,DC=com</module-option>
          <module-option name="jaasSecurityDomain">jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword</module-option>
          <module-option name="bindCredential">1iiUbPJv1Cwo77b2SigBpa</module-option>
          <module-option name="baseCtxDN">OU=OU General,DC=ad-fravega,DC=com</module-option>
          <module-option name="baseFilter">(sAMAccountName={0})</module-option>
          <module-option name="rolesCtxDN">OU=Grupos MyApplication,OU=Grupos,DC=<myCompany>,DC=com</module-option>
          <module-option name="roleFilter">(member={1})</module-option>
          <module-option name="roleAttributeID">CN</module-option>
          <module-option name="roleRecursion">-1</module-option>
        </login-module>
      </authentication>
    </application-policy>

    Additionally, I would comment that:

    • I used the encode64 functionality of the jmx-console and I obtained the same encryption as from the command line.

    • But when I used the decode64 functionality, I could not get the original password.

    I really would appreciate your help with this issue.

  • 6. Re: LdapExtLoginModule and jaasSecurityDomain
    Ethan Stein Newbie

    This is a really old post, but it might be helpful to others. I got it to work with JBOSS 4.0.5.GA using the above instructions provided by Chris Miles. However, there were some key important differences.

    1. In the mbean, the value for the constructor argument needs to be the same as the domain= value. So in Chris' example, I would expect that

    <arg type="java.lang.String" value="ServerMasterPassword"/>

    would instead be

    <arg type="java.lang.String" value="LdapPassword"/>

    This value also needs to be what is specified as the domain in the login-config.xml.

    2. When running the java commands, the org.jboss.security.plugins.FilePassword "password" parameter needs to be the same as the org.jboss.security.plugins.PBEUtils "domain-password" parameter. And the org.jboss.security.plugins.PBEUtils "data-source-password" parameter needs to be the Active Directory Bind DN password.
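    As an added illustration (not code from this thread or from JBoss), the Java program below runs the password-based encryption scheme behind Chris' four steps and Ethan's parameter mapping: the FilePassword "password" / PBEUtils "domain-password" derives the key together with the salt and iteration count, and the PBEUtils "data-source-password" is the bind DN password that actually gets encrypted. It assumes the PBEwithMD5andDES algorithm, uses java.util.Base64 rather than the base64 variant PBEUtils prints (so the text differs from the thread's "Encoded password" line), and the class name and the wrong-master-password check are mine.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

// Added illustration, not JBoss code. Assumes PBEwithMD5andDES with the same
// (salt, iterationCount, domain password) triple that the thread's commands take.
public class BindCredentialPbeDemo {
    private static final String ALGORITHM = "PBEwithMD5andDES";

    static Cipher cipher(int mode, String salt, int iterations, String domainPassword) throws Exception {
        byte[] saltBytes = salt.getBytes(StandardCharsets.UTF_8);
        if (saltBytes.length != 8) {
            // SunJCE requires exactly 8 salt bytes for this algorithm; check before init()
            throw new IllegalArgumentException("salt must be exactly 8 bytes, got " + saltBytes.length);
        }
        SecretKey key = SecretKeyFactory.getInstance(ALGORITHM)
                .generateSecret(new PBEKeySpec(domainPassword.toCharArray()));
        Cipher c = Cipher.getInstance(ALGORITHM);
        c.init(mode, key, new PBEParameterSpec(saltBytes, iterations));
        return c;
    }

    // Conceptually what PBEUtils does: encrypt the bind DN password and encode it.
    // java.util.Base64 here; JBoss prints its own base64 variant, so the text differs.
    static String encode(String salt, int iterations, String domainPassword, String bindPassword) throws Exception {
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, salt, iterations, domainPassword)
                .doFinal(bindPassword.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ct);
    }

    // Conceptually what the JaasSecurityDomain decode64 op does when the login module binds.
    static char[] decode(String salt, int iterations, String domainPassword, String encoded) throws Exception {
        byte[] pt = cipher(Cipher.DECRYPT_MODE, salt, iterations, domainPassword)
                .doFinal(Base64.getDecoder().decode(encoded));
        return new String(pt, StandardCharsets.UTF_8).toCharArray();
    }

    public static void main(String[] args) throws Exception {
        String salt = "twsalt12";                        // 8 characters, as in the thread
        int iterations = 13;
        String domainPassword = "thePassword";           // FilePassword "password" == PBEUtils "domain-password"
        String bindPassword = "clearTextBindCredential"; // PBEUtils "data-source-password" == bind DN password
        String encoded = encode(salt, iterations, domainPassword, bindPassword);
        System.out.println("bindCredential=" + encoded);
        System.out.println("decoded=" + new String(decode(salt, iterations, domainPassword, encoded)));
        try { // a different master password cannot recover the credential
            decode(salt, iterations, "wrongMaster", encoded);
            System.out.println("wrong master decoded to garbage (the LDAP bind would then fail)");
        } catch (BadPaddingException e) {
            System.out.println("wrong master password rejected: " + e);
        }
    }
}
```

    Compile and run with javac BindCredentialPbeDemo.java && java BindCredentialPbeDemo; a mismatch between the FilePassword password and the PBEUtils domain-password reproduces the "bad password" symptom reported in this thread, since the decoded credential is not the one the bind DN expects.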

  • 7. Re: LdapExtLoginModule and jaasSecurityDomain
    Nikos Massios Novice

    We have encountered the same problem on JBoss 5.1 GA. Has anybody found a solution?

    There is a similar thread connected to this:

    http://community.jboss.org/thread/150593

    We are considering fixing it ourselves.

    Nikos

  • 8. Re: LdapExtLoginModule and jaasSecurityDomain
    Nikos Massios Novice

    I added logging to the decoder action class:

    http://www.docjar.com/html/api/org/jboss/security/auth/spi/DecodeAction.java.html

    This is the exception:

    package access decode caught an exception
    java.security.PrivilegedActionException:
    java.security.NoSuchAlgorithmException: No transformation given
           at java.security.AccessController.doPrivileged(Native Method)
           at org.jboss.security.auth.spi.DecodeAction.decode(DecodeAction.java:84)
           at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:326)
           at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:276)
           at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:249)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
           at java.lang.reflect.Method.invoke(Method.java:597)
           at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
           at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
           at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
           at java.security.AccessController.doPrivileged(Native Method)
           at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
           at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
           at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
           at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
           at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
           at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
           at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)
           at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:258)
           at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:417)
           at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
           at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
           at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
           at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
           at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
           at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
           at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
           at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
           at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
           at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
           at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
           at java.lang.Thread.run(Thread.java:619)
    Caused by: java.security.NoSuchAlgorithmException: No transformation given
           at javax.crypto.Cipher.a(DashoA13*..)
           at javax.crypto.Cipher.b(DashoA13*..)
           at javax.crypto.Cipher.getInstance(DashoA13*..)
           at org.jboss.security.auth.spi.DecodeAction.decode(DecodeAction.java:72)
           at org.jboss.security.auth.spi.DecodeAction.decode64(DecodeAction.java:54)
           at org.jboss.security.auth.spi.DecodeAction.run(DecodeAction.java:43)
           ... 34 more

  • 9. Re: LdapExtLoginModule and jaasSecurityDomain
    Nikos Massios Novice

    The problem was with the DecodeAction class that is called by both the LdapExtLoginModule and the LdapLoginModule classes.

    The original code can be found here:

    http://www.docjar.com/docs/api/org/jboss/security/auth/spi/DecodeAction.html

    I rewrote parts of it to make it look like this. I tried it on JBoss 5.1GA with both the LdapLoginModule and the LdapExtLoginModule and it now works.

    package org.jboss.security.auth.spi;

    import java.security.AccessController;
    import java.security.PrivilegedActionException;
    import java.security.PrivilegedExceptionAction;

    import javax.management.MBeanServer;
    import javax.management.ObjectName;

    import org.apache.log4j.Logger;
    import org.jboss.mx.util.MBeanServerLocator;

    /**
     * Replacement DecodeAction. Instead of calling Cipher.getInstance locally
     * (where the original failed with "No transformation given", see the trace
     * in reply 8), it delegates the whole decode to the JaasSecurityDomain
     * MBean's decode64 operation.
     */
    class DecodeAction implements PrivilegedExceptionAction<Object> {
        protected static Logger _logger = Logger.getLogger(DecodeAction.class);

        String password;        // the encoded bindCredential from login-config.xml
        ObjectName serviceName; // the jaasSecurityDomain MBean name

        DecodeAction(String password, ObjectName serviceName) {
            // Note: logs the encoded credential (not the cleartext) at DEBUG level
            _logger.debug("DecodeAction password " + password + " serviceName " + serviceName);
            this.password = password;
            this.serviceName = serviceName;
        }

        /**
         * @return the decrypted credential as a char array
         * @throws Exception if the MBean invocation fails
         */
        public Object run() throws Exception {
            _logger.debug("DecodeAction run fixedDecode64 " + password);

            // Invoke the decode64 op on the JaasSecurityDomain MBean
            byte[] secret = decode64(password);

            // Convert the UTF-8 bytes to a char array
            String secretPassword = new String(secret, "UTF-8");
            //_logger.debug( " secretPassword " +secretPassword);
            return secretPassword.toCharArray();
        }

        private byte[] decode64(String secret) throws Exception {
            MBeanServer server = MBeanServerLocator.locateJBoss();
            Object[] params = {secret};
            String[] signature = {"java.lang.String"};
            byte[] decoded = (byte[]) server.invoke(serviceName, "decode64", params, signature);
            return decoded;
        }

        static char[] decode(String password, ObjectName serviceName) throws Exception {
            DecodeAction action = new DecodeAction(password, serviceName);
            try {
                char[] decode = (char[]) AccessController.doPrivileged(action);
                return decode;
            } catch (PrivilegedActionException e) {
                _logger.debug("package access decode caught an exception ", e);
                throw e.getException();
            }
        }
    }

  • 10. Re: LdapExtLoginModule and jaasSecurityDomain
    Vítězslav T Newbie

    Good day,

    How can I migrate this solution to JBoss 7 (if it's possible)? Thanks for any reply.

  • 11. Re: LdapExtLoginModule and jaasSecurityDomain
    Gavin Lam Newbie

    Has anyone found a solution for JBoss 5.1? I tried Nikos's solution but I can't get the code to compile.

  • 12. Re: LdapExtLoginModule and jaasSecurityDomain
    Nikos Massios Novice

    Hello Gavin,

    I am uploading the file that works in our workspace with JBoss 5.1GA. What problem do you have with the compilation?

    Nikos