7 Replies. Latest reply: Aug 23, 2013 2:52 PM by Joshua Davis

Disable security during development

Stian Thorgersen Newbie

I have a web application that uses the 'other' security domain for authentication. Is there a way I can specify a default user during development (without modifying the web.xml file) so I don't have to log in all the time when I'm trying out changes to the web app? Ideal would be if it's possible to edit the 'other' domain so it just defaults to a user without requiring any login.

  • 1. Re: Disable security during development
    Justin Bertram Master

    Try adding this to the "RealmUsersRoles" login-module in the "other" <security-domain>:

        <module-option name="unauthenticatedIdentity" value="guest"/>

    Of course, you'll need to ensure this identity has a valid role in application-roles.properties.

  • 2. Re: Disable security during development
    Stian Thorgersen Newbie

    That didn't make any difference. Have you tried this yourself?

  • 3. Re: Disable security during development
    Justin Bertram Master

    Yes, I did try this myself in the past, and I just tried it again.  In both cases it worked as expected.  However, my use-case was JMS (which also uses the "other" security domain) so maybe there's a slight difference that causes it not to work with your use-case.  I wouldn't have suspected that though so my money is still on a configuration issue somewhere.

  • 4. Re: Disable security during development
    Stian Thorgersen Newbie

    I added the unauthenticatedIdentity option to RealmUsersRoles:

    <login-module code="RealmUsersRoles" flag="required">
        <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
        <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
        <module-option name="realm" value="ApplicationRealm"/>
        <module-option name="password-stacking" value="useFirstPass"/>
        <module-option name="unauthenticatedIdentity" value="guest"/>
    </login-module>

    And added a group for the user in application-roles.properties. When I tried to open a secured page the login form was shown. To check that the guest user would actually work I added the guest user with a password, and I could successfully log in as that user. However, the login form is always shown, with or without the user specified in application-users.properties.

  • 5. Re: Disable security during development
    Justin Bertram Master

    The configuration looks fine.  It must be related to something web-specific since my JMS use-case works fine.

  • 6. Re: Disable security during development
    Hubert Cumberdale Newbie

    I have a similar problem with a remote client. Is there any solution? In standalone.xml I got:

    <security-domain name="other" cache-type="default">
      <authentication>
        <login-module code="Remoting" flag="optional">
          <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="RealmUsersRoles" flag="required">
          <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
          <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
          <module-option name="realm" value="ApplicationRealm"/>
          <module-option name="password-stacking" value="useFirstPass"/>
          <module-option name="unauthenticatedIdentity" value="guest"/>
        </login-module>
      </authentication>
    </security-domain>

    and

    <security-realm name="ApplicationRealm">
      <authentication>
        <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
      </authentication>
    </security-realm>

    My jboss-ejb-client.properties looks like:

    remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false
    remote.connections=default
    remote.connection.default.host=localhost
    remote.connection.default.port=4447
    remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false

    When I remove the credential and principal from jndi.properties like this:

    java.naming.factory.url.pkgs=org.jboss.ejb.client.naming
    java.naming.factory.initial=org.jboss.naming.remote.client.InitialContextFactory
    java.naming.provider.url=remote://localhost:4447
    #java.naming.security.principal=user1
    #java.naming.security.credentials=pass1

    and call an unprotected method from a class that doesn't even have a SecurityDomain I get "javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed". So it seems like the client has not automatically been authenticated as guest.
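
An added example, not part of any post in this thread: a small Python audit that lists every login module in a standalone.xml that sets unauthenticatedIdentity, together with the roles that identity receives from the roles properties file, so a development-only setting is noticed before the configuration is reused elsewhere. The XML and roles content are constructed samples modelled on the fragments quoted above, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragment quoted in the thread (not a real server's file).
SAMPLE_XML = """<security-domains>
  <security-domain name="other" cache-type="default">
    <authentication>
      <login-module code="Remoting" flag="optional">
        <module-option name="password-stacking" value="useFirstPass"/>
      </login-module>
      <login-module code="RealmUsersRoles" flag="required">
        <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
        <module-option name="unauthenticatedIdentity" value="guest"/>
      </login-module>
    </authentication>
  </security-domain>
</security-domains>"""
SAMPLE_ROLES = "# constructed sample\nguest=users\nuser1=users,admin\n"

def local(tag):
    """Strip any XML namespace so the check also works on a full standalone.xml."""
    return tag.rsplit("}", 1)[-1]

def parse_roles(text):
    """Parse user=role1,role2 lines into {user: [roles]}, skipping comments."""
    roles = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            user, _, value = line.partition("=")
            roles[user.strip()] = [r.strip() for r in value.split(",") if r.strip()]
    return roles

def find_unauthenticated_identities(xml_text, roles_text):
    """Return one finding per login module that sets unauthenticatedIdentity."""
    roles = parse_roles(roles_text)
    findings = []
    for domain in (e for e in ET.fromstring(xml_text).iter() if local(e.tag) == "security-domain"):
        for module in (e for e in domain.iter() if local(e.tag) == "login-module"):
            for opt in module:
                if local(opt.tag) == "module-option" and opt.get("name") == "unauthenticatedIdentity":
                    ident = opt.get("value")
                    findings.append({"domain": domain.get("name"), "module": module.get("code"),
                                     "identity": ident, "roles": roles.get(ident, [])})
    return findings

if __name__ == "__main__":
    for finding in find_unauthenticated_identities(SAMPLE_XML, SAMPLE_ROLES):
        print(finding)
```

An empty `roles` list in a finding means the fallback identity is configured but has no entry in the roles file.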

  • 7. Re: Disable security during development
    Joshua Davis Expert

    Here is how to disable the security for remote EJB calls in AS 7: JBoss AS 7.1 - Disable Remote EJB Security Realm