JBoss AS7 : Security Domain Model

JBoss AS 7.0 and later use a new domain model in which the configuration of the entire application server is centralized. This article highlights the domain model settings for security and links to other security topics that JBoss AS users are likely to need.

Locations of the domain model

  • Standalone configuration: standalone/configuration/standalone.xml
  • Domain configuration: domain/configuration/domain.xml

Example of the security domain model

<subsystem xmlns="urn:jboss:domain:security:1.0">
    <security-domains>
        <security-domain name="other">
            <authentication>
                <login-module code="UsersRoles" flag="required" />
            </authentication>
        </security-domain>
        <security-domain name="form-auth" cache-type="default">
            <authentication>
                <login-module code="UsersRoles" flag="required">
                    <module-option name="usersProperties" value="users.properties"/>
                    <module-option name="rolesProperties" value="roles.properties"/>
                </login-module>
            </authentication>
        </security-domain>
    </security-domains>
    <security-properties>
        <property name="a" value="b" />
        <property name="c" value="d" />
    </security-properties>
</subsystem>

In the above example, we define a block for security domains. It contains two domains: "other", whose authentication stack is the UsersRoles login module (UsersRolesLoginModule) with no module options, and "form-auth", which uses the same login module but passes it the usersProperties and rolesProperties module options and enables the default authentication cache (cache-type="default"). Remember that we do not need to specify the fully qualified class name of a login module that ships with the server; the short name in the code attribute is enough.

We also define a block of security properties; each property is set on java.security.Security (via Security.setProperty) when the subsystem starts.

Security Domains

The mapping of shortened names for login modules to the standard login modules available in JBoss AS is provided below. The latest mapping is always available in the class org.jboss.as.security.ModulesMap.

Name                         Actual Login Module
Client                       org.jboss.security.ClientLoginModule
Certificate                  org.jboss.security.auth.spi.BaseCertLoginModule
CertificateRoles             org.jboss.security.auth.spi.CertRolesLoginModule
DatabaseCertificate          org.jboss.security.auth.spi.DatabaseCertLoginModule
Database                     org.jboss.security.auth.spi.DatabaseServerLoginModule
Identity                     org.jboss.security.auth.spi.IdentityLoginModule
Ldap                         org.jboss.security.auth.spi.LdapLoginModule
LdapExtended                 org.jboss.security.auth.spi.LdapExtLoginModule
RoleMapping                  org.jboss.security.auth.spi.RoleMappingLoginModule
RunAs                        org.jboss.security.auth.spi.RunAsLoginModule
Simple                       org.jboss.security.auth.spi.SimpleServerLoginModule
UsersRoles                   org.jboss.security.auth.spi.UsersRolesLoginModule
CallerIdentity               org.jboss.resource.security.CallerIdentityLoginModule
ConfiguredIdentity           org.jboss.resource.security.ConfiguredIdentityLoginModule
JaasSecurityDomainIdentity   org.jboss.resource.security.JaasSecurityDomainIdentityLoginModule
PBEIdentity                  org.jboss.resource.security.PBEIdentityLoginModule
SecureIdentity               org.jboss.resource.security.SecureIdentityLoginModule

Using custom login module

Just write the fully qualified class name (FQCN) of your login module in the code attribute and it should work out of the box.

To make the custom login module's class files available, package them in a jar and put it in either:

  • the application classpath of your web archive (war), ejb jar or enterprise archive (ear), OR
  • a separate module under the modules directory.

Read http://community.jboss.org/wiki/JBossAS7SecurityCustomLoginModules

Deploying dynamic security domains

Marcus Moyses talks about it here. You have to use the CLI.

You can add a security domain via the CLI using:

/subsystem=security/security-domain=MyEncryptedDS:add(cache-type=default,authentication=[{"code"=>"SecureIdentity","flag"=>"required","module-options"=>[("username"=>"sa"),("password"=>"encryptedPassword")]}])

Deploying Custom Tomcat Authenticators in AS7

Thanks to Darran Lofthouse for the sample. Add the valve configuration to the jboss-web.xml of your web archive:

<jboss-web>
  <security-domain>SPNEGO</security-domain>
  <valve>
    <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>
  </valve>
</jboss-web>

Note that this is the general pattern for configuring Tomcat valves in JBoss AS7: configure them in jboss-web.xml.

One more example:

<jboss-web>
  <security-domain>idp</security-domain>
  <valve>
    <class-name>org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve</class-name>
    <param>
      <param-name>signOutgoingMessages</param-name>
      <param-value>false</param-value>
    </param>
    <param>
      <param-name>ignoreIncomingSignatures</param-name>
      <param-value>true</param-value>
    </param>
  </valve>
</jboss-web>

JCA - Datasource Security

Historically, the JCA login modules in JBoss AS have been described at https://community.jboss.org/wiki/ConfigJCALoginModule (that information is primarily for JBoss AS 5/6, but it still gives a good idea of how these login modules work).

Here is an example of a security domain that is referenced by a data source:

<security-domain name="DsRealm" cache-type="default">
    <authentication>
        <login-module code="ConfiguredIdentity" flag="required">
            <module-option name="userName" value="sa"/>
            <module-option name="principal" value="sa"/>
            <module-option name="password" value="sa"/>
        </login-module>
    </authentication>
</security-domain>

Remember, you can mask the password by using the vault facility in AS 7.1 instead of storing it in clear text in the configuration.

How would this get used? An example security-ds.xml is below.

<?xml version="1.0" encoding="UTF-8"?>
<datasources>
    <datasource jndi-name="java:jboss/datasources/securityDs" pool-name="securityDs">
        <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1</connection-url>
        <driver>h2</driver>
        <new-connection-sql>select current_user()</new-connection-sql>
        <security>
            <security-domain>DsRealm</security-domain>
        </security>
    </datasource>
</datasources>
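
As an added example (not part of this wiki page and not code from JBoss AS itself), the following Python script ties the pieces above together: it parses a security subsystem fragment, resolves each login-module code through the short-name table (passing a custom fully qualified class name through unchanged, as the custom login module section describes), flags identity login modules whose password option is stored in clear text rather than as a vault reference, and checks that every security domain referenced from a -ds.xml actually exists. The sample XML inside it is constructed from the page's DsRealm and securityDs examples; the VaultedDS domain, the com.example.CustomLoginModule class and the orphanDs datasource are assumptions made for illustration.

```python
# Added example for this page (not code from the JBoss wiki or the AS7 code base):
# audit a security-subsystem fragment and the datasources that reference it.
# Constructed inputs: the VaultedDS domain, com.example.CustomLoginModule, orphanDs.
import re
import xml.etree.ElementTree as ET

SEC = "{urn:jboss:domain:security:1.0}"  # namespace prefix for ElementTree tag lookups

# Short name -> class, from the table above (authoritative: org.jboss.as.security.ModulesMap).
MODULES_MAP = {
    "Client": "org.jboss.security.ClientLoginModule",
    "Certificate": "org.jboss.security.auth.spi.BaseCertLoginModule",
    "CertificateRoles": "org.jboss.security.auth.spi.CertRolesLoginModule",
    "DatabaseCertificate": "org.jboss.security.auth.spi.DatabaseCertLoginModule",
    "Database": "org.jboss.security.auth.spi.DatabaseServerLoginModule",
    "Identity": "org.jboss.security.auth.spi.IdentityLoginModule",
    "Ldap": "org.jboss.security.auth.spi.LdapLoginModule",
    "LdapExtended": "org.jboss.security.auth.spi.LdapExtLoginModule",
    "RoleMapping": "org.jboss.security.auth.spi.RoleMappingLoginModule",
    "RunAs": "org.jboss.security.auth.spi.RunAsLoginModule",
    "Simple": "org.jboss.security.auth.spi.SimpleServerLoginModule",
    "UsersRoles": "org.jboss.security.auth.spi.UsersRolesLoginModule",
    "CallerIdentity": "org.jboss.resource.security.CallerIdentityLoginModule",
    "ConfiguredIdentity": "org.jboss.resource.security.ConfiguredIdentityLoginModule",
    "JaasSecurityDomainIdentity": "org.jboss.resource.security.JaasSecurityDomainIdentityLoginModule",
    "PBEIdentity": "org.jboss.resource.security.PBEIdentityLoginModule",
    "SecureIdentity": "org.jboss.resource.security.SecureIdentityLoginModule",
}

# AS 7.1 vault references look like ${VAULT::block::attribute::sharedKey}.
VAULT_REF = re.compile(r"^\$\{VAULT::[^:}]+::[^:}]+::[^}]+\}$")
# Module options that carry a secret ("password" for the identity modules,
# "bindCredential" for the LDAP modules).
SECRET_OPTIONS = {"password", "bindCredential"}

SUBSYSTEM_XML = """\
<subsystem xmlns="urn:jboss:domain:security:1.0">
  <security-domains>
    <security-domain name="DsRealm" cache-type="default">
      <authentication><login-module code="ConfiguredIdentity" flag="required">
        <module-option name="userName" value="sa"/>
        <module-option name="principal" value="sa"/>
        <module-option name="password" value="sa"/>
      </login-module></authentication>
    </security-domain>
    <security-domain name="VaultedDS">
      <authentication><login-module code="com.example.CustomLoginModule" flag="required">
        <module-option name="password" value="${VAULT::ds::password::1}"/>
      </login-module></authentication>
    </security-domain>
  </security-domains>
</subsystem>
"""

DATASOURCES_XML = """\
<datasources>
  <datasource jndi-name="java:jboss/datasources/securityDs" pool-name="securityDs">
    <security><security-domain>DsRealm</security-domain></security>
  </datasource>
  <datasource jndi-name="java:jboss/datasources/orphanDs" pool-name="orphanDs">
    <security><security-domain>NoSuchRealm</security-domain></security>
  </datasource>
</datasources>
"""

def resolve_code(code):
    """Short name -> class; a dotted FQCN is a custom module and passes through."""
    if code in MODULES_MAP:
        return MODULES_MAP[code]
    if "." in code:
        return code
    raise ValueError("unknown login module short name: %r" % code)

def parse_security_domains(xml_text):
    """Return {domain name: [{code, fqcn, flag, options}, ...]}."""
    domains = {}
    for dom in ET.fromstring(xml_text).iter(SEC + "security-domain"):
        mods = []
        for lm in dom.iter(SEC + "login-module"):
            opts = {o.get("name"): o.get("value") for o in lm.iter(SEC + "module-option")}
            mods.append({"code": lm.get("code"), "fqcn": resolve_code(lm.get("code")),
                         "flag": lm.get("flag"), "options": opts})
        domains[dom.get("name")] = mods
    return domains

def plaintext_secrets(domains):
    """(domain, code, option) for each secret option that is not a vault reference."""
    return [(name, m["code"], opt)
            for name, mods in domains.items() for m in mods
            for opt, val in m["options"].items()
            if opt in SECRET_OPTIONS and not VAULT_REF.match(val or "")]

def dangling_datasource_domains(ds_xml, domains):
    """<security-domain> references in a -ds.xml that no security domain defines."""
    refs = [e.text.strip() for e in ET.fromstring(ds_xml).iter()
            if e.tag.rsplit("}", 1)[-1] == "security-domain" and e.text]
    return [r for r in refs if r not in domains]
```

Run against the embedded samples, plaintext_secrets reports the DsRealm password (the page's clear-text "sa") and leaves the vaulted domain alone, while dangling_datasource_domains reports NoSuchRealm; point the two parse functions at a real standalone.xml security subsystem and your deployed -ds.xml files to get the same two checks on a live configuration.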
Security Auditing

JBossAS7SecurityAuditing

JACC (JSR-115) on JBoss AS7.1

http://community.jboss.org/wiki/JACCOnJBossAS7

Primers/Tutorials/CheatSheets

http://community.jboss.org/wiki/PrimerOnWebSecurityInJBossAS
http://community.jboss.org/wiki/CheatSheetForPicketLinkOnRedHatOpenShift/
http://community.jboss.org/wiki/SAMLWebBrowserSSOOnJBossAS70
http://community.jboss.org/wiki/JBossAS7SecureMyWebAppHowDoI

Where is JaasSecurityDomain in AS7?

It has been replaced by the jsse element in the security subsystem configuration: https://docs.jboss.org/author/display/AS7/Security+subsystem+configuration

Additional Reference

  • JBoss AS Security Subsystem Configuration
  • JBossAS7SecurityAuditing
  • Running JBoss AS7 under a Java Security Manager
  • Choosing SSO for your JBoss Application Server