3

I have a security domain defined in jboss-web.xml as below

<jboss-web>
    <security-domain>java:/jaas/my_ldap_security_domain</security-domain>
    <disable-audit>true</disable-audit>
</jboss-web>

I also have defined inside my standalone.xml

<subsystem xmlns="urn:jboss:domain:security:1.2">
    <security-domains>
        <security-domain name="my_ldap_security_domain" cache-type="default">
            <authentication>
                <login-module code="LdapExtended" flag="sufficient">
                    <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                    <module-option name="java.naming.provider.url" value="ldaps://xxx.xxx.xxx.xxx:yyyy"/>
                    <module-option name="java.naming.security.authentication" value="simple"/>
                    <module-option name="bindDN" value="temp@my.domain"/>
                    <module-option name="bindCredential" value="mypass"/>
                    <module-option name="baseCtxDN" value="DC=my,DC=domain"/>
                    <module-option name="baseFilter" value="(uid={0})"/>
                    <module-option name="rolesCtxDN" value="DC=my,DC=domain"/>
                    <module-option name="roleFilter" value="(uniquemember={1})"/>
                    <module-option name="roleAttributeID" value="cn"/>
                    <module-option name="searchScope" value="SUBTREE_SCOPE"/>
                    <module-option name="roleRecursion" value="0"/>
                    <module-option name="allowEmptyPasswords" value="true"/>
                </login-module>
            </authentication>
        </security-domain>
    </security-domains>
</subsystem>

My only realms present on my standalone.xml are

<security-realms>
    <security-realm name="ManagementRealm">
        <authentication>
            <local default-user="$local" skip-group-loading="true"/>
            <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
        </authentication>
        <authorization map-groups-to-roles="false">
            <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
        </authorization>
    </security-realm>
    <security-realm name="ApplicationRealm">
        <authentication>
            <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
            <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
        </authentication>
        <authorization>
            <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
        </authorization>
    </security-realm>
</security-realms>

I did not mention it before because i presumed that this security realms were meant to authenticate the application server console access. Sorry for that.

My doubt is how to create a jsf2 login page to authenticate against what is defined above. I read a lot of articles about but still in the same place beacause most articles use a fake authentication as example (comparing with static strings instead of showing how to consult LDAP server).

Can anyone help me?

Daniel Ferreira Castro
  • 324
  • 3
  • 22

1 Answers1

2

i presumed that this security realms were meant to authenticate the application server console access

You're partially correct there. The name="ManagementRealm" does indeed specify a realm config for accessing admin functions. name="ApplicationRealm" would be the attribute to specify for securing a web application

Your current realm config is missing some things necessary for LDAP authentication. I presume you're already familiar with the login-form configuration in web.xml. Your realm configuration should look something like the following, an excerpt from the Wildfly 8 Realm Configuration Manual:

<management>
  <security-realms>
    <security-realm name="ApplicationRealm">
      <authentication>
        <ldap connection="EC2" base-dn="CN=Users,DC=darranl,DC=jboss,DC=org">
          <username-filter attribute="sAMAccountName" />
        </ldap>
      </authentication>
    </security-realm>
 
  </security-realms>
</management>

Where the <ldap> tag specifies that your lookup is against an LDAP server. Beyond this, you only need follow the standard auth methods for a JavaEE application.

The takeaway from this should be that web application security within JavaEE generally takes the same approach of

  1. Setting up a realm (App-server specific)
  2. Setting up security constraints in web.xml (uniform across all JavaEE applications)
  3. Implementing a login method (Configuration or Programmatic)

Related

Community
  • 1
  • 1
kolossus
  • 20,559
  • 3
  • 52
  • 104
  • Sorry for only being able to answer almost a month after your post. I really like what you said but I am still insecure with the 3 steps approach you just mention before. The realm I think it is fine, although I still have lots of doubts about ApplicationRealm, authentication, authorization and outbound-connections that you did not mention in your answer. I have no idea what would it be using my scenario as an example. The security constraints I am reading here - http://docs.oracle.com/javaee/6/tutorial/doc/gkbaa.html about form based. But what about login method by Configuration? – Daniel Ferreira Castro Mar 25 '15 at 21:23
  • I didn't talk about any of that in my answer, because your question was not about any of that. You haven't actually asked a question about any of that even now. What do you mean by "doubts"? If you ask a specific question, I'll be able to give a specific answer. My answer was posted with the presumption that you have a basic understanding of authentication and authorization in a javaee webapp. You should get that sorted first @DanielFerreiraCastro – kolossus Mar 27 '15 at 18:05
  • See, I am not complaining at all. What you just wrote helped me a lot. But regarding the doubts I wrote before what would be the best way you could help? Do you think that another post making my points clearer would be the way? Could you answer there? – Daniel Ferreira Castro Mar 31 '15 at 11:48
  • You're better off asking a whole, separate question @DanielFerreiraCastro – kolossus Mar 31 '15 at 18:33
  • @DanielFerreiraCastro did you manage to resolve? I have the same doubt and I'm running in a authentication trouble. Could you please post what was the specific parts of your standalone.xml or domain.xml realm/ldap configuration? – andresmafra Jun 26 '15 at 12:58
  • Not yet. But I had to stop my studies for this particular case. – Daniel Ferreira Castro Aug 26 '15 at 09:28