How To Configure Identity Management
How To Configure Identity Management
How To Configure Identity Management
Platform 7.3
Instructions for managing user access to Red Hat JBoss Enterprise Application
Platform using LDAP directories and other identity stores.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons
Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is
available at
http://creativecommons.org/licenses/by-sa/3.0/
. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must
provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert,
Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift,
Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States
and other countries.
Linux ® is the registered trademark of Linus Torvalds in the United States and other countries.
XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States
and/or other countries.
MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and
other countries.
Node.js ® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the
official Joyent Node.js open source or commercial project.
The OpenStack ® Word Mark and OpenStack logo are either registered trademarks/service marks
or trademarks/service marks of the OpenStack Foundation, in the United States and other
countries and are used with the OpenStack Foundation's permission. We are not affiliated with,
endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
Abstract
This guide explores how to use LDAP directories and other identity stores for use with JBoss EAP
management interfaces and security domains. This guide expands on the concepts provided in the
JBoss EAP Security Architecture guide, and should be reviewed after administrators have basic
knowledge of LDAP and a solid understanding of security concepts within JBoss EAP.
Table of Contents
Table of Contents
. . . . . . . . . . . 1.. .IDENTITY
CHAPTER . . . . . . . . . . MANAGEMENT
. . . . . . . . . . . . . . . . .OVERVIEW
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4. . . . . . . . . . . . .
.CHAPTER
. . . . . . . . . . 2.
. . ELYTRON
. . . . . . . . . . . SUBSYSTEM
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5. . . . . . . . . . . . .
2.1. CONFIGURE AUTHENTICATION WITH A FILESYSTEM-BASED IDENTITY STORE 5
2.2. CONFIGURE AUTHENTICATION WITH A PROPERTIES FILE-BASED IDENTITY STORE 6
2.3. CONFIGURE AUTHENTICATION WITH A DATABASE-BASED IDENTITY STORE 7
2.4. CONFIGURE AUTHENTICATION WITH AN LDAP-BASED IDENTITY STORE 8
2.5. CONFIGURE AUTHENTICATION WITH CERTIFICATES 10
2.6. CONFIGURE AUTHENTICATION AND AUTHORIZATION USING MULTIPLE IDENTITY STORES 12
2.6.1. Aggregate Realm in Elytron 12
2.6.2. Configuring Authentication and Authorization Using an Aggregate Realm 13
2.6.3. Example Aggregate Realms 14
2.7. OVERRIDE AN APPLICATION’S AUTHENTICATION CONFIGURATION 14
2.8. SET UP CACHING FOR SECURITY REALMS 15
2.9. CONFIGURE APPLICATIONS TO USE CONTAINER-MANAGED SINGLE SIGN-ON 17
2.10. CONFIGURE AUTHENTICATION AND AUTHORIZATION WITH BEARER TOKENS 19
2.10.1. Bearer token authentication 19
2.10.2. Configuring JSON Web Tokens (JWTs) authentication 20
2.10.3. Configuring authentication with tokens issued by an OAuth2 compliant authorization server 21
2.10.4. Configuring bearer token authentication for an application 22
. . . . . . . . . . . 3.
CHAPTER . . LEGACY
. . . . . . . . . .SECURITY
. . . . . . . . . . .SUBSYSTEM
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
..............
3.1. CONFIGURE A SECURITY DOMAIN TO USE LDAP 24
3.1.1. LdapExtended Login Module 24
3.1.1.1. Configure a Security Domain to use the LdapExtended Login Module 24
3.1.1.1.1. Configure a Security Domain to use the LdapExtended Login Module for Active Directory 26
3.2. CONFIGURE A SECURITY DOMAIN TO USE A DATABASE 27
3.2.1. Database Login Module 27
3.2.1.1. Configure a Security Domain to use the Database Login Module 28
3.3. CONFIGURE A SECURITY DOMAIN TO USE A PROPERTIES FILE 28
3.3.1. UsersRoles Login Module 28
3.3.1.1. Configure a Security Domain to use the UsersRoles Login Module 29
3.4. CONFIGURE A SECURITY DOMAIN TO USE CERTIFICATE-BASED AUTHENTICATION 29
3.4.1. Creating a Security Domain with Certificate-Based Authentication 30
3.4.2. Configure an Application to use a Security Domain with Certificate-Based Authentication 31
3.4.3. Configure the Client 32
3.5. CONFIGURE CACHING FOR A SECURITY DOMAIN 32
3.5.1. Setting the Cache Type for a Security Domain 32
3.5.2. Listing and Flushing Principals 33
3.5.3. Disabling Caching for a Security Domain 33
.CHAPTER
. . . . . . . . . . 4.
. . .APPLICATION
. . . . . . . . . . . . . . .CONFIGURATION
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
..............
4.1. CONFIGURE WEB APPLICATIONS TO USE ELYTRON OR LEGACY SECURITY FOR AUTHENTICATION
35
Silent BASIC Authentication 36
Using Elytron and Legacy Security Subsystems in Parallel 36
4.2. CONFIGURE CLIENT AUTHENTICATION WITH ELYTRON CLIENT 37
4.2.1. The Configuration File Approach 38
4.2.2. The Programmatic Approach 40
4.2.3. The Default Configuration Approach 42
4.2.4. Using Elytron Client with Clients Deployed to JBoss EAP 43
4.2.5. Configuring a JMX Client Using the wildfly-config.xml File 44
1
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
. . . . . . . . . . . 5.
CHAPTER . . SECURING
. . . . . . . . . . . . THE
. . . . .MANAGEMENT
. . . . . . . . . . . . . . . . INTERFACES
. . . . . . . . . . . . . . WITH
. . . . . . LDAP
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47
..............
5.1. USING ELYTRON 47
5.1.1. Using Elytron for Two-way SSL/TLS for the Outbound LDAP Connection 48
5.2. USING LEGACY CORE MANAGEMENT AUTHENTICATION 48
5.2.1. Using Two-way SSL/TLS for the Outbound LDAP Connection 53
5.3. LDAP AND RBAC 54
5.3.1. Using LDAP and RBAC Independently 54
5.3.2. Combining LDAP and RBAC for Authorization 54
5.3.2.1. Using group-search 55
5.3.2.2. Using username-to-dn 58
5.3.2.3. Mapping LDAP Group Information to RBAC Roles 61
5.4. ENABLING CACHING 64
5.4.1. Cache Configuration 64
5.4.2. Example 65
5.4.2.1. Reading the Current Cache Configuration 67
5.4.2.2. Enabling a Cache 68
5.4.2.3. Inspecting an Existing Cache 68
5.4.2.4. Testing an Existing Cache’s Contents 68
5.4.2.5. Flushing a Cache 69
5.4.2.6. Removing a Cache 69
. . . . . . . . . . . 6.
CHAPTER . . .CONFIGURE
. . . . . . . . . . . . .A. .SECURITY
. . . . . . . . . . .DOMAIN
. . . . . . . . . TO
. . . .USE
. . . . .A. .SECURITY
. . . . . . . . . . .MAPPING
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
..............
. . . . . . . . . . . 7.
CHAPTER . . STANDALONE
. . . . . . . . . . . . . . . .SERVER
. . . . . . . . .VS.
. . . .MANAGED
. . . . . . . . . . . DOMAIN
. . . . . . . . . .CONSIDERATIONS
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
..............
. . . . . . . . . . . .A.
APPENDIX . . REFERENCE
. . . . . . . . . . . . . .MATERIAL
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72
..............
A.1. EXAMPLE WILDFLY-CONFIG.XML 72
A.2. REFERENCE FOR SINGLE SIGN-ON ATTRIBUTES 73
A.2.1. Single Sign-on 73
A.3. PASSWORD MAPPERS 74
2
Table of Contents
3
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
NOTE
4
CHAPTER 2. ELYTRON SUBSYSTEM
/subsystem=elytron/filesystem-realm=exampleFsRealm:add(path=fs-realm-users,relative-
to=jboss.server.config.dir)
+ If your directory is located outside of jboss.server.config.dir, then you need to change the path and
relative-to values appropriately.
1. Add a user:
When using the filesystem-realm, you can add users using the management CLI.
/subsystem=elytron/filesystem-realm=exampleFsRealm:add-identity(identity=user1)
/subsystem=elytron/filesystem-realm=exampleFsRealm:set-password(identity=user1, clear=
{password="password123"})
/subsystem=elytron/filesystem-realm=exampleFsRealm:add-identity-attribute(identity=user1,
name=Roles, value=["Admin","Guest"])
2. Add a simple-role-decoder:
/subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=Roles)
This simple-role-decoder decodes a principal’s roles from the Roles attribute. You can change
this value if your roles are in a different attribute.
3. Configure a security-domain:
/subsystem=elytron/security-domain=exampleFsSD:add(realms=
[{realm=exampleFsRealm,role-decoder=from-roles-attribute}],default-
realm=exampleFsRealm,permission-mapper=default-permission-mapper)
/subsystem=undertow/application-security-domain=exampleApplicationDomain:add(security-
domain=exampleFsSD)
NOTE
Your application is now using a file system-based identity store for authentication.
5
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
#$REALM_NAME=examplePropRealm$
user1=password123
user2=password123
user1=Admin
user2=Guest
/subsystem=elytron/properties-realm=examplePropRealm:add(groups-
attribute=groups,groups-properties={path=example-roles.properties,relative-
to=jboss.server.config.dir},users-properties={path=example-users.properties,relative-
to=jboss.server.config.dir,plain-text=true})
The name of the properties-realm is examplePropRealm, which is used in the previous step in
the example-users.properties file. Also, if your properties files are located outside of
jboss.server.config.dir, then you must change the path and relative-to values appropriately.
3. Configure a security-domain:
/subsystem=elytron/security-domain=exampleSD:add(realms=
[{realm=examplePropRealm,role-decoder=groups-to-roles}],default-
realm=examplePropRealm,permission-mapper=default-permission-mapper)
/subsystem=undertow/application-security-domain=exampleApplicationDomain:add(security-
domain=exampleSD)
NOTE
Your application’s web.xml and jboss-web.xml must be updated to use the application-
6
CHAPTER 2. ELYTRON SUBSYSTEM
Your application’s web.xml and jboss-web.xml must be updated to use the application-
security-domain you configured in JBoss EAP. An example of this is available in Configure Web
Applications to Use Elytron or Legacy Security for Authentication.
Your application is now using a properties file-based identity store for authentication.
IMPORTANT
The properties files are only read when the server starts. Any users added after server
startup, either manually or by using an add-user script, requires a server reload. This
reload is accomplished by running the reload command from the management CLI.
reload
2. Configure a datasource:
To connect to a database from JBoss EAP, you must have the appropriate database driver
deployed, as well as a datasource configured. This example shows deploying the driver for
PostgreSQL and configuring a datasource in JBoss EAP:
deploy /path/to/postgresql-9.4.1210.jar
/subsystem=elytron/jdbc-realm=exampleDbRealm:add(principal-query=[{sql="SELECT
password,roles FROM eap_users WHERE username=?",data-
source=examplePostgresDS,clear-password-mapper={password-index=1},attribute-
mapping=[{index=2,to=groups}]}])
NOTE
7
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
NOTE
The above example shows how to obtain passwords and roles from a single
principal-query. You can also create additional principal-query with attribute-
mapping attributes if you require multiple queries to obtain roles or additional
authentication or authorization information.
4. Configure a security-domain:
/subsystem=elytron/security-domain=exampleDbSD:add(realms=
[{realm=exampleDbRealm,role-decoder=groups-to-roles}],default-
realm=exampleDbRealm,permission-mapper=default-permission-mapper)
/subsystem=undertow/application-security-domain=exampleApplicationDomain:add(security-
domain=exampleDbSD)
NOTE
dn: dc=wildfly,dc=org
dc: wildfly
objectClass: top
objectClass: domain
dn: ou=Users,dc=wildfly,dc=org
objectClass: organizationalUnit
objectClass: top
ou: Users
dn: uid=jsmith,ou=Users,dc=wildfly,dc=org
objectClass: top
objectClass: person
objectClass: inetOrgPerson
8
CHAPTER 2. ELYTRON SUBSYSTEM
dn: ou=Roles,dc=wildfly,dc=org
objectclass: top
objectclass: organizationalUnit
ou: Roles
dn: cn=Admin,ou=Roles,dc=wildfly,dc=org
objectClass: top
objectClass: groupOfNames
cn: Admin
member: uid=jsmith,ou=Users,dc=wildfly,dc=org
2. Configure a dir-context:
To connect to the LDAP server from JBoss EAP, you need to configure a dir-context that
provides the URL as well as the principal used to connect to the server.
/subsystem=elytron/dir-
context=exampleDC:add(url="ldap://127.0.0.1:10389",principal="uid=admin,ou=system",credent
ial-reference={clear-text="secret"})
NOTE
/subsystem=elytron/ldap-realm=exampleLR:add(dir-context=exampleDC,identity-mapping=
{search-base-dn="ou=Users,dc=wildfly,dc=org",rdn-identifier="uid",user-password-mapper=
{from="userPassword"},attribute-mapping=[{filter-base-
dn="ou=Roles,dc=wildfly,dc=org",filter="(&(objectClass=groupOfNames)(member=
{0}))",from="cn",to="Roles"}]})
WARNING
4. Add a simple-role-decoder:
/subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=Roles)
5. Configure a security-domain:
9
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
/subsystem=elytron/security-domain=exampleLdapSD:add(realms=[{realm=exampleLR,role-
decoder=from-roles-attribute}],default-realm=exampleLR,permission-mapper=default-
permission-mapper)
/subsystem=undertow/application-security-domain=exampleApplicationDomain:add(security-
domain=exampleLdapSD)
NOTE
IMPORTANT
In cases where the elytron subsystem uses an LDAP server to perform authentication,
JBoss EAP will return a 500, or internal server error, error code if that LDAP server is
unreachable. This behavior differs from previous versions of JBoss EAP using the legacy
security subsystem, which returned a 401, or unauthorized, error code under the same
conditions.
IMPORTANT
Before you can set up certificate-based authentication, you must have two-way SSL
configured. More details on configuring two-way SSL can be found in the Enable Two-
way SSL/TLS for Applications using the Elytron Subsystem section of the How to
Configure Server Security guide.
1. Configure a key-store-realm.
/subsystem=elytron/key-store-realm=ksRealm:add(key-store=twoWayTS)
You must configure this realm with a truststore that contains the client’s certificate. The
authentication process uses the same certificate presented by the client during the two-way
SSL handshake.
2. Create a decoder.
You need to create a x500-attribute-principal-decoder to decode the principal you get from
your certificate. The below example will decode the principal based on the first CN value.
/subsystem=elytron/x500-attribute-principal-
decoder=CNDecoder:add(oid="2.5.4.3",maximum-segments=1)
10
CHAPTER 2. ELYTRON SUBSYSTEM
IMPORTANT
The decoded principal MUST be the alias value you set in your server’s truststore
for the client’s certificate.
Optionally, you can configure an evidence decoder using a subject alternative name
extension to use a subject alternative name as the principal. For more information, see
Configuring Evidence Decoder for X.509 Certificate with Subject Alternative Name
Extension in the How to Configure Server Security guide.
/subsystem=elytron/constant-role-mapper=constantClientCertRole:add(roles=[Admin,Guest])
4. Configure a security-domain.
/subsystem=elytron/security-domain=exampleCertSD:add(realms=[{realm=ksRealm}],default-
realm=ksRealm,permission-mapper=default-permission-mapper,principal-
decoder=CNDecoder,role-mapper=constantClientCertRole)
/subsystem=undertow/application-security-domain=exampleApplicationDomain:add(security-
domain=exampleCertSD)
NOTE
6. Update server-ssl-context.
/subsystem=elytron/server-ssl-context=twoWaySSC:write-attribute(name=security-
domain,value=exampleCertSD)
/subsystem=elytron/server-ssl-context=twoWaySSC:write-attribute(name=authentication-
optional, value=true)
reload
In addition, you need to update your web.xml to use CLIENT-CERT as its authentication
method.
11
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>exampleApplicationDomain</realm-name>
</login-config>
Attribute values from each security realm configured for authorization are loaded.
If an attribute is defined in more than one authorization realm, the value of the first occurrence
of the attribute is used.
The following example illustrates how an identity is created when multiple authorization realms contain
definitions for the same identity attribute.
Example
Aggregate realm configuration:
authentication-realm=properties-realm,
authorization-realms=[jdbc-realm,ldap-realm]
e-mail: [email protected]
groups: Supervisor, User
e-mail: [email protected]
phone: 0000 0000 0000
e-mail: [email protected]
groups: Supervisor, User
phone: 0000 0000 0000
In the example, the attribute e-mail is defined in both the authorization realms. The value defined in
12
CHAPTER 2. ELYTRON SUBSYSTEM
JDBC realm gets used for the attribute e-mail in the resulting aggregate realm because the aggregate
realm was configured to aggregate the authorization realms as: authorization-realms=[jdbc-
realm,ldap-realm].
Prerequisites
Procedure
/subsystem=elytron/aggregate-realm=exampleAggregateRealm:add(authentication-
realm=__SECURITY_REALM_FOR_AUTHENTICATION__, authorization-
realm=__SECURITY_REALM_FOR_AUTHORIZATION__)
/subsystem=elytron/aggregate-realm=exampleAggregateRealm:add(authentication-
realm=__SECURITY_REALM_FOR_AUTHENTICATION__, authorization-realms=
[__SECURITY_REALM_FOR_AUTHORIZATION_1__,__SECURITY_REALM_FOR_AU
THORIZATION_2__,...,__SECURITY_REALM_FOR_AUTHORIZATION_N__])
2. Configure a security-domain:
/subsystem=elytron/security-domain=exampleAggregateRealmSD:add(realms=
[{realm=exampleAggregateRealm,role-decoder=__ROLE-DECODER__}],default-
realm=exampleAggregateRealm,permission-mapper=default-permission-mapper)
/subsystem=undertow/application-security-
domain=exampleAggregareRealmApplicationDomain:add(security-
domain=exampleAggregateRealmSD)
13
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
/subsystem=elytron/aggregate-realm:exampleSimpleAggregateRealm:add(authentication-
realm=examplPropertiesRealm,authorization-realm=exampleJdbcRealm)
/subsystem=elytron/aggregate-realm:exampleSimpleAggregateRealm:add(authentication-
realm=examplPropertiesRealm,authorization-realms=[exampleJdbcRealm,exampleLdapRealm])
/subsystem=undertow/application-security-domain=exampleApplicationDomain:write-
attribute(name=override-deployment-config,value=true)
NOTE
14
CHAPTER 2. ELYTRON SUBSYSTEM
Example jboss-web.xml
<login-config>
<auth-method>FORM</auth-method>
<realm-name>exampleApplicationDomain</realm-name>
</login-config>
Example http-authentication-factory
/subsystem=elytron/http-authentication-factory=exampleHttpAuth:read-resource()
{
"outcome" => "success",
"result" => {
"http-server-mechanism-factory" => "global",
"mechanism-configurations" => [{
"mechanism-name" => "BASIC",
"mechanism-realm-configurations" => [{"realm-name" => "exampleApplicationDomain"}]
}],
"security-domain" => "exampleSD"
}
}
This will override the authentication mechanism defined in the application’s jboss-web.xml and attempt
to authenticate a user using BASIC instead of FORM.
The caching-realm caches the PasswordCredential credential using a LRU or Least Recently Used
caching strategy, in which the least accessed entries are discarded when maximum number of entries is
reached.
filesystem-realm
jdbc-realm
ldap-realm
If you make changes to your credential source outside of JBoss EAP, those changes are only
propagated to a JBoss EAP caching realm if the underlying security realm supports listening. In
particular, an ldap-realm supports listening, however filtered attributes, such as roles, inside the ldap-
realm do not.
To ensure that your caching realm has a correct cache of user data, it is recommended that you modify
15
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
To ensure that your caching realm has a correct cache of user data, it is recommended that you modify
your user attributes through the caching realm rather than at your credential source. Alternatively, you
can clear the cache.
IMPORTANT
Making user changes through a caching realm is provided as Technology Preview only.
Technology Preview features are not supported with Red Hat production service level
agreements (SLAs), might not be functionally complete, and Red Hat does not
recommend to use them for production. These features provide early access to
upcoming product features, enabling customers to test functionality and provide
feedback during the development process.
See Technology Preview Features Support Scope on the Red Hat Customer Portal for
information about the support scope for Technology Preview features.
Example filesystem-realm
/subsystem=elytron/filesystem-realm=exampleFsRealm:add(path=fs-realm-users, relative-
to=jboss.server.config.dir)
/subsystem=elytron/filesystem-realm=exampleFsRealm:add-identity(identity=user1)
/subsystem=elytron/filesystem-realm=exampleFsRealm:set-password(identity=user1, clear=
{password="password123"})
/subsystem=elytron/filesystem-realm=exampleFsRealm:add-identity-
attribute(identity=user1,name=Roles,value=["Admin","Guest"])
/subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=Roles)
2. Create a caching-realm.
Once you have an existing realm you want to cache, create a caching-realm that references it.
/subsystem=elytron/caching-realm=exampleCacheRealm:add(realm=exampleFsRealm)
/subsystem=elytron/security-domain=exampleFsSD:add(realms=
[{realm=exampleCacheRealm, role-decoder=from-roles-attribute}], default-
16
CHAPTER 2. ELYTRON SUBSYSTEM
realm=exampleCacheRealm, permission-mapper=default-permission-mapper)
/subsystem=elytron/http-authentication-factory=example-fs-http-auth:add(http-server-
mechanism-factory=global, security-domain=exampleFsSD, mechanism-configurations=
[{mechanism-name=BASIC, mechanism-realm-configurations=[{realm-
name=exampleApplicationDomain}]}])
You can control the cache size as well as item expiration by using maximum-entries and maximum-age
attributes of the caching-realm. For more details on those attributes, see the Elytron Subsystem
Components Reference section in How to Configure Server Security .
/subsystem=elytron/caching-realm=exampleCacheRealm:clear-cache
IMPORTANT
You can use single sign-on across applications deployed on different JBoss EAP
instances as long as these instances are in a cluster.
1. Create a key-store.
A key-store is necessary in order to configure a secure communication channel between the
different servers participating in the SSO. This channel is used to exchange messages about
events that occur when single sign-on sessions are created or destroyed, during log in and log
out respectively.
To create a key-store in the elytron subsystem, first create a Java KeyStore as follows:
keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore
keystore.jks -dname "CN=localhost" -keypass secret -storepass secret
Once the keystore.jks file is created, execute the following management CLI command to
create a key-store definition in Elytron:
/subsystem=elytron/key-store=example-keystore:add(path=keystore.jks, relative-
to=jboss.server.config.dir, credential-reference={clear-text=secret}, type=JKS)
17
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
/subsystem=elytron/filesystem-realm=example-realm:add(path=/tmp/example-realm)
/subsystem=elytron/security-domain=example-domain:add(default-realm=example-
realm,permission-mapper=default-permission-mapper,realms=[{realm=example-realm,role-
decoder=groups-to-roles}]
NOTE
Applications using SSO should use HTTP FORM authentication as they usually
need to provide a login page for the users.
NOTE
/subsystem=undertow/application-security-domain=other:add(security-domain=example-
domain)
NOTE
By default, if your application does not define any specific security-domain in the
jboss-web.xml file, the application server will choose one with a name other.
5. Update the undertow subsystem to enable single sign-on and use the keystore.
Single sign-on is enabled to a specific application-security-domain definition in the undertow
subsystem. It is important that the servers you are using to deploy the applications are using the
same configuration.
/subsystem=undertow/application-security-domain=other/setting=single-sign-on:add(key-
store=example-keystore, key-alias=localhost, domain=localhost, credential-reference={clear-
text=secret})
NOTE
For more information on the SSO attributes and their definitions, see Reference for Single
18
CHAPTER 2. ELYTRON SUBSYSTEM
For more information on the SSO attributes and their definitions, see Reference for Single
Sign-on Attributes.
JBoss EAP provides out-of-the-box support for clustered and non-clustered SSO using the undertow
and infinispan subsystems.
Elytron supports authentication by using bearer tokens in JWT format, such as OpenID Connect ID
tokens, or by using opaque tokens issued by the OAuth2 compliant authorization server. See the
additional resources section.
The following example shows that the Authorization HTTP header contains the mF_9.B5f-4.1JqM
bearer token:
The BEARER_TOKEN mechanism can now extract the bearer token string and pass it to the token-
realm implementation for validation. If the implementation successfully validates the bearer token,
Elytron creates a security context based on the information represented by the token. The application
can use this security context to obtain information about the requester. It can then decide whether to
fulfill the request by providing the requester access to the HTTP resource.
The BEARER_TOKEN mechanism returns a 401 HTTP status code if the requester does not provide a
bearer token. For example:
The BEARER_TOKEN mechanism returns a 403 HTTP status code if a requester is not authorized to
access a resource.
Additional resources
For information about the JWT validation, see Configuring JSON Web Tokens (JWTs)
authentication.
For information about the OAuth2 validation, see Configuring authentication with tokens issued
19
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
For information about the OAuth2 validation, see Configuring authentication with tokens issued
by an OAuth2 compliant authorization server.
For more information about attributes that you can use with the token-realm, see Table
A.93.token-realm Attributes in the How to Configure Server Security guide.
Within the token-realm, you can specify attributes and a jwt token validator. Elytron completes the
following checks:
Automatic expiration checks on the values specified in the exp claim and nbf claim.
Optional: Signature checks based on a public key that is provided by one of the following
methods:
Using the client-ssl-context attribute to retrieve a remote JSON Web Key (JWK) set from
the URL specified in jku claim.
Optional: Checks on a JWT to ensure it contains only supported values in iss and aud claims.
You can use issuer and audience attributes to perform these checks.
The following example shows token-realm as the security realm and principal-claim as the attribute.
The principal-claim attribute defines the name of a claim that elytron uses to obtain a principal’s name.
The jwt element specifies that the token must be validated as a JWT.
You can define a key map for your token-realm. You can then use different key pairs for signature
verification and easily rotate these key pairs. Elytron takes a kid claim from the token and uses the
corresponding public key for verification.
If a kid claim is not present in JWT, the token-realm uses the value specified in the public-key
attribute of jwt to verify the signature.
If a kid claim is not present in JWT and you have not configured the public-key then the token-
realm invalidates the token.
20
CHAPTER 2. ELYTRON SUBSYSTEM
Procedure
/subsystem=elytron/key-store=<key_store_name>:add(path=<key_store_path> , credential-
reference={clear-text=<key_store_password>}, type=<keystore_type>)
2. Create your token-realm in the elytron subsystem, and specify attributes and a jwt token
validator for your token-realm.
/subsystem=elytron/token-realm=<token_realm_name>:add(jwt={issuer=
[<issuer_name>],audience=[<audience_name>],key-
store=<key_store_name>,certificate=<alias_name>},principal-claim=<principal_claim_key>)
Next steps
Additional resources
For more information about token-realm jwt attributes, see Table A.94. token-realm jwt
Attributes in the How to Configure Server Security guide.
Procedure
21
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
/subsystem=elytron/token-realm=<token_realm_name>:add(principal-
claim=<principal_claim_key>, oauth2-introspection={client-id=<client_id>, client-
secret=<client_secret>, introspection-url=<introspection_URL>})
Next steps
Additional resources
For more information about the token introspection endpoint, see Table A.95. token-realm
oauth2-introspection Attributes.
Prerequisites
Depending on the authentication method you require, create a token-realm by completing one
of the following procedures:
Procedure
1. Create a security domain in the elytron subsystem. Ensure you specify your token security realm
in the security domain.
/subsystem=elytron/security-domain=<security_domain_name>:add(realms=
[{realm=<token_realm_name>,role-decoder=<role_decoder_name>}],permission-
mapper=<permission_mapper_name>,default-realm=<token_realm_name>)
22
CHAPTER 2. ELYTRON SUBSYSTEM
/subsystem=elytron/http-authentication-factory=<authentication_factory_name>:add(security-
domain=<security_domain_name>,http-server-mechanism-factory=global,mechanism-
configurations=[{mechanism-name=BEARER_TOKEN,mechanism-realm-configurations=
[{realm-name=<token_realm_name>}]}])
/subsystem=undertow/application-security-
domain=<application_security_domain_name>:add(http-authentication-
factory=<authentication_factory_name>)
4. Configure your application’s web.xml and jboss-web.xml files. You must ensure your
application’s web.xml specifies the BEARER_TOKEN authentication method. Additionally,
ensure jboss-web.xml uses the application-security-domain you configured in JBoss EAP.
Additional resources
For more information about the BEARER_TOKEN authentication mechanism, see Bearer
token authentication.
For more information about token-realm jwt attributes, see Table A.94. token-realm jwt
Attributes in the How to Configure Server Security guide.
For more information about attributes that you can use with the OAuth2 token endpoint, see
Table A.95. token-realm oauth2-introspection Attributes.
For more information about configuring your application’s web.xml and jboss-web.xml, see
Configure Web Applications to Use Elytron or Legacy Security for Authentication in the How to
Configure Identity Management guide.
23
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
IMPORTANT
In cases where the legacy security subsystem uses an LDAP server to perform
authentication, JBoss EAP will return a 500, or internal server error, error code if that
LDAP server is unreachable. This behavior differs from previous versions of JBoss EAP
which returned a 401, or unauthorized, error code under the same conditions.
1. An initial bind to the LDAP server is done using the bindDN and bindCredential options. The
bindDN is a LDAP user with the ability to search both the baseCtxDN and rolesCtxDN trees
for the user and roles. The user DN to authenticate against is queried using the filter specified
by the baseFilter attribute.
2. The resulting user DN is authenticated by binding to the LDAP server using the user DN as the
InitialLdapContext environment Context.SECURITY_PRINCIPAL. The
Context.SECURITY_CREDENTIALS property is set to the String password obtained by the
callback handler.
dn: uid=jduke,ou=Users,dc=jboss,dc=org
objectClass: inetOrgPerson
objectClass: person
objectClass: top
cn: Java Duke
sn: duke
uid: jduke
24
CHAPTER 3. LEGACY SECURITY SUBSYSTEM
userPassword: theduke
# =============================
dn: uid=hnelson,ou=Users,dc=jboss,dc=org
objectClass: inetOrgPerson
objectClass: person
objectClass: top
cn: Horatio Nelson
sn: Nelson
uid: hnelson
userPassword: secret
# =============================
dn: ou=groups,dc=jboss,dc=org
objectClass: top
objectClass: organizationalUnit
ou: groups
# =============================
dn: uid=ldap,ou=Users,dc=jboss,dc=org
objectClass: inetOrgPerson
objectClass: person
objectClass: top
cn: LDAP
sn: Service
uid: ldap
userPassword: randall
# =============================
dn: ou=Users,dc=jboss,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Users
# =============================
dn: dc=jboss,dc=org
objectclass: top
objectclass: domain
dc: jboss
# =============================
dn: uid=GroupTwo,ou=groups,dc=jboss,dc=org
objectClass: top
objectClass: groupOfNames
objectClass: uidObject
cn: GroupTwo
member: uid=jduke,ou=Users,dc=jboss,dc=org
uid: GroupTwo
# =============================
dn: uid=GroupThree,ou=groups,dc=jboss,dc=org
objectClass: top
objectClass: groupOfUniqueNames
objectClass: uidObject
cn: GroupThree
uid: GroupThree
uniqueMember: uid=GroupOne,ou=groups,dc=jboss,dc=org
# =============================
dn: uid=HTTP,ou=Users,dc=jboss,dc=org
objectClass: inetOrgPerson
objectClass: person
objectClass: top
cn: HTTP
25
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
sn: Service
uid: HTTP
userPassword: httppwd
# =============================
dn: uid=GroupOne,ou=groups,dc=jboss,dc=org
objectClass: top
objectClass: groupOfUniqueNames
objectClass: uidObject
cn: GroupOne
uid: GroupOne
uniqueMember: uid=jduke,ou=Users,dc=jboss,dc=org
uniqueMember: uid=hnelson,ou=Users,dc=jboss,dc=org
/subsystem=security/security-domain=testLdapExtendedExample:add(cache-type=default)
/subsystem=security/security-domain=testLdapExtendedExample/authentication=classic:add
/subsystem=security/security-domain=testLdapExtendedExample/authentication=classic/login-
module=LdapExtended:add(code=LdapExtended, flag=required, module-options=[
("java.naming.factory.initial"=>"com.sun.jndi.ldap.LdapCtxFactory"),
("java.naming.provider.url"=>"ldap://localhost:10389"),
("java.naming.security.authentication"=>"simple"),
("bindDN"=>"uid=ldap,ou=Users,dc=jboss,dc=org"), ("bindCredential"=>"randall"),
("baseCtxDN"=>"ou=Users,dc=jboss,dc=org"), ("baseFilter"=>"(uid={0})"),
("rolesCtxDN"=>"ou=groups,dc=jboss,dc=org"), ("roleFilter"=>"(uniqueMember={1})"),
("roleAttributeID"=>"uid")])
reload
NOTE
The management CLI commands shown assume that you are running a JBoss EAP
standalone server. For more details on using the management CLI for a JBoss EAP
managed domain, see the JBoss EAP Management CLI Guide.
3.1.1.1.1. Configure a Security Domain to use the LdapExtended Login Module for Active Directory
For Microsoft Active Directory, the LdapExtended login module can be used.
The example below represents the configuration for a default Active Directory configuration. Some
Active Directory configurations may require searching against the Global Catalog on port 3268 instead
of the usual port 389. This is most likely when the Active Directory forest includes multiple domains.
Example Configuration for the LdapExtended Login Module for a Default AD Configuration
/subsystem=security/security-domain=AD_Default:add(cache-type=default)
/subsystem=security/security-domain=AD_Default/authentication=classic:add
/subsystem=security/security-domain=AD_Default/authentication=classic/login-
module=LdapExtended:add(code=LdapExtended,flag=required,module-options=[
("java.naming.provider.url"=>"ldap://ldaphost.jboss.org"),("bindDN"=>"JBOSSsearchuser"),
26
CHAPTER 3. LEGACY SECURITY SUBSYSTEM
reload
The example below implements a recursive role search within Active Directory. The key difference
between this example and the default Active Directory example is that the role search has been
replaced to search the member attribute using the DN of the user. The login module then uses the DN
of the role to find groups of which the group is a member.
Example Configuration for the LdapExtended Login Module for a Default AD Configuration
with Recursive Search
/subsystem=security/security-domain=AD_Recursive:add(cache-type=default)
/subsystem=security/security-domain=AD_Recursive/authentication=classic:add
/subsystem=security/security-domain=AD_Recursive/authentication=classic/login-
module=LdapExtended:add(code=LdapExtended,flag=required,module-options=
[("java.naming.provider.url"=>"ldap://ldaphost.jboss.org"), ("java.naming.referral"=>"follow"),
("bindDN"=>"JBOSSsearchuser"), ("bindCredential"=>"password"),
("baseCtxDN"=>"CN=Users,DC=jboss,DC=org"), ("baseFilter"=>"(sAMAccountName={0})"),
("rolesCtxDN"=>"CN=Users,DC=jboss,DC=org"), ("roleFilter"=>"(member={1})"),
("roleAttributeID"=>"cn"), ("roleAttributeIsDN"=>"false"), ("roleRecursion"=>"2"),
("searchScope"=>"ONELEVEL_SCOPE"), ("allowEmptyPasswords"=>"false")])
reload
This works by providing a reference to logical tables containing principals and roles in the expected
format. For example:
Table Principals(PrincipalID text, Password text) Table Roles(PrincipalID text, Role text, RoleGroup
text)
The Principals table associates the user PrincipalID with the valid password, and the Roles table
associates the user PrincipalID with its role sets. The roles used for user permissions must be contained
in rows with a RoleGroup column value of Roles.
The tables are logical in that users can specify the SQL query that the login module uses. The only
requirement is that the java.sql.ResultSet has the same logical structure as the Principals and Roles
27
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
tables described previously. The actual names of the tables and columns are not relevant as the results
are accessed based on the column index.
To clarify this concept, consider a database with two tables, Principals and Roles, as already declared.
The following statements populate the tables with the following data:
PrincipalID java with a role named Echo in the RolesRoleGroup in the Roles table
PrincipalID java with a role named caller-java in the CallerPrincipalRoleGroup in the Roles
table
For a full list of configuration options for the Database login module, see the Database login module
section in the JBoss EAP Login Module Reference.
Before configuring a security domain to use the Database login module, a datasource must be properly
configured.
For more information on creating and configuring datasources in JBoss EAP, see the Datasource
Management section of the JBoss EAP Configuration Guide.
Once a datasource has been properly configured, a security domain can be configured to use the
Database login module. The below example assumes a datasource named MyDatabaseDS has been
created and properly configured with a database that is constructed with the following:
/subsystem=security/security-domain=testDB:add
/subsystem=security/security-domain=testDB/authentication=classic:add
/subsystem=security/security-domain=testDB/authentication=classic/login-
module=Database:add(code=Database,flag=required,module-options=
[("dsJndiName"=>"java:/MyDatabaseDS"),("principalsQuery"=>"select passwd from Users where
username=?"),("rolesQuery"=>"select role, 'Roles' from UserRoles where username=?")])
reload
28
CHAPTER 3. LEGACY SECURITY SUBSYSTEM
password mapping filename is users.properties and the default username-to-roles mapping filename is
roles.properties.
NOTE
This login module supports password stacking, password hashing, and unauthenticated
identity.
The properties files are loaded during initialization using the initialize method thread context class
loader. This means that these files can be placed on the classpath of the Jakarta EE deployment (for
example, into the WEB-INF/classes folder in the WAR archive), or into any directory on the server
classpath.
For a full list of configuration options for the UsersRoles login module, see the UsersRoles login module
section in the JBoss EAP Login Module Reference.
The below example assumes the following files have been created and are available on the application’s
classpath:
sampleapp-users.properties
sampleapp-roles.properties
/subsystem=security/security-domain=sampleapp:add
/subsystem=security/security-domain=sampleapp/authentication=classic:add
/subsystem=security/security-domain=sampleapp/authentication=classic/login-
module=UsersRoles:add(code=UsersRoles,flag=required,module-options=
[("usersProperties"=>"sampleapp-users.properties"),("rolesProperties"=>"sampleapp-
roles.properties")])
reload
IMPORTANT
29
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
IMPORTANT
Before you can configure certificate-based authentication, you need to have Two-Way
SSL/TLS for Applications enabled and configured, which requires X509 certificates
configured for both the JBoss EAP instance as well as any clients accessing the web
application or EJB secured by the security domain.
Once the certificates, truststores, and two-way SSL/TLS are configured, you then can
proceed with configuring a security domain that uses certificate-based authentication,
configuring an application to use that security domain, and configuring your client to use
the client certificate.
The truststore must contain any trusted client certificates used for authentication, or it must contain the
certificate of the certificate authority used to sign the client’s certificate. The login module is used to
authenticate the certificate presented by the client using the configured truststore. The security domain
as a whole also must provide a way to map a role to the principal once it is authenticated. The Certificate
login module itself will not map any role information to the principal, but it may be combined with
another login module to do so. Alternatively, two subclasses of the Certificate login module,
CertificateRoles and DatabaseCertificate, do provide a way to map roles to a principal after it is
authenticated. The below example shows how to configure a security domain with certificate-based
authentication using the CertificateRoles login module.
WARNING
When performing authentication, the security domain will use the same certificate
presented by the client when establishing two-way SSL/TLS. As a result, the client
must use the same certificate for BOTH two-way SSL/TLS and the certificate-
based authentication with the application or EJB.
/subsystem=security/security-domain=cert-roles-domain:add
/subsystem=security/security-domain=cert-roles-domain/jsse=classic:add(truststore=
{password=secret, url="/path/to/server.truststore.jks"}, keystore={password=secret,
url="/path/to/server.keystore.jks"}, client-auth=true)
/subsystem=security/security-domain=cert-roles-domain/authentication=classic:add
/subsystem=security/security-domain=cert-roles-domain/authentication=classic/login-
module=CertificateRoles:add(code=CertificateRoles, flag=required, module-options=[
securityDomain="cert-roles-domain", rolesProperties="${jboss.server.config.dir}/cert-
roles.properties",password-stacking="useFirstPass",
verifier="org.jboss.security.auth.certs.AnyCertVerifier"])
NOTE
30
CHAPTER 3. LEGACY SECURITY SUBSYSTEM
NOTE
The above example uses the CertificateRoles login module to handle authentication and
map roles to authenticated principals. It does so by referencing a properties file using the
rolesProperties attribute. This file lists usernames and roles using the following format:
user1=roleA
user2=roleB,roleC
user3=
Since usernames are presented as the DN from the provided certificate, for example
CN=valid-client, OU=JBoss, O=Red Hat, L=Raleigh, ST=NC, C=US, you have to
escape special characters such as = and spaces when using a properties file:
For jboss-web.xml, add a reference to the security domain you configured for certificate-based
authentication.
Example jboss-web.xml
<jboss-web>
<security-domain>cert-roles-domain</security-domain>
</jboss-web>
For web.xml, set the <auth-method> attribute in <login-config> to CLIENT-CERT. You also need
define <security-constraint> as well as <security-roles>.
Example web.xml
<web-app>
<!-- URL for secured portion of application-->
<security-constraint>
<web-resource-collection>
<web-resource-name>secure</web-resource-name>
<url-pattern>/secure/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>All</role-name>
31
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>cert-roles-domain</realm-name>
</login-config>
</web-app>
Prerequisites
If you are configuring a security domain to use an Infinispan cache, you must first create an
Infinispan cache container named security that contains a default cache that the security
domain will use.
IMPORTANT
You can only define one Infinispan cache configuration for use with security
domains. Although you can have multiple security domains that use an Infinispan
cache, each security domain creates its own cache instance from the one
Infinispan cache configuration.
See the JBoss EAP Configuration Guide for more information on creating a cache container.
You can use either the management console or management CLI to set a security domain’s cache type.
2. Select the security domain from the list and click View.
32
CHAPTER 3. LEGACY SECURITY SUBSYSTEM
3. Click Edit, and for the Cache Type field, select either default or infinspan.
4. Click Save.
/subsystem=security/security-domain=SECURITY_DOMAIN_NAME:write-
attribute(name=cache-type,value=CACHE_TYPE)
For example, to set the other security domain to use an Infinispan cache:
/subsystem=security/security-domain=other:write-attribute(name=cache-
type,value=infinispan)
/subsystem=security/security-domain=SECURITY_DOMAIN_NAME:list-cached-principals
/subsystem=security/security-domain=SECURITY_DOMAIN_NAME:flush-
cache(principal=USERNAME)
To flush all principals from the cache, use the following management CLI command:
/subsystem=security/security-domain=SECURITY_DOMAIN_NAME:flush-cache
2. Select the security domain from the list and click View.
3. Click Edit and select the blank value for the Cache Type.
4. Click Save.
33
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
/subsystem=security/security-domain=SECURITY_DOMAIN_NAME:undefine-
attribute(name=cache-type)
34
CHAPTER 4. APPLICATION CONFIGURATION
<web-app>
<security-constraint>
<web-resource-collection>
<web-resource-name>secure</web-resource-name>
<url-pattern>/secure/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<description>The role that is required to log in to /secure/*</description>
<role-name>Admin</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>exampleApplicationDomain</realm-name>
</login-config>
</web-app>
Example jboss-web.xml
<jboss-web>
<security-domain>exampleApplicationDomain</security-domain>
</jboss-web>
Using jboss-web.xml allows you to configure the security domain for a single application only.
Alternatively, you can specify a default security domain for all applications using the undertow
subsystem. This allows you to omit using jboss-web.xml to configure a security domain for an
individual application.
35
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
/subsystem=undertow:write-attribute(name=default-security-domain,
value="exampleApplicationDomain")
IMPORTANT
NOTE
The security domain for EJBs is defined in the EJB configuration, either in the
ejb3 subsystem, the descriptor for EJBs in the jboss-ejb3.xml file, or by using
the @SecurityDomain annotation.
For more information, see EJB Application Security in the Developing EJB
Applications guide.
To enable the silent BASIC authentication, set the value of auth-method attribute as the following:
<auth-method>BASIC?silent=true</auth-method>
NOTE
36
CHAPTER 4. APPLICATION CONFIGURATION
NOTE
If you have a web servlet defined using one security domain and you are calling EJB from
another EAR module, which uses EJB specific security domain, one of the following might
happen:
If the WAR and the EJB are mapped to different Elytron security domains, you
need to configure the outflow or the trusted security domains so that their
identities propagate from one deployment domain to the next one. Unless this is
done, once the call reaches the EJB, the identity becomes anonymous. For more
information on how to configure security identities for authentication, see
Configuring Trusted Security Domain Outflows .
If the WAR and the EJB references different security domain names but they are
mapped to the same Elytron security domain, their identity will propagate
without requiring any additional steps.
When migrating, it is best to migrate the entire application. Migrating the EJB and WAR
separately and using both elytron and legacy security subsystems in parallel is not
suggested. For more information on how to migrate your application to use Elytron, see
Migrating to Elytron in the JBoss EAP Migration Guide.
Authentication Configuration
The authentication configuration contains authentication information such as usernames, passwords,
allowed SASL mechanisms, as well as which security realm to use during digest authentication. The
connection information specified in the authentication configuration overrides any values that are
specified in the PROVIDER_URL of the initial context.
MatchRule
A rule used for deciding which authentication configuration to use.
Authentication Context
A set of rules and authentication configurations to use with a client for establishing a connection.
When a connection is established, the client makes use of an authentication context. This authentication
context contains rules to choose which authentication configuration to use for each outbound
connection. For example, you could have rules that use one authentication configuration when
connecting to server1 and another authentication configuration when connecting with server2. The
authentication context is comprised of a set of authentication configurations and a set of rules that
define how they are selected when establishing a connection. An authentication context can also
reference ssl-context and can be matched with rules.
37
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
When you establish your connection, Elytron Client will use the set of rules provided by the
authentication context to match the correct authentication configuration to use during authentication.
You can use one of the following approaches to use security information when establishing a client
connection.
IMPORTANT
When using Elytron Client to make EJB calls, any hard-coded programmatic
authentication information, such as setting Context.SECURITY_PRINCIPAL in the
javax.naming.InitialContext, will override the Elytron Client configuration.
Example: custom-config.xml
<configuration>
<authentication-client xmlns="urn:elytron:client:1.2">
<authentication-rules>
<rule use-configuration="monitor">
<match-host name="127.0.0.1" />
</rule>
<rule use-configuration="administrator">
<match-host name="localhost" />
</rule>
</authentication-rules>
<authentication-configurations>
<configuration name="monitor">
<sasl-mechanism-selector selector="DIGEST-MD5" />
<providers>
<use-service-loader />
</providers>
<set-user-name name="monitor" />
<credentials>
<clear-password password="password1!" />
</credentials>
<set-mechanism-realm name="ManagementRealm" />
</configuration>
<configuration name="administrator">
<sasl-mechanism-selector selector="DIGEST-MD5" />
<providers>
<use-service-loader />
</providers>
<set-user-name name="administrator" />
<credentials>
<clear-password password="password1!" />
</credentials>
<set-mechanism-realm name="ManagementRealm" />
</configuration>
38
CHAPTER 4. APPLICATION CONFIGURATION
</authentication-configurations>
</authentication-client>
</configuration>
You can then reference that file in your client’s code by setting a system property when running your
client.
IMPORTANT
If you use the programmatic approach, it will override any provided configuration files
even if the wildfly.config.url system property is set.
When creating rules, you can look for matches on various parameters, such as hostname, port, protocol,
or user-name. A full list of options for MatchRule are available in the Javadocs. Rules are evaluated in
the order in which they are configured.
When no match settings are included in a rule, then the whole rule matches and the authentication
configuration is chosen. If more than one match setting is included in a rule, then all must match for the
authentication configuration to be chosen.
Attribute Description
39
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
Attribute Description
An example wildfly-config.xml file can be found in Example wildfly-config.xml. For more information
about how to configure the wildfly-config.xml file, see Client Configuration Using the wildfly-
config.xml File in the Development Guide for JBoss EAP.
40
CHAPTER 4. APPLICATION CONFIGURATION
AuthenticationConfiguration administrator =
commonConfig
.useName("administrator")
.usePassword("password1!");
AuthenticationConfiguration monitor =
commonConfig
.useName("monitor")
.usePassword("password1!");
Rule Description
matchPurpose(String purpose) Create a new rule which is the same as this rule, but also matches
the given purpose name.
Also, instead of starting with an empty authentication configuration, you can start with the currently
configured one by using captureCurrent().
Using captureCurrent() will capture any previously established authentication context and use it as your
41
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
Using captureCurrent() will capture any previously established authentication context and use it as your
new base configuration. An authentication context is established once it has been activated by calling
run(). If captureCurrent() is called and no context is currently active, it will try and use the default
authentication if available. You can find more details about this in the following sections:
When creating an authentication context, using the context.with(…) will create a new context that
merges the rules and authentication configuration from the current context with the provided rule and
authentication configuration. The provided rule and authentication configuration will appear after the
ones in the current context.
To provide a default configuration, Elytron Client tries to auto-discover a wildfly-config.xml file on the
filesystem. It looks in the following locations:
The location specified by the wildfly.config.url system property set outside of the client code.
You can use the following example as the basic configuration for your client wildfly-config.xml file.
42
CHAPTER 4. APPLICATION CONFIGURATION
Basic wildfly-config.xml
<configuration>
<authentication-client xmlns="urn:elytron:client:1.2">
<authentication-rules>
<rule use-configuration="default" />
</authentication-rules>
<authentication-configurations>
<configuration name="default">
<sasl-mechanism-selector selector="#ALL" />
<set-mechanism-properties>
<property key="wildfly.sasl.local-user.quiet-auth" value="true" />
</set-mechanism-properties>
<providers>
<use-service-loader/>
</providers>
</configuration>
</authentication-configurations>
</authentication-client>
</configuration>
NOTE
/subsystem=elytron/authentication-context=AUTH_CONTEXT:add
/subsystem=elytron:write-attribute(name=default-authentication-context,value=AUTH_CONTEXT)
To load a configuration file outside of the deployment, you can use the
parseAuthenticationClientConfiguration(URI) method. This method returns an
AuthenticationContext that you can then use in your client code using the programmatic approach.
Additionally, clients will also automatically parse and create an AuthenticationContext from the client
configuration provided by the elytron subsystem. The client configuration in the elytron subsystem can
also take advantage of other components defined in the elytron subsystem, such as credential stores. If
the client configuration is provided by both the deployment and the elytron subsystem, the elytron
subsystem’s configuration is used.
NOTE
43
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
NOTE
The AuthenticationContext from the elytron subsystem can only be used when this
authentication-context is set as the default for the elytron subsystem.
-Dwildfly.config.url=path/to/wildfly-config.xml
NOTE
When using JConsole, the -Dwildfly.config.url system property must be prefixed with -J,
for example:
-J-Dwildfly.config.url=path/to/wildfly-config.xml
For more information, see Client Configuration Using the wildfly-config.xml File in the JBoss EAP
Development Guide.
WARNING
Security identity propagation does not work for calls to protected servlets
due to Java 8 design limitations.
JBoss EAP 7.1 introduced the ElytronAuthenticator class, which uses the current security context to
perform the authentication. The org.wildfly.security.auth.util.ElytronAuthenticator class is an
implementation of java.net.Authenticator.
The following is an example of client code that creates and uses the ElytronAuthenticator class to
44
CHAPTER 4. APPLICATION CONFIGURATION
The following is an example of client code that creates and uses the ElytronAuthenticator class to
propagate an identity to the server.
Within the application server, there can be multiple SecurityDomain instances for a single invocation or
thread. Each SecurityDomain instance can be associated with a different SecurityIdentity. The correct
security identity is returned when you call that security domain’s getCurrentSecurityIdentity() method.
Deployments can invoke other deployments during request handling. Each deployment is associated
with a single security domain. If the invoked deployments use the same security domain, then the notion
of a single security domain with a current security identity remains. However, each deployment can
reference its own security domain.
It is possible to import a security identity that is associated with a security domain into another security
domain, as described in the next section.
If the identity is successfully mapped but there is no common security realm, the security domain
45
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
If the identity is successfully mapped but there is no common security realm, the security domain
handling the import is tested to see if it trusts the original security domain. If it does, the import is
accepted.
NOTE
The identity must exist in the security domain handling the import. The security identity is
never trusted in its entirety.
Outflow
A security domain can be configured to automatically outflow its security identities to a different
security domain.
In the security domain, if the security identity is established and used for the current invocation, the list
of outflow security domains is iterated and the security identity is imported for each of them.
This model is more appropriate where multiple invocations to a deployment using a different security
domain are likely to occur, for example, when a web application calls five different EJBs using a common
security domain.
46
CHAPTER 5. SECURING THE MANAGEMENT INTERFACES WITH LDAP
NOTE
Securing the management interfaces with LDAP changes the authentication from digest
to BASIC/Plain, which by default, will cause usernames and passwords to be sent
unencrypted over the network. SSL/TLS can be enabled on the outbound connection to
encrypt this traffic and avoid sending this information in the clear.
IMPORTANT
In cases where a legacy security realm uses an LDAP server to perform authentication,
such as securing the management interfaces using LDAP, JBoss EAP will return a 500, or
internal server error, error code if that LDAP server is unreachable. This behavior differs
from previous versions of JBoss EAP which returned a 401, or unauthorized, error code
under the same conditions.
NOTE
If the JBoss EAP server does not have permissions to read the password, such as when an
Active Directory LDAP server is used, it is necessary to set direct-verification to true on
the defined LDAP realm. This attribute allows verification to be directly performed on the
LDAP server instead of the JBoss EAP server.
/subsystem=elytron/dir-
context=exampleDC:add(url="ldap://127.0.0.1:10389",principal="uid=admin,ou=system",credential-
reference={clear-text="secret"})
/subsystem=elytron/ldap-realm=exampleLR:add(dir-context=exampleDC,identity-mapping={search-
base-dn="ou=Users,dc=wildfly,dc=org",rdn-identifier="uid",user-password-mapper=
{from="userPassword"},attribute-mapping=[{filter-base-dn="ou=Roles,dc=wildfly,dc=org",filter="(&
(objectClass=groupOfNames)(member={0}))",from="cn",to="Roles"}]})
/subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=Roles)
47
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
/subsystem=elytron/security-domain=exampleLdapSD:add(realms=[{realm=exampleLR,role-
decoder=from-roles-attribute}],default-realm=exampleLR,permission-mapper=default-permission-
mapper)
/subsystem=elytron/http-authentication-factory=example-ldap-http-auth:add(http-server-mechanism-
factory=global,security-domain=exampleLdapSD,mechanism-configurations=[{mechanism-
name=BASIC,mechanism-realm-configurations=[{realm-name=exampleApplicationDomain}]}])
/core-service=management/management-interface=http-interface:write-attribute(name=http-
authentication-factory, value=example-ldap-http-auth)
reload
5.1.1. Using Elytron for Two-way SSL/TLS for the Outbound LDAP Connection
When using LDAP to secure the management interfaces, you can configure the outbound LDAP
connection to use two-way SSL/TLS. To do this, create an ssl-context and add it to the dir-context
used by your ldap-realm. Creating a two-way SSL/TLS ssl-context is covered in the Enable Two-way
SSL/TLS for Applications using the Elytron Subsystem section of How to Configure Server Security .
WARNING
Red Hat recommends that SSLv2, SSLv3, and TLSv1.0 be explicitly disabled in favor
of TLSv1.1 or TLSv1.2 in all affected packages.
48
CHAPTER 5. SECURING THE MANAGEMENT INTERFACES WITH LDAP
clear-text - Instead of
referencing a credential store,
this attribute can be used to
specify a clear text password.
49
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
NOTE
50
CHAPTER 5. SECURING THE MANAGEMENT INTERFACES WITH LDAP
NOTE
search-dn and search-credential are different from the username and password
provided by the user. The information provided here is specifically for
establishing an initial connection between the JBoss EAP instance and the LDAP
server. This connection allows JBoss EAP to perform a subsequent search for the
DN of the user trying to authenticate. The DN of the user, which is a result of the
search, that is trying to authenticate and the password they provided are used to
establish a separate second connection for completing the authentication
process.
Given the following example LDAP server, below are the management CLI commands for
configuring an outbound LDAP connection:
Attribute Value
url 127.0.0.1:389
search-credential myPass
search-dn cn=search,dc=acme,dc=com
/core-service=management/ldap-connection=ldap-connection/:add(search-
credential=myPass,url=ldap://127.0.0.1:389,search-dn="cn=search,dc=acme,dc=com")
reload
NOTE
This creates an unencrypted connection between the JBoss EAP instance and
the LDAP server. For more details on setting up an encrypted connection using
SSL/TLS, see Using SSL/TLS for the Outbound LDAP Connection .
Attribute Description
51
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
Attribute Description
user-dn The attribute of the user that holds the DN. This
is subsequently used to test authentication as
the user can complete. Defaults to dn.
WARNING
It is important to ensure that empty LDAP passwords are not allowed since
it is a serious security concern. Unless this behavior is specifically desired in
the environment, ensure empty passwords are not allowed and allow-
empty-passwords remains false.
Below are the management CLI commands for configuring an LDAP-enabled security realm
using the ldap-connection outbound LDAP connection.
/core-service=management/security-realm=ldap-security-realm:add
/core-service=management/security-realm=ldap-security-
realm/authentication=ldap:add(connection="ldap-connection", base-
52
CHAPTER 5. SECURING THE MANAGEMENT INTERFACES WITH LDAP
dn="cn=users,dc=acme,dc=com",username-attribute="sambaAccountName")
reload
3. Reference the new security realm in the management interface. Once a security realm has been
created and is using the outbound LDAP connection, that new security realm must be
referenced by the management interfaces.
/core-service=management/management-interface=http-interface/:write-
attribute(name=security-realm,value="ldap-security-realm")
NOTE
The management CLI commands shown assume that you are running a JBoss
EAP standalone server. For more details on using the management CLI for a
JBoss EAP managed domain, see the JBoss EAP Management CLI Guide.
WARNING
Red Hat recommends that SSLv2, SSLv3, and TLSv1.0 be explicitly disabled in favor
of TLSv1.1 or TLSv1.2 in all affected packages.
2. Create an outbound LDAP connection with the SSL/TLS URL and security realm.
Similar to the process defined in Using Legacy Core Management Authentication , an outbound
LDAP connection should be created, but using the SSL/TLS URL for the LDAP server and the
SSL/TLS security realm.
Once the outbound LDAP connection and SSL/TLS security realm for the LDAP server have
been created, the outbound LDAP connection needs to be updated with that information.
Example CLI for Adding the Outbound Connection with an SSL/TLS URL
/core-service=management/ldap-connection=ldap-connection/:add(search-
credential=myPass, url=ldaps://LDAP_HOST:LDAP_PORT, search-
dn="cn=search,dc=acme,dc=com")
53
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
/core-service=management/ldap-connection=ldap-connection:write-attribute(name=security-
realm,value="CertificateRealm")
reload
3. Create a new security realm that uses the outbound LDAP connection for use by the
management interfaces.
Follow the steps Create a new LDAP-Enabled Security Realm and Reference the new security
realm in the Management Interface from the procedure in Using Legacy Core Management
Authentication.
NOTE
The management CLI commands shown assume that you are running a JBoss
EAP standalone server. For more details on using the management CLI for a
JBoss EAP managed domain, see the JBoss EAP Management CLI Guide.
RBAC is used only for authorization, with authentication being handled separately. Since LDAP can be
used for authentication as well as authorization, JBoss EAP can be configured in the following ways:
Use RBAC for authorization only, and use LDAP, or another mechanism, only for authentication.
Use RBAC combined with LDAP for making authorization decisions in the management
interfaces.
For more details on using just RBAC as an authorization mechanism for the management interfaces, see
How to Configure Server Security for JBoss EAP. For more details on configuring LDAP for
authentication with the management interfaces, see the previous section.
An LDAP directory contains entries for user accounts and groups, cross referenced by attributes.
54
CHAPTER 5. SECURING THE MANAGEMENT INTERFACES WITH LDAP
An LDAP directory contains entries for user accounts and groups, cross referenced by attributes.
Depending on the LDAP server configuration, a user entity can map the groups the user belongs to
through memberOf attributes; a group entity can map which users belong to it through uniqueMember
attributes; or a combination of the two. Once a user is successfully authenticated to the LDAP server, a
group search is performed to load that user’s group information. Depending on the directory server in
use, group searches can be performed using their SN, which is usually the username used in
authentication, or by using the DN of the user’s entry in the directory. Group searches (group-search)
as well as mapping between a username and a distinguished name (username-to-dn) are configured
when setting up LDAP as an authorization mechanism in a security realm.
Once a user’s group membership information is determined from the LDAP server, a mapping within the
RBAC configuration is used to determine what roles a user has. This mapping is configured to explicitly
include or exclude groups as well as individual users.
NOTE
The authentication step of a user connecting to the server always happens first. Once the
user is successfully authenticated the server loads the user’s groups. The authentication
step and the authorization step each require a connection to the LDAP server. The
security realm optimizes this process by reusing the authentication connection for the
group loading step.
There are two different styles that can be used when searching for group membership information:
Principal to Group and Group to Principal. Principal to Group has the user’s entry containing references
to the groups it is a member of, using the memberOf attribute. Group to Principal has the group’s entry
contain the references to the users who are members of it, using the uniqueMember attribute.
NOTE
JBoss EAP supports both Principal to Group as well as Group to Principal searches, but
Principal to Group is recommended over Group to Principal. If Principal to Group is used,
group information can be loaded directly by reading attributes of known distinguished
names without having to perform any searches. Group to Principal requires extensive
searches to identify the all groups that reference a user.
Both Principal to Group and Group to Principal use group-search which contains the following
attributes:
Attribute Description
55
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
Attribute Description
NOTE
Cyclic group membership is not a problem. A record of each search is kept to prevent
groups that have already been searched from being searched again.
IMPORTANT
For iterative searching to work, the group entries need to look the same as user entries.
The same approach used to identify the groups a user is a member of is then used to
identify the groups of which the group is a member. This would not be possible if, for
group to group membership, the name of the attribute used for the cross reference
changes, or if the direction of the reference changes.
To use this type of searching, the principal-to-group element is added to the group-search element:
/core-service=management/security-realm=ldap-security-realm:add
batch
/core-service=management/security-realm=ldap-security-
realm/authorization=ldap:add(connection=ldap-connection)
/core-service=management/security-realm=ldap-security-realm/authorization=ldap/group-
search=principal-to-group:add(group-attribute="memberOf",iterative=true,group-dn-attribute="dn",
group-name="SIMPLE",group-name-attribute="cn")
run-batch
56
CHAPTER 5. SECURING THE MANAGEMENT INTERFACES WITH LDAP
IMPORTANT
The above example assumes you already have ldap-connection defined. You also need
to configure the authentication mechanism which is covered earlier in this section .
Notice that the group-attribute attribute is used with the group-search=principal-to-group. For
reference:
Attribute Description
To use this type of searching, the group-to-principal element is added to the group-search element:
/core-service=management/security-realm=ldap-security-realm:add
batch
/core-service=management/security-realm=ldap-security-
realm/authorization=ldap:add(connection=ldap-connection)
/core-service=management/security-realm=ldap-security-realm/authorization=ldap/group-
search=group-to-principal:add(iterative=true, group-dn-attribute="dn", group-name="SIMPLE", group-
name-attribute="uid", base-dn="ou=groups,dc=group-to-principal,dc=example,dc=org", principal-
attribute="uniqueMember", search-by="DISTINGUISHED_NAME")
run-batch
IMPORTANT
57
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
IMPORTANT
The above example assumes you already have ldap-connection defined. You also need
to configure the authentication mechanism which is covered earlier in this section .
For reference:
Attribute Description
Attribute Description
It is possible to define rules within the authorization section to convert a user’s simple user name to their
distinguished name. The username-to-dn element specifies how to map the user name to the
distinguished name of their entry in the LDAP directory. This element is optional and only required when
both of the following are true:
The authentication and authorization steps are against different LDAP servers.
NOTE
58
CHAPTER 5. SECURING THE MANAGEMENT INTERFACES WITH LDAP
NOTE
This could also be applicable in instances where the security realm supports both LDAP
and Kerberos authentication and a conversion is needed for Kerberos, if LDAP
authentication has been performed the DN discovered during authentication can be
used.
Attribute Description
username-is-dn
This specifies that the user name entered by the remote user is the user’s distinguished name.
username-is-dn Example
/core-service=management/security-realm=ldap-security-realm:add
batch
/core-service=management/security-realm=ldap-security-
realm/authorization=ldap:add(connection=ldap-connection)
/core-service=management/security-realm=ldap-security-realm/authorization=ldap/group-
search=group-to-principal:add(iterative=true, group-dn-attribute="dn", group-name="SIMPLE",
group-name-attribute="uid", base-dn="ou=groups,dc=group-to-principal,dc=example,dc=org",
principal-attribute="uniqueMember", search-by="DISTINGUISHED_NAME")
/core-service=management/security-realm=ldap-security-realm/authorization=ldap/username-to-
dn=username-is-dn:add(force=false)
run-batch
username-filter
A specified attribute is searched for a match against the supplied user name.
username-filter Example
/core-service=management/security-realm=ldap-security-realm:add
59
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
batch
/core-service=management/security-realm=ldap-security-
realm/authorization=ldap:add(connection=ldap-connection)
/core-service=management/security-realm=ldap-security-realm/authorization=ldap/group-
search=group-to-principal:add(iterative=true, group-dn-attribute="dn", group-name="SIMPLE",
group-name-attribute="uid", base-dn="ou=groups,dc=group-to-principal,dc=example,dc=org",
principal-attribute="uniqueMember", search-by="DISTINGUISHED_NAME")
/core-service=management/security-realm=ldap-security-realm/authorization=ldap/username-to-
dn=username-filter:add(force=false, base-dn="dc=people,dc=harold,dc=example,dc=com",
recursive="false", attribute="sn", user-dn-attribute="dn")
run-batch
Attribute Description
advanced-filter
This option uses a custom filter to locate the user’s distinguished name.
advanced-filter Example
/core-service=management/security-realm=ldap-security-realm:add
batch
/core-service=management/security-realm=ldap-security-
realm/authorization=ldap:add(connection=ldap-connection)
/core-service=management/security-realm=ldap-security-realm/authorization=ldap/group-
search=group-to-principal:add(iterative=true, group-dn-attribute="dn", group-name="SIMPLE",
group-name-attribute="uid", base-dn="ou=groups,dc=group-to-principal,dc=example,dc=org",
principal-attribute="uniqueMember", search-by="DISTINGUISHED_NAME")
/core-service=management/security-realm=ldap-security-realm/authorization=ldap/username-to-
dn=advanced-filter:add(force=true, base-dn="dc=people,dc=harold,dc=example,dc=com",
60
CHAPTER 5. SECURING THE MANAGEMENT INTERFACES WITH LDAP
recursive="false", user-dn-attribute="dn",filter="sAMAccountName={0}")
run-batch
For the attributes that match those in the username-filter example, the meaning and default values
are the same. There is one additional attribute:
Attribute Description
IMPORTANT
This must remain valid after the filter is defined so if any special characters are used
(such as &) ensure the proper form is used. For example & for the & character.
Once the connection to the LDAP server has been created and the group searching has been properly
configured, a mapping needs to be created between the LDAP groups and RBAC roles. This mapping
can be both inclusive as well as exclusive, and enables users to be automatically assigned one or more
roles based on their group membership.
WARNING
If RBAC is not already configured, pay close attention when doing so, especially if
switching to a newly-created LDAP-enabled realm. Enabling RBAC without having
users and roles properly configured could result in administrators being unable to
login to the JBoss EAP management interfaces.
NOTE
The management CLI commands shown assume that you are running a JBoss EAP
standalone server. For more details on using the management CLI for a JBoss EAP
managed domain, see the JBoss EAP Management CLI Guide.
/core-service=management/access=authorization:read-attribute(name=provider)
61
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
For more information on enabling and configuring RBAC, see Enabling Role-Based Access Control in
How to Configure Server Security for JBoss EAP.
/core-service=management/access=authorization:read-children-names(child-type=role-mapping)
{
"outcome" => "success",
"result" =>
[ "Administrator", "Deployer", "Maintainer", "Monitor", "Operator", "SuperUser" ]
}
/core-service=management/access=authorization/role-mapping=Administrator:read-
resource(recursive=true)
{
"outcome" => "success",
"result" =>
{
"include-all" => false,
"exclude" => undefined,
"include" => {
"user-theboss" => {
"name" => "theboss",
"realm" => undefined,
"type" => "USER"
},
"user-harold" => {
"name" => "harold",
"realm" => undefined,
"type" => "USER"
},
"group-SysOps" => {
"name" => "SysOps",
"realm" => undefined,
"type" => "GROUP"
}
}
}
}
62
CHAPTER 5. SECURING THE MANAGEMENT INTERFACES WITH LDAP
/core-service=management/access=authorization/role-mapping=Auditor:read-resource()
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0216: Management resource '[ (\"core-service\" =>
\"management\"), (\"access\" => \"authorization\"), (\"role-mapping\" => \"Auditor\") ]' not found"
}
/core-service=management/access=authorization/role-mapping=Auditor:add()
{
"outcome" => "success"
}
To verify:
/core-service=management/access=authorization/role-mapping=Auditor:read-resource()
{
"outcome" => "success",
"result" => {
"include-all" => false,
"exclude" => undefined,
"include" => undefined
}
}
NOTE
/core-service=management/access=authorization/role-mapping=Auditor/include=group-
GroupToInclude:add(name=GroupToInclude, type=GROUP)
/core-service=management/access=authorization/role-mapping=Auditor/exclude=group-
GroupToExclude:add(name=GroupToExclude, type=GROUP)
/core-service=management/access=authorization/role-mapping=Auditor:read-
resource(recursive=true)
63
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
{
"outcome" => "success",
"result" => {
"include-all" => false,
"exclude" => {
"group-GroupToExclude" => {
"name" => "GroupToExclude",
"realm" => undefined,
"type" => "GROUP"
}
},
"include" => {
"group-GroupToInclude" => {
"name" => "GroupToInclude",
"realm" => undefined,
"type" => "GROUP"
}
}
}
}
/core-service=management/access=authorization/role-mapping=Auditor/include=group-
GroupToInclude:remove
/core-service=management/access=authorization/role-mapping=Auditor/exclude=group-
GroupToExclude:remove
authentication
group-to-principal
username-to-dn
64
CHAPTER 5. SECURING THE MANAGEMENT INTERFACES WITH LDAP
Attribute Description
type This defines the eviction strategy that the cache will
adhere to. Options are by-access-time and by-
search-time. by-access-time evicts items from the
cache after a certain period of time has elapsed since
their last access. by-search-time evicts items based
on how long they have been in the cache regardless
of their last access.
eviction-time This defines the time (in seconds) used for evictions
depending on the strategy.
5.4.2. Example
NOTE
This example assumes a security realm, named LDAPRealm, has been created. It
connects to an existing LDAP server and is configured for authentication and
authorization. The commands to display the current configuration are detailed in Reading
the Current Cache Configuration. More details on creating a security realm that uses
LDAP can be found in Using Legacy Core Management Authentication .
"core-service" : {
"management" : {
"security-realm" : {
"LDAPRealm" : {
"authentication" : {
"ldap" : {
"allow-empty-passwords" : false,
"base-dn" : "...",
"connection" : "MyLdapConnection",
"recursive" : false,
65
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
"user-dn" : "dn",
"username-attribute" : "uid",
"cache" : null
}
},
"authorization" : {
"ldap" : {
"connection" : "MyLdapConnection",
"group-search" : {
"group-to-principal" : {
"base-dn" : "...",
"group-dn-attribute" : "dn",
"group-name" : "SIMPLE",
"group-name-attribute" : "uid",
"iterative" : true,
"principal-attribute" : "uniqueMember",
"search-by" : "DISTINGUISHED_NAME",
"cache" : null
}
},
"username-to-dn" : {
"username-filter" : {
"attribute" : "uid",
"base-dn" : "...",
"force" : false,
"recursive" : false,
"user-dn-attribute" : "dn",
"cache" : null
}
}
}
},
}
}
}
}
Authentication
During authentication, the user’s distinguished name is discovered using this definition and an
attempt to connect to the LDAP server and verify their identity is made using these credentials.
A group-search definition
There is the group search definition. In this case it is an iterative search because iterative is set to
true in the sample configuration above. First, a search will be performed to find all groups the user is
a direct member of. After that, a search will be performed for each of those groups to identify if they
have membership to other groups. This process continues until either a cyclic reference is detected
or the final groups are not members of any further groups.
A username-to-dn definition in group search
Group searching relies on the availability of the user’s distinguished name. This section is not used in
all situations, but it can be used as a second attempt to discover a user’s distinguished name. This can
be useful, or even required, when a second form of authentication is supported, for example local
authentication.
66
CHAPTER 5. SECURING THE MANAGEMENT INTERFACES WITH LDAP
NOTE
The CLI commands used in this and subsequent sections use LDAPRealm for the name
of the security realm. This should be substituted for the name of the actual realm being
configured.
/core-service=management/security-realm=LDAPRealm:read-resource(recursive=true)
Output
{
"outcome" => "success",
"result" => {
"map-groups-to-roles" => true,
"authentication" => {
"ldap" => {
"advanced-filter" => undefined,
"allow-empty-passwords" => false,
"base-dn" => "dc=example,dc=com",
"connection" => "ldapConnection",
"recursive" => true,
"user-dn" => "dn",
"username-attribute" => "uid",
"cache" => undefined
}
},
"authorization" => {
"ldap" => {
"connection" => "ldapConnection",
"group-search" => {
"principal-to-group" => {
"group-attribute" => "description",
"group-dn-attribute" => "dn",
"group-name" => "SIMPLE",
"group-name-attribute" => "cn",
"iterative" => false,
"prefer-original-connection" => true,
"skip-missing-groups" => false,
"cache" => undefined
}
},
"username-to-dn" => {
"username-filter" => {
"attribute" => "uid",
"base-dn" => "ou=Users,dc=jboss,dc=org",
"force" => true,
"recursive" => false,
"user-dn-attribute" => "dn",
"cache" => undefined
}
67
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
}
}
},
"plug-in" => undefined,
"server-identity" => undefined
}
}
NOTE
The management CLI commands used in this and subsequent sections configure the
cache in the authentication section of the security realm, in other words
authentication=ldap/. Caches in the authorization section can also be configured in a
similar manner by updating the path of the command.
/core-service=management/security-realm=LDAPRealm/authentication=ldap/cache=by-access-
time:add(eviction-time=300, cache-failures=true, max-cache-size=100)
This commands adds a by-access-time cache for authentication with an eviction time of 300 seconds
(5 minutes) and a maximum cache size of 100 items. In addition, failed searches will be cached.
Alternatively, a by-search-time cache could also be configured:
/core-service=management/security-realm=LDAPRealm/authentication=ldap/cache=by-search-
time:add(eviction-time=300, cache-failures=true, max-cache-size=100)
/core-service=management/security-realm=LDAPRealm/authentication=ldap/cache=by-access-
time:read-resource(include-runtime=true)
{
"outcome" => "success",
"result" => {
"cache-failures" => true,
"cache-size" => 1,
"eviction-time" => 300,
"max-cache-size" => 100
}
}
The include-runtime attribute adds cache-size, which displays the current number of items in the
cache. It is 1 in the above output.
68
CHAPTER 5. SECURING THE MANAGEMENT INTERFACES WITH LDAP
/core-service=management/security-realm=LDAPRealm/authentication=ldap/cache=by-access-
time:contains(name=TestUserOne)
{
"outcome" => "success",
"result" => true
}
This shows that an entry for TestUserOne exists the in the cache.
You can flushing a single item from a cache, or flush the entire cache.
/core-service=management/security-realm=LDAPRealm/authentication=ldap/cache=by-access-
time:flush-cache(name=TestUserOne)
/core-service=management/security-realm=LDAPRealm/authentication=ldap/cache=by-access-
time:flush-cache()
/core-service=management/security-realm=LDAPRealm/authentication=ldap/cache=by-access-
time:remove()
reload
69
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
To add a security mapping to an existing security domain, a code, type, and relevant module options
must be configured. The code field is the short name, for example SimpleRoles, PropertiesRoles,
DatabaseRoles, or class name of the security mapping module. The type field refers to the type of
mapping this module performs, and the allowed values are principal, role, attribute, or credential. For a
full list of the available security mapping modules and their module options, see the Security Mapping
Modules section of the JBoss EAP Login Module Reference.
/subsystem=security/security-domain=sampleapp/mapping=classic:add
/subsystem=security/security-domain=sampleapp/mapping=classic/mapping-
module=SimpleRoles:add(code=SimpleRoles,type=role,module-options=[("user1"=>"specialRole")])
reload
70
CHAPTER 7. STANDALONE SERVER VS. MANAGED DOMAIN CONSIDERATIONS
71
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
Example: custom-config.xml
<configuration>
<authentication-client xmlns="urn:elytron:client:1.2">
<authentication-rules>
<rule use-configuration="monitor">
<match-host name="127.0.0.1" />
</rule>
<rule use-configuration="administrator">
<match-host name="localhost" />
</rule>
</authentication-rules>
<authentication-configurations>
<configuration name="monitor">
<sasl-mechanism-selector selector="DIGEST-MD5" />
<providers>
<use-service-loader />
</providers>
<set-user-name name="monitor" />
<credentials>
<clear-password password="password1!" />
</credentials>
<set-mechanism-realm name="ManagementRealm" />
</configuration>
<configuration name="administrator">
<sasl-mechanism-selector selector="DIGEST-MD5" />
<providers>
<use-service-loader />
</providers>
<set-user-name name="administrator" />
<credentials>
<clear-password password="password1!" />
</credentials>
<set-mechanism-realm name="ManagementRealm" />
</configuration>
</authentication-configurations>
<net-authenticator/>
72
APPENDIX A. REFERENCE MATERIAL
<default-ssl-context name="mycorp-context"/>
<ssl-context name="mycorp-context">
<key-store-ssl-certificate key-store-name="store1" alias="mycorp-client-certificate"/>
<!-- This is an OpenSSL-style cipher suite selection string; this example is the expanded form of
DEFAULT to illustrate the format -->
<cipher-suite selector="ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2"/>
<protocol names="TLSv1.2"/>
</ssl-context>
</ssl-contexts>
</authentication-client>
</configuration>
For more information about how to configure clients using the wildfly-config.xml file, see Client
Configuration Using the wildfly-config.xml File in the Development Guide for JBoss EAP.
Attribute Description
key-alias The alias of the private key entry used for signing and verifying
back-channel logout connection.
73
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
Attribute Description
Clear text
Simple digest
bcrypt
SCRAM
Modular crypt
NOTE
clear-password- No encryption.
password-index
mapper
The index of the column containing the clear
text password.
74
APPENDIX A. REFERENCE MATERIAL
algorithm
The hashing algorithm used. The following
values are supported:
simple-digest-md2
simple-digest-md5
simple-digest-sha-1
simple-digest-sha-256
simple-digest-sha-384
simple-digest-sha-512
hash-encoding
Specify the representation hash. Permitted
values:
base64 (default)
hex
75
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
algorithm
The hashing algorithm used. The following
values are supported:
password-salt-digest-md5
password-salt-digest-sha-1
password-salt-digest-sha-256
password-salt-digest-sha-384
password-salt-digest-sha-512
salt-password-digest-md5
salt-password-digest-sha-1
salt-password-digest-sha-256
salt-password-digest-sha-384
salt-password-digest-sha-512
salt-index
Index of the column containing the salt used
for hashing.
hash-encoding
Specify the representation for the hash.
Permitted values:
base64 (default)
hex
salt-encoding
Specify the representation for the salt.
Permitted values:
base64 (default)
hex
76
APPENDIX A. REFERENCE MATERIAL
salt-index
Index of the column containing the salt used
for hashing.
iteration-count-index
Index of the column containing the number
of iterations used.
hash-encoding
Specify the representation for the hash.
Permitted values:
base64 (default)
hex
salt-encoding
Specify the representation for the salt.
Permitted values:
base64 (default)
hex
77
Red Hat JBoss Enterprise Application Platform 7.3 How to Configure Identity Management
scram-sha-1
scram-sha-256
scram-sha-384
scram-sha-512
salt-index
Index of the column containing the salt is
used for hashing.
iteration-count-index
Index of the column containing the number
of iterations used.
hash-encoding
Specify the representation for the hash.
Permitted values:
base64 (default)
hex
salt-encoding
Specify the representation for the salt.
Permitted values:
base64 (default)
hex
78
APPENDIX A. REFERENCE MATERIAL
79