JAAS login configuration on JBoss
See also DynamicLoginConfig
The default jboss-service configuration (conf/jboss-service.xml) sets up the following security related MBeans:
<mbean code="org.jboss.security.plugins.SecurityConfig"
       name="jboss.security:service=SecurityConfig">
  <attribute name="LoginConfig">jboss.security:service=XMLLoginConfig</attribute>
</mbean>

<mbean code="org.jboss.security.auth.login.XMLLoginConfig"
       name="jboss.security:service=XMLLoginConfig">
  <attribute name="ConfigResource">login-config.xml</attribute>
</mbean>

<!-- JAAS security manager and realm mapping -->
<mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
       name="jboss.security:service=JaasSecurityManager">
  <attribute name="SecurityManagerClassName">
    org.jboss.security.plugins.JaasSecurityManager
  </attribute>
</mbean>
This sets up the security config service (jboss.security:service=SecurityConfig), which delegates management of the login configuration to a second service (jboss.security:service=XMLLoginConfig) defined next to it.
The login config service loads a base set of configurations from the resource login-config.xml (resolved to conf/login-config.xml). XMLLoginConfig is not limited to this resource, though: it can load additional configuration files via its loadConfig method (this is what DynamicLoginConfig does programmatically).
The configuration files loaded may be either in XML (following the login-config DTD) or in the Sun JAAS configuration format.
This configuration specifies (and configures) a set of login modules for each security domain, e.g.:
<policy>
  <!-- Config for certificate authentication in servlet -->
  <application-policy name="client-cert">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.CertRolesLoginModule"
                    flag="required">
        <module-option name="password-stacking">useFirstPass</module-option>
        <module-option name="securityDomain">java:/jaas/client-cert</module-option>
        <module-option name="unauthenticatedIdentity">guest</module-option>
        <module-option name="rolesProperties">roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
NOTE: This specifies a login using client certificate authentication over SSL (see BaseCertLoginModule); DR4 still has problems with CertRolesLoginModule, but the CVS version worked.
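As an added example (not part of the original page or of JBoss itself), the following script parses a login-config.xml policy of the shape shown above and reports the settings a reviewer of a security domain would want to look at first: login modules with no flag attribute, and modules whose unauthenticatedIdentity option maps callers that present no credentials to a fixed identity such as guest. The embedded configuration is a constructed sample; the second domain, "other", is invented for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the client-cert domain from the page plus an invented
# second domain whose login-module is missing its flag attribute.
LOGIN_CONFIG = """<policy>
  <application-policy name="client-cert">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.CertRolesLoginModule" flag="required">
        <module-option name="password-stacking">useFirstPass</module-option>
        <module-option name="securityDomain">java:/jaas/client-cert</module-option>
        <module-option name="unauthenticatedIdentity">guest</module-option>
        <module-option name="rolesProperties">roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <application-policy name="other">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"/>
    </authentication>
  </application-policy>
</policy>"""


def parse_policy(xml_text):
    """Map each security domain name to its list of login modules
    ({code, flag, options}) in the order they appear in the policy."""
    root = ET.fromstring(xml_text)
    domains = {}
    for app in root.findall("application-policy"):
        modules = []
        for lm in app.findall("authentication/login-module"):
            options = {o.get("name"): (o.text or "").strip()
                       for o in lm.findall("module-option")}
            modules.append({"code": lm.get("code"), "flag": lm.get("flag"),
                            "options": options})
        domains[app.get("name")] = modules
    return domains


def review_policy(domains):
    """Return human-readable findings for settings worth a second look."""
    findings = []
    for name, modules in domains.items():
        for m in modules:
            if m["flag"] is None:
                findings.append(f"{name}: {m['code']} has no flag attribute")
            ident = m["options"].get("unauthenticatedIdentity")
            if ident:
                findings.append(f"{name}: {m['code']} maps unauthenticated "
                                f"callers to identity '{ident}'")
    return findings


if __name__ == "__main__":
    for line in review_policy(parse_policy(LOGIN_CONFIG)):
        print(line)
```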