This is the one stop article for security design in JBoss AS7/EAP6+.
- Architecture
- Domain Model
- Securing Passwords
- Management Layer Security
- Security Domains
- Deploying Custom Tomcat Authenticators in AS7
- JCA - Datasource Security
- Security Auditing
- JACC (JSR-115) on JBoss AS7.1
- Java Security Manager
- HornetQ (Messaging) Security
- Web Security
- Web Services Security
- Single Sign On
- Where is JaasSecurityDomain in AS7?
- Additional Reference
Architecture
This rough architecture diagram depicts the various subsystems and interfaces used in JBoss AS7/JBoss EAP6.
The "AS Platform Security Component" depicts the security integration code that exists in JBossAS7+/JBoss EAP6. This integration layer may use the security functionality provided by the PicketBox library.
Domain Model
JBoss AS7 : Security Domain Model
Securing Passwords
Management Layer Security
Default HTTP Interface Security
Default Native Interface Security
Security Domains
The mapping of shortened names for login modules to the standard login modules shipped with JBoss AS is provided below. The authoritative, up-to-date mapping is always available in the class org.jboss.security.ModulesMap.
Name | Actual Login Module |
---|---|
Client | org.jboss.security.ClientLoginModule |
Certificate | org.jboss.security.auth.spi.BaseCertLoginModule |
CertificateRoles | org.jboss.security.auth.spi.CertRolesLoginModule |
DatabaseCertificate | org.jboss.security.auth.spi.DatabaseCertLoginModule |
Database | org.jboss.security.auth.spi.DatabaseServerLoginModule |
Identity | org.jboss.security.auth.spi.IdentityLoginModule |
Ldap | org.jboss.security.auth.spi.LdapLoginModule |
LdapExtended | org.jboss.security.auth.spi.LdapExtLoginModule |
RoleMapping | org.jboss.security.auth.spi.RoleMappingLoginModule |
RunAs | org.jboss.security.auth.spi.RunAsLoginModule |
Simple | org.jboss.security.auth.spi.SimpleServerLoginModule |
UsersRoles | org.jboss.security.auth.spi.UsersRolesLoginModule |
CallerIdentity | org.jboss.resource.security.CallerIdentityLoginModule |
ConfiguredIdentity | org.jboss.resource.security.ConfiguredIdentityLoginModule |
JaasSecurityDomainIdentity | org.jboss.resource.security.JaasSecurityDomainIdentityLoginModule |
PBEIdentity | org.jboss.resource.security.PBEIdentityLoginModule |
SecureIdentity | org.jboss.resource.security.SecureIdentityLoginModule |
Using custom login module
Just write the fully qualified class name (FQCN) of the login module in the code attribute of the login-module element and it should work out of the box.
To place the custom login module class files, you can place them in a jar and put it either:
- application classpath of your web archive (war) or ejb jar or enterprise archive (ear) OR
- separate module under the modules directory.
Read http://community.jboss.org/wiki/JBossAS7SecurityCustomLoginModules
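The two ways of naming a login module side by side, as an added example that is not from the original page: one security domain uses a short name from the table above, the other uses the FQCN of a custom module packaged as a separate JBoss module. The domain names, the com.example class and module names, the jar name and the subsystem schema version are assumptions.

```xml
<!-- standalone.xml fragment (added example, not from the original page). -->
<subsystem xmlns="urn:jboss:domain:security:1.1">
    <security-domains>
        <!-- Short name: "UsersRoles" is resolved through org.jboss.as.security.ModulesMap -->
        <security-domain name="app-short-name" cache-type="default">
            <authentication>
                <login-module code="UsersRoles" flag="required">
                    <module-option name="usersProperties" value="${jboss.server.config.dir}/app-users.properties"/>
                    <module-option name="rolesProperties" value="${jboss.server.config.dir}/app-roles.properties"/>
                </login-module>
            </authentication>
        </security-domain>
        <!-- Custom module: the FQCN goes straight into the code attribute (assumed class name) -->
        <security-domain name="app-custom" cache-type="default">
            <authentication>
                <login-module code="com.example.security.MyLoginModule" flag="required">
                    <module-option name="someOption" value="someValue"/>
                </login-module>
            </authentication>
        </security-domain>
    </security-domains>
</subsystem>

<!-- $JBOSS_HOME/modules/com/example/security/main/module.xml for the custom module
     (assumed module name and jar name). org.picketbox provides the login module
     base classes; javax.api provides the JAAS API. -->
<module xmlns="urn:jboss:module:1.1" name="com.example.security">
    <resources>
        <resource-root path="my-login-module.jar"/>
    </resources>
    <dependencies>
        <module name="org.picketbox"/>
        <module name="javax.api"/>
    </dependencies>
</module>
```

When the class ships inside the war/ear instead, the module.xml is not needed; the deployment's own class loader supplies the class.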
Deploying dynamic security domains
Marcus Moyses talks about it. You have to use the CLI. The command is one line.
You can add it via CLI using:

```
/subsystem=security/security-domain=MyEncryptedDS:add(cache-type=default, authentication=[{"code"=>"SecureIdentity","flag"=>"required","module-options"=>[("username"=>"sa"),("password"=>"encryptedPassword")]}])
```
Deploying Custom Tomcat Authenticators in AS7
Thanks to Darran Lofthouse for the sample. Add the valve configuration into the jboss-web.xml of your web archive.
```xml
<jboss-web>
    <security-domain>SPNEGO</security-domain>
    <valve>
        <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>
    </valve>
</jboss-web>
```

Note that this is the general pattern for configuring Tomcat valves in JBoss AS7: configure them in jboss-web.xml.
One more example:
```xml
<jboss-web>
    <security-domain>idp</security-domain>
    <valve>
        <class-name>org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve</class-name>
        <param>
            <param-name>signOutgoingMessages</param-name>
            <param-value>false</param-value>
        </param>
        <param>
            <param-name>ignoreIncomingSignatures</param-name>
            <param-value>true</param-value>
        </param>
    </valve>
</jboss-web>
```
JCA - Datasource Security
Historically, the JCA login modules in JBoss AS have been described here: https://community.jboss.org/wiki/ConfigJCALoginModule [This information is primarily for JBoss AS5/6]
The page is older, but it still gives a useful overview of the available login modules.
Here is an example of a security domain that is referenced by a data source:
```xml
<security-domain name="DsRealm" cache-type="default">
    <authentication>
        <login-module code="ConfiguredIdentity" flag="required">
            <module-option name="userName" value="sa"/>
            <module-option name="principal" value="sa"/>
            <module-option name="password" value="sa"/>
        </login-module>
    </authentication>
</security-domain>
```

Remember, you can mask the password by using the vault facility in AS 7.1.
How would this get used? Example security-ds.xml is below.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<datasources>
    <datasource jndi-name="java:jboss/datasources/securityDs" pool-name="securityDs">
        <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1</connection-url>
        <driver>h2</driver>
        <new-connection-sql>select current_user()</new-connection-sql>
        <security>
            <security-domain>DsRealm</security-domain>
        </security>
    </datasource>
</datasources>
```
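The same DsRealm domain with the clear-text database password replaced by a vault reference, as an added example that is not from the original page. The vault block name ds_DsRealm, the keystore path and alias, the SALT and ITERATION_COUNT values, and the MASK-... and SHARED_KEY placeholders are assumptions; the vault tool prints the real masked keystore password and shared key when you store an attribute.

```xml
<!-- standalone.xml: vault definition (added example). The options are the ones the
     vault tool asks for; the values here are constructed placeholders. -->
<vault>
    <vault-option name="KEYSTORE_URL" value="${jboss.server.config.dir}/vault.keystore"/>
    <vault-option name="KEYSTORE_PASSWORD" value="MASK-PLACEHOLDER_FROM_VAULT_TOOL"/>
    <vault-option name="KEYSTORE_ALIAS" value="vault"/>
    <vault-option name="SALT" value="12345678"/>
    <vault-option name="ITERATION_COUNT" value="50"/>
    <vault-option name="ENC_FILE_DIR" value="${jboss.server.config.dir}/vault/"/>
</vault>

<!-- security subsystem: DsRealm now carries no clear-text password. The expression
     ${VAULT::<block>::<attribute>::<shared key>} is resolved by the server at boot. -->
<security-domain name="DsRealm" cache-type="default">
    <authentication>
        <login-module code="ConfiguredIdentity" flag="required">
            <module-option name="userName" value="sa"/>
            <module-option name="principal" value="sa"/>
            <module-option name="password" value="${VAULT::ds_DsRealm::password::SHARED_KEY_PLACEHOLDER}"/>
        </login-module>
    </authentication>
</security-domain>
```

The security-ds.xml above is unchanged: it still references DsRealm by name, so masking the password touches only the server configuration, not the deployment.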
Security Auditing
JACC (JSR-115) on JBoss AS7.1
http://community.jboss.org/wiki/JACCOnJBossAS7
Java Security Manager
JBoss AS7: Security : Running under a Java Security Manager
HornetQ (Messaging) Security
http://docs.jboss.org/hornetq/2.2.5.Final/user-manual/en/html/security.html
Web Security
http://community.jboss.org/wiki/PrimerOnWebSecurityInJBossAS
http://community.jboss.org/wiki/JBossAS7SecureMyWebAppHowDoI
Web Services Security
JAXR Security
Please see http://docs.oracle.com/cd/E17802_01/webservices/webservices/docs/1.6/tutorial/doc/JAXR-ebXML2.html for an overview of JAXR.
JBoss AS7+/EAP do not ship any UDDI registry. We provide the JAXR client API and provider. Use JSSE settings to communicate with an external UDDI registry over TLS with X.509 certificates.
Single Sign On
http://community.jboss.org/wiki/SAMLWebBrowserSSOOnJBossAS70
http://community.jboss.org/wiki/CheatSheetForPicketLinkOnRedHatOpenShift/
Where is JaasSecurityDomain in AS7?
It has been replaced by the jsse xml element in the security subsystem configuration. https://docs.jboss.org/author/display/AS7/Security+subsystem+configuration
Additional Reference
https://docs.jboss.org/author/display/AS7/Security+subsystem+configuration
JBoss AS Security Subsystem Configuration