Dynamic configuration of JAAS login
org.jboss.security.auth.login.DynamicLoginConfig
A security config mbean that loads an xml login configuration using the
XMLLoginConfig.loadConfig(URL config) operation on start, and unloads
the contained login module configurations on stop.
This allows you to specify JAAS login configuration as part of a deployment (or just as a standalone service) rather than having to edit the static conf/login-config.xml.
The service supports the following attributes:
AuthConfig: the resource path to the JAAS login configuration file to use. This defaults to login-config.xml
LoginConfigService: the XMLLoginConfig service name to use for loading. This service must support a String[] loadConfig(URL) operation to load the configurations.
SecurityManagerService: (3.2.6+) the SecurityManagerService name used to flush the registered security domains. This service must support a flushAuthenticationCache(String) operation to flush the cache for the argument security domain. Setting this triggers the flush of the authentication caches when the service is stopped.
All you have to do is set up a service descriptor containing an MBean that will load the login-config when the application is deployed:
<server>
  <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
         name="jboss:service=DynamicLoginConfig">
    <attribute name="AuthConfig">META-INF/login-config.xml</attribute>
    <!-- The service which supports dynamic processing of login-config.xml configurations. -->
    <depends optional-attribute-name="LoginConfigService">
      jboss.security:service=XMLLoginConfig
    </depends>
    <!-- Optionally specify the security mgr service to use when this service is stopped
         to flush the auth caches of the domains registered by this service. -->
    <depends optional-attribute-name="SecurityManagerService">
      jboss.security:service=JaasSecurityManager
    </depends>
  </mbean>
</server>
Basically, this will load the specified (AuthConfig) resource using the specified LoginConfigService MBean (the name here is the default, but it is configurable) by invoking loadConfig with the appropriate resource URL. When the service is stopped the configurations are removed.
The resource specified is loaded in the same way as the server login-config: it may be either an XML file or a Sun JAAS login configuration. This example loads it from the META-INF of your SAR file.
Caution:
If you specify "login-config.xml" and don't have this file at the root of your SAR, the classloader will find and load the global login-config.xml without a warning (ideally, specify META-INF/login-config.xml to be safe). Your application will appear as if you didn't specify the DynamicLoginConfig. This is important because if you stop or undeploy the DynamicLoginConfig service (with the global login-config.xml), then you will lose the JAAS configuration for the security layer and security checks may fail. (Moral: it is better to specify a login-config.xml as part of your archive rather than defaulting to the global login-config.xml.) This has been solved for JBoss 4.0.5, 5.0 and 3.2.8.SP2 (JBAS-3422).
See also LoginConfiguration
Embedded Login Configuration
As of 4.0.3 there is support for embedding alternate XML documents as attribute values, and the DynamicLoginConfig has been updated to support an embedded configuration via the PolicyConfig attribute:
<?xml version="1.0" encoding="UTF-8"?>
<server>
  <!-- The custom JAAS login configuration that installs a Configuration
       capable of dynamically updating the config settings -->
  <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
         name="jboss.security.tests:service=LoginConfig">
    <attribute name="PolicyConfig" serialDataType="jbxb">
      <jaas:policy xsi:schemaLocation="urn:jboss:security-config:4.1 resource:security-config_4_1.xsd"
                   xmlns:jaas="urn:jboss:security-config:4.1"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <jaas:application-policy name="userinrole">
          <jaas:authentication>
            <jaas:login-module code="org.jboss.security.auth.spi.XMLLoginModule" flag="required">
              <jaas:module-option name="userInfo">
                <ur:users xsi:schemaLocation="urn:jboss:user-roles:1.0 resource:user-roles_1_0.xsd"
                          xmlns:ur="urn:jboss:user-roles:1.0">
                  <ur:user name="jduke" password="theduke">
                    <ur:role name="ServletUserRole"></ur:role>
                    <ur:role name="AnotherUserRole"></ur:role>
                    <ur:role name="AuthorizedUser"></ur:role>
                    <ur:role name="callerJduke" group="CallerPrincipal"></ur:role>
                  </ur:user>
                </ur:users>
              </jaas:module-option>
              <jaas:module-option name="unauthenticatedIdentity">guest</jaas:module-option>
            </jaas:login-module>
          </jaas:authentication>
        </jaas:application-policy>
      </jaas:policy>
    </attribute>
    <depends optional-attribute-name="LoginConfigService">
      jboss.security:service=XMLLoginConfig
    </depends>
    <depends optional-attribute-name="SecurityManagerService">
      jboss.security:service=JaasSecurityManager
    </depends>
  </mbean>
</server>
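The two descriptors above, together with the caution about a bare "login-config.xml" AuthConfig, suggest a simple pre-deployment review step. The script below is an added example, not JBoss code: it parses a jboss-service.xml, finds every DynamicLoginConfig MBean and reports the AuthConfig path (flagging the bare name that can silently resolve to the global file), the security domains and login modules an embedded PolicyConfig registers, and whether SecurityManagerService is wired so caches are flushed on stop. The descriptor it reads is a constructed sample assembled from the shapes shown on this page; the function and variable names are the example's own.

```python
"""Static review of DynamicLoginConfig MBean descriptors (added example, not JBoss code).

Reports, per org.jboss.security.auth.login.DynamicLoginConfig MBean found in a
jboss-service.xml:
  * the AuthConfig resource path, flagging the bare "login-config.xml" case
    that may resolve to the server's global file instead of the archive's,
  * the security domains and login modules declared in an embedded PolicyConfig,
  * whether SecurityManagerService is set (needed to flush auth caches on stop).
"""
import xml.etree.ElementTree as ET

DYNAMIC_LOGIN_CONFIG = "org.jboss.security.auth.login.DynamicLoginConfig"
JAAS_NS = "urn:jboss:security-config:4.1"

# Constructed sample descriptor: first MBean uses the risky bare AuthConfig and
# omits SecurityManagerService; second embeds a PolicyConfig like the page's.
SAMPLE_DESCRIPTOR = """<?xml version="1.0" encoding="UTF-8"?>
<server>
  <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
         name="jboss:service=DynamicLoginConfig">
    <attribute name="AuthConfig">login-config.xml</attribute>
    <depends optional-attribute-name="LoginConfigService">
      jboss.security:service=XMLLoginConfig
    </depends>
  </mbean>
  <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
         name="jboss.security.tests:service=LoginConfig">
    <attribute name="PolicyConfig" serialDataType="jbxb">
      <jaas:policy xmlns:jaas="urn:jboss:security-config:4.1">
        <jaas:application-policy name="userinrole">
          <jaas:authentication>
            <jaas:login-module code="org.jboss.security.auth.spi.XMLLoginModule"
                               flag="required">
              <jaas:module-option name="unauthenticatedIdentity">guest</jaas:module-option>
            </jaas:login-module>
          </jaas:authentication>
        </jaas:application-policy>
      </jaas:policy>
    </attribute>
    <depends optional-attribute-name="SecurityManagerService">
      jboss.security:service=JaasSecurityManager
    </depends>
  </mbean>
</server>
"""


def audit_descriptor(xml_text):
    """Return one finding dict per DynamicLoginConfig MBean in the descriptor."""
    root = ET.fromstring(xml_text)
    findings = []
    for mbean in root.iter("mbean"):
        if mbean.get("code") != DYNAMIC_LOGIN_CONFIG:
            continue
        finding = {"name": mbean.get("name"), "auth_config": None,
                   "domains": {}, "warnings": []}
        for attr in mbean.findall("attribute"):
            if attr.get("name") == "AuthConfig":
                path = (attr.text or "").strip()
                finding["auth_config"] = path
                # Bare "login-config.xml" is also the global file's name: if the
                # SAR lacks it, the classloader loads the global config silently
                # and a later stop/undeploy removes the server-wide JAAS config.
                if path == "login-config.xml":
                    finding["warnings"].append(
                        "AuthConfig is bare 'login-config.xml'; use an archive-"
                        "specific path such as META-INF/login-config.xml")
            elif attr.get("name") == "PolicyConfig":
                # Collect (code, flag) per login module for each embedded domain.
                for policy in attr.iter("{%s}application-policy" % JAAS_NS):
                    modules = [(lm.get("code"), lm.get("flag"))
                               for lm in policy.iter("{%s}login-module" % JAAS_NS)]
                    finding["domains"][policy.get("name")] = modules
        if finding["auth_config"] is None and not finding["domains"]:
            finding["warnings"].append(
                "neither AuthConfig nor PolicyConfig set; AuthConfig defaults to "
                "login-config.xml and carries the same risk")
        if mbean.find("depends[@optional-attribute-name='SecurityManagerService']") is None:
            finding["warnings"].append(
                "SecurityManagerService not set; authentication caches are not "
                "flushed when the service stops")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_descriptor(SAMPLE_DESCRIPTOR):
        print(f["name"], "AuthConfig=%s" % f["auth_config"])
        for domain, modules in f["domains"].items():
            print("  domain %s: %s" % (domain, modules))
        for w in f["warnings"]:
            print("  WARNING:", w)
```

Run it against a real descriptor by replacing SAMPLE_DESCRIPTOR with the file contents; the domain listing is also a convenient record of which security domains a deployment adds and removes from the server.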
Better solution in JBoss Application Server v5.0 and Beyond
The old way of using the DynamicLoginConfig is still supported in JBAS5+. A better alternative solution is to create a deployment descriptor file of pattern xxx-jboss-beans.xml and have the application policy definitions (primarily the authentication element) defined as shown in Specifying Security Domain Configuration.