Version 4

    How to configure JAAS integration for JBoss Mail Server 1.0M3

     

    versions: 1.0M3

     

    Overview

     

    The JBMS installer creates a default "Static User Repository" instance in the jboss-service.xml:

     

       <!-- StaticUserRepository maintains the user account information as part of
           this configuration.  You must specify the username and password below.
           Each user will be accepted as a local mailbox for any domain in the
           local domain group.
           -->
      <mbean code="org.jboss.mail.userrepository.StaticUserRepository"
        name="jboss.mail:type=MailServices,name=UserRepository,uimanageable=true">
         <attribute name="Users">
            <users>
    ...
            </users>
         </attribute>
      </mbean>
    
    

    One problem with this is that you must restart the JBoss Mail Server services defined in this file (not the entire underlying application server) in order to change it.  Another problem is that it's not a very scalable solution for security, and it requires you to secure the deploy directory so that local users cannot read everyone's mail password.  Fortunately, since JBoss Mail Server is built upon JBoss Application Server, we have access to a much better alternative: JBAS's JAAS login modules.

     

    JAAS stands for the Java Authentication and Authorization Service.  JBoss Application Server allows you to plug in various JAAS login modules so that services such as databases and LDAP can be used for authentication.  The configuration for these login modules is static and lives in $JBOSS_HOME/server/$CONFIG/conf/login-config.xml.

    Removing Static User Repository

     

    Find the above StaticUserRepository XML section in jboss-service.xml.  For instance, you can comment it out like this:

     

       <!-- StaticUserRepository maintains the user account information as part of
           this configuration.  You must specify the username and password below.
           Each user will be accepted as a local mailbox for any domain in the
           local domain group.
           COMMENTED OUT, we use JAAS because we're cool like that - SmartSysAdmin
      <mbean code="org.jboss.mail.userrepository.StaticUserRepository"
        name="jboss.mail:type=MailServices,name=UserRepository,uimanageable=true">
         <attribute name="Users">
            <users>
    ...
            </users>
         </attribute>
      </mbean -->
    

     

    Notice that we moved the comment terminator (-->) from the end of the original comment into the closing tag of the mbean, and noted who did it and why.

     

    Uncommenting the JAAS User Repository

     

    Directly under the StaticUserRepository definition is a section that looks like this:

     

       <!-- UserRepository implementation for JAAS
                    Uncomment and comment StaticUserRepository above to enable
                    A JAAS security domain must be configured in conf/login-config.xml
                    Currently only authenticates a user, no roles are checked
    
      <mbean code="org.jboss.mail.userrepository.jaas.JaasUserRepository"
        name="jboss.mail:type=MailServices,name=UserRepository,uimanageable=true">
            <xmbean state-action-on-update="restart">
                    <depends>jboss.security:service=JaasSecurityManager</depends>
                    <description>JBossMail user repository for JAAS</description>
    ...
            </xmbean>
      </mbean-->
    

     

    Uncomment this by doing the reverse, making it look like this:

     

       <!-- UserRepository implementation for JAAS
                    Uncomment and comment StaticUserRepository above to enable
                    A JAAS security domain must be configured in conf/login-config.xml
                    Currently only authenticates a user, no roles are checked. 
                    Uncommented by Savvy D. Sysadmin, now we use JAAS.
       -->
      <mbean code="org.jboss.mail.userrepository.jaas.JaasUserRepository"
        name="jboss.mail:type=MailServices,name=UserRepository,uimanageable=true">
            <xmbean state-action-on-update="restart">
                    <depends>jboss.security:service=JaasSecurityManager</depends>
                    <description>JBossMail user repository for JAAS</description>
    ...
            </xmbean>
      </mbean>
    

     

    Defining the security domain in login-config.xml

     

    The above definition for the JaasUserRepository includes lines that look like this:

     

                    <attribute access="read-write" getMethod="getSecurityDomain"
                               setMethod="setSecurityDomain">
                        <description>Security domain as configured in login-config.xml</description>
                        <name>securityDomain</name>
                        <type>java.lang.String</type>
                        jboss-mail
                    </attribute>
    

     

    Notice that the default security domain is "jboss-mail".  You can change this to anything you like, but it must match the domain we define in login-config.xml.

     

    Open $JBOSS_HOME/server/$CONFIG/conf/login-config.xml in your favorite editor.  Note that changes to this file require a full JBAS restart (not just JBMS).

     

    You should see a few examples in this file like the following:

     

        <!-- Security domain for JBossMQ -->
        <application-policy name = "jbossmq"> <!-- this would say "jboss-mail" if we wanted to use it with the above! -->
           <authentication>
              <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
                 flag = "required">
                 <module-option name = "unauthenticatedIdentity">guest</module-option>
                 <module-option name = "dsJndiName">java:/DefaultDS</module-option>
                 <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
                 <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
              </login-module>
           </authentication>
        </application-policy>
    

     

    This defines a database server login module for the domain called "jbossmq" (rather than "jboss-mail") which uses the datasource called DefaultDS and the above queries to look up principals and roles (we do not yet use the roles, but will in a future release).  Unlike the static repository, the database server login module does not require a restart to change users.

     

    There are other options, such as a simple text properties file (changes to which again require a restart):

     

        <application-policy name = "jmx-console">
           <authentication>
              <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                 flag = "required">
               <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
               <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
              </login-module>
           </authentication>
        </application-policy>
    

     

    Or an LDAP Login Module:

     

        <application-policy name="testLDAP">  <!-- make this jboss-mail to use with the JAASUserRepository as defined above -->
            <authentication>
                <login-module code="org.jboss.security.auth.spi.LdapLoginModule"
                              flag="required">
                    <module-option name="java.naming.factory.initial"> 
                        com.sun.jndi.ldap.LdapCtxFactory
                        </module-option>
                    <module-option name="java.naming.provider.url">
                        ldap://ldaphost.jboss.org:1389/
                    </module-option>
                    <module-option name="java.naming.security.authentication">
                        simple
                    </module-option>
                    <module-option name="principalDNPrefix">uid=</module-option>                    
                    <module-option name="principalDNSuffix">
                        ,ou=People,dc=jboss,dc=org
                    </module-option>
    
                    <module-option name="rolesCtxDN">
                        ou=Roles,dc=jboss,dc=org
                    </module-option>
                    <module-option name="uidAttributeID">member</module-option>
                    <module-option name="matchOnUserDN">true</module-option>
    
                    <module-option name="roleAttributeID">cn</module-option>
                    <module-option name="roleAttributeIsDN">false</module-option>
                </login-module>
            </authentication>
        </application-policy>
    

     

    The LDAP Login Module also doesn't require a restart.

     

    We'll need to define one of these with the application-policy name (aka the security domain name) "jboss-mail", or whatever we redefined the security domain name to be in our jboss-service.xml descriptor.
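    As an added check (example code, not part of JBoss Mail Server or JBoss AS), the following Python parses the two descriptors edited in this procedure and reports whether the JaasUserRepository is the only active UserRepository MBean and whether its security domain has a matching application-policy in login-config.xml.  The sample descriptors are constructed, and the location of the xmbean default value (descriptors/value/@value) is an assumption, since the page elides that part of the descriptor.

```python
"""Check the JBMS -> JAAS switch (added example, not JBMS code). ElementTree
drops XML comments, so a commented-out StaticUserRepository vanishes as JBoss ignores it."""
import xml.etree.ElementTree as ET

USER_REPO = "jboss.mail:type=MailServices,name=UserRepository,uimanageable=true"
JAAS_REPO = "org.jboss.mail.userrepository.jaas.JaasUserRepository"
STATIC_REPO = "org.jboss.mail.userrepository.StaticUserRepository"
# Constructed sample descriptors, cut down to the parts the check reads.
SERVICE_XML = """<server>
  <!-- <mbean code="%s" name="%s"/> -->
  <mbean code="%s" name="%s"><xmbean>
    <attribute access="read-write"><name>securityDomain</name>
      <descriptors><value value="jboss-mail"/></descriptors></attribute>
  </xmbean></mbean>
</server>""" % (STATIC_REPO, USER_REPO, JAAS_REPO, USER_REPO)
LOGIN_CONFIG_XML = """<policy><application-policy name="jboss-mail">
  <authentication><login-module flag="required" code="org.jboss.security.auth.spi.DatabaseServerLoginModule"/>
</authentication></application-policy></policy>"""

def security_domain(mbean):
    """<attribute name="SecurityDomain"> override first, then the xmbean default
    (assumed, as the page elides it, to sit in descriptors/value/@value)."""
    for attr in mbean.findall("attribute"):
        if attr.get("name") == "SecurityDomain" and attr.text:
            return attr.text.strip()
    for attr in mbean.iter("attribute"):
        if attr.findtext("name") == "securityDomain":
            val = attr.find("descriptors/value")
            if val is not None and val.get("value"):
                return val.get("value")
    return "jboss-mail"  # the default the page states

def check(service_xml, login_config_xml):
    """Return the resolved domain, its login modules and a list of findings."""
    repos = [m for m in ET.fromstring(service_xml).iter("mbean") if m.get("name") == USER_REPO]
    findings, domain = [], None
    if not repos:
        findings.append("no active UserRepository MBean: mail logins will fail")
    if len(repos) > 1:
        findings.append("%d MBeans share the UserRepository name" % len(repos))
    for m in repos:
        if m.get("code") == STATIC_REPO:
            findings.append("StaticUserRepository still active: passwords sit in the deploy directory")
        elif m.get("code") == JAAS_REPO:
            domain = security_domain(m)
    policies = {p.get("name"): [lm.get("code") for lm in p.iter("login-module")]
                for p in ET.fromstring(login_config_xml).iter("application-policy")}
    if domain is not None and domain not in policies:
        findings.append("security domain %r has no <application-policy> in login-config.xml" % domain)
    return {"domain": domain, "login_modules": policies.get(domain, []), "findings": findings}
```

    Run check() against your real jboss-service.xml and login-config.xml contents; an empty findings list means the JAAS repository is the only active one and its domain is defined.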

     

    Options

     

    There are specific instructions for the most common of the various login modules: