12 Replies. Latest reply: Sep 20, 2012 7:23 AM by Nikos Massios

    LdapExtLoginModule and jaasSecurityDomain

    Chris Miles Newbie

      Hello,

      Has anyone got an example of how to setup encryption on the bindCredential of the LdapExtLoginModule?

      After reading the wiki entries I'm a little fuzzy on the JaasSecurityDomain piece and where that gets defined etc. An example of how someone has done this would be nice.

      Thanks

        • 1. Re: LdapExtLoginModule and jaasSecurityDomain
          Chris Miles Newbie

          So I think I've gotten further on this. I added the following into the jboss-service.xml:

           <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
                  name="jboss.security:service=JaasSecurityDomain,domain=LdapPassword">
             <constructor>
               <arg type="java.lang.String" value="ServerMasterPassword"/>
             </constructor>
             <!-- The opaque master password file used to decrypt the encrypted
                  database password key -->
             <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</attribute>
             <attribute name="Salt">theSalt</attribute>
             <attribute name="IterationCount">13</attribute>
           </mbean>


          and added the following to the login-config.xml:

           <module-option name="bindCredential">OQQj2fCjjfoc8VaDLVKU7</module-option>
           <module-option name="jaasSecurityDomain">jboss.security:service=JaasSecurityDomain,domain=LdapPassword</module-option>
          


          I created the ${jboss.server.home.dir}/conf/server.password file via the command:

          java -cp lib\jbosssx.jar org.jboss.security.plugins.FilePassword theSalt 13 password server.password

          Is the password specified above on the FilePassword arg list the password of the LDAP server bindDN?

          Then I use the command:

          java -cp jbosssx.jar org.jboss.security.plugins.PBEUtils theSalt 13 domain-password data-source-password

          to generate the encrypted bindCredential.

          I'm a little confused about what domain-password and data-source-password should be. Should one of them be the bindDN password, and if so, what is the other one used for?

          Can anyone explain this in layman terms for me please as when I try all this the server comes up but authentication fails when I login to my app, so I must have something screwed up?


          • 2. Re: LdapExtLoginModule and jaasSecurityDomain
            Chris Miles Newbie

            OK, for the sake of someone else wanting to do this same thing, I'm going to outline what I did to get this to work. The doc is very sparse on this stuff, so this took me many frustrating days of trial and error until I got something working...

            1) Added the following into jboss-service.xml. Please note that you cannot add this at the END of the file (it just does not work and I have no idea why). I stuck it as the first mbean entry though I have no idea how far down the file you can go. I just know it cannot be last:

             <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
                    name="jboss.security:service=JaasSecurityDomain,domain=LdapPassword">
               <constructor>
                 <arg type="java.lang.String" value="ServerMasterPassword"/>
               </constructor>
               <!-- The opaque master password file used to decrypt the encrypted
                    database password key -->
               <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</attribute>
               <attribute name="Salt">twsalt12</attribute>
               <attribute name="IterationCount">13</attribute>
             </mbean>


            2) Added the following into the login-config.xml for the LdapExtLoginModule:

             <module-option name="bindCredential">1q2vSZDcCkctsxrys110r3</module-option>
             <module-option name="jaasSecurityDomain">jboss.security:service=JaasSecurityDomain,domain=LdapPassword</module-option>
            


            3) Created the server.password file with the following:

            java -cp jbosssx.jar org.jboss.security.plugins.FilePassword twsalt12 13 thePassword server.password

            4) Created the encrypted bindCredential with the following:

            java -cp jbosssx.jar org.jboss.security.plugins.PBEUtils twsalt12 13 thePassword clearTextBindCredential

            Hopefully the above helps someone...

            • 3. Re: LdapExtLoginModule and jaasSecurityDomain
              Scott Stark Master

              Update the wiki with your results:
              http://wiki.jboss.org/wiki/Wiki.jsp?page=LdapExtLoginModule

              The JaasSecurityDomain position is a function of its dependencies. Since it depends on the JaasSecurityManager, it either needs to be after that service, or use a dependency statement:

               <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
                      name="jboss.security:service=JaasSecurityDomain,domain=LdapPassword">
                 <constructor>
                   <arg type="java.lang.String" value="ServerMasterPassword"/>
                 </constructor>
                 <!-- The opaque master password file used to decrypt the encrypted
                      database password key -->
                 <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</attribute>
                 <attribute name="Salt">twsalt12</attribute>
                 <attribute name="IterationCount">13</attribute>
                 <depends optional-attribute-name="ManagerServiceName">jboss.security:service=JaasSecurityManager</depends>
               </mbean>



              • 4. Re: LdapExtLoginModule and jaasSecurityDomain
                Andrew Lai Newbie

                Many thanks to cmiles123 for this post.

                Most helpful.

                • 5. Re: LdapExtLoginModule and jaasSecurityDomain
                  Matias Carminatti Newbie

                  Hello People,

                  I have tried to encrypt my bindCredential on JBoss 5.1 following the instructions of Chris Miles. But unfortunately I cannot get it working yet.

                  First of all, I integrated the LdapExtLoginModule with a plain-text password successfully. After finishing the first step, I configured my jboss-service.xml and my login-config.xml to encrypt the bindCredential. But when my application tries to authenticate I get this message: “Bad Password for usernme=...”.


                  I have followed exactly this procedure:

                  a) I generate the server.password file, as shown:

                  C:\jboss-5.1.0.GA\server\default\conf> java  -cp ../../../common/lib/jbosssx.jar   org.jboss.security.plugins.FilePassword 12345678 17 master server.password


                  b) I generate the encrypted bindCredential, as shown:

                  C:\jboss-5.1.0.GA\server\default\conf> java  -cp ../../../common/lib/jbosssx.jar org.jboss.security.plugins.PBEUtils 12345678 17 master theLDAPPassword

                  Encoded password: 1iiUbPJv1Cwo77b2SigBpa


                  c) Added the following into jboss-service.xml:

                  <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
                         name="jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword">
                    <constructor>
                      <arg type="java.lang.String" value="ServerMasterPassword"/>
                    </constructor>
                    <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</attribute>
                    <attribute name="Salt">12345678</attribute>
                    <attribute name="IterationCount">17</attribute>
                    <depends optional-attribute-name="ManagerServiceName">jboss.security:service=JaasSecurityManager</depends>
                  </mbean>


                  d) And this is my config in login-config.xml:

                  <application-policy name="myProject-domain">
                    <authentication>
                      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                        <module-option name="java.naming.provider.url">ldap://<LdapServer>:389/</module-option>
                        <module-option name="java.naming.security.authentication">simple</module-option>
                        <module-option name="bindDN">CN=LdapUser,OU=Usuarios,OU=Sistemas,OU=OU Sectores,OU=OU Administracion,OU=OU General,DC=<myCompany>,DC=com</module-option>
                        <module-option name="jaasSecurityDomain">jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword</module-option>
                        <module-option name="bindCredential">1iiUbPJv1Cwo77b2SigBpa</module-option>
                        <module-option name="baseCtxDN">OU=OU General,DC=ad-fravega,DC=com</module-option>
                        <module-option name="baseFilter">(sAMAccountName={0})</module-option>
                        <module-option name="rolesCtxDN">OU=Grupos MyApplication,OU=Grupos,DC=<myCompany>,DC=com</module-option>
                        <module-option name="roleFilter">(member={1})</module-option>
                        <module-option name="roleAttributeID">CN</module-option>
                        <module-option name="roleRecursion">-1</module-option>
                      </login-module>
                    </authentication>
                  </application-policy>

                  Additionally, I should mention that:

                  • I used the code64 functionality of the jmx-console and obtained the same encryption as from the command line.

                  • But when I used the decode64 functionality, I could not get the original password back.

                  I really would appreciate your help with this issue.

                  • 6. Re: LdapExtLoginModule and jaasSecurityDomain
                    Ethan Stein Newbie

                    This is a really old post, but it might be helpful to others. I got it to work with JBoss 4.0.5.GA using the above instructions provided by Chris Miles. However, there were some key differences.

                    1. In the mbean, the value for the constructor argument needs to be the same as the domain= value. So in Chris' example, I would expect that

                    <arg type="java.lang.String" value="ServerMasterPassword"/>

                    would instead be

                    <arg type="java.lang.String" value="LdapPassword"/>

                    This value also needs to be what is specified as the domain in the login-config.xml.

                    2. When running the java commands, the org.jboss.security.plugins.FilePassword "password" parameter needs to be the same as the org.jboss.security.plugins.PBEUtils "domain-password" parameter. And the org.jboss.security.plugins.PBEUtils "data-source-password" parameter needs to be the Active Directory Bind DN password.

                    • 7. Re: LdapExtLoginModule and jaasSecurityDomain
                      Nikos Massios Novice

                      We have encountered the same problem on JBoss 5.1 GA. Has anybody found a solution?

                      There is a similar thread connected to this:

                      http://community.jboss.org/thread/150593

                      We are considering fixing it ourselves.

                      Nikos

                      • 8. Re: LdapExtLoginModule and jaasSecurityDomain
                        Nikos Massios Novice

                        I added logging to the decoder action class:

                        http://www.docjar.com/html/api/org/jboss/security/auth/spi/DecodeAction.java.html

                        This is the exception:

                        package access decode caught an exception
                        java.security.PrivilegedActionException:
                        java.security.NoSuchAlgorithmException: No transformation given
                               at java.security.AccessController.doPrivileged(Native Method)
                               at org.jboss.security.auth.spi.DecodeAction.decode(DecodeAction.java:84)
                               at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:326)
                               at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:276)
                               at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:249)
                               at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                               at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                               at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                               at java.lang.reflect.Method.invoke(Method.java:597)
                               at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
                               at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
                               at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
                               at java.security.AccessController.doPrivileged(Native Method)
                               at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
                               at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
                               at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
                               at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
                               at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
                               at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
                               at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)
                               at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:258)
                               at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:417)
                               at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
                               at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
                               at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
                               at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
                               at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
                               at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
                               at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
                               at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
                               at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
                               at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
                               at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
                               at java.lang.Thread.run(Thread.java:619)
                        Caused by: java.security.NoSuchAlgorithmException: No transformation given
                               at javax.crypto.Cipher.a(DashoA13*..)
                               at javax.crypto.Cipher.b(DashoA13*..)
                               at javax.crypto.Cipher.getInstance(DashoA13*..)
                               at org.jboss.security.auth.spi.DecodeAction.decode(DecodeAction.java:72)
                               at org.jboss.security.auth.spi.DecodeAction.decode64(DecodeAction.java:54)
                               at org.jboss.security.auth.spi.DecodeAction.run(DecodeAction.java:43)
                               ... 34 more

                        • 9. Re: LdapExtLoginModule and jaasSecurityDomain
                          Nikos Massios Novice

                          The problem was with the DecodeAction class, which is called by both the LdapExtLoginModule and the LdapLoginModule classes.

                          The original code can be found here:

                          http://www.docjar.com/docs/api/org/jboss/security/auth/spi/DecodeAction.html

                          I rewrote parts of it to make it look like this. I tried it on JBoss 5.1GA with both the LdapLoginModule and the LdapExtLoginModule and it now works:

                          package org.jboss.security.auth.spi;

                          import java.security.AccessController;
                          import java.security.PrivilegedActionException;
                          import java.security.PrivilegedExceptionAction;

                          import javax.management.MBeanServer;
                          import javax.management.ObjectName;

                          import org.apache.log4j.Logger;
                          import org.jboss.mx.util.MBeanServerLocator;

                          /**
                           * Replacement DecodeAction: rather than running the cipher itself, it delegates
                           * to the decode64 operation of the JaasSecurityDomain MBean named by the login
                           * module's jaasSecurityDomain option.
                           */
                          class DecodeAction implements PrivilegedExceptionAction<Object> {
                              protected static Logger _logger = Logger.getLogger(DecodeAction.class);

                              String password;        // the encoded bindCredential from login-config.xml
                              ObjectName serviceName; // the JaasSecurityDomain MBean that can decode it

                              DecodeAction(String password, ObjectName serviceName) {
                                  // Only the encoded form is logged here, never the decoded secret.
                                  _logger.debug("DecodeAction password " + password + " serviceName " + serviceName);
                                  this.password = password;
                                  this.serviceName = serviceName;
                              }

                              /**
                               * @return the decoded bind credential as a char array
                               * @throws Exception if the MBean invocation fails
                               */
                              public Object run() throws Exception {
                                  _logger.debug("DecodeAction run fixedDecode64 " + password);

                                  // Invoke the decode64 op on the security domain MBean
                                  byte[] secret = decode64(password);

                                  // Convert to a UTF-8 based char array
                                  String secretPassword = new String(secret, "UTF-8");
                                  // Deliberately not logged: this is the clear-text bind password.
                                  return secretPassword.toCharArray();
                              }

                              private byte[] decode64(String secret) throws Exception {
                                  MBeanServer server = MBeanServerLocator.locateJBoss();
                                  Object[] params = { secret };
                                  String[] signature = { "java.lang.String" };
                                  return (byte[]) server.invoke(serviceName, "decode64", params, signature);
                              }

                              static char[] decode(String password, ObjectName serviceName) throws Exception {
                                  DecodeAction action = new DecodeAction(password, serviceName);
                                  try {
                                      return (char[]) AccessController.doPrivileged(action);
                                  } catch (PrivilegedActionException e) {
                                      _logger.debug("package access decode caught an exception ", e);
                                      throw e.getException();
                                  }
                              }
                          }

                          • 10. Re: LdapExtLoginModule and jaasSecurityDomain
                            Vítězslav T Newbie

                            Good day,

                            How can I migrate this solution to JBoss 7 (if it's possible)? Thanks for replying.

                            • 11. Re: LdapExtLoginModule and jaasSecurityDomain
                              Gavin Lam Newbie

                              Has anyone found a solution for JBoss 5.1? I tried Nikos's solution but I can't get the code to compile.

                              • 12. Re: LdapExtLoginModule and jaasSecurityDomain
                                Nikos Massios Novice

                                Hello Gavin,

                                I am uploading the file that works in our workspace with JBoss 5.1GA. What problem do you have with the compilation?

                                Nikos