8 Replies Latest reply on Mar 20, 2013 4:16 AM by soul2zimate

    JBoss7 security-domain example with SecureIdentityLoginModule?

    mechevar

      Does anyone have a working example of <security-domain> in JBoss7 using the SecureIdentityLoginModule class to encrypt a database password?  I tried modifying a working login-config.xml configuration from the previous JBoss 5 and it's not working.  I keep getting this at startup:

       

      Unauthenticated caller:null: java.lang.SecurityException: Unauthenticated caller:null
      

       

      I know the configuration is very different in JBoss7 so I'm sure I have a minor error somewhere since my configuration worked all the way through the 4 and 5 series.

       

      I got a simple script to encrypt the pass from the bin directory (i.e. ./encryptPass.sh myPassword1)

       

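      #!/bin/bash
      ## Build the classpath for the command (paths are relative to the bin directory)
      CP=../modules/org/picketbox/main/picketbox-4.0.0.CR1.jar
      CP=${CP}:../modules/org/jboss/logging/main/jboss-logging-3.0.0.GA.jar
      
      # Quote the arguments so a password with spaces or shell characters is passed intact
      java -classpath "${CP}" org.jboss.resource.security.SecureIdentityLoginModule "$1"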
      

       

      In my standalone.xml I have the datasource and security domain defined like this

      <datasources>
        <datasource jndi-name="java:/oraclePool" pool-name="oraclePool" enabled="true" jta="true" use-java-context="true" use-ccm="true">
          <connection-url>jdbc:oracle:thin:@myurl:1521:mydb1</connection-url>
          <driver>com.oracle</driver>
          <pool>
            <min-pool-size>1</min-pool-size>
            <max-pool-size>200</max-pool-size>
            <prefill>true</prefill>
            <use-strict-min>false</use-strict-min>
            <flush-strategy>FailingConnectionOnly</flush-strategy>
          </pool>
          <security>
            <security-domain>encrypt</security-domain>
      
            <!-- works if I comment out security domain and uncomment plain user and pass
            <user-name>user</user-name>
            <password>password 1</password>
            -->
          </security>
          <statement>
            <track-statements>true</track-statements>
          </statement>
          <timeout>
            <blocking-timeout-millis>10000</blocking-timeout-millis>
            <idle-timeout-minutes>1</idle-timeout-minutes>
          </timeout>
          <validation>
            <exception-sorter class-name="org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter"></exception-sorter>
          </validation>
        </datasource>
        <drivers>
          <driver name="com.oracle" module="com.oracle">
            <xa-datasource-class>oracle.jdbc.xa.client.OracleXADataSource</xa-datasource-class>
          </driver>
        </drivers>
      </datasources>
      
      <security-domain name="encrypt" cache-type="default">
        <authentication>
          <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
            <module-option name="username" value="user"/>
            <module-option name="password" value="388e8c68175fb02a4cce526e76882803"/>
            <module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=oraclePool"/>
          </login-module>
        </authentication>
      </security-domain>
      
        • 1. Re: JBoss7 security-domain example with SecureIdentityLoginModule?
          chrishiner

          Here's what I finally came up with:

                      <datasource jndi-name="jdbc/datasource" pool-name="some_Pool" enabled="true" jta="true" use-java-context="true" use-ccm="true">
                          <connection-url>jdbc:db2://hostname:50000/DATABAS</connection-url>
                          <driver>db2</driver>
                          <security>
                              <security-domain>mysecuritydomain</security-domain>
                          </security>
                      </datasource>

           

          Then:

                      <security-domain name="mysecuritydomain" cache-type="default">
                          <authentication>
                             <login-module code="SecureIdentity" flag="required">
                                <module-option name="username" value="username"/>
                                <module-option name="password" value="abcd8675309"/>
                             </login-module>
                          </authentication>
                      </security-domain>
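
An added example, not part of any post in this thread: a small audit of a standalone.xml-style file that reports, per datasource, an inline `<password>`, a reference to a security domain that is not defined, or a login-module `code` other than the short name used in the reply above. The sample XML is constructed from the fragments posted here; `plainPool`, `orphanPool` and the finding labels are hypothetical, and treating `SecureIdentity` as the expected value is an assumption taken from that reply.

```python
import xml.etree.ElementTree as ET

# Constructed sample built from the fragments posted in this thread.
SAMPLE = """<server><datasources>
 <datasource pool-name="oraclePool"><security>
  <security-domain>encrypt</security-domain></security></datasource>
 <datasource pool-name="some_Pool"><security>
  <security-domain>mysecuritydomain</security-domain></security></datasource>
 <datasource pool-name="plainPool"><security>
  <user-name>user</user-name><password>constructed</password></security></datasource>
 <datasource pool-name="orphanPool"><security>
  <security-domain>missing</security-domain></security></datasource>
</datasources><security-domains>
 <security-domain name="encrypt"><authentication>
  <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required"/>
 </authentication></security-domain>
 <security-domain name="mysecuritydomain"><authentication>
  <login-module code="SecureIdentity" flag="required"/>
 </authentication></security-domain>
</security-domains></server>"""

EXPECTED_CODE = "SecureIdentity"  # assumption: the short name used in the working reply

def local(el):
    """Tag name without any XML namespace prefix."""
    return el.tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return sorted (pool-name, finding) pairs for datasource credential settings."""
    root = ET.fromstring(xml_text)
    # Domain definitions carry a name attribute; datasource references do not.
    domains = {d.get("name"): [m.get("code") for m in d.iter() if local(m) == "login-module"]
               for d in root.iter() if local(d) == "security-domain" and d.get("name")}
    findings = []
    for ds in (e for e in root.iter() if local(e) == "datasource"):
        pool = ds.get("pool-name")
        for el in ds.iter():
            if local(el) == "password":
                findings.append((pool, "inline-password"))
            elif local(el) == "security-domain":
                name = (el.text or "").strip()
                if name not in domains:
                    findings.append((pool, "undefined-domain"))
                elif EXPECTED_CODE not in domains[name]:
                    findings.append((pool, "unexpected-module-code"))
    return sorted(findings)

if __name__ == "__main__":
    for pool, finding in audit(SAMPLE):
        print(pool, finding)
```

The encoded `password` option should be access-controlled like the plain password: the module decodes it without any per-installation secret, so the file permissions on standalone.xml remain the actual protection.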

          • 2. Re: JBoss7 security-domain example with SecureIdentityLoginModule?
            zekela104

            I am trying to configure a security domain using the CLI.

             

            I can create the security domain, as follows:

             

                 /subsystem=security/security-domain=MyEncryptedDS:add(cache-type=default)

             

            which gives me:

             

                 <security-domain name="MyEncryptedDS" cache-type="default"/>

             

            but, I can't figure out how to create the authentication element containing the login-module and module-options.

             

            Does anyone know how to do this or whether it's even possible?

             

            Thanks.

             

            • 3. Re: JBoss7 security-domain example with SecureIdentityLoginModule?
              mmoyses

              You can add it via CLI using:

              /subsystem=security/security-domain=MyEncryptedDS:add(cache-type=default,authentication=[{"code"=>"SecureIdentity","flag"=>"required","module-options"=>[("username"=>"sa"),("password"=>"encryptedPassword")]}])

              • 4. Re: JBoss7 security-domain example with SecureIdentityLoginModule?
                zekela104

                Thanks, Marcus.

                • 5. Re: JBoss7 security-domain example with SecureIdentityLoginModule?
                  jbride

                  Anybody else recently having problems getting this CLI command to execute in 7.1.0.Final?

                  The following is what I'm getting:

                   

                  [standalone@ratwaterIBM:9999 /] /subsystem=security/security-domain=MyEncryptedDS:add(cache-type=default,authentication=[{"code"=>"SecureIdentity","flag"=>"required","module-options"=>[("username"=>"sa"),("password"=>"encryptedPassword")]}])

                  'authentication' is not found among the supported properties: [cache-type]

                  • 6. Re: JBoss7 security-domain example with SecureIdentityLoginModule?
                    chrishiner

                    Try this:

                    /subsystem=security/security-domain=somealiasname:add(cache-type=default)

                     

                    /subsystem=security/security-domain=somealiasname/authentication=classic:add(login-modules=[{"code"=>"SecureIdentity", "flag"=>"required", "module-options"=>[("username"=>"someuserid"),("password"=>"somepassword")]}])

                    • 7. Re: JBoss7 security-domain example with SecureIdentityLoginModule?
                      jbride

                      thank you!

                       

                      this worked

                      • 8. Re: JBoss7 security-domain example with SecureIdentityLoginModule?
                        soul2zimate

                        Hey Marcus,

                         

                        The single command no longer works since 7.1:

                         

                        /subsystem=security/security-domain=MyEncryptedDS:add(cache-type=default,authentication=[{"code"=>"SecureIdentity","flag"=>"required","module-options"=>[("username"=>"sa"),("password"=>"encryptedPassword")]}])

                         

                        This causes the failure message: 'authentication' is not found among the supported properties: [cache-type]

                         

                        I have to add the security-domain first and then add the classic authentication.

                        Is this an intentional modification?