8 Replies Latest reply on Mar 20, 2013 4:16 AM by soul2zimate

    JBoss7 security-domain example with SecureIdentityLoginModule?

    mechevar
    mechevar Jul 31, 2011 6:21 PM

      Has anyone have a working example of <security-domain> working in JBoss7 while using the SecureIdentityLoginModule class to encrypt a database password?  I tried modifying a working login-config.xml configruation from previous JBoss 5 and its not working.  I keep getting this at startup

       

      Unauthenticated caller:null: java.lang.SecurityException: Unauthenticated caller:null

       

      I know the configuration is very different in JBoss7 so I'm sure I have a minor error somewhere since my configuration worked all the way through the 4 and 5 series.

       

      I got a simple script to encrypt the pass from the bin directory (i.e. ./encryptPass.sh myPassword1)

       

      #!/bin/bash
## Build ClassPath for command
CP=
CP=${CP}:../modules/org/picketbox/main/picketbox-4.0.0.CR1.jar
CP=${CP}:../modules/org/jboss/logging/main/jboss-logging-3.0.0.GA.jar

java -classpath ${CP} org.jboss.resource.security.SecureIdentityLoginModule $1

       

      In my standalone.xml I have the datasource and security domain defined like this

      <datasources>
  <datasource jndi-name="java:/oraclePool" pool-name="oraclePool" enabled="true" jta="true" use-java-context="true" use-ccm="true">
    <connection-url>jdbc:oracle:thin:@myurl:1521:mydb1</connection-url>
    <driver>com.oracle</driver>
    <pool>
      <min-pool-size>1</min-pool-size>
      <max-pool-size>200</max-pool-size>
      <prefill>true</prefill>
      <use-strict-min>false</use-strict-min>
      <flush-strategy>FailingConnectionOnly</flush-strategy>
    </pool>
    <security>
      <security-domain>encrypt</security-domain>

      <!-- works if I comment out security domain and uncomment plain user and pass
      <user-name>user</user-name>
      <password>password 1</password>
      -->
    </security>
    <statement>
      <track-statements>true</track-statements>
    </statement>
    <timeout>
      <blocking-timeout-millis>10000</blocking-timeout-millis>
      <idle-timeout-minutes>1</idle-timeout-minutes>
    </timeout>
    <validation>
      <exception-sorter class-name="org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter"></exception-sorter>
    </validation>
    </datasource>
      <drivers>
        <driver name="com.oracle" module="com.oracle">
          <xa-datasource-class>oracle.jdbc.xa.client.OracleXADataSource</xa-datasource-class>
        </driver>
      </drivers>
  </datasource>
</datasources>

<security-domain name="encrypt" cache-type="default">
  <authentication>
    <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
    <module-option name="username" value="user"/>
    <module-option name="password" value="388e8c68175fb02a4cce526e76882803"/>
    <module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=oraclePool"/>
  </authentication>
</security-domain>
        • 1. Re: JBoss7 security-domain example with SecureIdentityLoginModule?
          chrishiner
          chrishiner Aug 25, 2011 4:39 PM (in response to mechevar)

          Here's what I finally came up with:

                      <datasource jndi-name="jdbc/datasource" pool-name="some_Pool" enabled="true" jta="true" use-java-context="true" use-ccm="true">

                          <connection-url>

                              jdbc:db2://hostname:50000/DATABAS

                          </connection-url>

                          <driver>

                              db2

                          </driver>

                          <security>

                              <security-domain>mysecuritydomain</security-domain>

                          </security>

                      </datasource>

           

          Then:

                      <security-domain name="mysecuritydomain" cache-type="default">

                          <authentication>

                             <login-module code="SecureIdentity" flag="required">

                                <module-option name="username" value="username"/>

                                <module-option name="password" value="abcd8675309"/>

                             </login-module>

                          </authentication>

                      </security-domain>

            • Actions
          • 2. Re: JBoss7 security-domain example with SecureIdentityLoginModule?
            zekela104
            zekela104 Sep 2, 2011 11:07 AM (in response to chrishiner)

            I am trying to configure a security domain using the CLI.

             

            I can create the security domain, as follows:

             

                 /subsystem=security/security-domain=MyEncryptedDS:add(cache-type=default)

             

            which gives me:

             

                 <security-domain name="MyEncryptedDS" cache-type="default"/>

             

            but, I can't figure out how to create the authentication element containing the login-module and module-options.

             

            Does anyone know how to do this or whether it's even possible?

             

            Thanks.

             

              • Actions
            • 3. Re: JBoss7 security-domain example with SecureIdentityLoginModule?
              mmoyses
              mmoyses Sep 2, 2011 12:30 PM (in response to zekela104)

              You can add it via CLI using:

              /subsystem=security/security-domain=MyEncryptedDS:add(cache-type=default,authentication=[{"code"=>"SecureIdentity","flag"=>"required","module-options"=>[("username"=>"sa"),("password"=>"encryptedPassword")]}])

                • Actions
              • 4. Re: JBoss7 security-domain example with SecureIdentityLoginModule?
                zekela104
                zekela104 Sep 2, 2011 2:31 PM (in response to mmoyses)

                Thanks, Marcus.

                  • Actions
                • 5. Re: JBoss7 security-domain example with SecureIdentityLoginModule?
                  jbride
                  jbride Feb 20, 2012 1:46 AM (in response to mmoyses)

                  anybody else recently having problems getting this CLI command to execute in 7.1.0.Final ?

                   

                  the following is what I'm getting :

                   

                  [standalone@ratwaterIBM:9999 /] /subsystem=security/security-domain=MyEncryptedDS:add(cache-type=default,authentication=[{"code"=>"SecureIdentity","flag"=>"required","module-options"=>[("username"=>"sa"),("password"=>"encryptedPassword")]}])

                  'authentication' is not found among the supported properties: [cache-type]

                    • Actions
                  • 6. Re: JBoss7 security-domain example with SecureIdentityLoginModule?
                    chrishiner
                    chrishiner Feb 21, 2012 9:04 AM (in response to jbride)

                    Try this:

                    /subsystem=security/security-domain=somealiasname:add(cache-type=default)

                     

                    /subsystem=security/security-domain=somealiasname/authentication=classic:add(login-modules=[{"code"=>"SecureIdentity", "flag"=>"required", "module-options"=>[("username"=>"someuserid"),("password"=>"somepassword")]}])

                      • Actions
                    • 7. Re: JBoss7 security-domain example with SecureIdentityLoginModule?
                      jbride
                      jbride Feb 22, 2012 6:31 PM (in response to chrishiner)

                      thank you!

                       

                      this worked

                        • Actions
                      • 8. Re: JBoss7 security-domain example with SecureIdentityLoginModule?
                        soul2zimate
                        soul2zimate Mar 20, 2013 4:16 AM (in response to mmoyses)

                        Hey Marcus,

                         

                        Now one single command does not work since 7.1,

                         

                        /subsystem=security/security-domain=MyEncryptedDS:add(cache-type=default,authentication=[{"code"=>"SecureIdentity","flag"=>"required","module-options"=>[("username"=>"sa"),("password"=>"encryptedPassword")]}])

                         

                        this will cause failure message : 'authentication' is not found among the supported properties: [cache-type]

                         

                        I have to add the security-domain at first and add the classic authentication.


                        Is this a intentional modification like that?

                          • Actions