7 Replies Latest reply on Aug 23, 2013 2:52 PM by pgmjsd

    Disable security during development

    stianst

      I have a web application that uses the 'other' security domain for authentication. Is there a way I can specify a default user during development (without modifying the web.xml file) so I don't have to log in all the time when I'm trying out changes to the web app? Ideal would be if it's possible to edit the 'other' domain so it just defaults to a user without requiring any login.

        • 1. Re: Disable security during development
          jbertram

          Try adding this to the "RealmUsersRoles" login-module in the "other" <security-domain>:

           

            <module-option name="unauthenticatedIdentity" value="guest"/>

           

          Of course, you'll need to ensure this identity has a valid role in application-roles.properties.

          • 2. Re: Disable security during development
            stianst

            That didn't make any difference, have you tried this yourself?

            • 3. Re: Disable security during development
              jbertram

              Yes, I did try this myself in the past, and I just tried it again.  In both cases it worked as expected.  However, my use-case was JMS (which also uses the "other" security domain) so maybe there's a slight difference that causes it not to work with your use-case.  I wouldn't have suspected that though so my money is still on a configuration issue somewhere.

              • 4. Re: Disable security during development
                stianst

                I added the unauthenticatedIdentity option to RealmUsersRoles:

                 

                <login-module code="RealmUsersRoles" flag="required">
                  <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
                  <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
                  <module-option name="realm" value="ApplicationRealm"/>
                  <module-option name="password-stacking" value="useFirstPass"/>
                  <module-option name="unauthenticatedIdentity" value="guest"/>
                </login-module>
                

                 

                And added a group for the user in application-roles.properties. When I tried to open a secured page the login form was shown. To check that the guest user would actually work I added the guest user with a password, and I could successfully log in as that user. However, the login form is always shown, with or without the user specified in application-users.properties.

                • 5. Re: Disable security during development
                  jbertram

                  The configuration looks fine.  It must be related to something web-specific since my JMS use-case works fine.

                  • 6. Re: Disable security during development
                    hub3rt

                    I have a similar problem with a remote client. Is there any solution? In standalone.xml I got:

                     

                    <security-domain name="other" cache-type="default">
                      <authentication>
                        <login-module code="Remoting" flag="optional">
                          <module-option name="password-stacking" value="useFirstPass"/>
                        </login-module>
                        <login-module code="RealmUsersRoles" flag="required">
                          <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
                          <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
                          <module-option name="realm" value="ApplicationRealm"/>
                          <module-option name="password-stacking" value="useFirstPass"/>
                          <module-option name="unauthenticatedIdentity" value="guest"/>
                        </login-module>
                      </authentication>
                    </security-domain>

                     

                    and

                     

                    <security-realm name="ApplicationRealm">
                      <authentication>
                        <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                      </authentication>
                    </security-realm>

                     

                    My jboss-ejb-client.properties looks like:

                     

                    remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false
                    remote.connections=default
                    remote.connection.default.host=localhost
                    remote.connection.default.port=4447
                    remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false

                     

                    When I remove the credential and principal from jndi.properties like this:

                     

                    java.naming.factory.url.pkgs=org.jboss.ejb.client.naming
                    java.naming.factory.initial=org.jboss.naming.remote.client.InitialContextFactory
                    java.naming.provider.url=remote://localhost:4447
                    #java.naming.security.principal=user1
                    #java.naming.security.credentials=pass1

                     

                    and call an unprotected method from a class that doesn't even have a SecurityDomain, I get "javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed". So it seems like the client has not automatically been authenticated as guest.
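
Added example, not part of the thread and not JBoss code: a check that lists every login module in a standalone.xml carrying the unauthenticatedIdentity option shown in the posts above, together with the roles that fallback identity holds in application-roles.properties, so the setting can be found before a development configuration is reused elsewhere. The sample XML, its placeholder namespace, the second "strict" domain, the roles file content and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the "other" domain as posted in the thread plus a domain
# without the option. The xmlns value is a placeholder, not a real JBoss URN.
SAMPLE_STANDALONE = """<server xmlns="urn:example:placeholder">
  <security-domain name="other" cache-type="default"><authentication>
    <login-module code="RealmUsersRoles" flag="required">
      <module-option name="realm" value="ApplicationRealm"/>
      <module-option name="unauthenticatedIdentity" value="guest"/>
    </login-module>
  </authentication></security-domain>
  <security-domain name="strict"><authentication>
    <login-module code="RealmUsersRoles" flag="required"/>
  </authentication></security-domain>
</server>"""

# Constructed application-roles.properties content (username=role1,role2).
SAMPLE_ROLES = "# comment line\nadmin=admin,user\nguest=guest,user\n"

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]

def parse_roles(text):
    """Map each user in a roles properties file to its list of roles."""
    roles = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            user, _, value = line.partition("=")
            roles[user.strip()] = [r.strip() for r in value.split(",") if r.strip()]
    return roles

def audit(standalone_xml, roles_text):
    """List every login module that maps unauthenticated callers to an identity."""
    roles = parse_roles(roles_text)
    findings = []
    for domain in ET.fromstring(standalone_xml).iter():
        if local(domain.tag) != "security-domain":
            continue
        for module in (m for m in domain.iter() if local(m.tag) == "login-module"):
            for opt in module:
                if local(opt.tag) == "module-option" and opt.get("name") == "unauthenticatedIdentity":
                    ident = opt.get("value")
                    findings.append((domain.get("name"), module.get("code"), ident, roles.get(ident, [])))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_STANDALONE, SAMPLE_ROLES))
```

Each finding is a tuple of security domain, login module code, fallback identity and the roles that identity is granted; an empty role list means the identity has no entry in the roles file.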

                    • 7. Re: Disable security during development
                      pgmjsd

                      Here is how to disable the security for remote EJB calls in AS 7: JBoss AS 7.1 - Disable Remote EJB Security Realm