7 Replies Latest reply on Jan 31, 2013 6:44 AM by hisanobu.okuda

    jaas tag for management interface does not work in domain mode

    hisanobu.okuda

      Some LDAP server products allow binding with an empty password. This feature is problematic when you want to use LDAP for authentication of the JBoss AS7 web console, i.e., any user can log in to the console with an empty password. Since the <ldap> tag in security-realm does not have a capability to check for an empty password, my customer wants to use <jaas>. It works in standalone mode. The configuration is as follows:


            <security-realm name="ldap_security_realm">
              <authentication>
                <jaas name="managementLDAPDomain"/>
              </authentication>
            </security-realm>
          </security-realms>
          <management-interfaces>
            <native-interface security-realm="ManagementRealm">
              <socket interface="management" port="${jboss.management.native.port:9999}"/>
            </native-interface>
            <http-interface security-realm="ManagementRealm">
              <socket interface="management" port="${jboss.management.http.port:9990}"/>
            </http-interface>
          </management-interfaces>
        </management>
        ...
        (skip)
        ...
        <subsystem xmlns="urn:jboss:domain:security:1.1">
          <security-domains>
            <security-domain name="managementLDAPDomain">
              <authentication>
                <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
                  <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                  <module-option name="java.naming.provider.url" value="ldap://dhcp-107.winlab.fab.redhat.com:389"/>
                  <module-option name="java.naming.security.authentication" value="simple"/>
                  <module-option name="bindDN" value="cn=Administrator,cn=users,DC=domain1,DC=winlab,DC=fab,DC=redhat,DC=com"/>
                  ...


      But it does not work in domain mode, because you can't put the <security-domain> tag into host.xml. I put <security-domain> into domain.xml, but that does not work either. Please help me out on how to configure it.


      Regards,

      Hisanobu Okuda
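
The empty-password bind the opening post describes is the "unauthenticated" simple bind of RFC 4513 section 5.1.2: a non-empty DN sent with a zero-length password, which a permissive server answers with success while granting only anonymous authorization. The following is an added example, not code from the thread or from JBoss: a constructed stand-in server (FakeLdapServer) models that behaviour, a naive login routine shows how "bind succeeded" gets mistaken for "user authenticated", and a hardened routine adds the two checks a practitioner wants, refusing empty passwords before the bind and confirming the bound identity afterwards. The DNs and passwords in SAMPLE_DIRECTORY are constructed sample data.

```python
"""Empty-password LDAP bind: the pitfall from the opening post, and a guard.

Added example, not code from the thread or from JBoss. RFC 4513 5.1.2 defines
the "unauthenticated" simple bind: non-empty DN, zero-length password. A server
that permits it returns success, but the session only has anonymous
authorization. Login code that equates "bind succeeded" with "authenticated"
therefore accepts every known user with an empty password.
"""


class BindError(Exception):
    """Raised for a failed bind (LDAP resultCode other than success)."""


class FakeLdapServer:
    """Constructed stand-in modelling the three simple-bind variants of RFC 4513."""

    def __init__(self, directory, allow_unauthenticated=True):
        self._directory = directory            # user DN -> password (constructed data)
        self._allow_unauth = allow_unauthenticated

    def simple_bind(self, dn, password):
        """Return the authorization identity the session holds after the bind."""
        if dn == "" and password == "":
            return "anonymous"                 # 5.1.1 anonymous bind
        if password == "":
            if self._allow_unauth:
                return "anonymous"             # 5.1.2 unauthenticated bind: success, but anonymous
            raise BindError("unwillingToPerform: unauthenticated bind is disabled")
        if self._directory.get(dn) == password:
            return "dn:" + dn                  # 5.1.3 name/password bind
        raise BindError("invalidCredentials")

    def find_user_dn(self, uid):
        """Stand-in for the search a real client performs with its service account."""
        for dn in self._directory:
            if dn.startswith(f"uid={uid},"):
                return dn
        return None


def naive_authenticate(server, uid, password):
    """Treats a successful bind as proof of identity: vulnerable to unauthenticated bind."""
    dn = server.find_user_dn(uid)
    if dn is None:
        return False
    try:
        server.simple_bind(dn, password)
        return True
    except BindError:
        return False


def hardened_authenticate(server, uid, password):
    """Same flow with the two checks a practitioner wants."""
    # 1. Never send an empty password: on a permissive server that is not a
    #    failed login, it is a successful anonymous bind.
    if not password:
        return False
    dn = server.find_user_dn(uid)
    if dn is None:
        return False
    try:
        authz_id = server.simple_bind(dn, password)
    except BindError:
        return False
    # 2. Confirm the session is really bound as that user, the way an RFC 4532
    #    "Who am I?" request would, instead of trusting the success code alone.
    return authz_id == "dn:" + dn


SAMPLE_DIRECTORY = {"uid=alice,ou=people,dc=example,dc=test": "s3cret-pw"}   # constructed


def demo():
    """Return (naive verdict, hardened verdict) for an empty-password login as alice."""
    permissive = FakeLdapServer(SAMPLE_DIRECTORY)
    return (naive_authenticate(permissive, "alice", ""),
            hardened_authenticate(permissive, "alice", ""))


if __name__ == "__main__":
    print("naive accepts empty password: %s, hardened accepts: %s" % demo())
```

Against a real directory the same two checks apply: reject an empty (or absent) password in the application before any network call, and do not rely on the bind result code alone when the server is known to permit unauthenticated binds.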

        • 1. Re: jaas tag for management interface does not work in domain mode
          dlofthouse

          In domain mode you would need to use a traditional JAAS config and reference it with the -Djava.security.auth.login.config property when starting the domain.

           

          However, I see that the reason you are using JAAS is to use an LDAP-based definition. Are you aware that you can configure the realm to use LDAP?

          • 2. Re: jaas tag for management interface does not work in domain mode
            hisanobu.okuda

            Darran, thank you for the info.

            I tried the -Djava.security.auth.login.config property.

            I changed the jaas name to "simple":


                  <security-realm name="ldap_security_realm">
                    <authentication>
                      <jaas name="simple"/>
                    </authentication>
                  </security-realm>
                </security-realms>
                <management-interfaces>
                  <native-interface security-realm="ManagementRealm">
                    <socket interface="management" port="${jboss.management.native.port:9999}"/>
                  </native-interface>
                  <http-interface security-realm="ldap_security_realm">
                    <socket interface="management" port="${jboss.management.http.port:9990}"/>
                  </http-interface>
                </management-interfaces>


            then created simple.conf:


            simple {
                org.jboss.security.auth.spi.SimpleServerLoginModule required;
            };

            and added -Djava.security.auth.login.config=/opt/jboss-eap-6.0/domain/configuration/simple.conf

            then restarted JBoss AS7:


            [hokuda@dhcp-193-121 configuration]$ ps -ef | grep "Host Controller"
            hokuda   17156 17137 13 22:32 pts/0    00:00:03 /usr/lib/jvm/java-1.6.0/bin/java -D[Host Controller] -Dorg.jboss.boot.log.file=/opt/jboss-eap-6.0/domain/log/host-controller.log -Dlogging.configuration=file:/opt/jboss-eap-6.0/domain/configuration/logging.properties -server -Xms64m -Xmx512m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true -Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -Djboss.domain.default.config=domain.xml -Djboss.host.default.config=host.xml -Djava.security.auth.login.config=/opt/jboss-eap-6.0/domain/configuration/simple.conf -jar /opt/jboss-eap-6.0/jboss-modules.jar -mp /opt/jboss-eap-6.0/modules -jaxpmodule javax.xml.jaxp-provider org.jboss.as.host-controller -mp /opt/jboss-eap-6.0/modules --pc-address 127.0.0.1 --pc-port 53984 -default-jvm /usr/lib/jvm/java-1.6.0/bin/java --host-config=myhost.xml --domain-config=mydomain.xml -Djboss.home.dir=/opt/jboss-eap-6.0
            ...

            When I logged in, the console showed "The web console could not be loaded. Authentication required.".

            What am I missing?


            Regards,
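
The simple.conf above uses the standard JAAS login configuration syntax (an entry name, then one `class flag [option=value ...];` line per login module). As an added example that is not from the thread or from JBoss, the Python below parses that format and then applies the JAAS stacking rules for the four control flags (required, requisite, sufficient, optional) to a set of assumed login() outcomes, which is the part of such a file that decides who gets in. SAMPLE_CONF is constructed: its first entry is the one from this reply; the second entry, its LDAP URL, bind DN and the class com.example.InHouseLoginModule are made up for illustration. One caveat about the module chosen here for testing: SimpleServerLoginModule is a test module whose documented algorithm accepts a null password as the guest identity, so it proves the JAAS plumbing works but is no answer to the empty-password problem that opened the thread.

```python
"""Parse a JAAS login-configuration file and evaluate its login-module stack.

Added example, not from the thread or from JBoss. Parses the same text format
as simple.conf above and applies the control-flag semantics documented for
javax.security.auth.login.Configuration to assumed module outcomes.
"""
import re

FLAGS = {"required", "requisite", "sufficient", "optional"}

# Constructed sample. The first entry is the thread's simple.conf; everything in
# the second entry (URL, bind DN, com.example.InHouseLoginModule) is made up.
SAMPLE_CONF = """
simple {
    org.jboss.security.auth.spi.SimpleServerLoginModule required;
};

ldap_with_fallback {
    org.jboss.security.auth.spi.LdapExtLoginModule sufficient
        java.naming.provider.url="ldap://ldap.example.internal:389"
        bindDN="cn=svc,dc=example,dc=internal";
    com.example.InHouseLoginModule optional debug=true;
};
"""

ENTRY_RE = re.compile(r"(\w+)\s*\{(.*?)\};", re.S)
OPT_RE = re.compile(r'([\w.]+)=("([^"]*)"|\S+)')


def parse_jaas_config(text):
    """Return {entry_name: [(module_class, flag, {option: value}), ...]}."""
    entries = {}
    for name, body in ENTRY_RE.findall(text):
        modules = []
        for stmt in filter(None, (s.strip() for s in body.split(";"))):
            tokens = stmt.split(None, 2)          # class, flag, rest-of-options
            if len(tokens) < 2 or tokens[1].lower() not in FLAGS:
                raise ValueError(f"bad module line in {name!r}: {stmt!r}")
            opts = {}
            if len(tokens) == 3:
                for key, raw, quoted in OPT_RE.findall(tokens[2]):
                    opts[key] = quoted if raw.startswith('"') else raw
            modules.append((tokens[0], tokens[1].lower(), opts))
        entries[name] = modules
    return entries


def evaluate_stack(modules, outcomes):
    """JAAS stacking rules. `outcomes` maps module class -> login() result (bool).

    required/requisite: must succeed; requisite failure stops the stack at once.
    sufficient: success returns immediately unless an earlier required/requisite failed.
    optional: never decisive unless no required/requisite module exists at all.
    """
    required_failed = False
    any_required = False
    other_ok = False
    for cls, flag, _opts in modules:
        ok = outcomes.get(cls, False)
        if flag in ("required", "requisite"):
            any_required = True
            if not ok:
                required_failed = True
                if flag == "requisite":
                    return False
        elif flag == "sufficient":
            if ok and not required_failed:
                return True
            other_ok = other_ok or ok
        else:                                     # optional
            other_ok = other_ok or ok
    return (not required_failed) if any_required else other_ok


if __name__ == "__main__":
    cfg = parse_jaas_config(SAMPLE_CONF)
    for name, mods in cfg.items():
        print(name, "->", mods)
    ldap = cfg["ldap_with_fallback"]
    print("LDAP fails, in-house module succeeds:", evaluate_stack(ldap, {ldap[1][0]: True}))
```

The second sample entry shows why the flags matter for the management interface: with the LDAP module marked `sufficient` and the fallback `optional`, a login succeeds whenever either module says yes, whereas marking the LDAP module `required` (as the thread's `<login-module ... flag="required">` does) makes its verdict binding regardless of what follows.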

            • 3. Re: jaas tag for management interface does not work in domain mode
              hisanobu.okuda

              I attached jdb to the AS7 Host Controller instance and found com.sun.security.auth.login.ConfigFile missing:


              HttpManagementService-threads - 3[1] step
              > 
              Step completed: "thread=HttpManagementService-threads - 3", org.jboss.modules.log.JDKModuleLogger.trace(), line=128 bci=0
              
              HttpManagementService-threads - 3[1] locals
              Method arguments:
              format = "Class %s not found from %s"
              arg1 = "com.sun.security.auth.login.ConfigFile"
              arg2 = instance of org.jboss.modules.Module(id=4949)
              Local variables:
              HttpManagementService-threads - 3[1] cont
              


              Why is "com.sun.security.auth.login.ConfigFile" not found? In standalone mode, the class is loaded successfully...


              Regards,

              • 4. Re: jaas tag for management interface does not work in domain mode
                hisanobu.okuda

                <jaas> with the -Djava.security.auth.login.config option does not work in standalone mode either.

                • 5. Re: jaas tag for management interface does not work in domain mode
                  hisanobu.okuda

                  Resolved by adding -Djava.security.auth.login.config=/mydir/myjaasconfigfile and -Djboss.modules.system.pkgs=com.sun.security.auth.login
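
One check worth making before copying the fix above: the Host Controller command line quoted in reply 2 already carries -Djboss.modules.system.pkgs=org.jboss.byteman, and when the same -D key appears twice on a JVM command line the last one wins, so adding a second -Djboss.modules.system.pkgs=com.sun.security.auth.login silently drops org.jboss.byteman from the list of packages JBoss Modules hands to the system class loader. The value should instead be extended as a comma-separated list. The Python below is an added helper, not part of the thread or of JBoss, that merges a package into an existing JAVA_OPTS string; SAMPLE_OPTS is a constructed, shortened version of the options seen in that ps output.

```python
"""Merge a value into a -D<key>= option in a JAVA_OPTS string without dropping
the entries already there. Added example, not from the thread or from JBoss.
"""
import shlex

# Constructed, shortened version of the Host Controller options in reply 2.
SAMPLE_OPTS = ("-Xms64m -Xmx512m -Djboss.modules.system.pkgs=org.jboss.byteman "
               "-Djava.awt.headless=true")


def merge_system_property(java_opts, key, new_values):
    """Return java_opts with a single -D<key>= whose value is the union of the
    existing comma-separated values and new_values (order preserved, no duplicates).
    If the key is absent the option is appended; otherwise it keeps its first position.
    """
    prefix = f"-D{key}="
    tokens = shlex.split(java_opts)
    merged, first_at = [], None
    for i, tok in enumerate(tokens):
        if tok.startswith(prefix):
            merged.extend(v for v in tok[len(prefix):].split(",") if v)
            if first_at is None:
                first_at = i
    for value in new_values:
        if value not in merged:
            merged.append(value)
    rebuilt = prefix + ",".join(merged)
    # Every token before first_at is kept, so inserting at that index keeps the slot.
    out = [t for t in tokens if not t.startswith(prefix)]
    if first_at is None:
        out.append(rebuilt)
    else:
        out.insert(first_at, rebuilt)
    return " ".join(shlex.quote(t) for t in out)


if __name__ == "__main__":
    print(merge_system_property(SAMPLE_OPTS, "jboss.modules.system.pkgs",
                                ["com.sun.security.auth.login"]))
```

In domain mode the Host Controller picks its options up from the JAVA_OPTS used by the domain start script, so the merged string is what belongs there, together with the -Djava.security.auth.login.config path from the reply above.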

                  • 6. Re: jaas tag for management interface does not work in domain mode
                    nicolasstr

                    This helped me as well.

                    Now one step further:

                    My problem is that I am using a custom (in-house) LoginModule, and I find no way to make it loadable by the Host Controller; I get javax.security.auth.login.LoginException: unable to find LoginModule class.

                    Indeed, in a security-domain in standalone mode, I can set the EAP module where the LoginModule is located in the login-module/module attribute.

                    But I cannot do that with the external JAAS config file used by the Host Controller.

                    Any idea?

                    • 7. Re: jaas tag for management interface does not work in domain mode
                      hisanobu.okuda

                      Which modules get loaded seems to be pre-defined and hard-coded. The PicketBox module is one of them. Try adding your jar to the picketbox module.