4 Replies Latest reply on Nov 24, 2013 7:47 AM by kababji

    Connection between security-domains and security-realms

    kababji
    kababji Nov 18, 2013 12:34 PM

      I am trying to configure authentication and authorization in an EAR application, I think I nailed the Authentication part but missing something for the Authorization. What I have done so far is the following:

       

      1. Created a new custom security-realm named MyRealm with two custom plugins to load users and roles from a custom database.
      2. Configured the subsystem urn:jboss:domain:remoting:2.0 to use MyRealm instead of ApplicationRealm.
      3. Annotated my Stateless EJB bean with @DeclareRoles("administrator") and one of its methods with @RolesAllowed("administrator")
      4. Finally I added a file under META-INF/jboss-ejb3.xml with the following content (I guess it is the default and may not be needed)
      <?xml version="1.0" encoding="UTF-8"?>
<jboss:jboss xmlns="http://java.sun.com/xml/ns/javaee" xmlns:jboss="http://www.jboss.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:s="urn:security:1.1" version="3.1" impl-version="2.0">
  <assembly-descriptor>
    <s:security>
      <ejb-name>*</ejb-name>
      <s:security-domain>other</s:security-domain>
    </s:security>
  </assembly-descriptor>
</jboss:jboss>

       

      What works:

      1. When I invoke remotely an EJB method annotated with (i.e. @PermitAll) it gets invoked correctly, and if I check the caller identity I see the correct username as configured in jboss-ejb-client.properties.
      2. If I try to invoke the same EJB method with a username/password not created in my database I get a connection error (authentication fails).
      3. I put some logs in my Auhtentication/Authorization plugins, and I see in the logs that the method loadRoles returns the roles correctly array: [administrator]


      What does not work:

      1. If I invoke a method that requires a specific role using the annotation @RolesAllowed("administrator") then the invocation fails and I get an error saying Invocation on method:.... is not allowed
      2. If I remove the @RolesAllowed and check the isCallerInRole("administrator") it returns FALSE, keep in mind that as requested from the JEE specification I have added the @DeclareRoles("administrator") on my EJB.



      My understanding is that to secure EJB's you need a security domain, and that if you don't specify a security domain then the default one used is "other" but how I can tell the "other" security domain to use my custom realm MyRealm? and if I need a security domain then why I have to specify MyRealm to the urn:jboss:domain:remoting:2.0 subsystem? and what is the connection between the urn:jboss:domain:remoting:2.0 and the other security domain?

       

      Reading the documentation of: Security Realms - WildFly 8 - Project Documentation Editor I read this phrase related to Authentication that I don't totally understand and may have something to do with my problem:

      Authorization

      The actual security realms are not involved in any authorization decisions however they can be configured to load a users roles which will subsequently be used to make authorization decisions - when references to authorization are seen in the context of security realms it is this loading of roles that is being referred to.

      For the loading of roles the process is split out to occur after the authentication step so after a user has been authenticated a second step will occur to load the roles based on the username they used to authenticate with.

       

      Thanks

        • 1. Re: Connection between security-domains and security-realms
          pmm
          pmm Nov 19, 2013 3:33 AM (in response to kababji)

          You need a domain as well. Here's what we do:

          We have a domain with a custom login module (in your case the default database login module may work as well). Then have a JAAS realm that delegates to the domain instead of using plugins.

            • Actions
          • 2. Re: Re: Connection between security-domains and security-realms
            kababji
            kababji Nov 19, 2013 9:29 AM (in response to pmm)

            You mean that the plugins are useless and I should do everything using the security-domain tag? if yes does this also mean that I don't have to modify this line in the XML configuration? but then the remoting subsystem will use the ApplicationRealm which is something I am trying to avoid!

             

            <subsystem xmlns="urn:jboss:domain:remoting:2.0">
  <http-connector name="http-remoting-connector" connector-ref="default" security-realm="MyRealm"/>
</subsystem>

             

            I would appreciate if you could share some snippets of the configuration.

              • Actions
            • 3. Re: Re: Re: Connection between security-domains and security-realms
              pmm
              pmm Nov 20, 2013 3:56 AM (in response to kababji)

              This is the (simplified) configuration we go with:

               

              <management>
  <security-realms>
  <security-realm name="AcmeRealm">
  <authentication>
  <jaas name="acme"/>
  </authentication>
  </security-realm>
  </security-realms>
</management>


<subsystem xmlns="urn:jboss:domain:security:1.2">
  <security-domains>
  <security-domain name="acme" cache-type="default">
  <authentication>
  <login-module code="Remoting" flag="optional">
  <module-option name="password-stacking" value="useFirstPass"/>
  </login-module>
  <login-module code="com.acme.jboss.security.loginmodule.AcmeLoginModule" flag="required" module="com.acme.jboss.security">
  <module-option name="dsJndiName" value="java:/global/datasources/OracleAcmeDS"/>
  <module-option name="hashAlgorithm" value="acmeHash2"/>
  <!-- for whatever reason users without a role are only allowed if this is set -->
  <module-option name="unauthenticatedIdentity" value="guest"/>
  </login-module>
  </authentication>
  </security-domain>
  </security-domains>
</subsystem>

<subsystem xmlns="urn:jboss:domain:remoting:1.1">
  <connector name="remoting-connector" socket-binding="remoting" security-realm="AcmeRealm"/>
</subsystem>

               

              It may well be that the default database login module works for you. Check out http://sahirzm.blogspot.ch/2011/12/configure-database-server-loginmodule.html

               

              Don't forget the domain 

              @SecurityDomain("acme")
public void AcmeBean {

}

              And a security annotation like @PermitAll or @RolesAllowed

                • Actions
              • 4. Re: Re: Re: Connection between security-domains and security-realms
                kababji
                kababji Nov 24, 2013 7:47 AM (in response to pmm)

                Thanks Philippe, your answer helped me configure the server correctly. The only small different was in the remoting subsystem in WildFly it is urn:jboss:domain:demoting:2.0 and uses an http-connector but the configuration is the same and it works!

                  • Actions