-
1. Re: CLIENT_CERT with ActiveDirectory roles
mchoma Jun 10, 2016 1:33 AM (in response to geturner)
What is your setup? Does wildfly perform 2 way TLS authentication or some web server in front (apache)? If wildfly, you should be able to use Certificate login module (to get certificate subject - user login) in conjunction with LdapRoles mapping modules (to get roles).
*Ldap login modules can be used when the user provides username/password, which is not your case.
For a comprehensive list of available modules look at Login Module Reference - Red Hat Customer Portal
-
2. Re: CLIENT_CERT with ActiveDirectory roles
geturner Jun 10, 2016 8:55 AM (in response to mchoma)
Here is my setup. I have the AD url set to a local port 389 which I have TCPMon intercepting so that I can see activity going to AD, but it never gets ANYTHING!
<management>
<security-realms>
<security-realm name="ManagementRealm">
<authentication>
<local default-user="$local" skip-group-loading="true"/>
<properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
<authorization map-groups-to-roles="false">
<properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
<security-realm name="ApplicationRealm">
<server-identities>
<ssl>
<keystore path="keystore.jks" relative-to="jboss.server.config.dir" keystore-password="changeit" alias="ncserver" key-password="changeit"/>
</ssl>
</server-identities>
<authentication>
<truststore path="truststore.jks" relative-to="jboss.server.config.dir" keystore-password="changeit"/>
</authentication>
<authorization map-groups-to-roles="true">
<ldap connection="ActiveDirectory">
<username-to-dn>
<username-filter base-dn="OU=ExternalUsers,DC=sf,DC=space,DC=smil" recursive="false" user-dn-attribute="dn" attribute="serialNumber"/>
</username-to-dn>
<group-search group-name-attribute="cn">
<principal-to-group group-attribute="memberOf"/>
</group-search>
</ldap>
</authorization>
</security-realm>
</security-realms>
<outbound-connections>
<ldap name="ActiveDirectory" url="ldap://localhost:389" search-dn="cn=wildfly,cn=Users,dc=sf,dc=space,dc=smil" search-credential="1qaz2wsx!QAZ@WSX" security-realm="ApplicationRealm"/>
</outbound-connections>
<audit-log>
<formatters>
<json-formatter name="json-formatter"/>
</formatters>
<handlers>
<file-handler name="file" formatter="json-formatter" path="audit-log.log" relative-to="jboss.server.data.dir"/>
</handlers>
<logger log-boot="true" log-read-only="false" enabled="true">
<handlers>
<handler name="file"/>
</handlers>
</logger>
</audit-log>
<management-interfaces>
<http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">
<socket-binding http="management-http"/>
</http-interface>
</management-interfaces>
<access-control provider="simple">
<role-mapping>
<role name="SuperUser">
<include>
<user name="$local"/>
</include>
</role>
</role-mapping>
</access-control>
</management>
-
3. Re: CLIENT_CERT with ActiveDirectory roles
mchoma Jun 14, 2016 1:21 AM (in response to geturner)
To set up 2 way TLS with Undertow see
https://github.com/wildfly/quickstart/tree/10.x/helloworld-client-ssl
To achieve additional role mapping you need to define a security domain (for example named cert_sec_domain) using Certificate Login Module and Ldap Roles Mapping Provider.
For more details see https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0.beta/login-module-reference/
And reference this "cert_sec_domain" in jboss-web.xml
It means you don't need the authorization element to be set in the security realm. Note, your references are cycling in your security realm configuration: ApplicationRealm -> authorization -> ldap -> outbound-connections -> ApplicationRealm
-
4. Re: CLIENT_CERT with ActiveDirectory roles
geturner Jun 14, 2016 8:54 AM (in response to mchoma)
I have resolved the issue on my own. Please do not reply to this discussion from here forward.
-
5. Re: CLIENT_CERT with ActiveDirectory roles
mchoma Jun 14, 2016 9:00 AM (in response to geturner)
Please, can you share with us your solution?
-
6. Re: CLIENT_CERT with ActiveDirectory roles
geturner Jun 14, 2016 11:32 AM (in response to mchoma)
It may not be perfect, but it is working well for me:
<management>
<security-realms>
<security-realm name="ManagementRealm">
<authentication>
<local default-user="$local" skip-group-loading="true"/>
<properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
<authorization map-groups-to-roles="false">
<properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
<security-realm name="ApplicationRealm">
<server-identities>
<ssl>
<keystore path="keystore.jks" relative-to="jboss.server.config.dir" keystore-password="changeit" alias="ncserver" key-password="changeit"/>
</ssl>
</server-identities>
<authentication>
<truststore path="truststore.jks" relative-to="jboss.server.config.dir" keystore-password="changeit"/>
</authentication>
</security-realm>
</security-realms>
<subsystem xmlns="urn:jboss:domain:security:1.2">
<security-domains>
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmDirect" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
<security-domain name="jboss-web-policy"> <!-- add cache-type="default" for production? -->
<authentication>
<login-module code="Certificate" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="securityDomain" value="jboss-web-policy"/>
<module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>
</login-module>
<login-module code="AdvancedLdap" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="bindDN" value="cn=wildfly,cn=Users,dc=sf,dc=space,dc=smil"/>
<module-option name="bindCredential" value="1qaz2wsx!QAZ@WSX"/>
<module-option name="java.naming.provider.url" value="ldap://10.10.20.89:389"/>
<module-option name="baseCtxDN" value="OU=ExternalUsers,DC=sf,DC=space,DC=smil"/>
<module-option name="baseFilter" value="(uid={0})"/>
<module-option name="roleAttributeID" value="memberOf"/>
<module-option name="roleAttributeIsDN" value="true"/>
<module-option name="roleNameAttributeID" value="cn"/>
<module-option name="rolesCtxDN" value="DC=sf,DC=space,DC=smil"/>
<module-option name="recurseRoles" value="true"/>
</login-module>
</authentication>
<jsse keystore-password="changeit" keystore-url="file:${jboss.server.config.dir}/keystore.jks" truststore-password="changeit" truststore-url="file:${jboss.server.config.dir}/truststore.jks" client-auth="true"/>
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
<security-domain name="jboss-ejb-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
</security-domains>
</subsystem>
Be sure to add a jboss-web.xml containing
<jboss-web>
<security-domain>jboss-web-policy</security-domain>
</jboss-web>
And in the web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>DataStoreWebService</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
<auth-constraint>
<role-name>DataStoreWebServiceAccessRole</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT_CERT</auth-method>
<realm-name>ApplicationRealm</realm-name>
</login-config>
<security-role>
<role-name>DataStoreWebServiceAccessRole</role-name>
</security-role>
</web-app>
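The role-resolution step the working configuration above depends on, as an added illustration (my own model, not the thread's configuration or PicketBox's AdvancedLdap code): it takes the principal name the Certificate login module shares via password-stacking, substitutes it into the baseFilter template with RFC 4515 escaping, finds the entry in a constructed in-memory stand-in for the AD subtree, and turns the memberOf DNs into cn role names the way roleAttributeIsDN="true" / roleNameAttributeID="cn" do. The directory entries, the principal values and the no-roles-on-ambiguous-match rule are assumptions of the example.

```python
import re

# Constructed sample directory: two entries under the thread's baseCtxDN, each with the
# memberOf values that roleAttributeID="memberOf" / roleAttributeIsDN="true" would return.
DIRECTORY = {
    "CN=datastore-client,OU=ExternalUsers,DC=sf,DC=space,DC=smil": {
        "uid": "datastore-client",
        "memberOf": ["CN=DataStoreWebServiceAccessRole,OU=Groups,DC=sf,DC=space,DC=smil",
                     "CN=Operators,OU=Groups,DC=sf,DC=space,DC=smil"],
    },
    "CN=other,OU=ExternalUsers,DC=sf,DC=space,DC=smil": {
        "uid": "other",
        "memberOf": ["CN=Operators,OU=Groups,DC=sf,DC=space,DC=smil"],
    },
}

def escape_filter_value(value):
    """Escape a value for an LDAP search filter per RFC 4515 (backslash, *, parentheses, NUL)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(template, principal):
    """Substitute the shared principal into a baseFilter template such as (uid={0})."""
    return template.replace("{0}", escape_filter_value(principal))

def matches(entry, ldap_filter):
    """Evaluate the one filter shape this model needs: a single equality like (uid=bob)."""
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", ldap_filter)
    if not m:
        return False
    attr, raw = m.groups()
    # Undo the RFC 4515 escaping so the stored value is compared literally.
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), raw)
    return entry.get(attr) == value

def rdn_value(dn, attr):
    """Return the named attribute of a DN's first RDN (roleNameAttributeID="cn")."""
    key, _, val = dn.split(",", 1)[0].partition("=")
    return val if key.strip().lower() == attr.lower() else None

def resolve_roles(principal, template="(uid={0})", directory=DIRECTORY):
    """Model of the AdvancedLdap step: locate the user entry, map memberOf DNs to role names."""
    hits = [e for e in directory.values() if matches(e, build_filter(template, principal))]
    if len(hits) != 1:
        return set()  # no entry, or an ambiguous match: this model grants no roles (my choice)
    return {rdn_value(dn, "cn") for dn in hits[0]["memberOf"]}
```

The escaping matters because the principal is taken from the client certificate's subject, so a subject containing filter metacharacters is searched for literally instead of widening the query.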