3 Replies Latest reply on May 3, 2018 2:03 AM by mchoma

    JBoss add_user.sh script vs Security Domain

    kevenliu
    kevenliu Apr 30, 2018 2:21 PM

      I'm really new to JBoss, and recently I'm having lots of issues while configuring authentication in JBoss. 

       

      My question is that, what is the Application User in add_user.sh ? If this creates a new application user, does that mean we don't need to use Security Domain?

       

      Or vice versa, if we use Security Domain (say Database), does that mean we don't need to use add_user.sh script for adding Application User?

       

      Or, I'm understanding this incorrectly? The application user created by add_user.sh is different than Security Domain?

       

      (The problem I'm having now is that, I'm migrating from Glassfish and in Glassfish, I had a keyfile as  a realm, but I don't know what is the equivalent in JBoss, and I tried both security domain and add_user.sh, none of them work for me)

        • 1. Re: JBoss add_user.sh script vs Security Domain
          dlofthouse
          dlofthouse May 1, 2018 7:26 AM (in response to kevenliu)

          All the add-user utility currently does is manipulate the management and application properties files included in the WildFly distribution.

           

          If you use a security realm that uses these files it will have an effect, however if you switch to something else like a database then this utility will have no further effect.

           

          We do have some future plans to make this usable with different Elytron security realms so we could cover database and LDAP but that is not in the imminent horizon.

          1 of 1 people found this helpful
            • Actions
          • 2. Re: JBoss add_user.sh script vs Security Domain
            kevenliu
            kevenliu May 1, 2018 2:47 PM (in response to dlofthouse)

            Thank you I get it!

             

            I'm having issue with role-mapping, it always show this in log trace:

            PBOX000292: Insufficient method permissions [principal: null, EJB name: SSLBean, method: findVarialbles, interface: Local, required roles: Roles(administrator,user,), principal roles: Roles(), run-as roles: null]

             

            However, I already setup my standalone.xml like this

             

              <login-module code="Database" flag="required">

             

              <module-option name="dsJndiName" value="java:jboss/datasources/pdbAuth"/>

              <module-option name="principalsQuery" value="select password from authentication where username=?"/>

              <module-option name="rolesQuery" value="select group_name, 'Roles' from user_group ug inner join authentication a on ug.user_id = a.id where a.username = ?"/>

              <module-option name="hashAlgorithm" value="SHA-256"/>

              <module-option name="hashEncoding" value="BASE64"/>

              <module-option name="unauthenticatedIdentity" value="guest"/>

              </login-module>

              <login-module code="RoleMapping" flag="required">

              <module-option name="rolesProperties" value="file:${jboss.server.config.dir}/app.properties"/>

              <module-option name="replaceRole" value="false"/>

              </login-module>

             

            And I set

            <security-domain>java:/jaas/app</security-domain>

            in jboss-web.xml.

             

            In app.properties I also declared my role-mappings. In the Bean I use the annotation @SecurityDomain("app")

             

            The error above still shows up, any idea what's the cause?

             

            Thanks!

              • Actions
            • 3. Re: JBoss add_user.sh script vs Security Domain
              mchoma
              mchoma May 3, 2018 2:03 AM (in response to kevenliu)

              If you are starting with WildFly I recommend you to migrate to Elytron directly. Legacy security solution you are investing into is already deprecated.

                • Actions