9 Replies Latest reply on Mar 28, 2013 12:18 AM by xiang yingbing

    JBoss security.. add new user through the web app

    klind Newbie

      Hi. I am converting an existing web app that used to run in a simple jar file and Jetty server.

       

      I created a jboss-web.xml and added :

       

      <security-domain>java:/jaas/other</security-domain>

       

      used the add-user utility from the bin folder to add a new user, and I can login through the existing log in page.

       

      But in the application there is a page where you can register yourself as a user.

      The input is saved in the database.

      How do I create a new user in the security domaine.. the application-users.properties file.

        • 1. Re: JBoss security.. add new user through the web app
          xiang yingbing Master

          method.1. call jboss 7 "CLI/Native management" to add new user/role in application-users.properties and application-roles.properties.

                           (Please read jboss 7 document/wiki at first.)

           

                           If your program write user/role directly into those files, the new users/roles are NOT in jboss jaas cache memory.

           

           

          method.2 write user/role directly into those files, then invalidate the JAAS cache with bellow codes:

           


          private void flushJaasCache(String securityDomain, String jaasUsername){


          try {



          Object[] params = {jaasUsername};



          String[] signature = {"java.lang.String"};








          javax.management.MBeanServerConnection mbeanServerConnection = java.lang.management.ManagementFactory





          .getPlatformMBeanServer();



          javax.management.ObjectName mbeanName = new javax.management.ObjectName("jboss.as:subsystem=security,security-domain="+securityDomain);



          mbeanServerConnection.invoke(mbeanName, "flushCache", params, signature);


          } catch (Exception e) {



          throw new SecurityException(e);


          }

          }

           

           

           

           

          Good luck!

          • 2. Re: JBoss security.. add new user through the web app
            xiang yingbing Master

            The input is saved in the database.

            How do I create a new user in the security domaine.. the application-users.properties file.

            ~~~~~~~~~~~~~ How can you do things like that? If I send one email to you, can I expect your friends reply it?

                                           As to the data storage, You have only one choice: property file or Data Base.

                                          

             

            I suggest you save user/role into DB. I do NOT think it is difficult.

             

            Here is my standalone.xml for jboss 7.2:

             

            <?xml version='1.0' encoding='UTF-8'?>
            
            <server xmlns="urn:jboss:domain:1.4">
                ...
                <management>
                    <security-realms>
                        <security-realm name="ManagementRealm">
                            ...
                        </security-realm>
                        <security-realm name="ApplicationRealm">
                            <server-identities>
                                <ssl>
                                    <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="ybxiang_keystore_password"/>
                                </ssl>
                            </server-identities>
                            <authentication>
                                <jaas name="ybxiang-forum-jaas-security-domain"/>
                            </authentication>
                        </security-realm>
                    </security-realms>
                    <management-interfaces>
                        ...
                    </management-interfaces>
                </management>
            
                <profile>
                    ...
                    <subsystem xmlns="urn:jboss:domain:datasources:1.1">
                        <datasources>
                            <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true">
                                ...
                            </datasource>
                            <datasource jndi-name="java:jboss/datasources/ybxiangForumMySqlDataSource" pool-name="MySqlDS" enabled="true" use-java-context="true">
                                <connection-url>jdbc:mysql://localhost:3306/ybxiangforum9</connection-url>
                                <driver>com.mysql</driver>
                                <transaction-isolation>TRANSACTION_READ_COMMITTED</transaction-isolation>
                                <pool>
                                    <min-pool-size>10</min-pool-size>
                                    <max-pool-size>100</max-pool-size>
                                    <prefill>true</prefill>
                                </pool>
                                <security>
                                    <user-name>root</user-name>
                                    <password>yourpassword</password>
                                </security>
                                <statement>
                                    <prepared-statement-cache-size>32</prepared-statement-cache-size>
                                    <share-prepared-statements>true</share-prepared-statements>
                                </statement>
                            </datasource>
                            <drivers>
                                <driver name="h2" module="com.h2database.h2">
                                    <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
                                </driver>
                                <driver name="com.mysql" module="com.mysql">
                                    <xa-datasource-class>com.mysql.jdbc.jdbc2.optional.MysqlXADataSource</xa-datasource-class>
                                </driver>
                            </drivers>
                        </datasources>
                    </subsystem>
                    ...
                    <subsystem xmlns="urn:jboss:domain:security:1.2">
                        <security-domains>
                            <security-domain name="ybxiang-forum-jaas-security-domain" cache-type="default">
                                <authentication>
                                    <login-module code="Remoting" flag="optional">
                                        <module-option name="password-stacking" value="useFirstPass"/>
                                    </login-module>
                                    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                                        <module-option name="password-stacking" value="useFirstPass"/>
                                        <module-option name="dsJndiName" value="java:jboss/datasources/ybxiangForumMySqlDataSource"/>
                                        <module-option name="principalsQuery" value="SELECT hashedPassword FROM User WHERE username=?"/>
                                        <module-option name="rolesQuery" value="SELECT DISTINCT r.name, 'Roles' FROM User u, User_UserGroup ug, UserGroup_JaasRole gr, JaasRole r WHERE u.id=ug.user_id AND ug.usergroup_id=gr.usergroup_id AND gr.jaasrole_id=r.id AND u.username=?"/>
                                        <module-option name="hashAlgorithm" value="SHA-256"/>
                                        <module-option name="hashEncoding" value="Base64"/>
                                        <module-option name="hashCharset" value="UTF-8"/>
                                        <module-option name="unauthenticatedIdentity" value="guest"/>
                                    </login-module>
                                </authentication>
                            </security-domain>
                            <security-domain name="other" cache-type="default">
                                <authentication>
                                    <login-module code="Remoting" flag="optional">
                                        <module-option name="password-stacking" value="useFirstPass"/>
                                    </login-module>
                                    <login-module code="RealmDirect" flag="required">
                                        <module-option name="password-stacking" value="useFirstPass"/>
                                    </login-module>
                                </authentication>
                            </security-domain>
                            <security-domain name="jboss-web-policy" cache-type="default">
                                <authorization>
                                    <policy-module code="Delegating" flag="required"/>
                                </authorization>
                            </security-domain>
                            <security-domain name="jboss-ejb-policy" cache-type="default">
                                <authorization>
                                    <policy-module code="Delegating" flag="required"/>
                                </authorization>
                            </security-domain>
                        </security-domains>
                    </subsystem>
                    ...
            
            </server>
            
            • 3. Re: JBoss security.. add new user through the web app
              xiang yingbing Master

              NOTE:

               

              (1) If you do NOT want to use SSL, then remove <ssl> element.

                              <server-identities>
                                  <ssl>
                                      <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="ybxiang_keystore_password"/>
                                  </ssl>
                              </server-identities>

               

              (2) If you do NOT want to save hashed password in DB (namely, save plain text password in DB), then remove bellow elements:

                                          <module-option name="hashAlgorithm" value="SHA-256"/>
                                          <module-option name="hashEncoding" value="Base64"/>
                                          <module-option name="hashCharset" value="UTF-8"/>

              • 4. Re: JBoss security.. add new user through the web app
                klind Newbie

                Hi Xiang.. the thing is that this is an existing application, and when a user register they have to give some more information than just username and password.

                These informations are stored in the database. ( right now also the password )

                 

                So for this to get working quickly I just wanted to use files for the username and password.

                But maybe it is actually easy to get it to work with the database..

                Can I use my already existing tables or do I have to create new tables with known names to JBoss.

                • 5. Re: JBoss security.. add new user through the web app
                  xiang yingbing Master

                  You can save your username and password in DB. It is VERY easy and more flexible!

                  Please do NOT save them in property file. property file is ONLY for simple application.

                  More over, JBoss 7 JAAS Module loads Jaas info from ONE place automatically.

                   

                   

                   

                  Hi Xiang.. the thing is that this is an existing application, and when a user register they have to give some more information than just username and password.

                  These informations are stored in the database. ( right now also the password )

                  [xiang:] Yes. Saving data into DB is a correct decision.

                   

                  So for this to get working quickly I just wanted to use files for the username and password.

                  [xiang:] If I send one email to you, can I expect your friends reply it?

                              If you save data into DB, how can you expect jboss load them from property file?

                              Solution: save data into DB and save username and password into the property file too. You must synchronize the DB and property file. NOT a good idea.

                   

                              Why are you afraid of DB saving? It is VERY VERY easy! I have posted related configuration above.

                   

                  But maybe it is actually easy to get it to work with the database..

                  [xiang:] Sooner or later, you MUST use DB, so, why NOT use it now?

                   

                  Can I use my already existing tables or do I have to create new tables with known names to JBoss.

                  [xiang:] Yes, you can use already existing tables. There is NO need to create new tables. The configuration is very flexible.

                  (a) How to authenticate your account:

                    <module-option name="principalsQuery" value="SELECT password FROM User WHERE username=?"/>

                  or

                    <module-option name="principalsQuery" value="SELECT hashedPassword FROM User WHERE username=?"/>

                   

                  Here 'password' is the password column name. It can be any string.

                  Here 'username' is the username column name. It can be any string.

                  Here 'User' is the User table name. It can be any string.

                   

                   

                  (b) How to authorize your account (find roles for username):

                  <module-option name="rolesQuery" value="SQL OF FINDING ROLES LIST FOR ONE USER"/>

                   

                  The whole image:

                  JAAS.JPG

                  • 6. Re: JBoss security.. add new user through the web app
                    xiang yingbing Master

                    I posted related web configuration(security domain, role, constraint) here: https://community.jboss.org/thread/223004?tstart=0

                    • 7. Re: JBoss security.. add new user through the web app
                      xiang yingbing Master

                      If you fail to understand my description, please share your Desktop with some software and tell me when you are free (I am free on weekend).

                      I can do it for you, and explain it at the same time.

                       

                      Do you have a QQ?

                      • 8. Re: JBoss security.. add new user through the web app
                        klind Newbie

                        Hi Xiang.. I will try to use the Database solution. We might be using LDAP later on when this goes live.

                         

                        I will let you know as soon ad I tried.. Thanks for the quick reply.

                        • 9. Re: JBoss security.. add new user through the web app
                          xiang yingbing Master

                          Hi Xiang.. I will try to use the Database solution. We might be using LDAP later on when this goes live.

                          ~~~~~~~~~~~~~When LDAP is used, please change

                          <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"

                          to

                          <login-module code="org.jboss.security.auth.spi.RELATED-LDAP-LoginModule"

                          in above standalone.xml.

                           

                          (You can write your own LDAP/DB Login Module too. But you have to put it into jboss module system. So try to find jboss LDAP Login module class. Good luck!)