3 Replies Latest reply on Jan 18, 2016 6:16 PM by Rahul Daga

    Meaning of 'realm' and 'security-domain' ?

    Ralph Soika Apprentice

      Hi,

       

      I have a question about the right understanding of the security configuration in WildFly.

      I succeeded to configure my EAR with a security-domain using a Database Login Module. It works great! And I am again impressed how easy it is to configure WildFly. But I have a problem with the meaning of 'realms' and 'security-domains' in WildFly.

       

      In my standalong.xml file I added the following configuration for a new Database Login Module:

       

      <security-domain name="imixsrealm">

                          <authentication>

                              <login-module code="Database" flag="required">

                                  <module-option name="dsJndiName" value="java:/jdbc/imixs_office"/>

                                  <module-option name="principalsQuery" value="select PASSWORD from USERID where ID=?"/>

                                  <module-option name="rolesQuery" value="select GROUP_ID,'Roles' from USERID_USERGROUP where ID=?"/>

                                  <module-option name="hashAlgorithm" value="SHA-256"/>

                                  <module-option name="hashEncoding" value="hex"/>

                                  <module-option name="unauthenticatedIdentity" value="anonymous"/>

                              </login-module>

                          </authentication>

                      </security-domain>

       

      Next I added into the WEB-INF folder of my war module a 'jboss-web.xml' file with the following content:

       

      <?xml version="1.0" encoding="UTF-8"?>

      <jboss-web>

         <security-domain>imixsrealm</security-domain>

      </jboss-web>

       

      and into the EJB module a 'jboss-ejb3.xml' file with this content:

       

      <?xml version="1.1" encoding="UTF-8"?>

      <jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee"

        xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

        xmlns:s="urn:security:1.1"

        xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_1.xsd"

        version="3.1" impl-version="2.0">

        <assembly-descriptor>

        <s:security>

        <ejb-name>*</ejb-name>

        <!-- other imixsrealm -->

        <s:security-domain>imixsrealm</s:security-domain>

        <s:missing-method-permissions-deny-access>false</s:missing-method-permissions-deny-access>

        </s:security>

        </assembly-descriptor>

      </jboss:ejb-jar>

       

       

      But what I am wondering about is that in the web.xml file I need the following login-config entry

       

        <login-config>

        <auth-method>FORM</auth-method>

        <realm-name>ApplicationRealm</realm-name>

        <form-login-config>

        <form-login-page>/login.jsf</form-login-page>

        <form-error-page>/loginerror.jsf</form-error-page>

        </form-login-config>

        </login-config>

       

      My question is: Why must be the realm-name in web.xml set to 'ApplicationRealm' ? Here I expected that I could set 'imixsrealm'.

      It looks to me that in WildFly the realm-name used in web.xml must always be 'ApplicationRealm'  and can not be changed?

      Or is there a way to change the realm-name in web.xml - maybe I have only misunderstood something?

      But the database login module works excellent - so I am fine with my current configuration ;-)

       

      ====
      Ralph

        • 1. Re: Meaning of 'realm' and 'security-domain' ?
          xiang yingbing Master

          My opinions (maybe I am wrong):

           

          1. You had better change <security-domain name="imixsrealm"> to <security-domain name="imixs-security-domain">.

           

          2. wildfly-8.0.0.CR1\docs\schema\jboss-as-config_2_0.xsd is a good place to find answer. Its comments are meaningful!

           

          3. (a)Security Domain: ONLY support JAAS function.

              (b) SecurityRealm combines the JAAS(security-domain) and SSL.

           

                 Currently,  <security-realm name="ManagementRealm"> is for jboss management applications:

              <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
              <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
              <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>

           

                While <security-realm name="ApplicationRealm"> is for all applications deployed in JBoss AS by developers. For example:

                        EJB applications' SSL and JAAS functions.

                As to WAR application, you can configure security-domain(JAAS) for it in jboss-web.xml, and you can configure SSL for undertow(web server) like this:

                       <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm"/>

                       NOTE: sometimes, SSL function is configured in front apache.

           

           

          4. Why must be the realm-name in web.xml set to 'ApplicationRealm' ?

              (a) You can ignore <realm-name>ApplicationRealm</realm-name>.

              (b) And you can configure your security domain in WEB-INF/jboss-web.xml, like this:

                         <?xml version="1.0" encoding="UTF-8"?>

                          <jboss-web>

                              <security-domain>java:/jaas/ybxiang-forum-jaas-security-domain</security-domain>

                              <!-- encoding for login servlet 'j_security_check' -->

                              <!-- for jboss as 7.2.0 and lower version -->

                              <valve>

                                  <class-name>org.apache.catalina.authenticator.FormAuthenticator</class-name>

                                  <param>

                                      <param-name>characterEncoding</param-name>

                                      <param-value>UTF-8</param-value>

                                  </param>

                              </valve>

                             

                              <!-- for wildfly-8.0.0.CR1 and higher version

                              http://javaarm.com/faces/display.xhtml?tid=3341

                              <default-encoding>UTF-8</default-encoding>

                              -->

                          </jboss-web>

           

                I did not try <realm-name>ApplicationRealm</realm-name>  in WEB-INF/web.xml.

          • 2. Re: Meaning of 'realm' and 'security-domain' ?
            xiang yingbing Master

            I have the same question: How to add a custom realm to WildFly?

            It seems that <security-realm name="ManagementRealm"> and <security-realm name="ApplicationRealm"> are enough.

             

            There are less people in wildfly forum than in jboss as 7 forum (JBoss AS 7).

            If your problem exists in jboss as 7 too(not a wildfly-specified problem), you had better post it in jboss as 7 forum (JBoss AS 7).

            • 3. Re: Meaning of 'realm' and 'security-domain' ?
              Rahul Daga Newbie

              Is is possible to set a maximum number of retries and then lock the account out via an update sql? Or attach a listener and do the same?