6 Replies Latest reply on Jun 14, 2016 11:32 AM by George Turner

    CLIENT_CERT with ActiveDirectory roles

    George Turner Newbie

      I am using 2 way SSL, TLS, mutual authentication (wow, so many names for the same thing!) and I want to load roles from Active Directory per the certificate presented by the user.  LOTS of digging has left me nowhere.  The closest capability I have found, is to create a security-domain with a AdvancedLdap login-module, but a login-module is for authentication.  It seems like I need a policy-module for authorization, but I cannot find any such example.  Has anyone made this work?  It seems this should be a basic configuration in todays web.

        • 1. Re: CLIENT_CERT with ActiveDirectory roles
          Martin Choma Expert

          What is your setup? Does wildfly performs 2 way TLS authentication or some  web server in front (apache)? If wildfly, you should be able to use Certificate login module (to get certificate subject - user login) in conjuction with LdapRoles mapping modules (to get roles).

           

          *Ldap login modules can be used, when user provides username/password, which is not your case.

           

          For comprehensive list of avalaible modules look at Login Module Reference - Red Hat Customer Portal

          • 2. Re: CLIENT_CERT with ActiveDirectory roles
            George Turner Newbie

            Here is my setup.  I have the AD url set to a local port 389 which I have TCPMon intercepting so that I can see activity going to AD, but it never gets ANYTHING!

             

                <management>

                    <security-realms>

                        <security-realm name="ManagementRealm">

                            <authentication>

                                <local default-user="$local" skip-group-loading="true"/>

                                <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>

                            </authentication>

                            <authorization map-groups-to-roles="false">

                                <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>

                            </authorization>

                        </security-realm>

                        <security-realm name="ApplicationRealm">

                            <server-identities>

                                <ssl>

                                    <keystore path="keystore.jks" relative-to="jboss.server.config.dir" keystore-password="changeit" alias="ncserver" key-password="changeit"/>

                                </ssl>

                            </server-identities>

                            <authentication>

                                <truststore path="truststore.jks" relative-to="jboss.server.config.dir" keystore-password="changeit"/>

                            </authentication>

                            <authorization map-groups-to-roles="true">

                                <ldap connection="ActiveDirectory">

                                    <username-to-dn>

                                        <username-filter base-dn="OU=ExternalUsers,DC=sf,DC=space,DC=smil" recursive="false" user-dn-attribute="dn" attribute="serialNumber"/>

                                    </username-to-dn>

                                    <group-search group-name-attribute="cn">

                                        <principal-to-group group-attribute="memberOf"/>

                                    </group-search>

                                </ldap>

                            </authorization>

                        </security-realm>

                    </security-realms>

                    <outbound-connections>

                        <ldap name="ActiveDirectory" url="ldap://localhost:389" search-dn="cn=wildfly,cn=Users,dc=sf,dc=space,dc=smil" search-credential="1qaz2wsx!QAZ@WSX" security-realm="ApplicationRealm"/>

                    </outbound-connections>

                    <audit-log>

                        <formatters>

                            <json-formatter name="json-formatter"/>

                        </formatters>

                        <handlers>

                            <file-handler name="file" formatter="json-formatter" path="audit-log.log" relative-to="jboss.server.data.dir"/>

                        </handlers>

                        <logger log-boot="true" log-read-only="false" enabled="true">

                            <handlers>

                                <handler name="file"/>

                            </handlers>

                        </logger>

                    </audit-log>

                    <management-interfaces>

                        <http-interface security-realm="ManagementRealm" http-upgrade-enabled="true">

                            <socket-binding http="management-http"/>

                        </http-interface>

                    </management-interfaces>

                    <access-control provider="simple">

                        <role-mapping>

                            <role name="SuperUser">

                                <include>

                                    <user name="$local"/>

                                </include>

                            </role>

                        </role-mapping>

                    </access-control>

                </management>

            • 3. Re: CLIENT_CERT with ActiveDirectory roles
              Martin Choma Expert

              To setup 2 way TLS with Undertow see

              https://github.com/wildfly/quickstart/tree/10.x/helloworld-client-ssl

               

              To achieve additional role mapping you need to define security domain (for example named cert_sec_domain) using Certificate Login Module and Ldap Roles Mapping Provider.

              For more details see https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0.beta/login-module-reference/

               

              And reference this "cert_sec_domain" in jboss-web.xml

               

              It means you don't need authorization element to be set in security realm. Note, your references are cycling in your security realm configuration  ApplicationRealm -> authorization -> ldap -> outbound-connections -> ApplicationRealm

              • 4. Re: CLIENT_CERT with ActiveDirectory roles
                George Turner Newbie

                I have resolved the issue on y own.  Please do not reploy to this discussion from here forward.

                • 5. Re: CLIENT_CERT with ActiveDirectory roles
                  Martin Choma Expert

                  Please, can you share with us your solution?

                  • 6. Re: CLIENT_CERT with ActiveDirectory roles
                    George Turner Newbie

                    It may not be perfect, but it is working well for me:

                     

                        <management>

                            <security-realms>

                                <security-realm name="ManagementRealm">

                                    <authentication>

                                        <local default-user="$local" skip-group-loading="true"/>

                                        <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>

                                    </authentication>

                                    <authorization map-groups-to-roles="false">

                                        <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>

                                    </authorization>

                                </security-realm>

                                <security-realm name="ApplicationRealm">

                                    <server-identities>

                                        <ssl>

                                            <keystore path="keystore.jks" relative-to="jboss.server.config.dir" keystore-password="changeit" alias="ncserver" key-password="changeit"/>

                                        </ssl>

                                    </server-identities>

                                    <authentication>

                                        <truststore path="truststore.jks" relative-to="jboss.server.config.dir" keystore-password="changeit"/>

                                    </authentication>

                                </security-realm>

                            </security-realms>

                     

                     

                     

                            <subsystem xmlns="urn:jboss:domain:security:1.2">

                                <security-domains>

                                    <security-domain name="other" cache-type="default">

                                        <authentication>

                                            <login-module code="Remoting" flag="optional">

                                                <module-option name="password-stacking" value="useFirstPass"/>

                                            </login-module>

                                            <login-module code="RealmDirect" flag="required">

                                                <module-option name="password-stacking" value="useFirstPass"/>

                                            </login-module>

                                        </authentication>

                                        <authorization>

                                            <policy-module code="Delegating" flag="required"/>

                                        </authorization>

                                    </security-domain>

                                    <security-domain name="jboss-web-policy">  <!-- add  cache-type="default" for production? -->

                                        <authentication>

                                            <login-module code="Certificate" flag="required">

                                                <module-option name="password-stacking" value="useFirstPass"/>

                                                <module-option name="securityDomain" value="jboss-web-policy"/>

                                                <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>

                                            </login-module>

                                            <login-module code="AdvancedLdap" flag="required">

                                                <module-option name="password-stacking" value="useFirstPass"/>

                                                <module-option name="bindDN" value="cn=wildfly,cn=Users,dc=sf,dc=space,dc=smil"/>

                                                <module-option name="bindCredential" value="1qaz2wsx!QAZ@WSX"/>

                                                <module-option name="java.naming.provider.url" value="ldap://10.10.20.89:389"/>

                                                <module-option name="baseCtxDN" value="OU=ExternalUsers,DC=sf,DC=space,DC=smil"/>

                                                <module-option name="baseFilter" value="(uid={0})"/>

                                                <module-option name="roleAttributeID" value="memberOf"/>

                                                <module-option name="roleAttributeIsDN" value="true"/>

                                                <module-option name="roleNameAttributeID" value="cn"/>

                                                <module-option name="rolesCtxDN" value="DC=sf,DC=space,DC=smil"/>

                                                <module-option name="recurseRoles" value="true"/>

                                            </login-module>

                                        </authentication>

                                        <jsse keystore-password="changeit" keystore-url="file:${jboss.server.config.dir}/keystore.jks" truststore-password="changeit" truststore-url="file:${jboss.server.config.dir}/truststore.jks" client-auth="true"/>

                                        <authorization>

                                            <policy-module code="Delegating" flag="required"/>

                                        </authorization>

                                    </security-domain>

                                    <security-domain name="jboss-ejb-policy" cache-type="default">

                                        <authorization>

                                            <policy-module code="Delegating" flag="required"/>

                                        </authorization>

                                    </security-domain>

                                </security-domains>

                            </subsystem>

                     

                     

                    Be sure to add a jboss-web.xml containing

                    <jboss-web>

                       <security-domain>jboss-web-policy</security-domain>

                    </jboss-web>

                     

                     

                    And in the web.xml

                     

                    <security-constraint>

                       <web-resource-collection>

                       <web-resource-name>DataStoreWebService</web-resource-name>

                       <url-pattern>/*</url-pattern>

                       </web-resource-collection>

                       <user-data-constraint>

                       <transport-guarantee>CONFIDENTIAL</transport-guarantee>

                       </user-data-constraint>

                       <auth-constraint>

                       <role-name>DataStoreWebServiceAccessRole</role-name>

                       </auth-constraint>

                       </security-constraint>

                       <login-config>

                       <auth-method>CLIENT_CERT</auth-method>

                       <realm-name>ApplicationRealm</realm-name>

                       </login-config>

                       <security-role>

                       <role-name>DataStoreWebServiceAccessRole</role-name>

                       </security-role>

                    </web-app>