JBossAS7: Security Design One Stop Article

Version 12

    This is the one stop article for security design in JBoss AS7/EAP6+.

     

     

    Architecture

     

    [Figure: JBossAS7Architecture_v1.png, the JBoss AS7 architecture diagram]

     

    This is a rough architecture diagram depicting the various subsystems and interfaces used in JBossAS7/JBossEAP6.

    The "AS Platform Security Component" depicts the security integration code that exists in JBossAS7+/JBoss EAP6. This integration layer may use the security functionality provided by the PicketBox library.

     

     

    Domain Model

    JBoss AS7 : Security Domain Model

     

    Securing Passwords

    JBoss AS7 Securing Passwords

    Management Layer Security

     

    Default HTTP Interface Security

    Default Native Interface Security

    Security Realms

    Access control notes

    RBAC Usecases

     

    Security Domains

     

    The mapping of shortened names for login modules to the standard login modules available in JBoss AS is provided below.  The latest is always available in the class

    org.jboss.as.security.ModulesMap

     

    Name                          Actual Login Module
    Client                        org.jboss.security.ClientLoginModule
    Certificate                   org.jboss.security.auth.spi.BaseCertLoginModule
    CertificateRoles              org.jboss.security.auth.spi.CertRolesLoginModule
    DatabaseCertificate           org.jboss.security.auth.spi.DatabaseCertLoginModule
    Database                      org.jboss.security.auth.spi.DatabaseServerLoginModule
    Identity                      org.jboss.security.auth.spi.IdentityLoginModule
    Ldap                          org.jboss.security.auth.spi.LdapLoginModule
    LdapExtended                  org.jboss.security.auth.spi.LdapExtLoginModule
    RoleMapping                   org.jboss.security.auth.spi.RoleMappingLoginModule
    RunAs                         org.jboss.security.auth.spi.RunAsLoginModule
    Simple                        org.jboss.security.auth.spi.SimpleServerLoginModule
    UsersRoles                    org.jboss.security.auth.spi.UsersRolesLoginModule
    CallerIdentity                org.jboss.resource.security.CallerIdentityLoginModule
    ConfiguredIdentity            org.jboss.resource.security.ConfiguredIdentityLoginModule
    JaasSecurityDomainIdentity    org.jboss.resource.security.JaasSecurityDomainIdentityLoginModule
    PBEIdentity                   org.jboss.resource.security.PBEIdentityLoginModule
    SecureIdentity                org.jboss.resource.security.SecureIdentityLoginModule

    Using a custom login module

    Write the fully qualified class name (FQCN) of your login module in the code attribute of the login-module element; it works out of the box.

     

    Package the custom login module class files in a jar and put it either:

    • on the application classpath of your web archive (war), ejb jar or enterprise archive (ear), OR
    • in a separate module under the modules directory.

    Read http://community.jboss.org/wiki/JBossAS7SecurityCustomLoginModules

     

    Deploying dynamic security domains

     

    Marcus Moyses talks about it here.  You have to use the CLI. The command is one line.

     

    You can add it via the CLI using:

    /subsystem=security/security-domain=MyEncryptedDS:add(cache-type=default,authentication=[{"code"=>"SecureIdentity","flag"=>"required","module-options"=>[("username"=>"sa"),("password"=>"encryptedPassword")]}])

    Deploying Custom Tomcat Authenticators in AS7

     

    Thanks to Darran Lofthouse for the sample. Add the valve configuration into the jboss-web.xml of your web archive.

    <jboss-web>
      <security-domain>SPNEGO</security-domain>
      <valve>
        <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>
      </valve>
    </jboss-web>

    Note that this is the general pattern for configuring Tomcat valves in JBoss AS7: configure them in jboss-web.xml.

     

    One more example:

     

    <jboss-web>
      <security-domain>idp</security-domain>
      <valve>
        <class-name>org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve</class-name>
        <param>
          <param-name>signOutgoingMessages</param-name>
          <param-value>false</param-value>
        </param>
        <param>
          <param-name>ignoreIncomingSignatures</param-name>
          <param-value>true</param-value>
        </param>
      </valve>
    </jboss-web>

    JCA - Datasource Security

    Historically, the JCA login modules in JBoss AS have been described here: https://community.jboss.org/wiki/ConfigJCALoginModule  [This information is primarily for JBoss AS5/6.]

    It still gives a good idea of what the login modules do.

     

    Here is an example of a security domain that is referenced by a data source:

     

    <security-domain name="DsRealm" cache-type="default">
      <authentication>
        <login-module code="ConfiguredIdentity" flag="required">
          <module-option name="userName" value="sa"/>
          <module-option name="principal" value="sa"/>
          <module-option name="password" value="sa"/>
        </login-module>
      </authentication>
    </security-domain>

    Remember, you can mask the password by using the vault facility in AS7.1.
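    As an added example (not code from the original article or the JBoss project), a small Python audit that applies the short-name-to-class table from the Security Domains section and checks security-domain definitions like the DsRealm one above for password module-options that are not vault references. The domain names VaultedRealm and custom, the class com.example.MyLoginModule and the misspelt code UserRoles are constructed for the sample; the vault reference syntax is the AS7.1 form ${VAULT::block::attribute::sharedkey}.

```python
import re
import xml.etree.ElementTree as ET

# Short names -> classes from the table above (org.jboss.as.security.ModulesMap); prefixes factored out for brevity.
_SPI, _RES = "org.jboss.security.auth.spi.", "org.jboss.resource.security."
MODULES_MAP = {
    "Client": "org.jboss.security.ClientLoginModule", "Certificate": _SPI + "BaseCertLoginModule",
    "CertificateRoles": _SPI + "CertRolesLoginModule", "DatabaseCertificate": _SPI + "DatabaseCertLoginModule",
    "Database": _SPI + "DatabaseServerLoginModule", "Identity": _SPI + "IdentityLoginModule",
    "Ldap": _SPI + "LdapLoginModule", "LdapExtended": _SPI + "LdapExtLoginModule",
    "RoleMapping": _SPI + "RoleMappingLoginModule", "RunAs": _SPI + "RunAsLoginModule",
    "Simple": _SPI + "SimpleServerLoginModule", "UsersRoles": _SPI + "UsersRolesLoginModule",
    "CallerIdentity": _RES + "CallerIdentityLoginModule", "ConfiguredIdentity": _RES + "ConfiguredIdentityLoginModule",
    "JaasSecurityDomainIdentity": _RES + "JaasSecurityDomainIdentityLoginModule",
    "PBEIdentity": _RES + "PBEIdentityLoginModule", "SecureIdentity": _RES + "SecureIdentityLoginModule",
}
VAULT_REF = re.compile(r"^\$\{VAULT::[^:]+::[^:]+::[^}]+\}$")  # AS7.1 vault reference ${VAULT::block::attr::key}
ENCRYPTED_BY_MODULE = {"SecureIdentity", "PBEIdentity"}  # their password option is module-encrypted, not cleartext

def resolve_code(code):
    return MODULES_MAP.get(code) or (code if "." in code else None)  # ModulesMap short name, or an FQCN used as-is

def _tagged(parent, tag):  # descendants with this local name, ignoring the urn:jboss:domain:security namespace
    return (e for e in parent.iter() if e.tag.rsplit("}", 1)[-1] == tag)

def audit_security_domains(xml_text):
    """Return (domain, code, problem) tuples for unknown codes and passwords not masked by the vault."""
    findings = []
    for domain in _tagged(ET.fromstring(xml_text), "security-domain"):
        for lm in _tagged(domain, "login-module"):
            code = lm.get("code", "")
            if resolve_code(code) is None:
                findings.append((domain.get("name"), code, "unknown short name; use a ModulesMap name or an FQCN"))
            if code in ENCRYPTED_BY_MODULE:
                continue
            for opt in _tagged(lm, "module-option"):
                if opt.get("name") == "password" and not VAULT_REF.match(opt.get("value", "")):
                    findings.append((domain.get("name"), code, "cleartext password; mask it with the vault"))
    return findings

# Constructed sample: the DsRealm domain shown above, a vault-masked copy, and a custom (hypothetical) FQCN module.
SAMPLE = """<security-domains>
<security-domain name="DsRealm"><authentication><login-module code="ConfiguredIdentity" flag="required">
<module-option name="userName" value="sa"/><module-option name="password" value="sa"/></login-module>
</authentication></security-domain><security-domain name="VaultedRealm"><authentication>
<login-module code="ConfiguredIdentity" flag="required"><module-option name="userName" value="sa"/>
<module-option name="password" value="${VAULT::ds::password::1}"/></login-module></authentication>
</security-domain><security-domain name="custom"><authentication><login-module code="UserRoles" flag="optional"/>
<login-module code="com.example.MyLoginModule" flag="required"/></authentication></security-domain>
</security-domains>"""
```

    Running audit_security_domains(SAMPLE) reports the cleartext "sa" password in DsRealm and the misspelt UserRoles code, and accepts the vault reference and the FQCN unchanged.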

     

    How would this get used?  Example security-ds.xml is below.

    <?xml version="1.0" encoding="UTF-8"?>
    
    <datasources>
         <datasource jndi-name="java:jboss/datasources/securityDs"
              pool-name="securityDs">
              <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1</connection-url>
              <driver>h2</driver>
              <new-connection-sql>select current_user()</new-connection-sql>
              <security>
                   <security-domain>DsRealm</security-domain>
              </security>
         </datasource>
    </datasources>

    Security Auditing

     

    JBossAS7SecurityAuditing

     

    JACC (JSR-115) on JBoss AS7.1

    http://community.jboss.org/wiki/JACCOnJBossAS7

     

     

    Java Security Manager

    JBoss AS7: Security : Running under a Java Security Manager

    HornetQ (Messaging) Security

    http://docs.jboss.org/hornetq/2.2.5.Final/user-manual/en/html/security.html

     

    Web Security

     

    http://community.jboss.org/wiki/PrimerOnWebSecurityInJBossAS

    http://community.jboss.org/wiki/JBossAS7SecureMyWebAppHowDoI

    Web Services Security

    JBossWS Authentication

    JBossWS Secure Transport

     

    JAXR Security

    Please see http://docs.oracle.com/cd/E17802_01/webservices/webservices/docs/1.6/tutorial/doc/JAXR-ebXML2.html for an overview of JAXR.

    JBoss AS7+/EAP does not ship any UDDI registry. We provide the JAXR Client API and Provider. Use JSSE settings to communicate with the external UDDI registry over X.509.

     

     

    Single Sign On

    http://community.jboss.org/wiki/SAMLWebBrowserSSOOnJBossAS70

    http://community.jboss.org/wiki/CheatSheetForPicketLinkOnRedHatOpenShift/

     

     

    Where is JaasSecurityDomain in AS7?

    It has been replaced by the jsse XML element in the security subsystem configuration. https://docs.jboss.org/author/display/AS7/Security+subsystem+configuration

     

    Additional Reference

    https://docs.jboss.org/author/display/AS7/Security+subsystem+configuration

     

    JBoss AS Security Subsystem Configuration

     

    JBossAS7SecurityAuditing

     

    Running JBoss AS7 under a Java Security Manager

    Choosing SSO for your JBoss Application Server