Jboss main configurations and security issues
1. Jboss usually comes with three configurations:
The min configuration, Login service JNDI server and a URL deployment scanner.
The default configuration consists of the standard services needed by most J2EE applications such as:
ThreadPool=JBoss System Threads.
It does not include the JAXR (Java API for XML Registries) service, The IIOP service, or any of the clustering services.
The all configuration starts all available services. This includes the RMI/IIOP service and clustering services.
2. The user can change the combination of services that Jboss will load and in this case the configuration is called custom configuration, Jboss documentation (http://wiki.jboss.org/wiki/Wiki.jsp?page=JBossASTuningSliming) recommends that each one will remove all unnecessary services, so obliviously there is no "common" configuration that we can test.
3. Jboss uses four security concepts (http://wiki.jboss.org/wiki/Wiki.jsp?page=JBossSX):
ClientLoginModule: It means no authentication at all.
UsersRolesLoginModule: There are two properties files in which users and rules are defined, the files are place in the conf directory or in the J2EE jar file.
DatabaseServerLoginModule: A JDBC based login, That means that users and password are stored in database, it based on two logical tables:
Principals (PrincipalID, Password).
Roles (PrincipalID, Role, RoleGroup).
LdapLoginModule: The authentication is against LDAP server using JNDI. The actual authentication happens in two phases:
Binding to the directory.
Searching the directory for objects that marches the specified rule.
Each concept is per application i.e. there is no way to secure all application in one action.
4. Jboss has 5 security services:
JaasSecurityManagerService: This is a JMX service which manages JAAS based SecurityManagers, JAAS SecurityManagers are responsible for validating credentials associated with principals.
JaasSecurityManager: its behavior derives from the execution of the login module instances that are configured under the name that matches the security domain to which the JaasSecurityManager has been assigned.
JaasSecurityDomain: extension of the JaasSecurityManager that adds the notion of a KeyStore, and JSSE KeyManagerFactory and TrustManagerFactory for supporting SSL and other cryptographic use cases.
DynamicLoginConfig: A security config mbean that loads an xml login configuration.
JACC: JACC is the Java Authorization for Container Contracts specification.