JAAS, Wildfly and Microsoft Active Directory

Some time ago, I wrote about a Java EE Web application that used Microsoft Active Directory, through the Java Authentication and Authorization Service (JAAS), as its security mechanism. The application was deployed on a Glassfish 4.0 application server. I have recently moved it to a Red Hat Wildfly 9.0.1 server and I would like to share a couple of issues that may be helpful to anyone working on the same topic.

The first one is the configuration of the LDAP realm. Here is an excerpt of my standalone-full.xml file:


<management>
  <security-realms>
  ...
    <security-realm name="LdapRealm">
      <authentication>
        <ldap connection="AdConnection" base-dn="OU=TestOU,DC=test,DC=local" recursive="true">
          <username-filter attribute="sAMAccountName"/>
        </ldap>
      </authentication>
      <authorization>
        <ldap connection="AdConnection">
          <group-search group-name-attribute="cn">
            <principal-to-group group-attribute="memberOf"/>
          </group-search>
        </ldap>
      </authorization>
    </security-realm>
  ...
  </security-realms>
  <outbound-connections>
    <ldap name="AdConnection" url="ldap://127.0.0.1:389" 
      search-dn="CN=testapp,CN=Users,DC=test,DC=local" search-credential="password"/>
  </outbound-connections>
  ...
</management>

The CLI script that creates this XML structure on Wildfly 9.0.1 is:


connect
/core-service=management/ldap-connection=AdConnection:add(url="ldap://127.0.0.1:389", \
  search-dn="CN=testapp,CN=Users,DC=test,DC=local",search-credential="password")
/core-service=management/security-realm=LdapRealm:add
/core-service=management/security-realm=LdapRealm/authentication=ldap:add(connection=AdConnection, \
  base-dn="OU=TestOU,DC=test,DC=local", \
  recursive="true", \
  username-attribute="sAMAccountName")
batch
/core-service=management/security-realm=LdapRealm/authorization=ldap:add(connection="AdConnection")
/core-service=management/security-realm=LdapRealm/authorization=ldap/ \
  group-search=principal-to-group:add(group-name-attribute="cn", \
  group-attribute="memberOf")
run-batch
reload
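A hardened variant of the outbound connection above, added here as an example that is not from the original post: it moves the directory traffic to LDAPS and takes the bind credential out of the configuration file through the WildFly password vault. The host name dc01.test.local, the trust store file name and the vault block and attribute names are assumptions; the vault itself must be initialised with vault.sh and referenced from a `<vault>` element in standalone-full.xml before these expressions resolve.

```xml
<management>
  <security-realms>
    <!-- Realm that only carries the trust store used to validate the
         domain controller's certificate (file name is an assumption). -->
    <security-realm name="AdTrustRealm">
      <authentication>
        <truststore path="ad-truststore.jks"
                    relative-to="jboss.server.config.dir"
                    keystore-password="${VAULT::ad::truststorePassword::1}"/>
      </authentication>
    </security-realm>
    <security-realm name="LdapRealm">
      <!-- authentication and authorization exactly as in the excerpt above -->
    </security-realm>
  </security-realms>
  <outbound-connections>
    <!-- LDAPS on 636 instead of plain LDAP on 389; the bind password is a
         vault expression rather than a literal stored in the file. -->
    <ldap name="AdConnection" url="ldaps://dc01.test.local:636"
          search-dn="CN=testapp,CN=Users,DC=test,DC=local"
          search-credential="${VAULT::ad::searchCredential::1}"
          security-realm="AdTrustRealm"/>
  </outbound-connections>
</management>
```

The security-realm attribute on the outbound connection tells WildFly to validate the domain controller's certificate against that realm's trust store rather than the JVM default, so a self-signed or internal-CA certificate on the DC can be trusted explicitly. The search account stays an ordinary low-privilege user, as in the original excerpt; it only needs read access to the users and groups under the base DN.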

The second issue is the configuration of a security domain, a concept that Glassfish does not require: there you just set the name of the realm in the login-config element of web.xml. Wildfly ignores that setting and instead requires its own jboss-web.xml file in the WEB-INF folder of the application:


<?xml version="1.0" encoding="UTF-8"?>
<jboss-web version="7.1"
  xmlns="http://www.jboss.com/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/schema/jbossas/jboss-web_7_1.xsd">
  <context-root>/ifaztelep</context-root>
  <security-domain>test-domain</security-domain>
</jboss-web>

Finally, here is the CLI script that creates the security domain in Wildfly:


connect
/subsystem=security/security-domain=test-domain:add(cache-type="default")
/subsystem=security/security-domain=test-domain/authentication=classic:add \
 (login-modules=[{code="RealmDirect", \
  flag="required", \
  module-options={password-stacking="useFirstPass",realm="LdapRealm"}}])
reload
