JAAS, Wildfly and Microsoft Active Directory

Some time ago, I wrote about a Java EE Web application that used Microsoft Active Directory, through the Java Authentication and Authorization Service (JAAS), as its security mechanism. The program was deployed in a Glassfish 4.0 application server. I have recently moved this application to a Red Hat WildFly 9.0.1 server and I'd like to share a couple of issues that I think may be helpful to anyone working on the same topic.

The first one is the configuration of the LDAP realm. Here is an excerpt of my standalone-full.xml file. Note that the bind password of the search account (search-credential) is stored in the clear in this file and the outbound connection uses plain ldap://, so restrict who can read the file and use ldaps:// anywhere other than a test lab:


<management>
  <security-realms>
  ...
    <security-realm name="LdapRealm">
      <authentication>
        <ldap connection="AdConnection" base-dn="OU=TestOU,DC=test,DC=local" recursive="true">
          <username-filter attribute="sAMAccountName"/>
        </ldap>
      </authentication>
      <authorization>
        <ldap connection="AdConnection">
          <group-search group-name-attribute="cn">
            <principal-to-group group-attribute="memberOf"/>
          </group-search>
        </ldap>
      </authorization>
    </security-realm>
  ...
  </security-realms>
  <outbound-connections>
    <ldap name="AdConnection" url="ldap://127.0.0.1:389" 
      search-dn="CN=testapp,CN=Users,DC=test,DC=local" search-credential="password"/>
  </outbound-connections>
  ...
</management>

The CLI script that creates this XML structure on WildFly 9.0.1 is (the authentication part maps the login name to the sAMAccountName attribute and searches the whole subtree below base-dn because recursive="true"; the authorization part turns each DN in the user's memberOf attribute into a role named after that group's cn):


connect
/core-service=management/ldap-connection=AdConnection:add(url="ldap://127.0.0.1:389", \
  search-dn="CN=testapp,CN=Users,DC=test,DC=local",search-credential="password")
/core-service=management/security-realm=LdapRealm:add
/core-service=management/security-realm=LdapRealm/authentication=ldap:add(connection=AdConnection, \
  base-dn="OU=TestOU,DC=test,DC=local", \
  recursive="true", \
  username-attribute="sAMAccountName")
batch
/core-service=management/security-realm=LdapRealm/authorization=ldap:add(connection="AdConnection")
/core-service=management/security-realm=LdapRealm/authorization=ldap/ \
  group-search=principal-to-group:add(group-name-attribute="cn", \
  group-attribute="memberOf")
run-batch
reload
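To make the two halves of that realm configuration concrete, here is an added example (not code from the original post and not WildFly's own implementation) that models, offline, what the realm does at login time: a subtree search below base-dn for (sAMAccountName=user), a bind check as the found entry, and then the principal-to-group step that loads every DN in memberOf and takes its cn as the role name. The directory is a constructed in-memory dictionary with hypothetical users and groups, the passwords are placeholders, and the filter parser only understands one equality or substring filter. It also shows why the realm must escape the username (RFC 4515) before putting it into the filter: an unescaped "*" matches every account under the base-dn.

```python
import re

BASE_DN = "OU=TestOU,DC=test,DC=local"

# Constructed sample directory (DN -> attributes); not a real AD export.
# Group entries live under CN=Users, outside BASE_DN, which is why the
# authorization step needs its own lookup instead of a search under BASE_DN.
DIRECTORY = {
    "CN=Alice,OU=Staff,OU=TestOU,DC=test,DC=local": {
        "sAMAccountName": "alice",
        "userPassword": "alice-pw",          # placeholder only
        "memberOf": ["CN=AppUsers,CN=Users,DC=test,DC=local",
                     "CN=AppAdmins,CN=Users,DC=test,DC=local"],
    },
    "CN=Bob,OU=TestOU,DC=test,DC=local": {
        "sAMAccountName": "bob",
        "userPassword": "bob-pw",
        "memberOf": ["CN=AppUsers,CN=Users,DC=test,DC=local",
                     "CN=Missing,CN=Users,DC=test,DC=local"],  # dangling reference
    },
    "CN=Carol,CN=Users,DC=test,DC=local": {   # outside BASE_DN: must never match
        "sAMAccountName": "carol", "userPassword": "carol-pw", "memberOf": [],
    },
    "CN=AppUsers,CN=Users,DC=test,DC=local": {"cn": "AppUsers"},
    "CN=AppAdmins,CN=Users,DC=test,DC=local": {"cn": "AppAdmins"},
}


def escape_filter_value(value):
    """RFC 4515 escaping of a value placed inside an LDAP search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _parse_filter(flt):
    """Toy parser: '(attr=value)' only. Unescaped '*' splits the value into
    substring pieces; \\xx escapes inside each piece are decoded to literals."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
    if not m:
        raise ValueError("unsupported filter: " + flt)
    attr, raw = m.group(1), m.group(2)
    pieces = [re.sub(r"\\([0-9a-fA-F]{2})", lambda e: chr(int(e.group(1), 16)), p)
              for p in raw.split("*")]
    return attr, re.compile("^" + ".*".join(re.escape(p) for p in pieces) + "$",
                            re.IGNORECASE)   # sAMAccountName is case-insensitive


def search(base_dn, flt, recursive=True):
    """Return DNs under base_dn whose attribute matches the filter.
    recursive=False models recursive="false": one level below base_dn only.
    (Escaped commas inside DNs are ignored in this toy depth check.)"""
    attr, pattern = _parse_filter(flt)
    base = base_dn.lower()
    hits = []
    for dn, attrs in DIRECTORY.items():
        low = dn.lower()
        if not low.endswith("," + base):
            continue
        if not recursive and low.count(",") != base.count(",") + 1:
            continue
        if attr in attrs and pattern.match(attrs[attr]):
            hits.append(dn)
    return hits


def authenticate(username, password, recursive=True):
    """Authentication half of the realm: exactly one entry must match the
    escaped username filter, then the supplied password must bind as it."""
    flt = "(sAMAccountName=%s)" % escape_filter_value(username)
    hits = search(BASE_DN, flt, recursive)
    if len(hits) != 1:          # no match, or ambiguous match: reject
        return None
    dn = hits[0]
    if DIRECTORY[dn].get("userPassword") != password:
        return None
    return dn


def roles_for(dn):
    """Authorization half: principal-to-group over memberOf, role = group cn.
    Groups that cannot be loaded are skipped rather than failing the login."""
    roles = []
    for group_dn in DIRECTORY[dn].get("memberOf", []):
        group = DIRECTORY.get(group_dn)
        if group is not None:
            roles.append(group["cn"])
    return roles


def unsafe_search(username):
    """Contrast case: username pasted into the filter without escaping."""
    return search(BASE_DN, "(sAMAccountName=%s)" % username)


if __name__ == "__main__":
    dn = authenticate("alice", "alice-pw")
    print(dn, roles_for(dn))
    print("unescaped '*' matches:", unsafe_search("*"))
    print("escaped '*' matches:", search(BASE_DN, "(sAMAccountName=%s)" % escape_filter_value("*")))
```

Running it with recursive=False shows the practical reason for recursive="true" in the realm: Alice, who sits in a nested OU, is no longer found, while Bob, directly under the base-dn, still is.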

The second issue is the configuration of a security domain, a concept that Glassfish does not require: there you just set the name of the realm in the login-config element of web.xml. WildFly ignores that setting and instead requires its own jboss-web.xml file in the WEB-INF folder of the application:


<?xml version="1.0" encoding="UTF-8"?>
<jboss-web version="7.1"
  xmlns="http://www.jboss.com/xml/ns/javaee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/schema/jbossas/jboss-web_7_1.xsd">
  <context-root>/ifaztelep</context-root>
  <security-domain>test-domain</security-domain>
</jboss-web>

Finally, here is the CLI script that creates the security domain in WildFly. The domain name must match the security-domain element in jboss-web.xml, and the realm module option must match the name of the security realm defined above:


connect
/subsystem=security/security-domain=test-domain:add(cache-type="default")
/subsystem=security/security-domain=test-domain/authentication=classic:add \
 (login-modules=[{code="RealmDirect", \
  flag="required", \
  module-options={password-stacking="useFirstPass",realm="LdapRealm"}}])
reload


JAAS, Glassfish and Microsoft Active Directory

I recently had to develop an internal Java EE Web application that used Microsoft Active Directory, through the Java Authentication and Authorization Service (JAAS), as its security mechanism. The program had to be deployed in a Glassfish 4.0 application server.

I don't want to write the same post that other people have written before, so here you have a link to a tutorial written by Marcel Gascoyne, who clearly explains the setup that is needed. The reason I'm writing about this issue is that I had to make a change to Marcel's configuration: with the JVM option -Djava.naming.referral=follow, my system didn't retrieve the group membership of the authenticated user, so I set the option as an LDAP realm property instead. Once more, stackoverflow.com was key to solving the problem.

Finally, I'd like to mention that I couldn't set up the LDAP realm through the Glassfish Web admin console because I got syntax errors with the character "=", so I had to modify the file domain.xml directly. Another question is how to enable logging on the security system; it's easy in theory, but I couldn't do it. I found this thread on stackoverflow.com, but I didn't figure out the logger name.