Jboss authentication

We'll deal with creating a new LDAP-based security domain, changing the default domain, and securing the consoles.

Configure a new domain

We'll describe this in terms of the bedework quickstart but the changes are much the same for any directory server.

The bedework quickstart uses an LDAP directory server (apacheDS) to provide authentication services.

In the configuration there is a per-application property which looks like:

org.bedework.app.UserCal.security.domain=bedeworkdemo

The value of this property is tied to an application-policy definition in the jboss login-config.xml file. We need to create one called "bedeworkdemo" which uses an LDAP login module.

To do so, insert the following in that file:

  <application-policy name="bedeworkdemo">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapLoginModule"
                    flag="required">
        <module-option name="java.naming.factory.initial">
          com.sun.jndi.ldap.LdapCtxFactory
        </module-option>
        <module-option name="java.naming.provider.url">
          ldap://localhost:10389/
        </module-option>
        <module-option name="java.naming.security.authentication">
          simple
        </module-option>
        <module-option name="principalDNPrefix">uid=</module-option>
        <module-option name="principalDNSuffix">
          ,ou=accounts,dc=bedework,dc=org
        </module-option>

        <!-- Roles are not used by bedework - not sure if we need these -->
        <module-option name="rolesCtxDN">
          ou=Roles,dc=jboss,dc=org
        </module-option>
        <module-option name="uidAttributeID">member</module-option>
        <module-option name="matchOnUserDN">true</module-option>

        <module-option name="roleAttributeID">cn</module-option>
        <module-option name="roleAttributeIsDN">false</module-option>
      </login-module>
    </authentication>
  </application-policy>
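The module forms the DN it binds with by concatenating principalDNPrefix, the username typed at login, and principalDNSuffix. The helper below is an added example, not JBoss or Bedework code: it shows that composition with the values from the fragment above, what RFC 4514 escaping of the username looks like, and an allow-list check (the pattern is an assumption for this example, not a Bedework rule) that an operator can apply to usernames before they reach the module. How the module itself treats DN metacharacters is not covered on this page, which is why validating the input up front is the safe default.

```python
"""Added example: how an LdapLoginModule bind DN is composed, and how to keep
a username from changing its structure.  Not JBoss or Bedework code."""
import re

# Values taken from the login-config.xml fragment on this page.
PRINCIPAL_DN_PREFIX = "uid="
PRINCIPAL_DN_SUFFIX = ",ou=accounts,dc=bedework,dc=org"

# Characters that must be backslash-escaped anywhere in an RFC 4514 attribute value.
_DN_SPECIAL = set('",+;<>\\')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a distinguished name (RFC 4514 s2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif i == 0 and ch in "# ":          # a leading '#' or space must be escaped
            out.append("\\" + ch)
        elif i == last and ch == " ":        # so must a trailing space
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def naive_principal_dn(username, prefix=PRINCIPAL_DN_PREFIX, suffix=PRINCIPAL_DN_SUFFIX):
    """Plain prefix + username + suffix, for comparison with the escaped form."""
    return prefix + username + suffix


def build_principal_dn(username, prefix=PRINCIPAL_DN_PREFIX, suffix=PRINCIPAL_DN_SUFFIX):
    """Same composition, with the username escaped so it stays a single RDN value."""
    return prefix + escape_dn_value(username) + suffix


# Conservative allow-list for uid values.  Assumption for this example only:
# adjust to whatever your directory actually permits in uid.
_UID_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def is_safe_uid(username: str) -> bool:
    """True when the username contains nothing that needs DN escaping."""
    return bool(_UID_RE.match(username))


if __name__ == "__main__":
    for name in ("alice", "bob,ou=admins"):
        print(name, "->", build_principal_dn(name), "safe:", is_safe_uid(name))
```

Running the block prints the escaped DN for a plain username and for one containing a comma; in the second case the naive concatenation would have produced a DN with an extra RDN, while the escaped version keeps the whole string inside the uid value.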

Default domain

The file server/default/deployers/jbossweb.deployer/META-INF/war-deployers-jboss-beans.xml defines the default security domain for web applications:

...
      <!-- The JAAS security domain to use in the absence of an explicit
      security-domain specification in the war WEB-INF/jboss-web.xml
      -->
      <property name="defaultSecurityDomain">java:/jaas/jboss-web-policy</property>

It is probably a good idea to point that at your own domain, or to remove it altogether, so that a war deployed without an explicit security-domain does not silently use the JBoss default:

      <property name="defaultSecurityDomain">java:/jaas/bedeworkdemo</property>

Secure the jmx console

Ideally this would use the same domain, but the console does need roles so that access can be barred to everyone except a privileged few.

The distributed login-config.xml contains the definition

  <application-policy name="jmx-console">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
        flag="required">
        <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
        <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>

which uses two properties files.

To secure the JMX Console using these properties files, make the following changes (web.xml and jboss-web.xml live in server/default/deploy/jmx-console.war/WEB-INF):

  • In web.xml uncomment the security-constraint block.
  • In server/default/conf/props/jmx-console-users.properties and server/default/conf/props/jmx-console-roles.properties set the users and passwords you want. Users need the JBossAdmin role named in the web.xml file to use the JMX Console.
  • In jboss-web.xml uncomment the security-domain block. The security domain that jmx-console maps to is declared in server/default/conf/login-config.xml.

Note that the new admin-console uses the same authentication domain.
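The two properties files are plain java.util.Properties files: usersProperties holds username=password lines and rolesProperties holds username=role1,role2 lines. The script below is an added example, not part of this page or of JBoss: it parses constructed copies of both files and reports the mistakes that leave a console exposed after it has nominally been secured, namely passwords that are empty, equal the username or are a common sample value, role lines for users that do not exist, and finally the list of who actually holds JBossAdmin. The weak-password list is a small constructed set, not an authoritative one.

```python
"""Added example: audit jmx-console-users.properties / jmx-console-roles.properties
as read by UsersRolesLoginModule.  Not JBoss or Bedework code."""
import re
from typing import Dict, List, Tuple

REQUIRED_ROLE = "JBossAdmin"          # role named in jmx-console.war/WEB-INF/web.xml
WEAK_PASSWORDS = {"", "admin", "password", "changeme"}   # constructed sample list

# Constructed sample contents; real files live in server/default/conf/props/.
SAMPLE_USERS = """\
# constructed sample of jmx-console-users.properties
# admin=admin
ops=s3cr3t-example
deploy=deploy
"""
SAMPLE_ROLES = """\
# constructed sample of jmx-console-roles.properties
ops=JBossAdmin, HttpInvoker
deploy=JBossAdmin
ghost=JBossAdmin
"""

# key, then '=' or ':' or whitespace as the separator, then the value
_PROP_LINE = re.compile(r"^([^=:\s]+)\s*[=:\s]\s*(.*)$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: '#'/'!' comments, key=value or key:value.
    (No support for line continuations or \\uXXXX escapes; enough for these files.)"""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _PROP_LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
        else:
            props[line] = ""            # a bare key has an empty value
    return props


def parse_roles(text: str) -> Dict[str, List[str]]:
    """username -> list of roles, trimming the spaces people put after commas."""
    return {user: [r.strip() for r in roles.split(",") if r.strip()]
            for user, roles in parse_properties(text).items()}


def audit(users_text: str, roles_text: str) -> Tuple[List[str], List[str]]:
    """Return (findings, users holding REQUIRED_ROLE)."""
    users = parse_properties(users_text)
    roles = parse_roles(roles_text)
    findings: List[str] = []
    for user, password in users.items():
        if password in WEAK_PASSWORDS or password.lower() == user.lower():
            findings.append(f"weak or default password for user '{user}'")
    for user in roles:
        if user not in users:
            findings.append(f"roles assigned to undefined user '{user}'")
    admins = sorted(u for u, rs in roles.items() if REQUIRED_ROLE in rs and u in users)
    return findings, admins


if __name__ == "__main__":
    found, admins = audit(SAMPLE_USERS, SAMPLE_ROLES)
    for f in found:
        print("FINDING:", f)
    print("users able to open the console:", admins)
```

Point the two sample strings at the real files (for example by reading them from server/default/conf/props/) and run it after every change to the console credentials; the admins list is the set of accounts that can reach the JMX, admin and web consoles once all three share this domain.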

Secure the web console

Much the same as the jmx console: make the same changes to management/console-mgr.sar/web-console.war. However, change the security domain name there to jmx-console so that there is only one set of properties files to maintain.

Limit access to applications from an IP address range

It may be worth doing this; see http://community.jboss.org/wiki/LimitAccessToCertainClients