2.3. Defining Application Security Domain

To allow an application to communicate with the application server through the SPNEGOLoginModule, you need to define the application security domain on the application server.
To define the application security domain, do the following:
  1. Open the $JBOSS_HOME/jboss-as/server/$PROFILE/conf/login-config.xml file for editing.
  2. Define a new application policy with the following chained configuration:
    • The SPNEGOLoginModule and its configuration with the following options:
      <module-option name="password-stacking">useFirstPass</module-option>
      The password-stacking option activates client-side authentication of clients with other login modules. Set the password-stacking option to useFirstPass, so the module looks first for a shared user name and password with javax.security.auth.login.name and javax.security.auth.login.password respectively (for further information refer to Password Stacking in the Security Guide).
      <module-option name="serverSecurityDomain">DomainName</module-option>
      The serverSecurityDomain option defines the server security domain, which defines the authentication module (Kerberos) and server authentication properties (refer to Section 2.2, “Defining Server Security Domain”).
    • The login module which returns the roles of the authenticated user and its configuration options. You can make use of the UsersRolesLoginModule that obtains the user roles from a properties file or AdvancedLdapLoginModule, which obtains user roles from an LDAP server following GSSAPI. For further information refer to Section 2.4, “Role Mapping”.

Example 2.2. Application Security Domain

<application-policy name="SPNEGO">
   <authentication>
      <login-module
         code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule"
         flag="requisite">
         <module-option name="password-stacking">useFirstPass</module-option>
         <module-option name="serverSecurityDomain">host</module-option>
      </login-module>
      <login-module
         code="org.jboss.security.auth.spi.UsersRolesLoginModule"
         flag="required">
         <module-option name="password-stacking">useFirstPass</module-option>
         <module-option name="usersProperties">props/spnego-users.properties</module-option>
         <module-option name="rolesProperties">props/spnego-roles.properties</module-option>
      </login-module>
   </authentication>
</application-policy>
In Example 2.2, “Application Security Domain” we have defined an application security domain called SPNEGO with two login modules:
  • org.jboss.security.negotiation.spnego.SPNEGOLoginModule provides SPNEGO user authentication;
  • org.jboss.security.auth.spi.UsersRolesLoginModule returns the roles of the user authenticated by the SPNEGOLoginModule (the roles are filtered from a users properties file).