Appendix A. Reference

A.1. Included Authentication Modules

The following authentication modules are included in JBoss EAP 6. Some of these handle authorization as well as authentication. These usually include the word Role within the Code name.
When you configure these modules, use the Code value or the full (package qualified) name to refer to the module.

Authentication Modules

Table A.1. Login Modules

Code Class Description
Client Class This login module is designed to establish caller identity and credentials when JBoss EAP 6 is acting as a client. It should never be used as part of a security domain used for actual server authentication.
Remoting N/A This login module is used to check if the request currently being authenticated is a request received over a Remoting connection, and if so the identity that was created during the Remoting authentication process is used and associated with the current request. If the request did not arrive over a Remoting connection this module does nothing and allows the JAAS based login to continue to the next module.
RealmDirect N/A This login module makes use of a security realm to authenticate the current request if that did not occur in the Remoting login module and then use the realm to load the users' roles. By default this login module assumes the realm to use is named ApplicationRealm although other names can be overridden. The advantage of this approach is that all of the backing store configuration can be left within the realm with the security domain delegating to the realm.

Table A.2. Client Module Options

Option Type Default Description
multi-threaded
true or false
false
Set to true if each thread has its own principal and credential storage. Set to false to indicate that all threads in the VM share the same identity and credential.
password-stacking
useFirstPass or false
false
Set to useFirstPass to indicate that this login module should look for information stored in the LoginContext to use as the identity. This option can be used when stacking other login modules with this one.
restore-login-identity
true or false
false
Set to true if the identity and credential seen at the start of the login() method should be restored after the logout() method is invoked.

Table A.3. Remoting Module Options

Option Type Default Description
password-stacking
useFirstPass or false
false
A value of useFirstPass indicates that this login module should first look to the information stored in the LoginContext for the identity. This option can be used when stacking other login modules with this one.
principalClass
A fully-qualified classname.
none
A Principal implementation class which contains a constructor that takes String arguments for the principal name.
unauthenticatedIdentity
A principal name.
none
Defines the principal name assigned to requests which contain no authentication information. This can allow unprotected servlets to invoke methods on EJBs that do not require a specific role. Such a principal has no associated roles and can only access unsecured EJBs or EJB methods that are associated with the unchecked permission constraint.

Table A.4. Certificate

Code
Certificate
Class
org.jboss.security.auth.spi.BaseCertLoginModule
Description
This login module is designed to authenticate users based on X509 Certificates. A use case for this is CLIENT-CERT authentication of a web application.

Table A.5. Certificate Module Options

Option Type Default Description
securityDomain
string
none
Name of the security domain that has the JSSE configuration for the truststore holding the trusted certificates.
verifier
class
none
The class name of the org.jboss.security.auth.certs.X509CertificateVerifier to use for verification of the login certificate.

Table A.6. CertificateUsers

Code
CertificateUsers
Class
org.jboss.security.auth.spi.UsersRolesLoginModule
Description
Uses a properties resources. The first maps usernames to passwords, and the second maps usernames to roles.

Table A.7. CertificateUsers Module Options

Option Type Default Description
unauthenticatedIdentity
string
none
Defines the principal name that should be assigned to requests which contain no authentication information. This can allow unprotected servlets to invoke methods on EJBs that do not require a specific role. Such a principal has no associated roles and can only access either unsecured EJBs or EJB methods that are associated with the unchecked permission constraint.
password-stacking
useFirstPass or false
false
Set to useFirstPass to indicate that this login module should look for information stored in the LoginContext to use as the identity. This option can be used when stacking other login modules with this one.
hashAlgorithm string
none
The name of the java.security.MessageDigest algorithm to use to hash the password. There is no default so this option must be explicitly set to enable hashing. When hashAlgorithm is specified, the clear text password obtained from the CallbackHandler is hashed before it is passed to UsernamePasswordLoginModule.validatePassword as the inputPassword argument. The expectedPassword stored in the users.properties file must be comparably hashed. Refer to http://docs.oracle.com/javase/6/docs/api/java/security/MessageDigest.html for information on java.security.MessageDigest and the algorithms this class supports.
hashEncoding
base64 or hex
base64
The string format for the hashed password, if hashAlgorithm is also set.
hashCharset
string
The default encoding set in the container's environment.
The encoding used to convert the clear-text password to a byte array.
usersProperties
The fully-qualified file path and name of a properties file or resource.
users.properties
The file containing the mappings between users and passwords. Each property in the file has the format username=password.
rolesProperties
The fully-qualified file path and name of a properties file or resource.
roles.properties
The file containing the mappings between users and roles. Each property in the file has the format username=role1,role2,...,roleN.
ignorePasswordCase
true or false
false
Whether the password comparison should ignore case. This is useful for hashed password encoding where the case of the hashed password is not significant.
principalClass
The fully-qualified classname.
org.jboss.security.SimplePrincipal
A Principal implementation class which contains a constructor that takes String arguments for the princpal name.
roleGroupSeparator
A single character.
. (a single period)
The character used to separate the username from the role group name in the rolesProperties file.
defaultUsersProperties
string
defaultUsers.properties
Name of the resource or file to fall back to if the usersProperties file can not be found.
defaultRolesProperties
string
defaultRoles.properties
Name of the resource or file to fall back to if the rolesProperties file cannot be found.
hashUserPassword
true or false
true
Whether to hash the password entered by the user, when hashAlgorithm is specified. Defaults to true.
hashStorePassword
true or false
false
Whether the store password returned from getUsersPassword() should be hashed, when hashAlgorithm is specified.
digestCallback
A fully-qualified classname.
none
The class name of the org.jboss.crypto.digest.DigestCallback implementation that includes pre or post digest content such as salt values. Only used if hashAlgorithm is specified.
storeDigestCallback
A fully-qualified classname.
none
The class name of the org.jboss.crypto.digest.DigestCallback implementation that includes pre/post digest content like salts for hashing the store password. Only used if hashStorePassword is true and hashAlgorithm is specified.
callback.option.STRING
Various none
All options prefixed with callback.option. are passed to the DigestCallback.init(Map) method. The input username is always passed in via the javax.security.auth.login.name option, and the input/store password is passed in via the javax.security.auth.login.password option to the digestCallback or storeDigestCallback.

Table A.8. CertificateRoles

Code
CertificateRoles
Class
org.jboss.security.auth.spi.CertRolesLoginModule
Description
This login module extends the Certificate login module to add role mapping capabilities from a properties file. It takes all of the same options as the Certificate login module, and adds the following options.

Table A.9. CertificateRoles Module Options

Option Type Default Description
rolesProperties
string
roles.properties
The name of the resource or file containing the roles to assign to each user. The role properties file must be in the format username=role1,role2 where the username is the DN of the certificate, escaping any = (equals) and space characters. The following example is in the correct format:
CN\=unit-tests-client,\ OU\=Red\ Hat\ Inc.,\ O\=Red\ Hat\ Inc.,\ ST\=North\ Carolina,\ C\=US
defaultRolesProperties
string
defaultRoles.properties
Name of the resource or file to fall back to if the rolesProperties file cannot be found.
roleGroupSeparator
A single character.
. (a single period)
Which character to use as the role group separator in the rolesProperties file.

Table A.10. Database

Code Database
Class
org.jboss.security.auth.spi.DatabaseServerLoginModule
Description
A JDBC-based login module that supports authentication and role mapping. It is based on two logical tables, with the following definitions.
  • Principals: PrincipalID (text), Password (text)
  • Roles: PrincipalID (text), Role (text), RoleGroup (text)

Table A.11. Database Module Options

Option Type Default Description
dsJndiName
A JNDI resource
none
The name of the JNDI resource storing the authentication information. This option is required.
principalsQuery
prepared SQL statement
select Password from Principals where PrincipalID=?
The prepared SQL query to obtain the information about the principal.
rolesQuery
prepared SQL statement
none
The prepared SQL query to obtain the information about the roles. It should be equivalent to select Role, RoleGroup from Roles where PrincipalID=?, where Role is the role name and the RoleGroup column value should always be either Roles with a capital R or CallerPrincipal.

Table A.12. DatabaseCertificate

Code
DatabaseCertificate
Class
org.jboss.security.auth.spi.DatabaseCertLoginModule
Description
This login module extends the Certificate login module to add role mapping capabilities from a database table. It has the same options plus these additional options:

Table A.13. DatabaseCertificate Module Options

Option Type Default Description
dsJndiName
A JNDI resource
The name of the JNDI resource storing the authentication information. This option is required.
rolesQuery
prepared SQL statement
select Role,RoleGroup from Roles where PrincipalID=?
SQL prepared statement to be executed in order to map roles. It should be an equivalent to select Role, RoleGroup from Roles where PrincipalID=?, where Role is the role name and the RoleGroup column value should always be either Roles with a capital R or CallerPrincipal.
suspendResume
true or false
true
Whether any existing JTA transaction should be suspended during database operations.

Table A.14. Identity

Code
Identity
Class
org.jboss.security.auth.spi.IdentityLoginModule
Description
Associates the principal specified in the module options with any subject authenticated against the module. The type of Principal class used is org.jboss.security.SimplePrincipal.. If no principal option is specified a principal with the name of guest is used.

Table A.15. Identity Module Options

Option Type Default Description
principal
String
guest
The name to use for the principal.
roles
comma-separated list of strings
none
A comma-delimited list of roles which will be assigned to the subject.

Table A.16. Ldap

Code
Ldap
Class
org.jboss.security.auth.spi.LdapLoginModule
Description
Authenticates against an LDAP server, when the username and password are stored in an LDAP server that is accessible using a JNDI LDAP provider. Many of the options are not required, because they are determined by the LDAP provider or the environment.

Table A.17. Ldap Module Options

Option Type Default Description
java.naming.factory.initial
class name
com.sun.jndi.ldap.LdapCtxFactory
InitialContextFactory implementation class name.
java.naming.provider.url
ldap:// URL
none
URL for the LDAP server.
java.naming.security.authentication
none, simple, or the name of a SASL mechanism
simple
The security level to use to bind to the LDAP server.
java.naming.security.protocol
transport protocol
If unspecified, determined by the provider.
The transport protocol to use for secure access, such as SSL.
java.naming.security.principal
string
none
The name of the principal for authenticating the caller to the service. This is built from other properties described below.
java.naming.security.credentials
credential type
none
The type of credential used by the authentication scheme. Some examples include hashed password, clear-text password, key, or certificate. If this property is unspecified, the behavior is determined by the service provider.
principalDNPrefix
string
Prefix added to the username to form the user DN. You can prompt the user for a username and build the fully-qualified DN by using the principalDNPrefix and principalDNSuffix.
principalDNSuffix
string
Suffix added to the username to form the user DN. You can prompt the user for a username and build the fully-qualified DN by using the principalDNPrefix and principalDNSuffix.
useObjectCredential
true or false
false
Whether the credential should be obtained as an opaque Object using the org.jboss.security.auth.callback.ObjectCallback type of Callback rather than as a char[] password using a JAAS PasswordCallback. This allows for passing non-char[] credential information to the LDAP server.
rolesCtxDN
fully-qualified DN
none
The fully-qualified DN for the context to search for user roles.
userRolesCtxDNAttributeName
attribute
none
The attribute in the user object that contains the DN for the context to search for user roles. This differs from rolesCtxDN in that the context to search for a user's roles may be unique for each user.
roleAttributeID
attribute
roles
Name of the attribute containing the user roles.
roleAttributeIsDN
true or false
false
Whether or not the roleAttributeID contains the fully-qualified DN of a role object. If false, the role name is taken from the value of the roleNameAttributeId attribute of the context name. Certain directory schemas, such as Microsoft Active Directory, require this attribute to be set to true.
roleNameAttributeID
attribute
name
Name of the attribute within the roleCtxDN context which contains the role name. If the roleAttributeIsDN property is set to true, this property is used to find the role object's name attribute.
uidAttributeID
attribute
uid
Name of the attribute in the UserRolesAttributeDN that corresponds to the user ID. This is used to locate the user roles.
matchOnUserDN
true or false
false
Whether or not the search for user roles should match on the user's fully-distinguished DN or the username only. If true, the full user DN is used as the match value. If false, only the username is used as the match value against the uidAttributeName attribute.
allowEmptyPasswords
true or false
false
Whether to allow empty passwords. Most LDAP servers treat empty passwords as anonymous login attempts. To reject empty passwords, set this to false.

Table A.18. LdapExtended

Code
LdapExtended
Class
org.jboss.security.auth.spi.LdapExtLoginModule
Description
An alternate LDAP login module implementation that uses searches to locate the bind user and associated roles. The roles query recursively follows DNs to navigate a hierarchical role structure. It uses the same java.naming options as the Ldap module, and uses the following options instead of the other options of the Ldap module.
The authentication happens in 2 steps:
  1. An initial bind to the LDAP server is done using the bindDN and bindCredential options. The bindDN is a LDAP user with the ability to search both the baseCtxDN and rolesCtxDN trees for the user and roles. The user DN to authenticate against is queried using the filter specified by the baseFilter attribute.
  2. The resulting user DN is authenticated by binding to the LDAP server using the user DN as the InitialLdapContext environment Context.SECURITY_PRINCIPAL. The Context.SECURITY_CREDENTIALS property is set to the String password obtained by the callback handler.

Table A.19. LdapExtended Module Options

Option Type Default Description
baseCtxDN
fully-qualified DN
none
The fixed DN of the top-level context to begin the user search.
bindDN
fully-qualified DN
none
The DN used to bind against the LDAP server for the user and roles queries. This DN needs read and search permissions on the baseCtxDN and rolesCtxDN values.
bindCredential
string, optionally encrypted
none
Password stored as plain text for the bindDN, or loaded externally using EXT command. This password can be encrypted using the vault mechanism. You can use the following formats:
  • {EXT}... where the ... is the required external command. Example: {EXT}cat /mysecretpasswordfile
  • {EXTC[:expiration_in_millis]}... where the ... is the command that will be passed to the Runtime.exec(String) method to execute a platform command. The first line of the command output is used as the password.
    EXTC variant caches the passwords for expiration_in_millis milliseconds. Default cache expiration is 0 = infinity.
  • {CLASS}classname[:ctorargs] where the [:ctorargs] is an optional string delimited by the : from the classname that will be passed to the classname ctor. The ctorargs itself is a comma delimited list of strings.
    The password is obtained from classname by invoking a char[] toCharArray() method if found, otherwise, the String toString() method is used.
See the following topic to read more about encrypting sensitive strings: Section 10.11.2, “Create a Java Keystore to Store Sensitive Strings”
baseFilter
LDAP filter string
none
A search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).
rolesCtxDN
fully-qualified DN
none
The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.
roleFilter
LDAP filter string
none
A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).
roleAttributeIsDN
true or false
false
Whether or not the roleAttributeID contains the fully-qualified DN of a role object. If false, the role name is taken from the value of the roleNameAttributeId attribute of the context name. Certain directory schemas, such as Microsoft Active Directory, require this attribute to be set to true.
defaultRole
Role name
none
A role included for all authenticated users
parseRoleNameFromDN
true or false
false
A flag indicating if the DN returned by a query contains the roleNameAttributeID. If set to true, the DN is checked for the roleNameATtributeID. If set to false, the DN is not checked for the roleNameAttributeID. This flag can improve the performance of LDAP queries.
parseUsername
true or false
false
A flag indicating if the DN is to be parsed for the username. If set to true, the DN is parsed for the username. If set to false the DN is not parsed for the username. This option is used together with usernameBeginString and usernameEndString.
usernameBeginString
string
none
Defines the string which is to be removed from the start of the DN to reveal the username. This option is used together with usernameEndString.
usernameEndString
string
none
Defines the string which is to be removed from the end of the DN to reveal the username. This option is used together with usernameBeginString.
roleNameAttributeID
attribute
name
Name of the attribute within the roleCtxDN context which contains the role name. If the roleAttributeIsDN property is set to true, this property is used to find the role object's name attribute.
distinguishedNameAttribute
attribute
distinguishedName
The name of the attribute in the user entry that contains the DN of the user. This may be necessary if the DN of the user itself contains special characters (backslash for example) that prevent correct user mapping. If the attribute does not exist, the entry's DN is used.
roleRecursion
integer
0
The numbers of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.
searchTimeLimit
integer
10000 (10 seconds)
The timeout in milliseconds for user or role searches.
searchScope
One of: OBJECT_SCOPE, ONELEVEL_SCOPE, SUBTREE_SCOPE
SUBTREE_SCOPE
The search scope to use.
allowEmptyPasswords
true or false
false
Whether to allow empty passwords. Most LDAP servers treat empty passwords as anonymous login attempts. To reject empty passwords, set this to false.

Table A.20. RoleMapping

Code
RoleMapping
Class
org.jboss.security.auth.spi.RoleMappingLoginModule
Description
Maps a role which is the end result of the authentication process to a declarative role. This module must be flagged as optional when you add it to the security domain.

Table A.21. RoleMapping Module Options

Option Type Default Description
rolesProperties
The fully-qualified file path and name of a properties file or resource
roles.properties
The fully-qualified file path and name of a properties file or resource which maps roles to replacement roles. The format is original_role=role1,role2,role3
replaceRole
true or false
false
Whether to add to the current roles, or replace the current roles with the mapped ones. Replaces if set to true.

Table A.22. RunAs

Code
RunAs
Class
Class: org.jboss.security.auth.spi.RunAsLoginModule
Description
A helper module that pushes a run as role onto the stack for the duration of the login phase of authentication, and pops the run as role off the stack in either the commit or abort phase. This login module provides a role for other login modules that must access secured resources in order to perform their authentication, such as a login module which accesses a secured EJB. RunAsLoginModule must be configured before the login modules that require a run as role to be established.

Table A.23. RunAs Options

Option Type Default Description
roleName
role name
nobody
The name of the role to use as the run as role during the login phase.

Table A.24. Simple

Code
Simple
Class
org.jboss.security.auth.spi.SimpleServerLoginModule
Description
A module for quick setup of security for testing purposes. It implements the following simple algorithm:
  • If the password is null, authenticate the user and assign an identity of guest and a role of guest.
  • Otherwise, if the password is equal to the user, assign an identity equal to the username and both admin and guest roles.
  • Otherwise, authentication fails.
Simple Module Options

The Simple module has no options.

Table A.25. ConfiguredIdentity

Code
ConfiguredIdentity
Class
org.picketbox.datasource.security.ConfiguredIdentityLoginModule
Description
Associates the principal specified in the module options with any subject authenticated against the module. The type of Principal class used is org.jboss.security.SimplePrincipal.

Table A.26. ConfiguredIdentity Module Options

Option Type Default Description
principal
Name of a principal
none
The principal which will be associated with any subject authenticated against the module.

Table A.27. SecureIdentity

Code
SecureIdentity
Class
org.picketbox.datasource.security.SecureIdentityLoginModule
Description
This module is provided for legacy purposes. It allows you to encrypt a password and then use the encrypted password with a static principal. If your application uses SecureIdentity, consider using a password vault mechanism instead.

Table A.28. SecureIdentity Module Options

Option Type Default Description
username
string none The username for authentication.
password
encrypted string none
The password to use for authentication. To encrypt the password, use the module directly at the command line.
java org.picketbox.datasource.security.SecureIdentityLoginModule password_to_encrypt
Paste the result of this command into the module option's value field.
managedConnectionFactoryName
JCA resource none
The name of the JCA connection factory for your datasource.

Table A.29. PropertiesUsers

Code
PropertiesUsers
Class
org.jboss.security.auth.spi.PropertiesUsersLoginModule
Description
Uses a properties file to store usernames and passwords for authentication. No authorization (role mapping) is provided. This module is only appropriate for testing.

Table A.30. SimpleUsers

Code
SimpleUsers
Class
org.jboss.security.auth.spi.SimpleUsersLoginModule
Description
This login module stores the username and clear-text password using module-option. module-option's name and value attributes specify a username and password. It is included for testing only, and is not appropriate for a production environment.

Table A.31. LdapUsers

Code
LdapUsers
Class
org.jboss.security.auth.spi.LdapUsersLoginModule
Description
The LdapUsers module is superseded by the ExtendedLDAP and AdvancedLdap modules.

Table A.32. Kerberos

Code
Kerberos
Class
com.sun.security.auth.module.Krb5LoginModule
Description
Performs Kerberos login authentication, using GSSAPI. This module is part of the security framework from the API provided by Sun Microsystems. Details can be found at http://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html. This module needs to be paired with another module which handles the authentication and roles mapping.

Table A.33. Kerberos Module Options

Option Type Default Description
storekey
true or false
false
Whether or not to add the KerberosKey to the subject's private credentials.
doNotPrompt
true or false
false
If set to true, the user is not prompted for the password.
useTicketCache
Boolean value of true or false
.
false
If true, the TGT is obtained from the ticket cache. If false, the ticket cache is not used.
ticketcache
A file or resource representing a Kerberos ticket cache.
The default depends on which operating system you use.
  • Red Hat Enterprise Linux / Solaris: /tmp/krb5cc_uid, using the numeric UID value of the operating system.
  • Microsoft Windows Server: uses the Local Security Authority (LSA) API to find the ticketcache.
The location of the ticket cache.
useKeyTab
true or false
false Whether to obtain the principal's key from a key table file.
keytab
A file or resource representing a Kerberos keytab.
the location in the operating system's Kerberos configuration file, or /home/user/krb5.keytab
The location of the key table file.
principal
string none
The name of the principal. This can either be a simple user name or a service name such as host/testserver.acme.com. Use this instead of obtaining the principal from the key table, or when the key table contains more than one principal.
useFirstPass
true or false
false
Whether to retrieve the username and password from the module's shared state, using javax.security.auth.login.name and javax.security.auth.login.password as the keys. If authentication fails, no retry attempt is made.
tryFirstPass
true or false
false
Same as useFirstPass, but if authentication fails, the module uses the CallbackHandler to retrieve a new username and password. If the second authentication fails, the failure is reported to the calling application.
storePass
true or false
false
Whether to store the username and password in the module's shared state. This does not happen if the keys already exist in the shared state, or if authentication fails.
clearPass
true or false
false
Set this to true to clear the username and password from the shared state after both phases of authentication complete.

Table A.34. SPNEGOUsers

Code
SPNEGOUsers
Class
org.jboss.security.negotiation.spnego.SPNEGOLoginModule
Description
Allows SPNEGO authentication to a Microsoft Active Directory server or other environment which supports SPNEGO. SPNEGO can also carry Kerberos credentials. This module needs to be paired with another module which handles authentication and role mapping.

Table A.35. SPNEGO Module Options

Option Type Default Description
storeKey
true or false
false
Whether or not to store the key.
useKeyTab
true or false
false
Whether to use a key table.
principal
String representing a principal for Kerberos authentication.
none
The name of the principal for authentication.
keyTab
A file or resource representing a keytab.
none
The location of a key table.
doNotPrompt
true or false
false
Whether to prompt for a password.
debug
true or false
false
Whether to record more verbose messages for debugging purposes.

Table A.36. AdvancedLdap

Code AdvancedLdap
Class
org.jboss.security.negotiation.AdvancedLdapLoginModule
Description
A module which provides additional functionality, such as SASL and the use of a JAAS security domain.

Table A.37. AdvancedLdap Module Options

Option Type Default Description
bindAuthentication
string
none
The type of SASL authentication to use for binding to the directory server.
java.naming.provider.url
string
none
The URI of the directory server.
baseCtxDN
fully-qualified DN
none
The distinguished name to use as the base for searches.
baseFilter
String representing a LDAP search filter.
none
The filter to use to narrow down search results.
roleAttributeID
String value representing an LDAP attribute.
none
The LDAP attribute which contains the names of authorization roles.
roleAttributeIsDN
true or false
false
Whether the role attribute is a Distinguished Name (DN).
roleNameAttributeID
String representing an LDAP attribute.
none
The attribute contained within the RoleAttributeId which contains the actual role attribute.
recurseRoles
true or false
false
Whether to recursively search the RoleAttributeId for roles.

Table A.38. AdvancedADLdap

Code AdvancedADLdap
Class
org.jboss.security.negotiation.AdvancedADLoginModule
Description
This module extends the AdvancedLdap login module, and adds extra parameters that are relevant to Microsoft Active Directory.

Table A.39. UsersRoles

Code UsersRoles
Class
org.jboss.security.auth.spi.UsersRolesLoginModul
Description
A simple login module that supports multiple users and user roles stored in two different properties files.

Table A.40. UsersRoles Module Options

Option Type Default Description
usersProperties
Path to a file or resource.
users.properties
The file or resource which contains the user-to-password mappings. The format of the file is user=hashed-password
rolesProperties
Path to a file or resource.
roles.properties
The file or resource which contains the user-to-role mappings. The format of the file is username=role1,role2,role3
password-stacking
useFirstPass or false
false
A value of useFirstPass indicates that this login module should first look to the information stored in the LoginContext for the identity. This option can be used when stacking other login modules with this one.
hashAlgorithm
String representing a password hashing algorithm.
none
The name of the java.security.MessageDigest algorithm to use to hash the password. There is no default so this option must be explicitly set to enable hashing. When hashAlgorithm is specified, the clear text password obtained from the CallbackHandler is hashed before it is passed to UsernamePasswordLoginModule.validatePassword as the inputPassword argument. The password stored in the users.properties file must be comparably hashed.
hashEncoding
base64 or hex
base64
The string format for the hashed password, if hashAlgorithm is also set.
hashCharset
string
The default encoding set in the container's runtime environment
The encoding used to convert the clear-text password to a byte array.
unauthenticatedIdentity
principal name
none
Defines the principal name assigned to requests which contain no authentication information. This can allow unprotected servlets to invoke methods on EJBs that do not require a specific role. Such a principal has no associated roles and can only access unsecured EJBs or EJB methods that are associated with the unchecked permission constraint.
Custom Authentication Modules

Authentication modules are implementations of javax.security.auth.spi.LoginModule. Refer to the API documentation for more information about creating a custom authentication module.