5.9.2. Configure Authentication in a Security Domain
Procedure 5.7. Setup Authentication Settings for a Security Domain
Open the security domain's detailed view.Click the Profiles label at the top right of the management console. In a managed domain, select the profile to modify from the Profile selection box at the top left of the Profile view. Click the Security menu item at the left, and click Security Domains from the expanded menu. Click the View link for the security domain you want to edit.
Navigate to the Authentication subsystem configuration.Click the Authentication label at the top of the view if it is not already selected.The configuration area is divided into two areas: Login Modules and Details. The login module is the basic unit of configuration. A security domain can include several login modules, each of which can include several attributes and options.
Add an authentication module.Click the Add button to add a JAAS authentication module. Fill in the details for your module. The Code is the class name of the module. The Flags controls how the module relates to other authentication modules within the same security domain.Explanation of the Flags
The Java Enterprise Edition 6 specification provides the following explanation of the flags for security modules. The following list is taken from http://docs.oracle.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html#AppendixA. Refer to that document for more detailed information.
Flag Details requiredThe LoginModule is required to succeed. If it succeeds or fails, authentication still continues to proceed down the LoginModule list. requisiteLoginModule is required to succeed. If it succeeds, authentication continues down the LoginModule list. If it fails, control immediately returns to the application (authentication does not proceed down the LoginModule list). sufficientThe LoginModule is not required to succeed. If it does succeed, control immediately returns to the application (authentication does not proceed down the LoginModule list). If it fails, authentication continues down the LoginModule list. optionalThe LoginModule is not required to succeed. If it succeeds or fails, authentication still continues to proceed down the LoginModule list.After you have added your module, you can modify its Code or Flags by clicking the button in the Details section of the screen. Be sure the Attributes tab is selected.
Optional: Add or remove module options.If you need to add options to your module, click its entry in the Login Modules list, and select the Module Options tab in the Details section of the page. Click the button, and provide the key and value for the option. Use the button to remove an option.
Your authentication module is added to the security domain, and is immediately available to applications which use the security domain.
By default, each login module defined in a security domain has the
jboss.security.security_domain module option added to it automatically. This option causes problems with login modules which check to make sure that only known options are defined. The IBM Kerberos login module,
com.ibm.security.auth.module.Krb5LoginModule is one of these.
truewhen starting JBoss EAP 6. Add the following to your start-up parameters.