Chapter 12. Security Administration Reference
12.1. Included Authentication Modules
The following authentication modules are included in JBoss EAP 6. Some of these handle authorization as well as authentication. These usually include the word
Role within the Code name.
When you configure these modules, use the
Code value or the full (package qualified) name to refer to the module.
Authentication Modules
Table 12.1. RealmDirect
| Code | RealmDirect
|
| Class | org.jboss.as.security.RealmDirectLoginModule
|
| Description |
A login module implementation to interface directly with the security realm. This login module allows all interactions with the backing store to be delegated to the realm removing the need for any duplicate and synchronized definitions. Used for remoting calls and management interface.
|
Table 12.2. RealmDirect Module Options
| Option | Type | Default | Description |
|---|---|---|---|
realm |
string
| ApplicationRealm
|
Name of the desired realm.
|
Table 12.3. Client
| Code | Client
|
| Class | org.jboss.security.ClientLoginModule
|
| Description |
This login module is designed to establish caller identity and credentials when JBoss EAP 6 is acting as a client. It should never be used as part of a security domain used for server authentication.
|
Table 12.4. Client Module Options
| Option | Type | Default | Description |
|---|---|---|---|
multi-threaded | true or false
| false
|
Set to true if each thread has its own principal and credential storage. Set to false to indicate that all threads in the VM share the same identity and credential.
|
password-stacking
| useFirstPass or false
| false
|
Set to
useFirstPass to indicate that this login module should look for information stored in the LoginContext to use as the identity. This option can be used when stacking other login modules with this one.
|
restore-login-identity
| true or false
| false
|
Set to true if the identity and credential seen at the start of the
login() method should be restored after the logout() method is invoked.
|
Table 12.5. Remoting
| Code | Remoting
|
| Class | org.jboss.as.security.remoting.RemotingLoginModule
|
| Description |
This login module is used to check if the request currently being authenticated is a request received over a Remoting connection, and if so the identity that was created during the Remoting authentication process is used and associated with the current request. If the request did not arrive over a Remoting connection this module does nothing and allows the JAAS based login to continue to the next module.
|
Table 12.6. Remoting Module Options
| Option | Type | Default | Description |
|---|---|---|---|
password-stacking | useFirstPass or false
| false
|
A value of
useFirstPass indicates that this login module should first look to the information stored in the LoginContext for the identity. This option can be used when stacking other login modules with this one.
|
principalClass
|
A fully-qualified classname.
|
none
|
A
Principal implementation class which contains a constructor that takes String arguments for the principal name.
|
unauthenticatedIdentity
|
A principal name.
|
none
|
Defines the principal name assigned to requests which contain no authentication information. This can allow unprotected servlets to invoke methods on EJBs that do not require a specific role. Such a principal has no associated roles and can only access unsecured EJBs or EJB methods that are associated with the
unchecked permission constraint.
|
Table 12.7. Certificate
| Code | Certificate
|
| Class | org.jboss.security.auth.spi.BaseCertLoginModule
|
| Description |
This login module is designed to authenticate users based on
X509 Certificates. A use case for this is CLIENT-CERT authentication of a web application.
|
Table 12.8. Certificate Module Options
| Option | Type | Default | Description |
|---|---|---|---|
securityDomain
| string | other
|
Name of the security domain that has the JSSE configuration for the truststore holding the trusted certificates.
|
verifier
| class |
none
|
The class name of the
org.jboss.security.auth.certs.X509CertificateVerifier to use for verification of the login certificate.
|
Table 12.9. CertificateRoles
| Code | CertificateRoles
|
| Class | org.jboss.security.auth.spi.CertRolesLoginModule
|
| Description |
This login module extends the Certificate login module to add role mapping capabilities from a properties file. It takes all of the same options as the Certificate login module, and adds the following options.
|
Table 12.10. CertificateRoles Module Options
| Option | Type | Default | Description |
|---|---|---|---|
rolesProperties
| string | roles.properties
|
The name of the resource or file containing the roles to assign to each user. The role properties file must be in the format
username=role1,role2 where the username is the DN of the certificate, escaping any = (equals) and space characters. The following example is in the correct format:
CN\=unit-tests-client,\ OU\=Red\ Hat\ Inc.,\ O\=Red\ Hat\ Inc.,\ ST\=North\ Carolina,\ C\=US |
defaultRolesProperties
| string | defaultRoles.properties
|
Name of the resource or file to fall back to if the
rolesProperties file cannot be found.
|
roleGroupSeparator
| A single character. | . (a single period)
|
Which character to use as the role group separator in the
rolesProperties file.
|
Table 12.11. Database
| Code | Database |
| Class | org.jboss.security.auth.spi.DatabaseServerLoginModule
|
| Description |
A JDBC-based login module that supports authentication and role mapping. It is based on two logical tables, with the following definitions.
|
Table 12.12. Database Module Options
| Option | Type | Default | Description |
|---|---|---|---|
digestCallback
| A fully-qualified classname |
none
|
The class name of the
DigestCallback implementation that includes pre/post digest content like salts for hashing the input password. Only used if hashAlgorithm has been specified.
|
dsJndiName
| A JNDI resource | java:/DefaultDS
|
The name of the JNDI resource storing the authentication information. This option is required.
|
hashAlgorithm
| String |
Use plain passwords
|
The message digest algorithm used to hash passwords. Supported algorithms depend on the Java Security Provider, but the following are supported:
MD5, SHA-1, and SHA-256.
|
hashCharset
| String |
The platform's default encoding
|
The name of the charset/encoding to use when converting the password String to a byte array. This includes all supported Java charset names.
|
hashEncoding
| String |
Base64
|
The string encoding format to use.
|
ignorePasswordCase
| boolean |
false
|
A flag indicating if the password comparison should ignore case.
|
inputValidator
| A fully-qualified classname |
none
|
The instance of the InputValidator implementation used to validate the username and password supplied by the client.
|
principalsQuery
| prepared SQL statement | select Password from Principals where PrincipalID=?
|
The prepared SQL query to obtain the information about the principal.
|
rolesQuery
| prepared SQL statement |
none
|
The prepared SQL query to obtain the information about the roles. It should be equivalent to
select Role, RoleGroup from Roles where PrincipalID=?, where Role is the role name and the RoleGroup column value should always be either Roles with a capital R or CallerPrincipal.
|
storeDigestCallback
| A fully-qualified classname |
none
|
The class name of the
DigestCallback implementation that includes pre/post digest content like salts for hashing the store/expected password. Only used if hashStorePassword or hashUserPassword is true and hashAlgorithm has been specified.
|
suspendResume
| boolean |
true
|
Whether any existing JTA transaction should be suspended during database operations.
|
throwValidatorError
| boolean |
false
|
A flag that indicates whether validation errors should be exposed to clients or not
|
transactionManagerJndiName
| JNDI Resource |
java:/TransactionManager
|
The JNDI name of the transaction manager used by the login module.
|
Table 12.13. DatabaseCertificate
| Code | DatabaseCertificate
|
| Class | org.jboss.security.auth.spi.DatabaseCertLoginModule
|
| Description |
This login module extends the Certificate login module to add role mapping capabilities from a database table. It has the same options plus these additional options:
|
Table 12.14. DatabaseCertificate Module Options
| Option | Type | Default | Description |
|---|---|---|---|
dsJndiName
| A JNDI resource | java:/DefaultDS
|
The name of the JNDI resource storing the authentication information. This option is required.
|
rolesQuery
| prepared SQL statement | select Role,RoleGroup from Roles where PrincipalID=?
|
SQL prepared statement to be executed in order to map roles. It should be an equivalent to
select Role, RoleGroup from Roles where PrincipalID=?, where Role is the role name and the RoleGroup column value should always be either Roles with a capital R or CallerPrincipal.
|
suspendResume
| true or false
| true
|
Whether any existing JTA transaction should be suspended during database operations.
|
Table 12.15. Identity
| Code | Identity
|
| Class | org.jboss.security.auth.spi.IdentityLoginModule
|
| Description |
Associates the principal specified in the module options with any subject authenticated against the module. The type of Principal class used is
org.jboss.security.SimplePrincipal. If no principal option is specified a principal with the name of guest is used.
|
Table 12.16. Identity Module Options
| Option | Type | Default | Description |
|---|---|---|---|
principal
| String | guest
|
The name to use for the principal.
|
roles
| comma-separated list of strings |
none
|
A comma-delimited list of roles which will be assigned to the subject.
|
Table 12.17. Ldap
| Code | Ldap
|
| Class | org.jboss.security.auth.spi.LdapLoginModule
|
| Description |
Authenticates against an LDAP server, when the username and password are stored in an LDAP server that is accessible using a JNDI LDAP provider. Many of the options are not required, because they are determined by the LDAP provider or the environment.
|
Table 12.18. Ldap Module Options
| Option | Type | Default | Description |
|---|---|---|---|
java.naming.factory.initial
| class name | com.sun.jndi.ldap.LdapCtxFactory
| InitialContextFactory implementation class name.
|
java.naming.provider.url
| ldap:// URL
|
If the value of
java.naming.security.protocol is SSL, ldap://localhost:636, otherwise ldap://localhost:389
|
URL for the LDAP server.
|
java.naming.security.authentication
| none, simple, or the name of a SASL mechanism
| simple
|
The security level to use to bind to the LDAP server.
|
java.naming.security.protocol
| transport protocol |
If unspecified, determined by the provider.
|
The transport protocol to use for secure access, such as SSL.
|
java.naming.security.principal
| string |
none
|
The name of the principal for authenticating the caller to the service. This is built from other properties described below.
|
java.naming.security.credentials
| credential type |
none
|
The type of credential used by the authentication scheme. Some examples include hashed password, clear-text password, key, or certificate. If this property is unspecified, the behavior is determined by the service provider.
|
principalDNPrefix
| string | |
Prefix added to the username to form the user DN. You can prompt the user for a username and build the fully-qualified DN by using the
principalDNPrefix and principalDNSuffix.
|
principalDNSuffix
| string | |
Suffix added to the username to form the user DN. You can prompt the user for a username and build the fully-qualified DN by using the
principalDNPrefix and principalDNSuffix.
|
useObjectCredential
| true or false
|
false
|
Whether the credential should be obtained as an opaque Object using the
org.jboss.security.auth.callback.ObjectCallback type of Callback rather than as a char[] password using a JAAS PasswordCallback. This allows for passing non-char[] credential information to the LDAP server.
|
rolesCtxDN
| fully-qualified DN |
none
|
The fully-qualified DN for the context to search for user roles.
|
userRolesCtxDNAttributeName
|
attribute
|
none
|
The attribute in the user object that contains the DN for the context to search for user roles. This differs from
rolesCtxDN in that the context to search for a user's roles may be unique for each user.
|
roleAttributeID
| attribute | roles
|
Name of the attribute containing the user roles.
|
roleAttributeIsDN
| true or false
| false
|
Whether or not the
roleAttributeID contains the fully-qualified DN of a role object. If false, the role name is taken from the value of the roleNameAttributeId attribute of the context name. Certain directory schemas, such as Microsoft Active Directory, require this attribute to be set to true.
|
roleNameAttributeID
| attribute | name
|
Name of the attribute within the
roleCtxDN context which contains the role name. If the roleAttributeIsDN property is set to true, this property is used to find the role object's name attribute.
|
uidAttributeID
| attribute | uid
|
Name of the attribute in the
UserRolesAttributeDN that corresponds to the user ID. This is used to locate the user roles.
|
matchOnUserDN
| true or false
| false
|
Whether or not the search for user roles should match on the user's fully-distinguished DN or the username only. If
true, the full user DN is used as the match value. If false, only the username is used as the match value against the uidAttributeName attribute.
|
allowEmptyPasswords
| true or false
| false
|
Whether to allow empty passwords. Most LDAP servers treat empty passwords as anonymous login attempts. To reject empty passwords, set this to
false.
|
Table 12.19. LdapExtended
| Code | LdapExtended
|
| Class | org.jboss.security.auth.spi.LdapExtLoginModule
|
| Description |
An alternate LDAP login module implementation that uses searches to locate the bind user and associated roles. The roles query recursively follows DNs to navigate a hierarchical role structure. It uses the same
java.naming options as the Ldap module, and uses the following options instead of the other options of the Ldap module.
The authentication happens in 2 steps:
|
Table 12.20. LdapExtended Module Options
| Option | Type | Default | Description |
|---|---|---|---|
baseCtxDN
| fully-qualified DN |
none
|
The fixed DN of the top-level context to begin the user search.
|
bindCredential
| string, optionally encrypted |
none
|
See the JBoss EAP Security Guide for more information.
|
bindDN
| fully-qualified DN |
none
|
The DN used to bind against the LDAP server for the user and roles queries. This DN needs read and search permissions on the
baseCtxDN and rolesCtxDN values.
|
baseFilter
| LDAP filter string |
none
|
A search filter used to locate the context of the user to authenticate. The input username or
userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).
|
rolesCtxDN
| fully-qualified DN |
none
|
The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.
|
roleFilter
| LDAP filter string |
none
|
A search filter used to locate the roles associated with the authenticated user. The input username or
userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).
|
roleAttributeIsDN | true or false
| false
|
Whether or not the
roleAttributeID contains the fully-qualified DN of a role object. If false, the role name is taken from the value of the roleNameAttributeId attribute of the context name. Certain directory schemas, such as Microsoft Active Directory, require this attribute to be set to true.
|
defaultRole
|
Role name
|
none
|
A role included for all authenticated users
|
parseRoleNameFromDN
| true or false
| false
|
A flag indicating if the DN returned by a query contains the roleNameAttributeID. If set to
true, the DN is checked for the roleNameATtributeID. If set to false, the DN is not checked for the roleNameAttributeID. This flag can improve the performance of LDAP queries.
|
parseUsername
| true or false
| false
|
A flag indicating if the DN is to be parsed for the username. If set to
true, the DN is parsed for the username. If set to false the DN is not parsed for the username. This option is used together with usernameBeginString and usernameEndString.
|
usernameBeginString
|
string
|
none
|
Defines the string which is to be removed from the start of the DN to reveal the username. This option is used together with
usernameEndString.
|
usernameEndString
|
string
|
none
|
Defines the string which is to be removed from the end of the DN to reveal the username. This option is used together with
usernameBeginString.
|
roleNameAttributeID
| attribute | name
|
Name of the attribute within the
roleCtxDN context which contains the role name. If the roleAttributeIsDN property is set to true, this property is used to find the role object's name attribute.
|
distinguishedNameAttribute
| attribute | distinguishedName
|
The name of the attribute in the user entry that contains the DN of the user. This may be necessary if the DN of the user itself contains special characters (backslash for example) that prevent correct user mapping. If the attribute does not exist, the entry's DN is used.
|
roleRecursion
| integer | 0
|
The numbers of levels of recursion the role search will go below a matching context. Disable recursion by setting this to
0.
|
searchTimeLimit
| integer | 10000 (10 seconds)
|
The timeout in milliseconds for user or role searches.
|
searchScope
|
One of:
OBJECT_SCOPE, ONELEVEL_SCOPE, SUBTREE_SCOPE
| SUBTREE_SCOPE
|
The search scope to use.
|
allowEmptyPasswords
| true or false
| false
|
Whether to allow empty passwords. Most LDAP servers treat empty passwords as anonymous login attempts. To reject empty passwords, set this to false.
|
referralUserAttributeIDToCheck
|
attribute
|
none
|
If you are not using referrals, this option can be ignored. When using referrals, this option denotes the attribute name which contains users defined for a certain role (for example,
member), if the role object is inside the referral. Users are checked against the content of this attribute name. If this option is not set, the check will always fail, so role objects cannot be stored in a referral tree.
|
Table 12.21. RoleMapping
| Code | RoleMapping
|
| Class | org.jboss.security.auth.spi.RoleMappingLoginModule
|
| Description |
Maps a role which is the end result of the authentication process to a declarative role. This module must be flagged as
optional when you add it to the security domain.
|
Table 12.22. RoleMapping Module Options
| Option | Type | Default | Description |
|---|---|---|---|
rolesProperties
| The fully-qualified file path and name of a properties file or resource | none
|
The fully-qualified file path and name of a properties file or resource which maps roles to replacement roles. The format is
original_role=role1,role2,role3
|
replaceRole
| true or false
| false
|
Whether to add to the current roles, or replace the current roles with the mapped ones. Replaces if set to
true.
|
Note
The
rolesProperties module option is required for RoleMapping.
Table 12.23. RunAs
| Code | RunAs
|
| Class | org.jboss.security.auth.spi.RunAsLoginModule
|
| Description |
A helper module that pushes a
run as role onto the stack for the duration of the login phase of authentication, and pops the run as role off the stack in either the commit or abort phase. This login module provides a role for other login modules that must access secured resources in order to perform their authentication, such as a login module which accesses a secured EJB. RunAsLoginModule must be configured before the login modules that require a run as role to be established.
|
Table 12.24. RunAs Options
| Option | Type | Default | Description |
|---|---|---|---|
roleName
| role name | nobody
|
The name of the role to use as the
run as role during the login phase.
|
principalName
| principal name | nobody
|
Name of the principal to use as the
run as principal during login phase. If not specified a default of nobody is used.
|
principalClass
| A fully-qualified classname. |
none
|
A
Principal implementation class which contains a constructor that takes String arguments for the principal name.
|
Table 12.25. Simple
| Code | Simple
|
| Class | org.jboss.security.auth.spi.SimpleServerLoginModule
|
| Description |
A module for quick setup of security for testing purposes. It implements the following simple algorithm:
|
Simple Module Options
The Simple module has no options.
Table 12.26. ConfiguredIdentity
| Code | ConfiguredIdentity
|
| Class | org.picketbox.datasource.security.ConfiguredIdentityLoginModule
|
| Description |
Associates the principal specified in the module options with any subject authenticated against the module. The type of Principal class used is
org.jboss.security.SimplePrincipal.
|
Table 12.27. ConfiguredIdentity Module Options
| Option | Type | Default | Description |
|---|---|---|---|
username
| string | none | The username for authentication. |
password
| encrypted string | "" |
The password to use for authentication. To encrypt the password, use the module directly at the command line.
Paste the result of this command into the module option's value field. The default value is an empty string.
|
principal
| Name of a principal | none
|
The principal which will be associated with any subject authenticated against the module.
|
Table 12.28. SecureIdentity
| Code | SecureIdentity
|
| Class | org.picketbox.datasource.security.SecureIdentityLoginModule
|
| Description |
This module is provided for legacy purposes. It allows you to encrypt a password and then use the encrypted password with a static principal. If your application uses
SecureIdentity, consider using a password vault mechanism instead.
|
Table 12.29. SecureIdentity Module Options
| Option | Type | Default | Description |
|---|---|---|---|
username
| string | none | The username for authentication. |
password
| encrypted string | "" |
The password to use for authentication. To encrypt the password, use the module directly at the command line.
Paste the result of this command into the module option's value field. The default value is an empty string.
|
managedConnectionFactoryName
| JCA resource | none |
The name of the JCA connection factory for your datasource.
|
Table 12.30. PropertiesUsers
| Code | PropertiesUsers
|
| Class | org.jboss.security.auth.spi.PropertiesUsersLoginModule
|
| Description |
Uses a properties file to store usernames and passwords for authentication. No authorization (role mapping) is provided. This module is only appropriate for testing.
|
Table 12.31. SimpleUsers
| Code | SimpleUsers
|
| Class | org.jboss.security.auth.spi.SimpleUsersLoginModule
|
| Description |
This login module stores the username and clear-text password using
module-option. module-option's name and value attributes specify a username and password. It is included for testing only, and is not appropriate for a production environment.
|
Table 12.32. LdapUsers
| Code | LdapUsers
|
| Class | org.jboss.security.auth.spi.LdapUsersLoginModule
|
| Description |
The
LdapUsers module is superseded by the ExtendedLDAP and AdvancedLdap modules.
|
Table 12.33. Kerberos
| Code | Kerberos
|
| Class | com.sun.security.auth.module.Krb5LoginModule. In the IBM JDK the classname is com.ibm.security.auth.module.Krb5LoginModule.
|
| Description |
Performs Kerberos login authentication, using GSSAPI. This module is part of the security framework from the API provided by Sun Microsystems. Details can be found at http://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html. This module needs to be paired with another module which handles the authentication and roles mapping.
|
Table 12.34. Kerberos Module Options
| Option | Type | Default | Description |
|---|---|---|---|
storekey
| true or false
| false |
Whether or not to add the
KerberosKey to the subject's private credentials.
|
doNotPrompt
| true or false
| false |
If set to
true, the user is not prompted for the password.
|
useTicketCache
|
Boolean value of
. true or false
| false |
If
true, the TGT is obtained from the ticket cache. If false, the ticket cache is not used.
|
ticketcache
| A file or resource representing a Kerberos ticket cache. |
The default depends on which operating system you use.
| The location of the ticket cache. |
useKeyTab
| true or false
| false | Whether to obtain the principal's key from a key table file. |
keytab
| A file or resource representing a Kerberos keytab. |
the location in the operating system's Kerberos configuration file, or
/home/user/krb5.keytab
| The location of the key table file. |
principal
| string | none |
The name of the principal. This can either be a simple user name or a service name such as
host/testserver.acme.com. Use this instead of obtaining the principal from the key table, or when the key table contains more than one principal.
|
useFirstPass
| true or false
| false |
Whether to retrieve the username and password from the module's shared state, using
javax.security.auth.login.name and javax.security.auth.login.password as the keys. If authentication fails, no retry attempt is made.
|
tryFirstPass
| true or false
| false |
Same as
useFirstPass, but if authentication fails, the module uses the CallbackHandler to retrieve a new username and password. If the second authentication fails, the failure is reported to the calling application.
|
storePass
| true or false
| false |
Whether to store the username and password in the module's shared state. This does not happen if the keys already exist in the shared state, or if authentication fails.
|
clearPass
| true or false
| false |
Set this to
true to clear the username and password from the shared state after both phases of authentication complete.
|
Table 12.35. SPNEGO
| Code | SPNEGO
|
| Class | org.jboss.security.negotiation.spnego.SPNEGOLoginModule
|
| Description |
Allows SPNEGO authentication to a Microsoft Active Directory server or other environment which supports SPNEGO. SPNEGO can also carry Kerberos credentials. This module needs to be paired with another module which handles authentication and role mapping.
|
Table 12.36. SPNEGO Module Options
| Option | Type | Default | Description |
|---|---|---|---|
serverSecurityDomain
| string
| null.
|
Defines the domain that is used to retrieve the identity of the server service through the kerberos login module. This property must be set.
|
removeRealmFromPrincipal
| boolean
| false
|
Specifies that the Kerberos realm should be removed from the principal before further processing.
|
usernamePasswordDomain
| string
| null
|
Specifies another security domain within the configuration that should be used as a failover login when Kerberos fails.
|
Table 12.37. AdvancedLdap
| Code | AdvancedLdap |
| Class | org.jboss.security.negotiation.AdvancedLdapLoginModule
|
| Description |
A module which provides additional functionality, such as SASL and the use of a JAAS security domain.
|
Table 12.38. AdvancedLdap Module Options
| Option | Type | Default | Description |
|---|---|---|---|
bindAuthentication
|
string
|
none
|
The type of SASL authentication to use for binding to the directory server.
|
java.naming.provider.url
| string
|
If the value of
java.naming.security.protocol is SSL, ldap://localhost:686, otherwise ldap://localhost:389
|
The URI of the directory server.
|
baseCtxDN
|
fully-qualified DN
|
none
|
The distinguished name to use as the base for searches.
|
baseFilter
|
String representing a LDAP search filter.
|
none
|
The filter to use to narrow down search results.
|
roleAttributeID
|
String value representing an LDAP attribute.
|
none
|
The LDAP attribute which contains the names of authorization roles.
|
roleAttributeIsDN
| true or false
| false
|
Whether the role attribute is a Distinguished Name (DN).
|
roleNameAttributeID
|
String representing an LDAP attribute.
|
none
|
The attribute contained within the
RoleAttributeId which contains the actual role attribute.
|
recurseRoles
| true or false
| false
|
Whether to recursively search the
RoleAttributeId for roles.
|
referralUserAttributeIDToCheck
|
attribute
|
none
|
If you are not using referrals, this option can be ignored. When using referrals, this option denotes the attribute name which contains users defined for a certain role (for example,
member), if the role object is inside the referral. Users are checked against the content of this attribute name. If this option is not set, the check will always fail, so role objects cannot be stored in a referral tree.
|
Table 12.39. AdvancedADLdap
| Code | AdvancedADLdap |
| Class | org.jboss.security.negotiation.AdvancedADLoginModule
|
| Description |
This module extends the
AdvancedLdap login module, and adds extra parameters that are relevant to Microsoft Active Directory.
|
Table 12.40. UsersRoles
| Code | UsersRoles |
| Class | org.jboss.security.auth.spi.UsersRolesLoginModul
|
| Description |
A simple login module that supports multiple users and user roles stored in two different properties files.
|
Table 12.41. UsersRoles Module Options
| Option | Type | Default | Description |
|---|---|---|---|
usersProperties
|
Path to a file or resource.
| users.properties
|
The file or resource which contains the user-to-password mappings. The format of the file is
username=password
|
rolesProperties
|
Path to a file or resource.
| roles.properties
|
The file or resource which contains the user-to-role mappings. The format of the file is
username=role1,role2,role3
|
password-stacking
| useFirstPass or false
| false
|
A value of
useFirstPass indicates that this login module should first look to the information stored in the LoginContext for the identity. This option can be used when stacking other login modules with this one.
|
hashAlgorithm
|
String representing a password hashing algorithm.
| none
|
The name of the
java.security.MessageDigest algorithm to use to hash the password. There is no default so this option must be explicitly set to enable hashing. When hashAlgorithm is specified, the clear text password obtained from the CallbackHandler is hashed before it is passed to UsernamePasswordLoginModule.validatePassword as the inputPassword argument. The password stored in the users.properties file must be comparably hashed.
|
hashEncoding
| base64 or hex
| base64
|
The string format for the hashed password, if hashAlgorithm is also set.
|
hashCharset
|
string
|
The default encoding set in the container's runtime environment
|
The encoding used to convert the clear-text password to a byte array.
|
unauthenticatedIdentity
|
principal name
|
none
|
Defines the principal name assigned to requests which contain no authentication information. This can allow unprotected servlets to invoke methods on EJBs that do not require a specific role. Such a principal has no associated roles and can only access unsecured EJBs or EJB methods that are associated with the
unchecked permission constraint.
|
Custom Authentication Modules
Authentication modules are implementations of javax.security.auth.spi.LoginModule. Refer to the API documentation for more information about creating a custom authentication module.
