Chapter 10. Security Administration Reference

10.1. Included Authentication Modules

The following authentication modules are included in the JBoss Enterprise Application Platform. Some of these handle authorization as well as authentication. These usually include the word Role within the Code name.
When you configure these modules, use the Code value to refer to the module.

Table 10.1. Client

Code
Client
Class
org.jboss.security.ClientLoginModule
Description
This login module is designed to establish caller identity and credentials when the JBoss Enterprise Application Platform is acting as a client. It should never be used as part of a security domain used for actual server authentication.

Table 10.2. Client Module Options

Option Type Default Description
multi-threaded
true or false
false
Set to true if each thread has its own principal and credential storage. Set to false to indicate that all threads in the VM share the same identity and credential.
password-stacking
useFirstPass or false
false
Set to useFirstPass to indicate that this login module should look for information stored in the LoginContext to use as the identity. This option can be used when stacking other login modules with this one.
restore-login-identity
true or false
false
Set to true if the identity and credential seen at the start of the login() method should be restored after the logout() method is invoked.

Table 10.3. Certificate

Code
Certificate
Class
org.jboss.security.auth.spi.BaseCertLoginModule
Description
This login module is designed to authenticate users based on X509 Certificates. A use case for this is CLIENT-CERT authentication of a web application.

Table 10.4. Certificate Module Options

Option Type Default Description
securityDomain
string
none
Name of the security domain that has the JSSE configuration for the truststore holding the trusted certificates.
verifier
Class
none
The class name of the org.jboss.security.auth.certs.X509CertificateVerifier to use for verification of the login certificate.

Table 10.5. CertificateUsers

Code
CertificateUsers
Class
org.jboss.security.auth.spi.UsersRolesLoginModule
Description
Uses two properties resources: the first maps usernames to passwords, and the second maps usernames to roles.

Table 10.6. CertificateUsers Module Options

Option Type Default Description
unauthenticatedIdentity
A string
none
Defines the principal name that should be assigned to requests which contain no authentication information. This can allow unprotected servlets to invoke methods on EJBs that do not require a specific role. Such a principal has no associated roles and can only access either unsecured EJBs or EJB methods that are associated with the unchecked permission constraint.
password-stacking
useFirstPass or false
false
Set to useFirstPass to indicate that this login module should look for information stored in the LoginContext to use as the identity. This option can be used when stacking other login modules with this one.
hashAlgorithm
A string
none
The name of the java.security.MessageDigest algorithm to use to hash the password. There is no default so this option must be explicitly set to enable hashing. When hashAlgorithm is specified, the clear text password obtained from the CallbackHandler is hashed before it is passed to UsernamePasswordLoginModule.validatePassword as the inputPassword argument. The expectedPassword stored in the users.properties file must be comparably hashed. Refer to http://docs.oracle.com/javase/6/docs/api/java/security/MessageDigest.html for information on java.security.MessageDigest and the algorithms this class supports.
hashEncoding
base64 or hex
base64
The string format for the hashed password, if hashAlgorithm is also set.
hashCharSet
A string
The default encoding set in the container's environment.
The encoding used to convert the clear-text password to a byte array.
usersProperties
The fully-qualified file path and name of a properties file or resource
users.properties
The file containing the mappings between users and passwords. Each property in the file has the format username=password.
rolesProperties
The fully-qualified file path and name of a properties file or resource
roles.properties
The file containing the mappings between users and roles. Each property in the file has the format username=role1,role2,...,roleN.
ignorePasswordCase
true or false
false
Whether the password comparison should ignore case. This is useful for hashed password encoding where the case of the hashed password is not significant.
principalClass
A fully-qualified classname.
none
A Principal implementation class which contains a constructor that takes a String argument for the principal name.
roleGroupSeparator
A single character
. (a single period)
The character used to separate the username from the role group name in the rolesGroup file.
defaultUsersProperties
string
defaultUsers.properties
Name of the resource or file to fall back to if the usersProperties file can't be found.
defaultRolesProperties
string
defaultRoles.properties
Name of the resource or file to fall back to if the rolesProperties file cannot be found.
hashUserPassword
true or false
true
Whether to hash the password entered by the user, when hashAlgorithm is specified. Defaults to true.
hashStorePassword
true or false
true
Whether the store password returned from getUsersPassword() should be hashed, when hashAlgorithm is specified.
digestCallback
A fully-qualified classname.
none
The class name of the org.jboss.crypto.digest.DigestCallback implementation that includes pre or post digest content such as salt values. Only used if hashAlgorithm is specified.
storeDigestCallback
A fully-qualified classname.
none
The class name of the org.jboss.crypto.digest.DigestCallback implementation that includes pre/post digest content like salts for hashing the store password. Only used if hashStorePassword is true and hashAlgorithm is specified.
callback.option.STRING
Various
none
All options prefixed with callback.option. are passed to the DigestCallback.init(Map) method. The input username is always passed in via the javax.security.auth.login.name option, and the input/store password is passed in via the javax.security.auth.login.password option to the digestCallback or storeDigestCallback.

Table 10.7. CertificateRoles

Code
CertificateRoles
Class
org.jboss.security.auth.spi.CertRolesLoginModule
Description
This login module extends the Certificate login module to add role mapping capabilities from a properties file. It takes all of the same options as the Certificate login module, and adds the following options.

Table 10.8. CertificateRoles Module Options

Option Type Default Description
rolesProperties
A string
roles.properties
The name of the resource or file containing the roles to assign to each user. The role properties file must be in the format username=role1,role2 where the username is the DN of the certificate, escaping any = (equals) and space characters. The following example is in the correct format:
CN\=unit-tests-client,\ OU\=Red\ Hat\ Inc.,\ O\=Red\ Hat\ Inc.,\ ST\=North\ Carolina,\ C\=US=JBossAdmin
defaultRolesProperties
A string
defaultRoles.properties
Name of the resource or file to fall back to if the rolesProperties file cannot be found.
roleGroupSeparator
A single character
. (a single period)
Which character to use as the role group separator in the roleProperties file.

Table 10.9. Database

Code
Database
Class
org.jboss.security.auth.spi.DatabaseServerLoginModule
Description
A JDBC-based login module that supports authentication and role mapping. It is based on two logical tables, with the following definitions.
  • Principals: PrincipalID (text), Password (text)
  • Roles: PrincipalID (text), Role (text), RoleGroup (text)

Table 10.10. Database Module Options

Option Type Default Description
dsJndiName
A JNDI resource
none
The name of the JNDI resource storing the authentication information. This option is required.
principalsQuery
A prepared SQL statement
select Password from Principals where PrincipalID=?
The prepared SQL query to obtain the information about the principal.
rolesQuery
A prepared SQL statement
select Role, RoleGroup from Roles where PrincipalID=?
The prepared SQL query to obtain the information about the roles.

Table 10.11. DatabaseCertificate

Code
DatabaseCertificate
Class
org.jboss.security.auth.spi.DatabaseCertLoginModule
Description
This login module extends the Certificate login module to add role mapping capabilities from a database table. It has the same options plus these additional options:

Table 10.12. DatabaseCertificate Module Options

Option Type Default Description
dsJndiName
A JNDI resource
The name of the JNDI resource storing the authentication information. This option is required.
rolesQuery
A prepared SQL statement
select Role,RoleGroup from Roles where PrincipalID=?
SQL prepared statement to be executed in order to map roles. It should be equivalent to select Role, RoleGroup from Roles where PrincipalID=?, where Role is the role name and the RoleGroup column value should always be Roles, with a capital R.
suspendResume
true or false
true
Whether any existing JTA transaction should be suspended during database operations.
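As an added illustration (not code from JBoss EAP), the following Python models the Principals and Roles logical tables of the Database and DatabaseCertificate modules in an in-memory SQLite database and runs the documented default principalsQuery and rolesQuery against them. The sample principals, passwords and rows are constructed, and passwords are compared as stored clear text because the Database tables above list no hashing option.

```python
# Added example, not code from JBoss EAP: the two logical tables behind the
# Database / DatabaseCertificate login modules, queried with the documented
# default principalsQuery and rolesQuery. Sample rows are constructed.
import sqlite3

# The documented defaults. The '?' placeholders are bound by the driver, so
# the caller-supplied principal name never becomes part of the SQL text.
PRINCIPALS_QUERY = "select Password from Principals where PrincipalID=?"
ROLES_QUERY = "select Role, RoleGroup from Roles where PrincipalID=?"


def build_sample_db():
    """Create the Principals and Roles logical tables with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table Principals (PrincipalID text primary key, Password text);
        create table Roles (PrincipalID text, Role text, RoleGroup text);
    """)
    conn.executemany("insert into Principals values (?, ?)", [
        ("alice", "alice-pw"),
        ("bob", "bob-pw"),
    ])
    conn.executemany("insert into Roles values (?, ?, ?)", [
        ("alice", "Admin", "Roles"),
        ("alice", "User", "Roles"),
        ("bob", "User", "roles"),      # wrong group name: lower-case r
        ("bob", "Auditor", "Roles"),
    ])
    conn.commit()
    return conn


def lookup_password(conn, principal_id):
    """Run principalsQuery; None when the principal does not exist."""
    row = conn.execute(PRINCIPALS_QUERY, (principal_id,)).fetchone()
    return None if row is None else row[0]


def lookup_role_groups(conn, principal_id):
    """Run rolesQuery and group the rows by their RoleGroup value."""
    groups = {}
    for role, group in conn.execute(ROLES_QUERY, (principal_id,)):
        groups.setdefault(group, set()).add(role)
    return groups


def authenticate(conn, principal_id, password):
    """Return (authenticated, roles). Only rows whose RoleGroup is exactly
    'Roles' become the subject's authorization roles; rows filed under any
    other group name (such as 'roles') are silently left out."""
    stored = lookup_password(conn, principal_id)
    if stored is None or stored != password:
        return False, set()
    return True, lookup_role_groups(conn, principal_id).get("Roles", set())


if __name__ == "__main__":
    db = build_sample_db()
    print(authenticate(db, "alice", "alice-pw"))   # (True, {'Admin', 'User'})
    print(authenticate(db, "bob", "bob-pw"))       # (True, {'Auditor'})
```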

Table 10.13. Identity

Code
Identity
Class
org.jboss.security.auth.spi.IdentityLoginModule
Description
Associates the principal specified in the module options with any subject authenticated against the module. The type of Principal class used is org.jboss.security.SimplePrincipal. If no principal option is specified, a principal with the name of guest is used.

Table 10.14. Identity Module Options

Option Type Default Description
principal
A string
guest
The name to use for the principal.
roles
A comma-separated list of strings
none
A comma-delimited list of roles which will be assigned to the subject.

Table 10.15. Ldap

Code
Ldap
Class
org.jboss.security.auth.spi.LdapLoginModule
Description
Authenticates against an LDAP server, when the username and password are stored in an LDAP server that is accessible using a JNDI LDAP provider. Many of the options are not required, because they are determined by the LDAP provider or the environment.

Table 10.16. Ldap Module Options

Option Type Default Description
java.naming.factory.initial
class name
com.sun.jndi.ldap.LdapCtxFactory
InitialContextFactory implementation class name.
java.naming.provider.url
ldap:// URL
none
URL for the LDAP server.
java.naming.security.authentication
none, simple, or the name of a SASL mechanism
simple
The security level to use to bind to the LDAP server.
java.naming.security.protocol
A transport protocol
If unspecified, determined by the provider.
The transport protocol to use for secure access, such as SSL.
java.naming.security.principal
A string
none
The name of the principal for authenticating the caller to the service. This is built from other properties described below.
java.naming.security.credentials
A credential type
none
The type of credential used by the authentication scheme. Some examples include hashed password, clear-text password, key, or certificate. If this property is unspecified, the behavior is determined by the service provider.
principalDNPrefix
A string
none
Prefix added to the username to form the user DN. You can prompt the user for a username and build the fully-qualified DN by using the principalDNPrefix and principalDNSuffix.
principalDNSuffix
string
Suffix added to the username to form the user DN. You can prompt the user for a username and build the fully-qualified DN by using the principalDNPrefix and principalDNSuffix.
useObjectCredential
true or false
false
Whether the credential should be obtained as an opaque Object using the org.jboss.security.auth.callback.ObjectCallback type of Callback rather than as a char[] password using a JAAS PasswordCallback. This allows for passing non-char[] credential information to the LDAP server.
rolesCtxDN
A fully-qualified DN
none
The fully-qualified DN for the context to search for user roles.
userRolesCtxDNAttributeName
An attribute
none
The attribute in the user object that contains the DN for the context to search for user roles. This differs from rolesCtxDN in that the context to search for a user's roles may be unique for each user.
rolesAttributeID
An attribute
roles
Name of the attribute containing the user roles.
rolesAttributeIsDN
true or false
false
Whether or not the roleAttributeID contains the fully-qualified DN of a role object. If false, the role name is taken from the value of the roleNameAttributeId attribute of the context name. Certain directory schemas, such as Microsoft Active Directory, require this attribute to be set to true.
rolesNameAttributeID
An attribute
group
Name of the attribute within the roleCtxDN context which contains the role name. If the roleAttributeIsDN property is set to true, this property is used to find the role object's name attribute.
uidAttributeID
An attribute
uid
Name of the attribute in the UserRolesAttributeDN that corresponds to the user ID. This is used to locate the user roles.
matchOnUserDN
true or false
false
Whether the search for user roles should match on the user's fully-qualified DN or on the username only. If true, the full user DN is used as the match value. If false, only the username is used as the match value against the uidAttributeID attribute.
allowEmptyPasswords
true or false
true
Whether to allow empty passwords. Most LDAP servers treat empty passwords as anonymous login attempts. To reject empty passwords, set this to false.

Table 10.17. LdapExtended

Code
LdapExtended
Class
org.jboss.security.auth.spi.LdapExtLoginModule
Description
An alternate LDAP login module implementation that uses searches to locate the bind user and associated roles. The roles query recursively follows DNs to navigate a hierarchical role structure. It uses the same java.naming options as the Ldap module, and uses the following options instead of the other options of the Ldap module.
The authentication happens in two steps:
  1. An initial bind to the LDAP server is done using the bindDN and bindCredential options. The bindDN is an LDAP user with the ability to search both the baseCtxDN and rolesCtxDN trees for the user and roles. The user DN to authenticate against is queried using the filter specified by the baseFilter attribute.
  2. The resulting user DN is authenticated by binding to the LDAP server using the user DN as the InitialLdapContext environment Context.SECURITY_PRINCIPAL. The Context.SECURITY_CREDENTIALS property is set to the String password obtained by the callback handler.

Table 10.18. LdapExtended Module Options

Option Type Default Description
baseCtxDN
A fully-qualified DN
none
The fixed DN of the top-level context to begin the user search.
bindDN
A fully-qualified DN
none
The DN used to bind against the LDAP server for the user and roles queries. This DN needs read and search permissions on the baseCtxDN and rolesCtxDN values.
bindCredential
A string, optionally encrypted
none
The password for the bindDN. This can be encrypted if the jaasSecurityDomain is specified.
jaasSecurityDomain
A JMX ObjectName
none
The JMX ObjectName of the JaasSecurityDomain to use to decrypt the bindCredential. The encrypted form of the password is the format returned by the JaasSecurityDomain.encrypt64(byte[]) method.
baseFilter
LDAP filter string
none
A search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).
rolesCtxDN
fully-qualified DN
none
The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.
roleFilter
LDAP filter string
A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).
roleAttributeIsDN
true or false
false
Whether or not the roleAttributeID contains the fully-qualified DN of a role object. If false, the role name is taken from the value of the roleNameAttributeId attribute of the context name. Certain directory schemas, such as Microsoft Active Directory, require this attribute to be set to true.
defaultRole
Role name
none
A role included for all authenticated users
parseRoleNameFromDN
true or false
false
A flag indicating if the DN returned by a query contains the roleNameAttributeID. If set to true, the DN is checked for the roleNameAttributeID. If set to false, the DN is not checked for the roleNameAttributeID. This flag can improve the performance of LDAP queries.
parseUsername
true or false
false
A flag indicating if the DN is to be parsed for the username. If set to true, the DN is parsed for the username. If set to false the DN is not parsed for the username. This option is used together with usernameBeginString and usernameEndString.
usernameBeginString
a string
none
Defines the string which is to be removed from the start of the DN to reveal the username. This option is used together with usernameEndString.
usernameEndString
a string
none
Defines the string which is to be removed from the end of the DN to reveal the username. This option is used together with usernameBeginString.
roleNameAttributeID
An attribute
group
Name of the attribute within the roleCtxDN context which contains the role name. If the roleAttributeIsDN property is set to true, this property is used to find the role object's name attribute.
distinguishedNameAttribute
An attribute
distinguishedName
The name of the attribute in the user entry that contains the DN of the user. This may be necessary if the DN of the user itself contains special characters (backslash for example) that prevent correct user mapping. If the attribute does not exist, the entry's DN is used.
roleRecursion
An integer
0
The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.
searchTimeLimit
An integer
10000 (10 seconds)
The timeout in milliseconds for user or role searches.
searchScope
One of: OBJECT_SCOPE, ONELEVEL_SCOPE, SUBTREE_SCOPE
SUBTREE_SCOPE
The search scope to use.
allowEmptyPasswords
true or false
true
Whether to allow empty passwords. Most LDAP servers treat empty passwords as anonymous login attempts. To reject empty passwords, set this to false.
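The following Python is an added example, not part of JBoss EAP, of the string handling behind the LdapExtended options above: the {0}/{1} substitution in baseFilter and roleFilter, the parseUsername trimming with usernameBeginString and usernameEndString, and picking the roleNameAttributeID value out of a role DN. It escapes substituted values per RFC 4515, which is the example's own choice (the page does not state how the module escapes), the sample DNs are constructed, and it does not talk to a directory.

```python
# Added example, not code from JBoss EAP: the filter substitution and DN
# parsing that the LdapExtended options describe, without any LDAP traffic.


def escape_filter_value(value):
    """RFC 4515 escaping of a value placed inside a search filter, so that a
    username containing '*', '(', ')' or '\\' cannot change the filter's
    structure. (The example's own choice; the page does not say how the
    module escapes.)"""
    out = []
    for ch in value:
        if ch in "*()\\\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def substitute_filter(filter_template, username, user_dn=None):
    """baseFilter / roleFilter expansion: {0} is replaced by the input
    username and {1} (roleFilter only) by the authenticated user DN."""
    result = filter_template.replace("{0}", escape_filter_value(username))
    if user_dn is not None:
        result = result.replace("{1}", escape_filter_value(user_dn))
    return result


def parse_username(dn, begin_string, end_string):
    """parseUsername=true: remove usernameBeginString from the start of the
    DN and usernameEndString from its end to reveal the username. Parts that
    do not match are left untouched."""
    name = dn
    if begin_string and name.startswith(begin_string):
        name = name[len(begin_string):]
    if end_string and name.endswith(end_string):
        name = name[:-len(end_string)]
    return name


def role_name_from_dn(role_dn, role_name_attribute_id):
    """parseRoleNameFromDN=true: return the value of the first RDN whose
    attribute is roleNameAttributeID, or None if the DN has no such RDN.
    Simplified: splits on ',' and ignores escaped commas inside values."""
    for rdn in role_dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if sep and attr.strip().lower() == role_name_attribute_id.lower():
            return value
    return None


if __name__ == "__main__":
    # Constructed sample: the documented (uid={0}) and (member={1}) filters.
    user_dn = "uid=alice,ou=People,dc=example,dc=com"
    print(substitute_filter("(uid={0})", "alice"))
    print(substitute_filter("(member={1})", "alice", user_dn))
    print(parse_username(user_dn, "uid=", ",ou=People,dc=example,dc=com"))
    print(role_name_from_dn("cn=Admins,ou=Groups,dc=example,dc=com", "cn"))
```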

Table 10.19. RoleMapping

Code
RoleMapping
Class
org.jboss.security.auth.spi.RoleMappingLoginModule
Description
Maps a role which is the end result of the authentication process to a declarative role. This module must be flagged as optional when you add it to the security domain.

Table 10.20. RoleMapping Module Options

Option Type Default Description
rolesProperties
The fully-qualified file path and name of a properties file or resource
roles.properties
The fully-qualified file path and name of a properties file or resource which maps roles to replacement roles. The format is original_role=role1,role2,role3
replaceRole
true or false
false
Whether to add to the current roles, or replace the current roles with the mapped ones. Replaces if set to true.

Table 10.21. RunAs

Code
RunAs
Class
org.jboss.security.auth.spi.RunAsLoginModule
Description
A helper module that pushes a run-as role onto the stack for the duration of the login phase of authentication, and pops the run-as role off the stack in either the commit or abort phase. This login module provides a role for other login modules that must access secured resources in order to perform their authentication, such as a login module which accesses a secured EJB. RunAsLoginModule must be configured before the login modules that require a run-as role to be established.

Table 10.22. RunAs Options

Option Type Default Description
roleName
A role name.
nobody
The name of the role to use as the run as role during the login phase.

Table 10.23. Simple

Code
Simple
Class
org.jboss.security.auth.spi.SimpleServerLoginModule
Description
A module for quick setup of security for testing purposes. It implements the following simple algorithm:
  • If the password is null, authenticate the user and assign an identity of guest and a role of guest.
  • Otherwise, if the password is equal to the username, assign an identity equal to the username and both the user and guest roles.
  • Otherwise, authentication fails.
Simple Module Options

The Simple module has no options.

Table 10.24. ConfiguredIdentity

Code
ConfiguredIdentity
Class
org.picketbox.datasource.security.ConfiguredIdentityLoginModule
Description
Associates the principal specified in the module options with any subject authenticated against the module. The type of Principal class used is org.jboss.security.SimplePrincipal.

Table 10.25. ConfiguredIdentity Module Options

Option Type Default Description
principal
Name of a principal.
guest
The principal which will be associated with any subject authenticated against the module.

Table 10.26. SecureIdentity

Code
SecureIdentity
Class
org.picketbox.datasource.security.SecureIdentityLoginModule
Description
This module is provided for legacy purposes. It allows you to encrypt a password and then use the encrypted password with a static principal. If your application uses SecureIdentity, consider using a password vault mechanism instead.

Table 10.27. SecureIdentity Module Options

Option Type Default Description
username
string
none
The username for authentication.
password
encrypted string
none
The password to use for authentication. To encrypt the password, use the module directly at the command line.
java org.picketbox.datasource.security.SecureIdentityLoginModule password_to_encrypt
Paste the result of this command into the module option's value field.
managedConnectionFactoryName
A JCA resource
none
The name of the JCA connection factory for your datasource.

Table 10.28. PropertiesUsers

Code
PropertiesUsers
Class
org.jboss.security.auth.spi.PropertiesUsersLoginModule
Description
Uses a properties file to store usernames and passwords for authentication. No authorization (role mapping) is provided. This module is only appropriate for testing.

Table 10.29. PropertiesUsers Module Options

Option Type Default Description
properties
The fully-qualified file path and name of a Java properties file or resource.
none
The properties file containing the usernames and clear-text passwords to be used for authentication.

Table 10.30. SimpleUsers

Code
SimpleUsers
Class
org.jboss.security.auth.spi.SimpleUsersLoginModule
Description
This login module stores the username and clear-text password in a Java properties file. It is included for testing only, and is not appropriate for a production environment.

Table 10.31. SimpleUsers Module Options

Option Type Default Description
username
string
none
The username to use for authentication.
password
string
none
The clear-text password to use for authentication.

Table 10.32. LdapUsers

Code
LdapUsers
Class
org.jboss.security.auth.spi.LdapUsersLoginModule
Description
The LdapUsers module is superseded by the LdapExtended and AdvancedLdap modules.

Table 10.33. Kerberos

Code
Kerberos
Class
com.sun.security.auth.module.Krb5LoginModule
Description
Performs Kerberos login authentication, using GSSAPI. This module is part of the security framework from the API provided by Sun Microsystems. Details can be found at http://docs.oracle.com/javase/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html. This module needs to be paired with another module which handles the authentication and roles mapping.

Table 10.34. Kerberos Module Options

Option Type Default Description
storekey
true or false
false
Whether or not to add the KerberosKey to the subject's private credentials.
doNotPrompt
true or false
false
If set to true, the user is not prompted for the password.
useTicketCache
true or false
false
If true, the TGT is obtained from the ticket cache. If false, the ticket cache is not used.
ticketcache
A file or resource representing a Kerberos ticket cache.
The default depends on which operating system you use.
  • Red Hat Enterprise Linux / Solaris: /tmp/krb5cc_uid, using the numeric UID value of the operating system.
  • Microsoft Windows Server: uses the Local Security Authority (LSA) API to find the ticketcache.
The location of the ticket cache.
useKeyTab
true or false
false
Whether to obtain the principal's key from a key table file.
keytab
A file or resource representing a Kerberos keytab.
the location in the operating system's Kerberos configuration file, or /home/user/krb5.keytab
The location of the key table file.
principal
A string
none
The name of the principal. This can either be a simple user name or a service name such as host/testserver.acme.com. Use this instead of obtaining the principal from the key table, or when the key table contains more than one principal.
useFirstPass
true or false
false
Whether to retrieve the username and password from the module's shared state, using javax.security.auth.login.name and javax.security.auth.login.password as the keys. If authentication fails, no retry attempt is made.
tryFirstPass
true or false
false
Same as useFirstPass, but if authentication fails, the module uses the CallbackHandler to retrieve a new username and password. If the second authentication fails, the failure is reported to the calling application.
storePass
true or false
false
Whether to store the username and password in the module's shared state. This does not happen if the keys already exist in the shared state, or if authentication fails.
clearPass
true or false
false
Set this to true to clear the username and password from the shared state after both phases of authentication complete.

Table 10.35. SPNEGOUsers

Code
SPNEGOUsers
Class
org.jboss.security.negotiation.spnego.SPNEGOLoginModule
Description
Allows SPNEGO authentication to a Microsoft Active Directory server or other environment which supports SPNEGO. SPNEGO can also carry Kerberos credentials. This module needs to be paired with another module which handles authentication and role mapping.

Table 10.36. SPNEGO Module Options

Option Type Default Description
storeKey
true or false
false
Whether or not to store the key.
useKeyTab
true or false
false
Whether to use a key table.
principal
String representing a principal for Kerberos authentication.
none
The name of the principal for authentication.
keyTab
A file or resource representing a keytab.
none
The location of a key table.
doNotPrompt
true or false
false
Whether to prompt for a password.
debug
true or false
false
Whether to record more verbose messages for debugging purposes.

Table 10.37. AdvancedLdap

Code
AdvancedLdap
Class
org.jboss.security.negotiation.AdvancedLdapLoginModule
Description
A module which provides additional functionality, such as SASL and the use of a JAAS security domain.

Table 10.38. AdvancedLdap Module Options

Option Type Default Description
bindAuthentication
string
none
The type of SASL authentication to use for binding to the directory server.
jaasSecurityDomain
string
none
The name of the JAAS security domain to use.
java.naming.provider.url
string
none
The URI of the directory server.
baseCtxDN
A fully qualified Distinguished Name (DN).
none
The distinguished name to use as the base for searches.
baseFilter
String representing a LDAP search filter.
none
The filter to use to narrow down search results.
roleAttributeID
A string representing an LDAP attribute.
none
The LDAP attribute which contains the names of authorization roles.
roleAttributeIsDN
true or false
false
Whether the role attribute is a Distinguished Name (DN).
roleNameAttributeID
String representing an LDAP attribute.
none
The attribute within the entry referenced by RoleAttributeId which contains the actual role name.
recurseRoles
true or false
false
Whether to recursively search the RoleAttributeId for roles.

Table 10.39. AdvancedADLdap

Code
AdvancedADLdap
Class
org.jboss.security.negotiation.AdvancedADLoginModule
Description
This module extends the AdvancedLdap login module, and adds extra parameters that are relevant to Microsoft Active Directory.

Table 10.40. AdvancedADLdap Module Options

Option Type Default Description
primaryGroupID
A string representing a Microsoft Active Directory group ID.
none
A primary group for limiting authorization. The primary group ID is used to obtain the objectSid of the user, for authorization.

Table 10.41. UsersRoles

Code
UsersRoles
Class
org.jboss.security.auth.spi.UsersRolesLoginModule
Description
A simple login module that supports multiple users and user roles stored in two different properties files.

Table 10.42. UsersRoles Module Options

Option Type Default Description
usersProperties
Path to a file or resource.
users.properties
The file or resource which contains the user-to-password mappings. The format of the file is user=hashed-password
rolesProperties
Path to a file or resource.
roles.properties
The file or resource which contains the user-to-role mappings. The format of the file is username=role1,role2,role3
password-stacking
useFirstPass or false
false
A value of useFirstPass indicates that this login module should first look to the information stored in the LoginContext for the identity. This option can be used when stacking other login modules with this one.
hashAlgorithm
A string representing a password hashing algorithm.
none
The name of the java.security.MessageDigest algorithm to use to hash the password. There is no default so this option must be explicitly set to enable hashing. When hashAlgorithm is specified, the clear text password obtained from the CallbackHandler is hashed before it is passed to UsernamePasswordLoginModule.validatePassword as the inputPassword argument. The password stored in the users.properties file must be comparably hashed.
hashEncoding
base64 or hex
base64
The string format for the hashed password, if hashAlgorithm is also set.
hashCharset
A string
The default encoding set in the container's runtime environment
The encoding used to convert the clear-text password to a byte array.
unauthenticatedIdentity
A principal name
none
Defines the principal name assigned to requests which contain no authentication information. This can allow unprotected servlets to invoke methods on EJBs that do not require a specific role. Such a principal has no associated roles and can only access unsecured EJBs or EJB methods that are associated with the unchecked permission constraint.
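The following Python is an added example, not code from JBoss EAP, that reproduces the comparison the UsersRoles and CertificateUsers tables describe for hashAlgorithm, hashEncoding, hashCharSet, hashUserPassword and ignorePasswordCase, so that a users.properties entry can be generated and checked offline. The mapping from java.security.MessageDigest names to hashlib names, the minimal properties parser and the sample entries are the example's own.

```python
# Added example, not code from JBoss EAP: generate and check users.properties
# entries the way a UsersRoles / CertificateUsers login module compares them
# when hashAlgorithm is set. Sample entries below are constructed.
import base64
import hashlib

# java.security.MessageDigest algorithm name -> hashlib name (assumed mapping
# for the common algorithms; extend as needed).
_JAVA_TO_HASHLIB = {
    "MD5": "md5", "SHA": "sha1", "SHA-1": "sha1",
    "SHA-256": "sha256", "SHA-384": "sha384", "SHA-512": "sha512",
}


def hash_password(clear_text, hash_algorithm, hash_encoding="base64",
                  hash_charset="utf-8"):
    """Digest the clear-text password as the module does before it calls
    validatePassword: bytes via hashCharSet, digest via hashAlgorithm, then
    hashEncoding (base64 or hex). The stored value must be made the same way."""
    raw = clear_text.encode(hash_charset)
    digest = hashlib.new(_JAVA_TO_HASHLIB[hash_algorithm], raw).digest()
    if hash_encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    if hash_encoding == "hex":
        return digest.hex()
    raise ValueError("hashEncoding must be base64 or hex")


def parse_properties(text):
    """Minimal parser for username=password lines (no Java escape handling)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries[key.strip()] = value.strip()
    return entries


def validate_password(users_properties, username, input_password, options):
    """True if input_password matches the stored entry for username under the
    given module options (a dict of option name -> string value)."""
    stored = parse_properties(users_properties).get(username)
    if stored is None:
        return False
    algorithm = options.get("hashAlgorithm")
    if algorithm and options.get("hashUserPassword", "true") == "true":
        input_password = hash_password(
            input_password, algorithm,
            options.get("hashEncoding", "base64"),
            options.get("hashCharSet", "utf-8"))
    # ignorePasswordCase only matters for encodings such as hex, where the
    # case of the stored digest is not significant.
    if options.get("ignorePasswordCase", "false") == "true":
        return stored.lower() == input_password.lower()
    return stored == input_password


# Constructed sample files: one entry for an MD5/base64 configuration and one
# for MD5/hex stored in upper case.
USERS_B64 = "# constructed users.properties\nadmin=" + hash_password("password", "MD5") + "\n"
USERS_HEX = "admin=" + hash_password("password", "MD5", "hex").upper() + "\n"

if __name__ == "__main__":
    print(USERS_B64)
    print(validate_password(USERS_B64, "admin", "password", {"hashAlgorithm": "MD5"}))
```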
Custom Authentication Modules

Authentication modules are implementations of org.jboss.security.LoginModule. Refer to the API documentation for more information about creating a custom authentication module.