Chapter 3. Login Modules Without External Identity Store

3.1. Identity Login Module

Short name: Identity

Full name: org.jboss.security.auth.spi.IdentityLoginModule

Parent: AbstractServer Login Module

The Identity login module is a simple login module that associates a hard-coded user name with any subject authenticated against the module. It creates a SimplePrincipal instance using the name specified by the principal option. This login module is useful when a service must be given a fixed identity. It can also be used in development environments to test the security associated with a given principal and its roles.

Table 3.1. Identity Login Module Options

principal (Type: String; Default: guest)
    The name to use for the principal.

roles (Type: comma-separated list of Strings; Default: none)
    A comma-delimited list of roles which will be assigned to the subject.

3.2. UsersRoles Login Module

Short name: UsersRoles

Full name: org.jboss.security.auth.spi.UsersRolesLoginModule

Parent: UsernamePassword Login Module

The UsersRoles login module is a simple login module that supports multiple users and user roles loaded from Java properties files. Its primary purpose is to make it easy to test the security settings of multiple users and roles using properties files deployed with the application.

Table 3.2. UsersRoles Login Module Options

usersProperties (Type: Path to a file or resource; Default: users.properties)
    The file or resource which contains the user-to-password mappings. The format of the file is username=password.

rolesProperties (Type: Path to a file or resource; Default: roles.properties)
    The file or resource which contains the user-to-role mappings. The format of the file is username=role1,role2,role3.

defaultUsersProperties (Type: String; Default: defaultUsers.properties)
    The name of the properties resource containing the username-to-password mappings that will be used as the default properties passed to the usersProperties properties.

defaultRolesProperties (Type: String; Default: defaultRoles.properties)
    The name of the properties resource containing the username-to-roles mappings that will be used as the default properties passed to the usersProperties properties.

roleGroupSeperator (Type: String; Default: .)
    The character used to separate the role group name from the user name, for example jduke.CallerPrincipal=...

3.3. PropertiesUsers Login Module

Short name: PropertiesUsers

Full name: org.jboss.security.auth.spi.PropertiesUsersLoginModule

Parent: UsersRoles Login Module

The PropertiesUsers login module uses a properties file to store user names and passwords for authentication. No authorization (role mapping) is provided. This module is appropriate for testing only.

3.4. SimpleUsers Login Module

Short name: SimpleUsers

Full name: org.jboss.security.auth.spi.SimpleUsersLoginModule

Parent: PropertiesUsers Login Module

The SimpleUsers login module stores the user name and clear-text password using module-option elements. The name and value attributes of each module-option specify a user name and its password. It is included for testing only and is not appropriate for a production environment.

3.5. SecureIdentity Login Module

Short name: SecureIdentity

Full name: org.picketbox.datasource.security.SecureIdentityLoginModule

Parent: AbstractPasswordCredential Login Module

The SecureIdentity login module is provided for legacy purposes. It allows users to encrypt a password and then use the encrypted password with a static principal. If an application uses SecureIdentity, consider using a password vault mechanism instead.

Table 3.3. SecureIdentity Login Module Options

username (Type: String; Default: none)
    The user name for authentication.

password (Type: encrypted String; Default: "")
    The password to use for authentication. To encrypt the password, use the module directly at the command line, for example java org.picketbox.datasource.security.SecureIdentityLoginModule password_to_encrypt, and paste the result of this command into the module option's value field. The default value is an empty String.

managedConnectionFactoryName (Type: JCA resource; Default: none)
    The name of the JCA connection factory for your datasource.

3.6. ConfiguredIdentity Login Module

Short name: ConfiguredIdentity

Full name: org.picketbox.datasource.security.ConfiguredIdentityLoginModule

Parent: AbstractPasswordCredential Login Module

The ConfiguredIdentity login module associates the principal specified in the module options with any subject authenticated against the module. The type of Principal class used is org.jboss.security.SimplePrincipal.

Table 3.4. ConfiguredIdentity Login Module Options

username (Type: String; Default: none)
    The user name for authentication.

password (Type: encrypted String; Default: "")
    The password to use for authentication, which can be encrypted via the vault mechanism. The default value is an empty String.

principal (Type: Name of a principal; Default: none)
    The principal which will be associated with any subject authenticated against the module.
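As an added example covering both the SecureIdentity module in 3.5 and the ConfiguredIdentity module in 3.6 (this is constructed for illustration and is not taken from the JBoss EAP documentation or the PicketBox code base), the fragments below show one datasource security domain of each kind and a datasource that references the first. The domain names, the user name dbuser, the connection URL, the connection factory name, the vault block name and the ENCRYPTED_PASSWORD_PLACEHOLDER value are all assumptions.

```xml
<!-- Added example (constructed). Both <security-domain> elements go inside
     <security-domains> of the legacy security subsystem in standalone.xml. -->
<security-domains>

  <!-- SecureIdentity: the password value is the string printed by running the
       module class from the command line on the clear-text password
       (java org.picketbox.datasource.security.SecureIdentityLoginModule <password>).
       ENCRYPTED_PASSWORD_PLACEHOLDER stands in for that output. -->
  <security-domain name="example-encrypted-ds" cache-type="default">
    <authentication>
      <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule"
                    flag="required">
        <module-option name="username" value="dbuser"/>
        <module-option name="password" value="ENCRYPTED_PASSWORD_PLACEHOLDER"/>
        <!-- Assumed JCA connection factory name for a datasource with pool-name ExampleDS -->
        <module-option name="managedConnectionFactoryName"
                       value="jboss.jca:service=LocalTxCM,name=ExampleDS"/>
      </login-module>
    </authentication>
  </security-domain>

  <!-- ConfiguredIdentity: a fixed principal, with the password resolved from the
       password vault at runtime (vault block ds_ExampleDS is an assumption). -->
  <security-domain name="example-vault-ds" cache-type="default">
    <authentication>
      <login-module code="org.picketbox.datasource.security.ConfiguredIdentityLoginModule"
                    flag="required">
        <module-option name="principal" value="dbuser"/>
        <module-option name="username" value="dbuser"/>
        <module-option name="password" value="${VAULT::ds_ExampleDS::password::1}"/>
      </login-module>
    </authentication>
  </security-domain>

</security-domains>

<!-- Datasources subsystem: the datasource names the security domain instead of
     carrying a <user-name>/<password> pair in clear text. -->
<datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS">
  <connection-url>jdbc:postgresql://db.example.internal:5432/app</connection-url>
  <driver>postgresql</driver>
  <security>
    <security-domain>example-encrypted-ds</security-domain>
  </security>
</datasource>
```

When running the encryption command from Table 3.3, the PicketBox jar has to be on the classpath (java -cp). The value it prints only obscures the password: the module decrypts it with a key built into the class, so anyone who can read standalone.xml and has the PicketBox jar can recover the clear text. That is why the section above recommends the vault for anything other than legacy configurations; the vault-backed ConfiguredIdentity domain keeps the secret out of the configuration file entirely.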

3.7. Simple Login Module

Short name: Simple

Full name: org.jboss.security.auth.spi.SimpleServerLoginModule

Parent: UsernamePassword Login Module

The Simple login module is a module for quick setup of security for testing purposes. It implements the following simple algorithm:

  • If the password is null, authenticate the user and assign an identity of guest and a role of guest.
  • Otherwise, if the password is equal to the user name, assign an identity equal to the user name and both user and guest roles.
  • Otherwise, authentication fails.

The Simple login module has no options.

3.8. Disabled Login Module

Short name: Disabled

Full name: org.jboss.security.auth.spi.DisabledLoginModule

A login module that always fails authentication. It is to be used for a security domain that needs to be disabled, for instance when JAAS should not fall back to using the other security domain.

Table 3.5. Disabled Login Module Options

jboss.security.security_domain (Type: String; Default: not set)
    Name of the security domain to display in the error message.

3.9. Anon Login Module

Short name: Anon

Full name: org.jboss.security.auth.spi.AnonLoginModule

Parent: UsernamePassword Login Module

A simple login module that allows for the specification of the identity of unauthenticated users via the unauthenticatedIdentity property. This login module has no additional options beyond its inherited options from UsernamePassword Login Module.

3.10. RunAs Login Module

Short name: RunAs

Full name: org.jboss.security.auth.spi.RunAsLoginModule

The RunAs login module is a helper module that pushes a run-as role onto the stack for the duration of the login phase of authentication, then pops the run-as role from the stack in either the commit or abort phase. The purpose of this login module is to provide a role for other login modules that must access secured resources in order to perform their authentication, for example, a login module that accesses a secured EJB. The RunAs login module must be configured ahead of the login modules that require the run-as role to be established.

Table 3.6. RunAs Login Module Options

roleName (Type: role name; Default: nobody)
    The name of the role to use as the run-as role during the login phase.

principalName (Type: principal name; Default: nobody)
    Name of the principal to use as the run-as principal during the login phase. If not specified, a default of nobody is used.

principalClass (Type: A fully qualified classname; Default: org.jboss.security.SimplePrincipal)
    A Principal implementation class which contains a constructor that takes a String argument for the principal name.

3.11. RoleMapping Login Module

Short name: RoleMapping

Full name: org.jboss.security.auth.spi.RoleMappingLoginModule

Parent: AbstractServer Login Module

The RoleMapping login module supports mapping the roles that are the end result of the authentication process to one or more declarative roles. For example, if the authentication process has determined that the user John has the roles ldapAdmin and testAdmin, and the declarative role defined in the web.xml or ejb-jar.xml file for access is admin, then this login module maps the admin role to John. The RoleMapping login module must be defined as an optional module in a login module configuration, as it alters the mapping of previously mapped roles.

Table 3.7. RoleMapping Login Module Options

rolesProperties (Type: The fully qualified file path and name of a properties file or resource; Default: none)
    The fully qualified file path and name of a properties file or resource which maps roles to replacement roles. The format is original_role=role1,role2,role3.

replaceRole (Type: true or false; Default: false)
    Whether to add to the current roles, or replace the current roles with the mapped ones. Replaces if set to true.
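As an added example serving both the UsersRoles module in 3.2 and the RoleMapping module in this section (constructed for illustration; it is not configuration from the JBoss EAP documentation or code base), the security domain below chains the two modules in the order the text requires. The domain name, the three properties file names and the user jduke with roles ldapAdmin and testAdmin are assumptions.

```xml
<!-- Added example (constructed); goes inside <security-domains> of the legacy
     security subsystem. -->
<security-domain name="example-users-roles" cache-type="default">
  <authentication>
    <!-- Primary authentication and role loading from two properties files.
         ${jboss.server.config.dir} resolves to the server's configuration directory. -->
    <login-module code="UsersRoles" flag="required">
      <module-option name="usersProperties"
                     value="${jboss.server.config.dir}/example-users.properties"/>
      <module-option name="rolesProperties"
                     value="${jboss.server.config.dir}/example-roles.properties"/>
      <!-- The default separator, written out explicitly: a roles-file line such as
           jduke.CallerPrincipal=... names a role group for jduke, not a user
           called "jduke.CallerPrincipal". -->
      <module-option name="roleGroupSeperator" value="."/>
    </login-module>
    <!-- RoleMapping is flagged optional, as 3.11 requires, because it only
         rewrites roles that an earlier module has already assigned. -->
    <login-module code="RoleMapping" flag="optional">
      <module-option name="rolesProperties"
                     value="${jboss.server.config.dir}/example-role-mapping.properties"/>
      <!-- false: keep the roles UsersRoles assigned and add the mapped ones;
           true: replace the current roles with the mapped ones (Table 3.7). -->
      <module-option name="replaceRole" value="false"/>
    </login-module>
  </authentication>
</security-domain>
```

With constructed file contents of jduke=theduke in example-users.properties, jduke=ldapAdmin,testAdmin plus jduke.CallerPrincipal=callerJduke in example-roles.properties, and ldapAdmin=admin in example-role-mapping.properties, a login as jduke with password theduke is authenticated by UsersRoles, receives ldapAdmin and testAdmin in the default role group and callerJduke in the CallerPrincipal group, and then gains admin from RoleMapping without losing ldapAdmin because replaceRole is false. Both files sit in the configuration directory rather than in the deployment, so they are readable only by whoever can read standalone.xml; since the page describes this module as a testing aid, treat clear-text passwords in users.properties as a development-only convenience.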

3.12. RealmDirect Login Module

Short name: RealmDirect

Full name: org.jboss.as.security.RealmDirectLoginModule

Parent: UsernamePassword Login Module

The RealmDirect login module allows an existing security realm to be used for authentication and authorization decisions. When configured, this module looks up identity information in the referenced realm to make authentication decisions and delegates to that security realm for authorization decisions. For example, the pre-configured other security domain that ships with JBoss EAP has a RealmDirect login module. If no realm is referenced in this module, the ApplicationRealm security realm is used by default.

Table 3.8. RealmDirect Login Module Options

realm (Type: String; Default: ApplicationRealm)
    Name of the desired realm.

Note

The RealmDirect login module uses realm only for legacy security and not for Elytron.
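As an added example for this section (constructed for illustration, not taken from the JBoss EAP documentation), the fragments below define a properties-backed security realm in the management section and a security domain whose RealmDirect module points at it by name. The realm name ExampleAppRealm, the domain name and both properties file names are assumptions.

```xml
<!-- Added example (constructed). Part 1: a security realm in the <management>
     section of standalone.xml, backed by properties files that add-user maintains. -->
<management>
  <security-realms>
    <security-realm name="ExampleAppRealm">
      <authentication>
        <properties path="example-app-users.properties" relative-to="jboss.server.config.dir"/>
      </authentication>
      <authorization>
        <properties path="example-app-roles.properties" relative-to="jboss.server.config.dir"/>
      </authorization>
    </security-realm>
  </security-realms>
</management>

<!-- Part 2: inside <security-domains> of the legacy security subsystem. The realm
     option names the realm above; leaving it out would select ApplicationRealm. -->
<security-domain name="example-realm-direct" cache-type="default">
  <authentication>
    <login-module code="RealmDirect" flag="required">
      <module-option name="realm" value="ExampleAppRealm"/>
    </login-module>
  </authentication>
</security-domain>
```

Populate the users file with the add-user script rather than by hand: the stored value is a hash that incorporates the realm name, so a users file generated for ApplicationRealm will not validate against ExampleAppRealm, and renaming a realm means regenerating its users. Keeping authentication and authorization in the realm this way also means one set of files serves both the management interfaces and applications, which is the reason RealmDirect is preferred over RealmUsersRoles in 3.13.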

3.13. RealmUsersRoles Login Module

Short name: RealmUsersRoles

Full name: org.jboss.as.security.RealmUsersRolesLoginModule

Parent: UsersRoles Login Module

A login module that can authenticate users from a given realm. It is used for remoting calls. RealmDirect is recommended instead of RealmUsersRoles.

Table 3.9. RealmUsersRoles Login Module Options

realm (Type: String; Default: ApplicationRealm)
    Name of the desired realm.

hashAlgorithm (Type: String; Default: REALM)
    Static value set by this login module for the option inherited from the UsernamePassword Login Module.

hashStorePassword (Type: String; Default: false)
    Static value set by this login module for the option inherited from the UsernamePassword Login Module.

Note

The RealmUsersRoles login module uses realm only for legacy security and not for Elytron.