Appendix A. Reference

A.1. Included Authentication Modules

The following authentication modules are included in JBoss EAP 6. Some of these handle authorization as well as authentication. These usually include the word Role within the Code name.
When you configure these modules, use the Code value or the full (package qualified) name to refer to the module.

Authentication Modules

Table A.1. RealmDirect

Code
RealmDirect
Class
org.jboss.as.security.RealmDirectLoginModule
Description
A login module implementation to interface directly with the security realm. This login module allows all interactions with the backing store to be delegated to the realm removing the need for any duplicate and synchronized definitions. Used for remoting calls and management interface.

Table A.2. RealmDirect Module Options

Option Type Default Description
realm
string
ApplicationRealm
Name of the desired realm.

Table A.3. Client

Code
Client
Class
org.jboss.security.ClientLoginModule
Description
This login module is designed to establish caller identity and credentials when JBoss EAP 6 is acting as a client. It should never be used as part of a security domain used for server authentication.

Table A.4. Client Module Options

Option Type Default Description
multi-threaded
true or false
false
Set to true if each thread has its own principal and credential storage. Set to false to indicate that all threads in the VM share the same identity and credential.
password-stacking
useFirstPass or false
false
Set to useFirstPass to indicate that this login module should look for information stored in the LoginContext to use as the identity. This option can be used when stacking other login modules with this one.
restore-login-identity
true or false
false
Set to true if the identity and credential seen at the start of the login() method should be restored after the logout() method is invoked.

Table A.5. Remoting

Code
Remoting
Class
org.jboss.as.security.remoting.RemotingLoginModule
Description
This login module is used to check if the request currently being authenticated is a request received over a Remoting connection, and if so the identity that was created during the Remoting authentication process is used and associated with the current request. If the request did not arrive over a Remoting connection this module does nothing and allows the JAAS based login to continue to the next module.

Table A.6. Remoting Module Options

Option Type Default Description
password-stacking
useFirstPass or false
false
A value of useFirstPass indicates that this login module should first look to the information stored in the LoginContext for the identity. This option can be used when stacking other login modules with this one.
principalClass
A fully-qualified classname.
none
A Principal implementation class which contains a constructor that takes String arguments for the principal name.
unauthenticatedIdentity
A principal name.
none
Defines the principal name assigned to requests which contain no authentication information. This can allow unprotected servlets to invoke methods on EJBs that do not require a specific role. Such a principal has no associated roles and can only access unsecured EJBs or EJB methods that are associated with the unchecked permission constraint.

Table A.7. Certificate

Code
Certificate
Class
org.jboss.security.auth.spi.BaseCertLoginModule
Description
This login module is designed to authenticate users based on X509 Certificates. A use case for this is CLIENT-CERT authentication of a web application.

Table A.8. Certificate Module Options

Option Type Default Description
securityDomain
string
other
Name of the security domain that has the JSSE configuration for the truststore holding the trusted certificates.
verifier
class
none
The class name of the org.jboss.security.auth.certs.X509CertificateVerifier to use for verification of the login certificate.

Table A.9. CertificateRoles

Code
CertificateRoles
Class
org.jboss.security.auth.spi.CertRolesLoginModule
Description
This login module extends the Certificate login module to add role mapping capabilities from a properties file. It takes all of the same options as the Certificate login module, and adds the following options.

Table A.10. CertificateRoles Module Options

Option Type Default Description
rolesProperties
string
roles.properties
The name of the resource or file containing the roles to assign to each user. The role properties file must be in the format username=role1,role2 where the username is the DN of the certificate, escaping any = (equals) and space characters. The following example is in the correct format:
CN\=unit-tests-client,\ OU\=Red\ Hat\ Inc.,\ O\=Red\ Hat\ Inc.,\ ST\=North\ Carolina,\ C\=US
defaultRolesProperties
string
defaultRoles.properties
Name of the resource or file to fall back to if the rolesProperties file cannot be found.
roleGroupSeparator
A single character.
. (a single period)
Which character to use as the role group separator in the rolesProperties file.

Table A.11. Database

Code Database
Class
org.jboss.security.auth.spi.DatabaseServerLoginModule
Description
A JDBC-based login module that supports authentication and role mapping. It is based on two logical tables, with the following definitions.
  • Principals: PrincipalID (text), Password (text)
  • Roles: PrincipalID (text), Role (text), RoleGroup (text)

Table A.12. Database Module Options

Option Type Default Description
digestCallback
A fully-qualified classname
none
The class name of the DigestCallback implementation that includes pre/post digest content like salts for hashing the input password. Only used if hashAlgorithm has been specified.
dsJndiName
A JNDI resource
java:/DefaultDS
The name of the JNDI resource storing the authentication information. This option is required.
hashAlgorithm
String
Use plain passwords
The message digest algorithm used to hash passwords. Supported algorithms depend on the Java Security Provider, but the following are supported: MD5, SHA-1, and SHA-256.
hashCharset
String
The platform's default encoding
The name of the charset/encoding to use when converting the password String to a byte array. This includes all supported Java charset names.
hashEncoding
String
Base64
The string encoding format to use.
ignorePasswordCase
boolean
false
A flag indicating if the password comparison should ignore case.
inputValidator
A fully-qualified classname
none
The instance of the InputValidator implementation used to validate the username and password supplied by the client.
principalsQuery
prepared SQL statement
select Password from Principals where PrincipalID=?
The prepared SQL query to obtain the information about the principal.
rolesQuery
prepared SQL statement
none
The prepared SQL query to obtain the information about the roles. It should be equivalent to select Role, RoleGroup from Roles where PrincipalID=?, where Role is the role name and the RoleGroup column value should always be either Roles with a capital R or CallerPrincipal.
storeDigestCallback
A fully-qualified classname
none
The class name of the DigestCallback implementation that includes pre/post digest content like salts for hashing the store/expected password. Only used if hashStorePassword or hashUserPassword is true and hashAlgorithm has been specified.
suspendResume
boolean
true
Whether any existing JTA transaction should be suspended during database operations.
throwValidatorError
boolean
false
A flag that indicates whether validation errors should be exposed to clients or not
transactionManagerJndiName
JNDI Resource
java:/TransactionManager
The JNDI name of the transaction manager used by the login module.

Table A.13. DatabaseCertificate

Code
DatabaseCertificate
Class
org.jboss.security.auth.spi.DatabaseCertLoginModule
Description
This login module extends the Certificate login module to add role mapping capabilities from a database table. It has the same options plus these additional options:

Table A.14. DatabaseCertificate Module Options

Option Type Default Description
dsJndiName
A JNDI resource
java:/DefaultDS
The name of the JNDI resource storing the authentication information. This option is required.
rolesQuery
prepared SQL statement
select Role,RoleGroup from Roles where PrincipalID=?
SQL prepared statement to be executed in order to map roles. It should be an equivalent to select Role, RoleGroup from Roles where PrincipalID=?, where Role is the role name and the RoleGroup column value should always be either Roles with a capital R or CallerPrincipal.
suspendResume
true or false
true
Whether any existing JTA transaction should be suspended during database operations.

Table A.15. Identity

Code
Identity
Class
org.jboss.security.auth.spi.IdentityLoginModule
Description
Associates the principal specified in the module options with any subject authenticated against the module. The type of Principal class used is org.jboss.security.SimplePrincipal. If no principal option is specified a principal with the name of guest is used.

Table A.16. Identity Module Options

Option Type Default Description
principal
String
guest
The name to use for the principal.
roles
comma-separated list of strings
none
A comma-delimited list of roles which will be assigned to the subject.

Table A.17. Ldap

Code
Ldap
Class
org.jboss.security.auth.spi.LdapLoginModule
Description
Authenticates against an LDAP server, when the username and password are stored in an LDAP server that is accessible using a JNDI LDAP provider. Many of the options are not required, because they are determined by the LDAP provider or the environment.

Table A.18. Ldap Module Options

Option Type Default Description
java.naming.factory.initial
class name
com.sun.jndi.ldap.LdapCtxFactory
InitialContextFactory implementation class name.
java.naming.provider.url
ldap:// URL
If the value of java.naming.security.protocol is SSL, ldap://localhost:636, otherwise ldap://localhost:389
URL for the LDAP server.
java.naming.security.authentication
none, simple, or the name of a SASL mechanism
simple
The security level to use to bind to the LDAP server.
java.naming.security.protocol
transport protocol
If unspecified, determined by the provider.
The transport protocol to use for secure access, such as SSL or TLS.
java.naming.security.principal
string
none
The name of the principal for authenticating the caller to the service. This is built from other properties described below.
java.naming.security.credentials
credential type
none
The type of credential used by the authentication scheme. Some examples include hashed password, clear-text password, key, or certificate. If this property is unspecified, the behavior is determined by the service provider.
principalDNPrefix
string
Prefix added to the username to form the user DN. You can prompt the user for a username and build the fully-qualified DN by using the principalDNPrefix and principalDNSuffix.
principalDNSuffix
string
Suffix added to the username to form the user DN. You can prompt the user for a username and build the fully-qualified DN by using the principalDNPrefix and principalDNSuffix.
useObjectCredential
true or false
false
Whether the credential should be obtained as an opaque Object using the org.jboss.security.auth.callback.ObjectCallback type of Callback rather than as a char[] password using a JAAS PasswordCallback. This allows for passing non-char[] credential information to the LDAP server.
rolesCtxDN
fully-qualified DN
none
The fully-qualified DN for the context to search for user roles.
userRolesCtxDNAttributeName
attribute
none
The attribute in the user object that contains the DN for the context to search for user roles. This differs from rolesCtxDN in that the context to search for a user's roles may be unique for each user.
roleAttributeID
attribute
roles
Name of the attribute containing the user roles.
roleAttributeIsDN
true or false
false
Whether or not the roleAttributeID contains the fully-qualified DN of a role object. If false, the role name is taken from the value of the roleNameAttributeId attribute of the context name. Certain directory schemas, such as Microsoft Active Directory, require this attribute to be set to true.
roleNameAttributeID
attribute
name
Name of the attribute within the roleCtxDN context which contains the role name. If the roleAttributeIsDN property is set to true, this property is used to find the role object's name attribute.
uidAttributeID
attribute
uid
Name of the attribute in the UserRolesAttributeDN that corresponds to the user ID. This is used to locate the user roles.
matchOnUserDN
true or false
false
Whether or not the search for user roles should match on the user's fully-distinguished DN or the username only. If true, the full user DN is used as the match value. If false, only the username is used as the match value against the uidAttributeName attribute.
allowEmptyPasswords
true or false
false
Whether to allow empty passwords. Most LDAP servers treat empty passwords as anonymous login attempts. To reject empty passwords, set this to false.

Table A.19. LdapExtended

Code
LdapExtended
Class
org.jboss.security.auth.spi.LdapExtLoginModule
Description
An alternate LDAP login module implementation that uses searches to locate the bind user and associated roles. The roles query recursively follows DNs to navigate a hierarchical role structure. It uses the same java.naming options as the Ldap module, and uses the following options instead of the other options of the Ldap module.
The authentication happens in 2 steps:
  1. An initial bind to the LDAP server is done using the bindDN and bindCredential options. The bindDN is a LDAP user with the ability to search both the baseCtxDN and rolesCtxDN trees for the user and roles. The user DN to authenticate against is queried using the filter specified by the baseFilter attribute.
  2. The resulting user DN is authenticated by binding to the LDAP server using the user DN as the InitialLdapContext environment Context.SECURITY_PRINCIPAL. The Context.SECURITY_CREDENTIALS property is set to the String password obtained by the callback handler.

Table A.20. LdapExtended Module Options

Option Type Default Description
baseCtxDN
fully-qualified DN
none
The fixed DN of the top-level context to begin the user search.
bindCredential
string, optionally encrypted
none
See the JBoss EAP Application Security Guide for more information.
bindDN
fully-qualified DN
none
The DN used to bind against the LDAP server for the user and roles queries. This DN needs read and search permissions on the baseCtxDN and rolesCtxDN values.
baseFilter
LDAP filter string
none
A search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).
rolesCtxDN
fully-qualified DN
none
The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.
roleFilter
LDAP filter string
none
A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).
roleAttributeIsDN
true or false
false
Whether or not the roleAttributeID contains the fully-qualified DN of a role object. If false, the role name is taken from the value of the roleNameAttributeId attribute of the context name. Certain directory schemas, such as Microsoft Active Directory, require this attribute to be set to true.
defaultRole
Role name
none
A role included for all authenticated users
parseRoleNameFromDN
true or false
false
A flag indicating if the DN returned by a query contains the roleNameAttributeID. If set to true, the DN is checked for the roleNameATtributeID. If set to false, the DN is not checked for the roleNameAttributeID. This flag can improve the performance of LDAP queries.
parseUsername
true or false
false
A flag indicating if the DN is to be parsed for the username. If set to true, the DN is parsed for the username. If set to false the DN is not parsed for the username. This option is used together with usernameBeginString and usernameEndString.
usernameBeginString
string
none
Defines the string which is to be removed from the start of the DN to reveal the username. This option is used together with usernameEndString.
usernameEndString
string
none
Defines the string which is to be removed from the end of the DN to reveal the username. This option is used together with usernameBeginString.
roleNameAttributeID
attribute
name
Name of the attribute within the roleCtxDN context which contains the role name. If the roleAttributeIsDN property is set to true, this property is used to find the role object's name attribute.
distinguishedNameAttribute
attribute
distinguishedName
The name of the attribute in the user entry that contains the DN of the user. This may be necessary if the DN of the user itself contains special characters (backslash for example) that prevent correct user mapping. If the attribute does not exist, the entry's DN is used.
roleRecursion
integer
0
The numbers of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.
searchTimeLimit
integer
10000 (10 seconds)
The timeout in milliseconds for user or role searches.
searchScope
One of: OBJECT_SCOPE, ONELEVEL_SCOPE, SUBTREE_SCOPE
SUBTREE_SCOPE
The search scope to use.
allowEmptyPasswords
true or false
false
Whether to allow empty passwords. Most LDAP servers treat empty passwords as anonymous login attempts. To reject empty passwords, set this to false.
referralUserAttributeIDToCheck
attribute
none
If you are not using referrals, this option can be ignored. When using referrals, this option denotes the attribute name which contains users defined for a certain role (for example, member), if the role object is inside the referral. Users are checked against the content of this attribute name. If this option is not set, the check will always fail, so role objects cannot be stored in a referral tree.

Table A.21. RoleMapping

Code
RoleMapping
Class
org.jboss.security.auth.spi.RoleMappingLoginModule
Description
Maps a role which is the end result of the authentication process to a declarative role. This module must be flagged as optional when you add it to the security domain.

Table A.22. RoleMapping Module Options

Option Type Default Description
rolesProperties
The fully-qualified file path and name of a properties file or resource
none
The fully-qualified file path and name of a properties file or resource which maps roles to replacement roles. The format is original_role=role1,role2,role3
replaceRole
true or false
false
Whether to add to the current roles, or replace the current roles with the mapped ones. Replaces if set to true.

Note

The rolesProperties module option is required for RoleMapping.

Table A.23. RunAs

Code
RunAs
Class
org.jboss.security.auth.spi.RunAsLoginModule
Description
A helper module that pushes a run as role onto the stack for the duration of the login phase of authentication, and pops the run as role off the stack in either the commit or abort phase. This login module provides a role for other login modules that must access secured resources in order to perform their authentication, such as a login module which accesses a secured EJB. RunAsLoginModule must be configured before the login modules that require a run as role to be established.

Table A.24. RunAs Options

Option Type Default Description
roleName
role name
nobody
The name of the role to use as the run as role during the login phase.
principalName
principal name
nobody
Name of the principal to use as the run as principal during login phase. If not specified a default of nobody is used.
principalClass
A fully-qualified classname.
none
A Principal implementation class which contains a constructor that takes String arguments for the principal name.

Table A.25. Simple

Code
Simple
Class
org.jboss.security.auth.spi.SimpleServerLoginModule
Description
A module for quick setup of security for testing purposes. It implements the following simple algorithm:
  • If the password is null, authenticate the user and assign an identity of guest and a role of guest.
  • Otherwise, if the password is equal to the user, assign an identity equal to the username and both admin and guest roles.
  • Otherwise, authentication fails.
Simple Module Options

The Simple module has no options.

Table A.26. ConfiguredIdentity

Code
ConfiguredIdentity
Class
org.picketbox.datasource.security.ConfiguredIdentityLoginModule
Description
Associates the principal specified in the module options with any subject authenticated against the module. The type of Principal class used is org.jboss.security.SimplePrincipal.

Table A.27. ConfiguredIdentity Module Options

Option Type Default Description
username
string none The username for authentication.
password
encrypted string ""
The password to use for authentication. To encrypt the password, use the module directly at the command line.
java org.picketbox.datasource.security.SecureIdentityLoginModule password_to_encrypt
Paste the result of this command into the module option's value field. The default value is an empty string.
principal
Name of a principal
none
The principal which will be associated with any subject authenticated against the module.

Table A.28. SecureIdentity

Code
SecureIdentity
Class
org.picketbox.datasource.security.SecureIdentityLoginModule
Description
This module is provided for legacy purposes. It allows you to encrypt a password and then use the encrypted password with a static principal. If your application uses SecureIdentity, consider using a password vault mechanism instead.

Table A.29. SecureIdentity Module Options

Option Type Default Description
username
string none The username for authentication.
password
encrypted string ""
The password to use for authentication. To encrypt the password, use the module directly at the command line.
java org.picketbox.datasource.security.SecureIdentityLoginModule password_to_encrypt
Paste the result of this command into the module option's value field. The default value is an empty string.
managedConnectionFactoryName
JCA resource none
The name of the JCA connection factory for your datasource.

Table A.30. PropertiesUsers

Code
PropertiesUsers
Class
org.jboss.security.auth.spi.PropertiesUsersLoginModule
Description
Uses a properties file to store usernames and passwords for authentication. No authorization (role mapping) is provided. This module is only appropriate for testing.

Table A.31. SimpleUsers

Code
SimpleUsers
Class
org.jboss.security.auth.spi.SimpleUsersLoginModule
Description
This login module stores the username and clear-text password using module-option. module-option's name and value attributes specify a username and password. It is included for testing only, and is not appropriate for a production environment.

Table A.32. LdapUsers

Code
LdapUsers
Class
org.jboss.security.auth.spi.LdapUsersLoginModule
Description
The LdapUsers module is superseded by the ExtendedLDAP and AdvancedLdap modules.

Table A.33. Kerberos

Code
Kerberos
Class
com.sun.security.auth.module.Krb5LoginModule. In the IBM JDK the classname is com.ibm.security.auth.module.Krb5LoginModule.
Description
Performs Kerberos login authentication, using GSSAPI. This module is part of the security framework from the API provided by Sun Microsystems. Details can be found at http://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html. This module needs to be paired with another module which handles the authentication and roles mapping.

Table A.34. Kerberos Module Options

Option Type Default Description
storekey
true or false
false
Whether or not to add the KerberosKey to the subject's private credentials.
doNotPrompt
true or false
false
If set to true, the user is not prompted for the password if credentials cannot be obtained from the cache, the keytab, or through shared state.
useTicketCache
Boolean value of true or false
.
false
If true, the TGT is obtained from the ticket cache. If false, the ticket cache is not used.
ticketcache
A file or resource representing a Kerberos ticket cache. If this is set, useTicketCache must also be set to true, otherwise a configuration error will be returned.
The default depends on which operating system you use.
  • Red Hat Enterprise Linux / Solaris: /tmp/krb5cc_uid, using the numeric UID value of the operating system.
  • Microsoft Windows Server: uses the Local Security Authority (LSA) API to find the ticketcache.
The location of the ticket cache.
useKeyTab
true or false
false Whether to obtain the principal's key from a key table file.
keytab
A file or resource representing a Kerberos keytab.
the location in the operating system's Kerberos configuration file, or /home/user/krb5.keytab
The location of the key table file.
principal
string none
The name of the principal. This can either be a simple user name or a service name such as host/testserver.acme.com. Use this instead of obtaining the principal from the key table, or when the key table contains more than one principal.
useFirstPass
true or false
false
Whether to retrieve the username and password from the module's shared state, using javax.security.auth.login.name and javax.security.auth.login.password as the keys. If authentication fails, no retry attempt is made.
tryFirstPass
true or false
false
Same as useFirstPass, but if authentication fails, the module uses the CallbackHandler to retrieve a new username and password. If the second authentication fails, the failure is reported to the calling application.
storePass
true or false
false
Whether to store the username and password in the module's shared state. This does not happen if the keys already exist in the shared state, or if authentication fails.
clearPass
true or false
false
Set this to true to clear the username and password from the shared state after both phases of authentication complete.

Table A.35. SPNEGO

Code
SPNEGO
Class
org.jboss.security.negotiation.spnego.SPNEGOLoginModule
Description
Allows SPNEGO authentication to a Microsoft Active Directory server or other environment which supports SPNEGO. SPNEGO can also carry Kerberos credentials. This module needs to be paired with another module which handles authentication and role mapping.

Table A.36. SPNEGO Module Options

Option Type Default Description
serverSecurityDomain
string
null.
Defines the domain that is used to retrieve the identity of the server service through the kerberos login module. This property must be set.
removeRealmFromPrincipal
boolean
false
Specifies that the Kerberos realm should be removed from the principal before further processing.
usernamePasswordDomain
string
null
Specifies another security domain within the configuration that should be used as a failover login when Kerberos fails.

Table A.37. AdvancedLdap

Code AdvancedLdap
Class
org.jboss.security.negotiation.AdvancedLdapLoginModule
Description
A module which provides additional functionality, such as SASL and the use of a JAAS security domain.

Table A.38. AdvancedLdap Module Options

Option Type Default Description
bindAuthentication
string
none
The type of SASL authentication to use for binding to the directory server.
java.naming.provider.url
string
If the value of java.naming.security.protocol is SSL, ldap://localhost:686, otherwise ldap://localhost:389
The URI of the directory server.
baseCtxDN
fully-qualified DN
none
The distinguished name to use as the base for searches.
baseFilter
String representing a LDAP search filter.
none
The filter to use to narrow down search results.
roleAttributeID
String value representing an LDAP attribute.
none
The LDAP attribute which contains the names of authorization roles.
roleAttributeIsDN
true or false
false
Whether the role attribute is a Distinguished Name (DN).
roleNameAttributeID
String representing an LDAP attribute.
none
The attribute contained within the RoleAttributeId which contains the actual role attribute.
recurseRoles
true or false
false
Whether to recursively search the RoleAttributeId for roles.
referralUserAttributeIDToCheck
attribute
none
If you are not using referrals, this option can be ignored. When using referrals, this option denotes the attribute name which contains users defined for a certain role (for example, member), if the role object is inside the referral. Users are checked against the content of this attribute name. If this option is not set, the check will always fail, so role objects cannot be stored in a referral tree.

Table A.39. AdvancedADLdap

Code AdvancedADLdap
Class
org.jboss.security.negotiation.AdvancedADLoginModule
Description
This module extends the AdvancedLdap login module, and adds extra parameters that are relevant to Microsoft Active Directory.

Table A.40. UsersRoles

Code UsersRoles
Class
org.jboss.security.auth.spi.UsersRolesLoginModul
Description
A simple login module that supports multiple users and user roles stored in two different properties files.

Table A.41. UsersRoles Module Options

Option Type Default Description
usersProperties
Path to a file or resource.
users.properties
The file or resource which contains the user-to-password mappings. The format of the file is username=password
rolesProperties
Path to a file or resource.
roles.properties
The file or resource which contains the user-to-role mappings. The format of the file is username=role1,role2,role3
password-stacking
useFirstPass or false
false
A value of useFirstPass indicates that this login module should first look to the information stored in the LoginContext for the identity. This option can be used when stacking other login modules with this one.
hashAlgorithm
String representing a password hashing algorithm.
none
The name of the java.security.MessageDigest algorithm to use to hash the password. There is no default so this option must be explicitly set to enable hashing. When hashAlgorithm is specified, the clear text password obtained from the CallbackHandler is hashed before it is passed to UsernamePasswordLoginModule.validatePassword as the inputPassword argument. The password stored in the users.properties file must be comparably hashed.
hashEncoding
base64 or hex
base64
The string format for the hashed password, if hashAlgorithm is also set.
hashCharset
string
The default encoding set in the container's runtime environment
The encoding used to convert the clear-text password to a byte array.
unauthenticatedIdentity
principal name
none
Defines the principal name assigned to requests which contain no authentication information. This can allow unprotected servlets to invoke methods on EJBs that do not require a specific role. Such a principal has no associated roles and can only access unsecured EJBs or EJB methods that are associated with the unchecked permission constraint.
Custom Authentication Modules

Authentication modules are implementations of javax.security.auth.spi.LoginModule. Refer to the API documentation for more information about creating a custom authentication module.