Chapter 1. Login Module Overview
The basics of login modules and their use within security domains are covered in the Security Domains section in the JBoss EAP Security Architecture guide.
1.1. About the Organization of this Document
The login modules covered in this document are organized into the following functional areas:
Login Module Functional Organization
Login Modules Without External Identity Store
- Identity Login Module - Used when a fixed or hard-coded user name is needed.
- UsersRoles Login Module - Loads user names and roles from a local Java properties files.
- PropertiesUsers Login Module - Loads only user names from a local Java properties files.
- SimpleUsers Login Module - Defines user names and passwords directly in the login module configuration.
- SecureIdentity Login Module - Legacy, allows for a static principal and encrypted password to be defined directly in the module configuration.
- ConfiguredIdentity Login Module - Associates a static principal to any authenticated user.
- Simple Login Module - A module for quick security setup for testing.
- Disabled Login Module - A module that always fails authentication.
- Anon Login Module - A module to specify the identity for an unauthenticated user.
- RunAs Login Module - Helper module for adding an additional static role during the authentication phase.
- RoleMapping Login Module - Helper module for adding to or replacing the roles of an authenticated user with one or more roles.
- RealmDirect Login Module - Delegates authentication to a security realm.
- RealmUsersRoles Login Module - Legacy module replaced by RealmDirect.
Login Modules With External Identity Store
- Database Login Module - Uses a database to store users and role mappings.
- DatabaseUsers Login Module - Alias to Database for compatibility.
- Ldap Login Module - Uses an LDAP server to store users and role mappings.
- LdapExtended Login Module
- AdvancedLdap Login Module - Provides additional functionality when authenticating using an LDAP server.
- AdvancedAdLdap Login Module - Provides additional functionality used in Microsoft Active Directory.
- LdapUsers Login Module - Legacy module replaced by LdapExtended and AdvancedLdap.
- Kerberos Login Module - Used with Kerberos authentication.
- SPNEGO Login Module - Used with Kerberos authentication.
Certificate-Based Login Modules
- Certificate Login Module - Authenticates users via X509 certificates.
- CertificateRoles Login Module - Extends Certificate module with role mapping.
- DatabaseCertificate Login Module - Extends Certificate module with role mapping stored in a database.
Login Modules for EJBs and Remoting
- Remoting Login Module - Used in securing remote EJB invocations.
- Client Login Module - Used in local, in-JVM, EJB calls for establishing client identity.
- Custom Login Modules
This guide also provides reference information for related topics such as authorization modules, password stacking and password hashing.
1.2. Extension Hierarchy
The vast majority of the login modules covered in this document actually extend the configuration options and functionality of other login modules. The structure the login modules use to extend functionality forms a hierarchy:
Login Module Extension Hierarchy
Most of the login modules in the hierarchy are concrete Java classes that are instantiated and used by JBoss EAP, but there are a few abstract classes that cannot be instantiated and used directly. The purpose of these abstract classes are to provide common functionality and to serve purely as a base class for other login modules to extend.
By default, login modules inherit all behavior and options from login modules they extend, but they may also override that behavior from their parent login module. In some cases, this may lead to certain options that are inherited by a login module from their parent but go unused.
