We are migrating from WAS to JBoss EAP 6.4.0.GA (AS 7.5.0) and I'm unable to set up Active Directory to protect our web application. My configuration was inspired by http://middlewaremagic.com/jboss/?p=378 but it is not working for 7.5.0.
Here is the snippet of the Security Domain in standalone.xml
<security-domain name="ad_security_domain" cache-type="default">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
            <module-option name="java.naming.provider.url" value="ldap://10.175.35.60:389"/>
            <module-option name="bindDN" value="CN=AD Reader,OU=Users,OU=XXX Group,DC=ferradev,DC=fe"/>
            <module-option name="bindCredential" value="secret"/>
            <module-option name="baseCtxDN" value="OU=Users,OU=XXX Company,OU=XXX Group,DC=ferradev,DC=fe"/>
            <module-option name="baseFilter" value="(sAMAccountName={0})"/>
            <module-option name="rolesCtxDN" value="OU=Groups,OU=XXX Company,OU=XXX Group,DC=ferradev,DC=fe"/>
            <module-option name="roleFilter" value="(member={1})"/>
            <module-option name="roleAttributeID" value="memberOf"/>
            <module-option name="roleAttributeIsDN" value="true"/>
            <module-option name="roleNameAttributeID" value="cn"/>
            <module-option name="allowEmptyPasswords" value="false"/>
            <module-option name="Context.REFERRAL" value="follow"/>
            <module-option name="throwValidateError" value="true"/>
            <module-option name="searchScope" value="SUBTREE_SCOPE"/>
        </login-module>
        <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
            <module-option name="rolesProperties" value="${jboss.server.config.dir}/fop-roles.properties"/>
        </login-module>
    </authentication>
</security-domain>
I have this code in my jboss-web.xml
<?xml version="1.0"?>
<jboss-web>
    <security-domain>ad_security_domain</security-domain>
</jboss-web>
In the config directory (where the standalone.xml is) I have the property file fop-roles.properties
APP_GG_FOP_DEV_ADMINS=Administrators
Here is a snippet of my web.xml
<security-constraint>
        <web-resource-collection>
            <web-resource-name>Admin Resources</web-resource-name>
            <url-pattern>/configuration/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Administrators</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
</security-constraint>
....
<security-role>
        <description>Administrators Role</description>
        <role-name>Administrators</role-name>
</security-role>
Below are the screenshots of the structure of our Active Directory:
Groups: [screenshot]
Users: [screenshot]
After successful deployment of the web application to JBoss the login page is shown, but after filling in the credentials I always get the error:
TRACE [org.jboss.security] (ServerService Thread Pool -- 100) PBOX000354: Setting security roles ThreadLocal: null
The role constraint in your web.xml says Administrators, but the different roles that are possible from your rolesCtxDN OU=Groups,OU=XXX Company,OU=XXX Group,DC=ferradev,DC=fe are APP_GG_FOR_DEV_ADMINS, APP_GG_FOR_DEV_MANAGERS, APP_GG_FOR_DEV_USERS and APP_GG_FOR_DEV_WS_ADMINS.
Also use all the TRACE logging options described in https://developer.jboss.org/wiki/SecurityFAQ to help work out your problem.
The RoleMappingLoginModule doesn't work correctly in JBoss AS7+ (EAP 6+). It can cause problems in your scenario.
Use either (Option 1) password stacking with the UsersRoles login module or (Option 2) the role mapping feature directly.
Option 1:
<security-domain name="ad_security_domain" cache-type="default">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <!-- Put your original module options for LDAP here and add following: -->
      <module-option name="password-stacking" value="useFirstPass" />
    </login-module>
    <login-module code="UsersRoles" flag="optional">
      <module-option name="password-stacking" value="useFirstPass" />
      <module-option name="rolesProperties" value="${jboss.server.config.dir}/fop-roles.properties" />
    </login-module>
  </authentication>
</security-domain>
Option 2:
<security-domain name="ad_security_domain" cache-type="default">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <!-- Put your original module options for LDAP here -->
    </login-module>
  </authentication>
  <mapping>
    <mapping-module code="PropertiesRoles" type="role">
      <module-option name="rolesProperties" value="${jboss.server.config.dir}/fop-roles.properties" />
    </mapping-module>
  </mapping>
</security-domain>
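Both answers come down to the same two-step chain: LdapExtLoginModule turns each group DN into a group name via roleNameAttributeID=cn, and the rolesProperties file turns that group name into the application role that the web.xml auth-constraint requires. The script below is an added example (not code from the question, either answer, or JBoss) that reproduces that chain offline so the three pieces can be checked against each other before touching the server. The group DNs, the properties text and the required role are constructed samples: the group names are the ones the first answer lists, the properties line is the one from the question, and the hypothetical "Ops, Night Shift" group only exists to show that escaped commas in a DN and in a properties key are handled. The parser covers the subset of java.util.Properties syntax these files use (comments, key=value or key:value, backslash escapes, comma-separated role lists) and not line continuations.

```python
"""Offline consistency check for the LDAP group -> application role chain."""
from typing import Dict, List, Set, Tuple

# Constructed: group DNs as the directory would return them for one user
# (roleAttributeID=memberOf, roleAttributeIsDN=true in the question's config).
SAMPLE_GROUP_DNS = [
    "CN=APP_GG_FOR_DEV_ADMINS,OU=Groups,OU=XXX Company,OU=XXX Group,DC=ferradev,DC=fe",
    "CN=APP_GG_FOR_DEV_USERS,OU=Groups,OU=XXX Company,OU=XXX Group,DC=ferradev,DC=fe",
    # Hypothetical group with an escaped comma inside the RDN value.
    "CN=Ops\\, Night Shift,OU=Groups,DC=ferradev,DC=fe",
]

# Constructed: contents of fop-roles.properties (first line as in the question,
# second line hypothetical; spaces and commas in a key must be escaped).
SAMPLE_ROLES_PROPERTIES = """\
# directory group = application role(s)
APP_GG_FOP_DEV_ADMINS=Administrators
Ops\\,\\ Night\\ Shift=Operators,Viewers
"""

# Constructed: the role the web.xml <auth-constraint> in the question names.
SAMPLE_REQUIRED_ROLES = ["Administrators"]

HEX = "0123456789abcdefABCDEF"


def parse_properties(text: str) -> Dict[str, List[str]]:
    """Parse key=value / key:value lines with backslash escapes; values are
    split on commas into a role list.  '#' and '!' lines are comments."""
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key: List[str] = []
        value: List[str] = []
        in_key, i = True, 0
        while i < len(line):
            ch = line[i]
            if ch == "\\" and i + 1 < len(line):       # escaped char, taken literally
                (key if in_key else value).append(line[i + 1])
                i += 2
                continue
            if in_key and ch in "=: \t":               # first unescaped separator ends the key
                in_key = False
                i += 1
                while i < len(line) and line[i] in " \t":
                    i += 1
                if ch in " \t" and i < len(line) and line[i] in "=:":
                    i += 1                             # "key = value" form
                    while i < len(line) and line[i] in " \t":
                        i += 1
                continue
            (key if in_key else value).append(ch)
            i += 1
        roles = [r.strip() for r in "".join(value).split(",") if r.strip()]
        mapping["".join(key)] = roles
    return mapping


def rdn_values(dn: str, attr: str) -> List[str]:
    """Values of every RDN of type `attr` in `dn`, honouring RFC 4514 escapes
    (backslash + char, or backslash + two hex digits)."""
    parts: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1:i + 3]
            if len(nxt) == 2 and all(c in HEX for c in nxt):
                cur.append(chr(int(nxt, 16)))
                i += 3
            else:
                cur.append(dn[i + 1])
                i += 2
            continue
        if ch in ",+":                                 # RDN separator / multi-valued RDN
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    out = []
    for part in parts:
        name, sep, value = part.partition("=")
        if sep and name.strip().lower() == attr.lower():
            out.append(value.strip())
    return out


def map_roles(group_dns: List[str], properties_text: str,
              name_attr: str = "cn") -> Tuple[Set[str], List[str]]:
    """Group DN -> group name (roleNameAttributeID) -> application role(s).
    The group names themselves are kept as roles, since that is what the LDAP
    module assigns; the properties file only adds mapped names on top.
    Returns (roles granted, group names that had no mapping entry)."""
    mapping = parse_properties(properties_text)
    granted: Set[str] = set()
    unmapped: List[str] = []
    for dn in group_dns:
        for group in rdn_values(dn, name_attr):
            granted.add(group)
            if group in mapping:
                granted.update(mapping[group])
            else:
                unmapped.append(group)
    return granted, unmapped


def missing_roles(required: List[str], granted: Set[str]) -> List[str]:
    """Roles the auth-constraint needs that the chain can never produce."""
    return sorted(set(required) - granted)


if __name__ == "__main__":
    granted, unmapped = map_roles(SAMPLE_GROUP_DNS, SAMPLE_ROLES_PROPERTIES)
    print("granted roles :", sorted(granted))
    print("unmapped groups:", unmapped)
    print("missing required:", missing_roles(SAMPLE_REQUIRED_ROLES, granted))
```

With the constructed inputs the report lists every directory group that has no line in the properties file and every required role that no group maps to; when the second list is non-empty, the auth-constraint can never be satisfied no matter which login module or mapping module loads the file, which is the symptom the question describes. Swap in the real DNs (as seen in the TRACE output the first answer recommends enabling) and the real properties file to run the same check against an actual deployment.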