I am new to the authentication and security area, and I am trying to extend the authentication mechanism of my application, which currently provides traditional username/password authentication, so that users can also authenticate via an LDAP server.
In the current implementation, the application uses the j_security_check thread from the Server API to authenticate the user. The standalone.xml file of JBoss has a login module pointing to a myLoginModuleClass class, which extends jboss.security.auth.spi.UsernamePasswordLoginModule.
<security-domain name="db-domain">
    <authentication>
        <login-module code="myLoginModuleClass" flag="required" module="packageForClass">
            <module-option name="hashAlgorithm" value="SHA-256" />
            <module-option name="hashEncoding" value="base64" />
            <module-option name="password-stacking" value="useFirstPass" />
        </login-module>
    </authentication>
</security-domain>
I have added another login module, the LDAP login module, in a separate security domain.
<security-domain name="ldap-domain">
    <authentication>
        <login-module code="LDAPLoginModule" flag="required" module="LDAPModulePackage">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
            <module-option name="java.naming.security.authentication" value="simple" />
            <module-option name="bindCredential" value="secret" />
            <module-option name="password-stacking" value="useFirstPass" />
        </login-module>
    </authentication>
</security-domain>
The issue I am currently facing is the following: the jboss-web.xml and the project's web.xml both point to the existing security domain, db-domain, and I can only specify one security domain there. Question: how can I programmatically tell JBoss to use a particular login class based on the user's selection, meaning that if the user chooses LDAP authentication, the LDAPLoginModule class is called? Or is there a better way to have mixed-mode authentication?
Thanks in advance.
Meanwhile, I found a workaround. I can specify both login modules in a single security domain and change the flag from "required" to "sufficient".
<security-domain name="common-domain">
    <authentication>
        <!-- flag="sufficient": a success here ends the chain, a failure falls through to the next module -->
        <login-module code="LDAPLoginModule" flag="sufficient" module="LDAPModulePackage">
            <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
            <module-option name="java.naming.security.authentication" value="simple" />
            <module-option name="bindCredential" value="secret" />
            <!-- useFirstPass: reuse the username/password the first module put in the shared state -->
            <module-option name="password-stacking" value="useFirstPass" />
        </login-module>
        <login-module code="mydbLoginModuleClass" flag="sufficient" module="packageForClass">
            <module-option name="hashAlgorithm" value="SHA-256" />
            <module-option name="hashEncoding" value="base64" />
            <module-option name="password-stacking" value="useFirstPass" />
        </login-module>
    </authentication>
</security-domain>
By doing this, JBoss security will try the login modules sequentially in the order they are configured in the standalone.xml file (first LDAP, then the DB login) and stop as soon as a login succeeds.
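The control-flag behaviour described in the workaround above is plain JAAS, so it can be reproduced without a JBoss server. The program below is an added example, not code from the question or from JBoss: it runs the same two-module chain through the JDK's own javax.security.auth.login classes, once with both modules flagged sufficient and once with the original required flag. TableLoginModule, its "users" and "name" options, and the users alice (present only in the stand-in LDAP table) and bob (present only in the stand-in DB table) are constructed stand-ins for LDAPLoginModule and the DB login module; the password-stacking branch follows the useFirstPass convention of reading javax.security.auth.login.name and javax.security.auth.login.password from the shared state that JAAS hands to every module in the chain.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class StackedLoginDemo {
    /** Constructed stand-in for the LDAP and DB modules: accepts the "user=password"
     *  pairs in its "users" option ("users" and "name" are hypothetical options). */
    public static class TableLoginModule implements LoginModule {
        private CallbackHandler handler;
        private Map<String, Object> shared;
        private Map<String, ?> options;
        private boolean ok;

        @Override @SuppressWarnings("unchecked")
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sharedState, Map<String, ?> opts) {
            handler = h;
            shared = (Map<String, Object>) sharedState; // one map is handed to every module in the chain
            options = opts;
        }

        @Override
        public boolean login() throws LoginException {
            String user; char[] pass;
            // password-stacking=useFirstPass: reuse the credentials an earlier module already stored
            if ("useFirstPass".equals(options.get("password-stacking"))
                    && shared.containsKey("javax.security.auth.login.name")) {
                user = (String) shared.get("javax.security.auth.login.name");
                pass = (char[]) shared.get("javax.security.auth.login.password");
            } else {
                NameCallback nc = new NameCallback("user: ");
                PasswordCallback pc = new PasswordCallback("password: ", false);
                try {
                    handler.handle(new Callback[] { nc, pc });
                } catch (Exception e) {
                    throw new LoginException(e.toString());
                }
                user = nc.getName();
                pass = pc.getPassword();
                shared.put("javax.security.auth.login.name", user);     // publish for the next module
                shared.put("javax.security.auth.login.password", pass);
            }
            ok = false;
            for (String entry : ((String) options.get("users")).split(",")) {
                String[] kv = entry.split("=", 2);
                ok |= kv[0].equals(user) && kv[1].equals(new String(pass));
            }
            System.out.println("    " + options.get("name") + " module: " + (ok ? "success" : "fail"));
            if (!ok) throw new FailedLoginException("rejected by " + options.get("name"));
            return true;
        }

        @Override public boolean commit() { return ok; }
        @Override public boolean abort()  { ok = false; return true; }
        @Override public boolean logout() { ok = false; return true; }
    }

    // The question's two-module domain, LDAP first, with the same control flag on both modules.
    static Configuration domain(LoginModuleControlFlag flag) {
        String cls = TableLoginModule.class.getName();
        AppConfigurationEntry[] chain = {
            // constructed sample data: alice exists only in "LDAP", bob only in the "DB"
            new AppConfigurationEntry(cls, flag, Map.of("name", "ldap", "users", "alice=ldap-pw", "password-stacking", "useFirstPass")),
            new AppConfigurationEntry(cls, flag, Map.of("name", "db", "users", "bob=db-pw", "password-stacking", "useFirstPass")) };
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return chain; }
        };
    }

    // Run one login through the domain; true means the LoginContext accepted it.
    static boolean tryLogin(Configuration cfg, String user, String pw) {
        CallbackHandler h = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(pw.toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        try {
            new LoginContext("common-domain", new Subject(), h, cfg).login();
            return true;
        } catch (LoginException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        for (LoginModuleControlFlag flag : new LoginModuleControlFlag[] {
                LoginModuleControlFlag.SUFFICIENT, LoginModuleControlFlag.REQUIRED }) {
            System.out.println(flag + " on both modules:");
            System.out.println("  alice/ldap-pw accepted: " + tryLogin(domain(flag), "alice", "ldap-pw"));
            System.out.println("  bob/db-pw     accepted: " + tryLogin(domain(flag), "bob", "db-pw"));
            System.out.println("  bob/wrong     accepted: " + tryLogin(domain(flag), "bob", "wrong"));
        }
    }
}
```

Compile and run with `javac StackedLoginDemo.java && java StackedLoginDemo` (Java 9 or later for Map.of). With sufficient on both modules, alice is accepted by the LDAP stand-in and the DB module is never invoked, bob fails LDAP and falls through to a DB success, and a wrong password fails both; with required on both, the same two users are rejected because every required module must succeed, which is the situation the question started from. Two caveats for the sufficient/sufficient domain: the chain accepts whichever backend first validates the password, so nothing in it ties the outcome to the user's choice of LDAP or DB login, and every DB-only login first costs an LDAP bind attempt because LDAP is listed first. The bindCredential in the posted configuration is also stored in clear text in standalone.xml and should be kept out of version control.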
For any web application, say one developed in Java, there is a web.xml file where you can define multiple security roles, but there will be only one security authentication. So that means that at a time you can use only one security domain for your web application. Although the JBoss configuration file can have multiple security domains, in your jboss-web.xml you can only use one. See the JBoss documents below for confirmation: https://docs.oracle.com/cd/E19226-01/820-7627/6nisfjn8c/index.html Go under "Specifying an Authentication Mechanism":
So, in order to manage two login modules, either of the things below can be done (any one from below):