Using Multiple login module in JBoss

会有一股神秘感。 Submitted on 2019-12-07 07:46:00

Question


I am new to the authentication and security area and I am trying to extend the authentication mechanism of my application, which currently provides traditional user name/password authentication, to allow users to authenticate via an LDAP server.

In the current implementation, the application uses j_security_check thread from Server API to authenticate the user. The standalone.xml file of Jboss has a login module pointing to a myLoginModuleClass class which extends the jboss.security.auth.spi.UsernamePasswordLoginModule.

<security-domain name="db-domain">
  <authentication>
    <login-module code="myLoginModuleClass" flag="required" module="packageForClass">
      <module-option name="hashAlgorithm" value="SHA-256" />
      <module-option name="hashEncoding" value="base64" />
      <module-option name="password-stacking" value="useFirstPass" />
    </login-module>
  </authentication>
</security-domain>

I have added another login module, the LDAP login module, in a separate security domain.

<security-domain name="ldap-domain">
  <authentication>
    <login-module code="LDAPLoginModule" flag="required" module="LDAPModulePackage">
      <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
      <module-option name="java.naming.security.authentication" value="simple" />
      <module-option name="bindCredential" value="secret" />
      <module-option name="password-stacking" value="useFirstPass" />
    </login-module>
  </authentication>
</security-domain>

The issue I am currently facing is the following: the jboss-web.xml and the project's web.xml both point to the existing security domain, db-domain, and I can only specify one security domain there. Question: how can I programmatically tell JBoss to point to a particular login class based on user selection, meaning that if the user chooses LDAP auth, the LDAPLoginModule class is called? Or is there any other, better way to have mixed-mode authentication?

Thanks in advance


Answer 1:


Meanwhile, I found a workaround. I can specify both login modules in a single security domain and change the flag from "required" to "sufficient".

<security-domain name="common-domain">
  <authentication>
    <login-module code="LDAPLoginModule" flag="sufficient" module="LDAPModulePackage">
      <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
      <module-option name="java.naming.security.authentication" value="simple" />
      <module-option name="bindCredential" value="secret" />
      <module-option name="password-stacking" value="useFirstPass" />
    </login-module>

    <login-module code="mydbLoginModuleClass" flag="sufficient" module="packageForClass">
      <module-option name="hashAlgorithm" value="SHA-256" />
      <module-option name="hashEncoding" value="base64" />
      <module-option name="password-stacking" value="useFirstPass" />
    </login-module>

  </authentication>
</security-domain>

By doing this, JBoss security will try the login modules sequentially in the order they are configured in the standalone.xml file (first LDAP, then the DB login) and stop whenever a login is successful.
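Added example, not code from the question or either answer: a Python model of the JAAS control-flag rules that JBoss applies to a login-module stack, run against the "common-domain" configuration above (both modules "sufficient") and against the same two modules with the original "required" flag. It goes a little beyond the answer by also modelling "requisite" and "optional". The module names come from the configuration; the credential stores, the check functions and the helper names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Shared-state keys that password-stacking=useFirstPass modules read and write.
NAME_KEY = "javax.security.auth.login.name"
PASSWORD_KEY = "javax.security.auth.login.password"


@dataclass
class LoginModule:
    name: str
    flag: str                                # required | requisite | sufficient | optional
    check: Callable[[Dict[str, str]], bool]  # True = login() succeeded, False = it failed


def run_stack(modules: List[LoginModule], user: str, password: str) -> Tuple[bool, List[str]]:
    """Evaluate a login-module stack; return (authenticated, modules consulted in order)."""
    # With useFirstPass the first module stores the credentials and later modules reuse
    # them instead of prompting again, so one shared map serves the whole stack.
    shared = {NAME_KEY: user, PASSWORD_KEY: password}
    consulted: List[str] = []
    required_failed = False
    any_success = False
    for module in modules:
        consulted.append(module.name)
        if module.check(shared):
            any_success = True
            if module.flag == "sufficient" and not required_failed:
                return True, consulted   # a successful "sufficient" module ends the stack early
        elif module.flag == "requisite":
            return False, consulted      # a failed "requisite" module ends the stack early
        elif module.flag == "required":
            required_failed = True       # keep consulting modules, but the overall result is failure
    return (not required_failed) and any_success, consulted


# Constructed (hypothetical) credential stores standing in for the LDAP server and the DB table.
LDAP_USERS = {"alice": "ldap-pw"}
DB_USERS = {"bob": "db-pw"}


def ldap_check(shared: Dict[str, str]) -> bool:
    return LDAP_USERS.get(shared[NAME_KEY]) == shared[PASSWORD_KEY]


def db_check(shared: Dict[str, str]) -> bool:
    return DB_USERS.get(shared[NAME_KEY]) == shared[PASSWORD_KEY]


# The "common-domain" stack from the answer: LDAP first, then the DB module, both "sufficient".
COMMON_DOMAIN = [LoginModule("LDAPLoginModule", "sufficient", ldap_check),
                 LoginModule("mydbLoginModuleClass", "sufficient", db_check)]
# The same modules with the original "required" flag: every module must succeed.
BOTH_REQUIRED = [LoginModule("LDAPLoginModule", "required", ldap_check),
                 LoginModule("mydbLoginModuleClass", "required", db_check)]
```

Note that with both modules "sufficient", a password rejected by LDAP is then tried against the DB store, so failed-login monitoring and lockout thresholds should account for both modules being consulted on one attempt.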




Answer 2:


For any web application, say one developed in Java, there is a web.xml file where you can define multiple security roles, but there will be only one security authentication. So that means that at a time you can use only one security domain for your web application. Although the JBOSS configuration file can have multiple security domains, in your jboss-web.xml you can only use one. See the JBOSS documents below for confirmation: https://docs.oracle.com/cd/E19226-01/820-7627/6nisfjn8c/index.html Go under "Specifying an Authentication Mechanism":

So, in order to manage two login modules, either of the things below can be done (any one of them):

  • Create a custom login module and put the logic of your two login modules into it (complex, as the developer should be aware of all the login methods: initialize, login, commit, abort).
  • Add your login modules under the same security domain and play with the attribute named "flag". If flag="sufficient", then the stack will not go further down if that login module is successful. For more information, check the flag header: https://docs.jboss.org/jbossas/docs/Server_Configuration_Guide/4/html/Security_on_JBoss-Defining_Security_Domains.html



Answer 3:


I remember having researched a similar problem a year ago and not finding a solution. A workaround that I applied is to have 2 sets of jboss-web.xml files, one configured with your db-domain and one with ldap-domain. When LDAP security is to be turned off, you simply run a script to replace the web xml with the db-domain one and redeploy. This was feasible because the requirement was static and not user-input based or dynamic.



Source: https://stackoverflow.com/questions/35481177/using-multiple-login-module-in-jboss
