JBoss.orgCommunity Documentation
This chapter describes the authentication mechanisms in JBoss Portal
JBoss Portal is heavily standard based so it leverages Java Authentication and Authorization Service (JAAS) in JBoss Application Server. Because of this it can be configured in a very flexible manner and other authentication solutions can be plugged in easily. To better understand authentication mechanisms in JBoss Portal please refer to Security chapter. To learn more about JAAS look for proper documentation on Java Security website. To learn more about security in JBoss Application Server please read JBossSX documentation.
You can configure the JAAS authentication stack in jboss-portal.sar/conf/login-config.xml. It is important to remember that authorization in portal starts at the JAAS level - configured LoginModules apply proper Principal objects representing the roles of authenticated user. As you can see in jboss-portal.sar/portal-server.war/WEB-INF/web.xml portal servlet is secured with specified role ("Authenticated"). In the default portal configuration this role is dynamically added by IdentityLoginModule. If you reconfigure the default JAAS authentication chain with other LoginModule implementations, you should remember that you must deal with that security constraints in order to be able to access portal. For example if you place only one LoginModule that will authenticate users against LDAP server you may consider adding all users in your LDAP tree to such role.
JBoss Portal comes with a few implementations of JAAS LoginModule interface
This is the standard portal LoginModule implementation that uses portal identity modules in order to search users and roles. By default it is the only configured LoginModule in the portal authentication stack. Its behavior can be altered with the following options:
This LoginModule implementation extends JBossSX org.jboss.security.auth.spi.DatabaseServerLoginModule and can be used to authenticate against Database. The main purpose of this module is to be configured directly against portal database (instead of using portal identity modules like in IdentityLoginModule). So if you are using custom LoginModule implementation you can place this module with "sufficient" flag. This can be extremely useful. For example if you authenticate against LDAP server using JBossSX LdapLoginModule you can fallback to users present in portal database and not present in LDAP like "admin" user. Please look into this wiki page to learn more about DatabaseServerLoginModule configuration
Options are:
Configuration using portal database will look like this:
<login-module code = "org.jboss.portal.identity.auth.DBIdentityLoginModule" flag="sufficient"> <module-option name="dsJndiName">java:/PortalDS</module-option> <module-option name="principalsQuery"> SELECT jbp_password FROM jbp_users WHERE jbp_uname=? </module-option/> <module-option name="rolesQuery"> SELECT jbp_roles.jbp_name, 'Roles' FROM jbp_role_membership INNER JOIN jbp_roles ON jbp_role_membership.jbp_rid = jbp_roles.jbp_rid INNER JOIN jbp_users ON jbp_role_membership.jbp_uid = jbp_users.jbp_uid WHERE jbp_users.jbp_uname=? </module-option> <module-option name="hashAlgorithm">MD5</module-option> <module-option name="hashEncoding">HEX</module-option> <module-option name="additionalRole">Authenticated</module-option> </login-module>
This module can be used instead of the IdentityLoginModule to bind to LDAP. org.jboss.portal.identity.auth.SynchronizingLDAPLoginModule class is a wrapper around LdapLoginModule from JBossSX. It extends it so all configuration that can be applied to LdapExtLoginModule remains valid here. For a user that was authenticated successfully it will try to call the identity modules from portal, then check if such user exists or not, and if does not exist it will try to create it. Then for all roles assigned to this authenticated principal it will try to check and create them using identity modules. This behavior can be altered using following options:
For obvious reasons this is designed to use with portal identity modules configured with DB and not LDAP
All options that apply for SynchronizingLdapLoginModule also apply here. It's the same kind of wrapper made around LdapExtLoginModule from JBossSX. Sample configuration can look like this:
<login-module code="org.jboss.portal.identity.auth.SynchronizingLDAPExtLoginModule" flag="required"> <module-option name="synchronizeIdentity">true</module-option> <module-option name="synchronizeRoles">true</module-option> <module-option name="additionalRole">Authenticated</module-option> <module-option name="defaultAssignedRole">User</module-option> <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option> <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option> <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule </module-option> <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule </module-option> <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory </module-option> <module-option name="java.naming.provider.url">ldap://example.com:10389/ </module-option> <module-option name="java.naming.security.authentication">simple</module-option> <module-option name="bindDN">cn=Directory Manager</module-option> <module-option name="bindCredential">secret</module-option> <module-option name="baseCtxDN">ou=People,dc=example,dc=com</module-option> <module-option name="baseFilter">(uid={0})</module-option> <module-option name="rolesCtxDN">ou=Roles,dc=example,dc=com</module-option> <module-option name="roleFilter">(member={1})</module-option> <module-option name="roleAttributeID">cn</module-option> <module-option name="roleRecursion">-1</module-option> <module-option name="searchTimeLimit">10000</module-option> <module-option name="searchScope">SUBTREE_SCOPE</module-option> <module-option name="allowEmptyPasswords">false</module-option> </login-module>
This module is designed to provide synchronization support for any other LoginModule placed in the authentication stack. It leverages the fact that in JAAS authentication process occurs in two phases. In first phase when login() method is invoked it always returns "true". Because of this behavior SynchronizingLoginModule should be always used with "optional" flag. More over it should be placed after the module we want to leverage as a source for synchronization and that module should have "required" flag set. During the second phase when commit() method is invoked it gets user Subject and its Principals and tries to synchronize them into storage configured for portal identity modules. For this purposes such options are supported: