
This section of the document contains a few examples of the most common scenarios for security realms. Please feel free to raise Jira issues requesting additional scenarios, and if you have configured something not covered here, feel free to add your own example; this document is editable after all.

At the moment these examples use the 'ManagementRealm'; the same configuration applies to the 'ApplicationRealm' or to any custom realm you create.

LDAP Authentication

The following example demonstrates a configuration that uses Active Directory to verify a user's username and password.

For simplicity the <local/> element has been removed from this example; it is fine to leave it in place so that local authentication remains possible.

Enable SSL

The first step is the creation of the key pair. By default this key is used for both the native management interface and the HTTP management interface. The key is created with keytool; the following example creates a key valid for one year.

Open a terminal window in the folder {jboss.home}/standalone/configuration and enter the following command:

keytool -genkey -alias server -keyalg RSA -keystore server.keystore -validity 365

The first prompt asks for the keystore password; in this example I chose 'keystore_password'.

The 'What is your first and last name?' question sets the certificate's common name (CN). Of all the questions asked this is the most important: the answer should match the host name that will be entered into the web browser to connect to the admin console. Current browsers also check the subjectAltName extension rather than the CN alone, so add -ext SAN=dns:<hostname> to the keytool command if the console will be opened from such a browser.

Answer the remaining questions as you see fit. At the end, for the purpose of this example, I set the key password to 'key_password'.

The following example shows how this newly created keystore is referenced to enable SSL.

The contents of the <authentication /> element have not been changed in this example, so authentication still occurs using either the local mechanism or username/password authentication with Digest.

Add Client-Cert to SSL

To enable Client-Cert style authentication we now only need to add a <truststore /> element to the <authentication /> element, referencing a trust store into which the certificates of the trusted clients have been imported.

In this scenario, if Client-Cert authentication does not occur, clients can fall back to either the local mechanism or username/password authentication. To make Client-Cert based authentication mandatory, remove the <local /> and <properties /> elements.
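The keytool steps above, together with the realm fragment that references their output, as an added example script that is not part of the original page or of WildFly itself. It assumes a JDK keytool on the PATH; the host name admin.example.com, the file names, the client alias client1 and the passwords are placeholders, and the XML it prints is written for the WildFly 8-era security-realm schema, so check it against the XSD under docs/schema in your distribution before pasting it into standalone.xml. Saved as wildfly_realm_keys.sh and run from {jboss.home}/standalone/configuration, it creates server.keystore, a throwaway client key pair, a server.truststore holding only that client's certificate, and prints the realm fragment.

```shell
#!/bin/sh
# Added example (not from the original page or from WildFly): drives the keytool
# steps non-interactively and writes the realm fragment that references the result.
# Assumed: 'keytool' from a JDK on PATH. Host name, passwords, file names and the
# alias 'client1' are illustrative placeholders.
set -eu

# Server key pair. The CN and a DNS SAN both carry the host name the browser will
# use; browsers and recent JDKs check the SAN, not only the CN.
# JKS is used because the page sets distinct keystore and key passwords, which
# PKCS12 keystores do not support.
make_server_keystore() {  # host keystore storepass keypass
    keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -validity 365 \
        -storetype JKS -keystore "$2" -storepass "$3" -keypass "$4" \
        -dname "CN=$1, OU=Management, O=Example" -ext "SAN=dns:$1"
}

# Client key pair, plus its certificate exported as PEM so it can be imported.
make_client_cert() {  # alias keystore storepass pemfile
    keytool -genkeypair -alias "$1" -keyalg RSA -keysize 2048 -validity 365 \
        -storetype JKS -keystore "$2" -storepass "$3" -keypass "$3" \
        -dname "CN=$1, OU=Admins, O=Example"
    keytool -exportcert -rfc -alias "$1" -keystore "$2" -storepass "$3" -file "$4"
}

# Trust store holding only the client certificates the realm should accept.
# -noprompt suppresses the interactive "Trust this certificate?" question.
add_trusted_client() {  # alias pemfile truststore storepass
    keytool -importcert -noprompt -alias "$1" -file "$2" \
        -storetype JKS -keystore "$3" -storepass "$4"
}

# True (exit 0) when the keystore contains the alias; used to verify each step.
has_alias() {  # alias keystore storepass
    keytool -list -alias "$1" -keystore "$2" -storepass "$3" >/dev/null 2>&1
}

# Subject of the server certificate, to check the CN against the host name.
server_subject() {  # keystore storepass
    keytool -list -v -alias server -keystore "$1" -storepass "$2" | sed -n 's/^Owner: //p'
}

# Realm fragment: ssl server identity plus truststore. <local/> and <properties/>
# are kept so clients without a certificate can still fall back; remove both to
# make Client-Cert authentication mandatory.
# Assumed to match the WildFly 8-era urn:jboss:domain security-realm schema.
realm_fragment() {  # keystore storepass keypass truststore trustpass
    cat <<EOF
<security-realm name="ManagementRealm">
    <server-identities>
        <ssl>
            <keystore path="$1" relative-to="jboss.server.config.dir"
                      keystore-password="$2" key-password="$3" alias="server"/>
        </ssl>
    </server-identities>
    <authentication>
        <truststore path="$4" relative-to="jboss.server.config.dir" keystore-password="$5"/>
        <local default-user="\$local"/>
        <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
</security-realm>
EOF
}

main() {
    host=${1:-admin.example.com}
    make_server_keystore "$host" server.keystore keystore_password key_password
    make_client_cert client1 client1.keystore client_password client1.pem
    add_trusted_client client1 client1.pem server.truststore truststore_password
    has_alias client1 server.truststore truststore_password || { echo "import failed" >&2; exit 1; }
    echo "server certificate subject: $(server_subject server.keystore keystore_password)"
    realm_fragment server.keystore keystore_password key_password server.truststore truststore_password
}

# Run the full procedure only when executed under this file name (not when sourced).
case "$0" in *wildfly_realm_keys.sh) main "$@" ;; esac
```

Two things to check after pasting the fragment: the printed subject's CN must equal the name typed into the browser, and the ssl server identity on its own does not switch the console to HTTPS; the <http-interface> element for the realm must also be given an https socket binding (management-https in the default configuration) or the management interface keeps serving plain HTTP.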

  1. Mar 14, 2015

    How to: Secure a webapp using users and groups from MS Active Directory LDAP

    Just in case somebody else has the same misunderstanding like me ...

    I'm a complete wildfly beginner and I tried to deploy a webapp to wildfly.
    The webapp has some resources which are protected with <security-constraint>s in the web.xml.

    The users allowed to access these resources are stored in our company's LDAP (MS Active Directory).
    So I tried to teach wildfly to use LDAP and found this page.
    I followed the LDAP Authentication example from above to configure wildfly.

    I was successful in connecting to the LDAP.
    This means: The server recognized that I've entered a valid username-password combination but showed that I was not allowed to access the requested resource (webpage).

    After some hours of trial and error I found that I was missing the authorization part of it.
    This means: I was authenticated but not authorized. These are 2 different things. Of course they are.
    If you also want to do authorization (not only authentication) with LDAP (i.e. use the groups stored in LDAP) then you have to add some more lines of code to the LDAP authentication example from above.

    A good tutorial which explains everything: LDAP SecurityRealm Examples. Read it carefully and you will succeed. :-)

    Finally I ended up with this standalone.xml:
    Just an example. You probably have to customize this for your needs.

    With this setup the simple names of the groups from the LDAP match 1:1 with the groupnames in the web.xml.

    Here's the web.xml

    Have fun.