Datasource encryption in jboss eap 6 - jboss6.x

I have encrypted the datasource as follows:
Standalone.xml:
<datasource jndi-name="java:/OracleDS" pool-name="OracleDS" enabled="true">
<connection-url>jdbc:oracle:thin:@abc.com:1001:DEV1</connection-url>
<driver>oracle</driver>
<security>
<security-domain>encrypted-ds</security-domain>
</security>
<validation>
<valid-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleValidConnectionChecker"/>
<validate-on-match>true</validate-on-match>
<background-validation>false</background-validation>
<stale-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleStaleConnectionChecker"/>
<exception-sorter class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleExceptionSorter"/>
</validation>
</datasource>
Then I added the security domain inside the security-domains tag:
<security-domain name="encrypted-ds" cache-type="default">
<authentication>
<login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
<module-option name="username" value="308c162f7c2ec7f"/>
<module-option name="password" value="308c162f7c2ec7f"/>
<module-option name="managedConnectionFactoryName" value="jboss.jca:service=LocalTxCM,name=OracleDS"/>
</login-module>
</authentication>
</security-domain>
I want the username and password to be shown as plain text (or as '*' in the case of the password) in the management console.
Is that possible? Is there any other encryption technique I can use to achieve the same?

In JBoss EAP 6 you can use the SecureIdentityLoginModule to add an encrypted password domain. For instance, you can define a security domain in standalone.xml or domain.xml:
<security-domain name="EncryptedPassword">
<authentication>
<login-module code="SecureIdentity" flag="required">
<module-option name="username" value="test"/>
<module-option name="password" value="encrypted_password"/>
</login-module>
</authentication>
</security-domain>
Then you can add this security domain in your particular data source that uses this userid/pwd combination in standalone.xml or domain.xml:
<datasource ... >
.....
<security>
<security-domain>EncryptedPassword</security-domain>
</security>
</datasource>
To encrypt the password itself, you can run this command (please verify the versions of picketbox jar and logging jar in your particular AS7 download to substitute accordingly):
java -cp $JBOSS_HOME/modules/org/picketbox/main/picketbox-4.0.6.<beta|final>.jar:$JBOSS_HOME/modules/org/jboss/logging/main/jboss-logging-3.1.0.<some_version>.jar:$CLASSPATH org.picketbox.datasource.security.SecureIdentityLoginModule password
This will return an encrypted password back that you can use in your security domain.
You can read more about JBoss AS7 security subsystem here
Since open source rocks, you can see how the encoding code works in the source code of SecureIdentityLogin. You will notice in the source code that it uses Blowfish for encryption.
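As an added example (not part of the answer above and not PicketBox's own code), the following Java program performs the same transformation as the command line shown earlier, so the value it prints can be compared with what the module produces, and then round-trips it. It assumes that SecureIdentityLoginModule keys Blowfish (the provider default of ECB with PKCS5 padding) with the fixed string "jaas is the way" and renders the ciphertext as a signed hexadecimal BigInteger; the class and method names are mine.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/*
 * Added example, not from the original answer or from the PicketBox project.
 * Assumption: SecureIdentityLoginModule uses Blowfish keyed by the fixed string
 * "jaas is the way" and writes the ciphertext as a signed hex BigInteger.
 */
public final class SecureIdentityEncoder {

    private static final SecretKeySpec KEY =
            new SecretKeySpec("jaas is the way".getBytes(StandardCharsets.UTF_8), "Blowfish");

    /** Same transformation as "SecureIdentityLoginModule <password>" on the command line. */
    public static String encode(String secret) throws Exception {
        Cipher cipher = Cipher.getInstance("Blowfish");
        cipher.init(Cipher.ENCRYPT_MODE, KEY);
        byte[] encoding = cipher.doFinal(secret.getBytes(StandardCharsets.UTF_8));
        // The raw ciphertext is handed to BigInteger, which reads it as a two's-complement
        // number; that is why some encoded values start with a '-'.
        return new BigInteger(encoding).toString(16);
    }

    /** Inverse transformation, which the login module performs when the pool connects. */
    public static String decode(String hex) throws Exception {
        byte[] encoding = new BigInteger(hex, 16).toByteArray();
        // BigInteger drops leading zero bytes of the ciphertext and may add one sign
        // byte; restore an exact multiple of Blowfish's 8-byte block size.
        if (encoding.length % 8 == 1 && encoding[0] == 0) {
            encoding = Arrays.copyOfRange(encoding, 1, encoding.length);
        } else if (encoding.length % 8 != 0) {
            byte[] padded = new byte[((encoding.length / 8) + 1) * 8];
            System.arraycopy(encoding, 0, padded, padded.length - encoding.length, encoding.length);
            encoding = padded;
        }
        Cipher cipher = Cipher.getInstance("Blowfish");
        cipher.init(Cipher.DECRYPT_MODE, KEY);
        return new String(cipher.doFinal(encoding), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input when no argument is given.
        String secret = args.length > 0 ? args[0] : "constructed-sample-password";
        String encoded = encode(secret);
        System.out.println("module-option value: " + encoded);
        // Round trip: the key is fixed inside the module, so this value only hides the
        // password from casual viewing; file permissions on standalone.xml protect it.
        if (!secret.equals(decode(encoded))) {
            throw new IllegalStateException("round trip failed");
        }
        System.out.println("round trip OK");
    }
}
```

Compile and run with `javac SecureIdentityEncoder.java && java SecureIdentityEncoder mypassword` and paste the printed value into the `password` module-option. Because the key is a constant in the module, treat the encoded value as obfuscation rather than encryption: keep standalone.xml readable only by the account the server runs as, and prefer the EAP 6 password vault where a real secret store is required.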


IIS Samesite Cookie working for Lax and Strict but does not work for None

Can someone spot if I'm missing anything else?
Following the direction from https://learn.microsoft.com/en-us/aspnet/samesite/system-web-samesite, this is the IIS web.config I got for Strict:
<system.web>
<anonymousIdentification cookieRequireSSL="true" />
<authentication>
<forms cookieSameSite="Strict" requireSSL="true" />
</authentication>
<sessionState cookieSameSite="Strict" />
<httpCookies sameSite="Strict" requireSSL="true" />
<roleManager cookieRequireSSL="true" />
<compilation targetFramework="4.7">
...
</compilation>
...
<httpRuntime targetFramework="4.7"/>
</system.web>
And the result (Sorry, I couldn't embed image directly. Got error "couldn't reach Imgur"):
samesite="Strict" image
For SameSite="None", I simply change all the "Strict" to "None":
<system.web>
<anonymousIdentification cookieRequireSSL="true" />
<authentication>
<forms cookieSameSite="None" requireSSL="true" />
</authentication>
<sessionState cookieSameSite="None" />
<httpCookies sameSite="None" requireSSL="true" />
<roleManager cookieRequireSSL="true" />
<compilation targetFramework="4.7">
...
</compilation>
...
<httpRuntime targetFramework="4.7"/>
</system.web>
But it is not being added to the cookies:
samesite="None" image
Thanks in advance. Appreciate your help.
There was a comment in another thread that I was thinking of trying as the last resort due to the trouble of installing any software on the machine. It doesn't exactly match my scenario as it didn't work even when he was using "Strict". However, it does fix my problem after installing URL Rewrite.
I tried with <httpCookies sameSite="Strict" /> in .Net 4.7.2 but it did not work for the Asp.Net Identity cookie. This rewrite rule did. – Augusto Barreto Nov 22 '18 at 22:30
@AugustoBarreto Asp.Net Identity ignore the .config settings. Solution is to implement your own Cookie Handler. Derive from System.IdentityModel.Services.CookieHandler and implement WriteInternal method. – Saftpresse99 Mar 18 '19 at 12:18
Thanks, Augusto!

FORM authentication fallback in Wildfly 11

I currently have a working SPNEGO configuration to log in with a Kerberos ticket. Now I want to fall back to FORM-based authentication using j_security_check and authenticate username/password against AD/LDAP.
If I set <auth-method>SPNEGO,FORM</auth-method> I'm redirected to the login page. Now I have no idea how to proceed from here.
Do I need a bean at all for my login form or are the values passed to the server automatically?
What configuration is needed in the standalone.xml?
Any help is highly appreciated. Using Wildfly 11.
My current configuration:
web.xml
<security-constraint>
<display-name>Security Constraint on Conversation</display-name>
<web-resource-collection>
<web-resource-name>MyApp</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>SPNEGO</auth-method>
<realm-name>SPNEGO</realm-name>
</login-config>
<security-role>
<description>Role required to log in to the Application</description>
<role-name>*</role-name>
</security-role>
jboss-web.xml
<jboss-web version="8.0" xmlns="http://www.jboss.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/schema/jbossas/jboss-web_8_0.xsd">
<context-root>/MyApp</context-root>
<default-encoding>UTF-8</default-encoding>
<security-domain>SPNEGO</security-domain>
<jacc-star-role-allow>true</jacc-star-role-allow>
</jboss-web>
standalone.xml
<security-domain name="SPNEGO" cache-type="default">
<authentication>
<login-module code="SPNEGO" flag="required">
<module-option name="serverSecurityDomain" value="host"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="host" cache-type="default">
<authentication>
<login-module code="Kerberos" flag="required" module="org.jboss.security.negotiation">
<module-option name="refreshKrb5Config" value="true"/>
<module-option name="doNotPrompt" value="true"/>
<module-option name="useKeyTab" value="true"/>
<module-option name="keyTab" value="${jboss.server.config.dir}/wildfly.keytab"/>
<module-option name="storeKey" value="true"/>
<module-option name="principal" value="HTTP/me.example.com@EXAMPLE.COM"/>
<module-option name="debug" value="true"/>
</login-module>
</authentication>
</security-domain>
login.xhtml
<form method="post" action="j_security_check">
<h:form prependId="false" >
<h:outputText value="Username"/>
<p:inputText id="j_username" value="#{login.username}" />
<p/>
<h:outputText value="Passwort"/>
<p:password id="j_password" value="#{login.password}" />
<p/>
<p:commandButton ajax="false" value="Login" action="#{login.login()}" />
</h:form>
</form>
I haven't seen any WildFly code, but that is not possible with CMS (container-managed security). The element auth-method is singular, not plural.
You have to perform a hybrid authentication which supports SPNEGO and then falls back to form auth. But this will be very tricky, because how do you know that the client has not provided a SPNEGO ticket? You have to maintain a per-connection state for this and redirect to the form. If you send a form upfront with the WWW-Authenticate: Negotiate header, then the client will never re-retrieve your resource and your form won't kick in because SPNEGO has kicked in.
I would recommend against it and instead combine Negotiate with Basic. This is less of a headache.

JBoss Password Stacking with Certificate and LDAP Login Modules

I am trying to configure a security domain for my JBoss EAP 6 application in which the primary means of authentication will be a Smart Card, but in the absence of the card will accept LDAP authentication.
I have been able to do either one, but not both. The password stacking option is supposed to allow each module to be run, to allow the LDAP module, for instance, to retrieve the roles even when the Certificate module has returned the user identity.
However, the application's web.xml needs to specify a login-config with an auth-method. In the case of Certificate, this is CLIENT-CERT, and with LDAP it's BASIC.
Has anyone found a way to allow both of these modules to be chained together successfully?
My standalone security domain looks like this:
<security-domain name="MySecurityDomain" cache-type="default">
<authentication>
<login-module code="Certificate" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="securityDomain" value="MySecurityDomain"/>
<module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>
</login-module>
<login-module code="LdapExtended" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="java.naming.provider.url" value="ldap://my.fully.qualified.domain:389"/>
<module-option name="bindDN" value="FULLY\username"/>
<module-option name="bindCredential" value="mypassword"/>
<module-option name="baseCtxDN" value="CN=Users,DC=fully,DC=qualified,DC=domain"/>
<module-option name="baseFilter" value="(sAMAccountName={0})"/>
<module-option name="rolesCtxDN" value="CN=Users,DC=fully,DC=qualified,DC=domain"/>
<module-option name="roleFilter" value="(member={1})"/>
<module-option name="roleAttributeIsDN" value="true"/>
<module-option name="roleAttributeID" value="memberOf"/>
<module-option name="roleNameAttributeID" value="name"/>
<module-option name="allowEmptyPasswords" value="false"/>
</login-module>
<login-module code="org.picketlink.identity.federation.bindings.jboss.auth.RegExUserNameLoginModule" flag="optional">
<module-option name="regex" value="CN=(.*?),"/>
</login-module>
<login-module code="Database" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="dsJndiName" value="java:jboss/datasources/myDS"/>
<module-option name="rolesQuery" value="select role, 'Roles' from Principal where name=?"/>
</login-module>
</authentication>
<jsse truststore-password="mykeypass" truststore-url="${jboss.server.config.dir}/truststore.jks" client-auth="true"/>
<audit>
<provider-module code="LogAuditProvider"/>
</audit>
</security-domain>
password-stacking (optional): Set to useFirstPass to indicate that this login module should look for information stored in the LoginContext to use as the identity. This option can be used when stacking other login modules with this one. Default is false.
I think you should not put this optional value in the LDAP module.
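As an added example, not from this thread and not JBoss's own code, the plain-JAAS login module below shows what password-stacking=useFirstPass does when two modules are chained: the first module in the stack verifies the credential and publishes the identity in the shared state, and a module configured with useFirstPass accepts that identity without re-verifying and only contributes roles. The shared-state keys are the standard JAAS ones that JBoss's modules also use; the class name, the SimplePrincipal type and the in-memory USERS/ROLES maps are constructed stand-ins for the certificate check and the LDAP role lookup.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/* Added example, not from the thread or from JBoss; USERS and ROLES are constructed data. */
public class StackedLoginModule implements LoginModule {
    static final String NAME_KEY = "javax.security.auth.login.name";
    static final String PASSWORD_KEY = "javax.security.auth.login.password";
    static final Map<String, char[]> USERS = Map.of("alice", "s3cret".toCharArray());
    static final Map<String, List<String>> ROLES = Map.of("alice", List.of("app-user"));

    private Subject subject;
    private CallbackHandler handler;
    private Map<String, Object> sharedState;
    private boolean useFirstPass;
    private String username;
    private boolean loginOk;

    @Override @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.sharedState = (Map<String, Object>) sharedState;
        this.useFirstPass = "useFirstPass".equals(options.get("password-stacking"));
    }

    @Override
    public boolean login() throws LoginException {
        if (useFirstPass && sharedState.containsKey(NAME_KEY)) {
            // Stacked behind an earlier module: accept its identity without re-verifying.
            // This is what lets an LDAP module add roles after a Certificate module.
            username = String.valueOf(sharedState.get(NAME_KEY));
            loginOk = true;
            return true;
        }
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] {nc, pc});
        } catch (Exception e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        username = nc.getName();
        char[] password = pc.getPassword();
        pc.clearPassword();
        loginOk = username != null && Arrays.equals(USERS.get(username), password);
        if (!loginOk) throw new LoginException("authentication failed");
        // First module in the stack: publish the identity for the modules that follow.
        sharedState.put(NAME_KEY, username);
        sharedState.put(PASSWORD_KEY, password);
        return true;
    }

    @Override
    public boolean commit() {
        if (!loginOk) return false;
        subject.getPrincipals().add(new SimplePrincipal(username));
        // Simplification: JBoss puts roles in a "Roles" group; here they are prefixed principals.
        for (String role : ROLES.getOrDefault(username, List.of())) {
            subject.getPrincipals().add(new SimplePrincipal("role:" + role));
        }
        return true;
    }

    @Override public boolean abort() { loginOk = false; return true; }
    @Override public boolean logout() { subject.getPrincipals().clear(); return true; }

    static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
    }

    /** Stacks two instances the way the domain above stacks Certificate and LdapExtended. */
    public static void main(String[] args) throws LoginException {
        Configuration config = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                String module = StackedLoginModule.class.getName();
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(module, LoginModuleControlFlag.REQUIRED, Map.of()),
                    new AppConfigurationEntry(module, LoginModuleControlFlag.REQUIRED,
                            Map.of("password-stacking", "useFirstPass")),
                };
            }
        };
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName("alice");
                if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword("s3cret".toCharArray());
            }
        };
        LoginContext ctx = new LoginContext("stacked", new Subject(), handler, config);
        ctx.login();
        System.out.println("principals: " + ctx.getSubject().getPrincipals());
    }
}
```

Run with `javac StackedLoginModule.java && java StackedLoginModule`; the second instance never calls the callback handler, so the roles appear in the subject even though only the first instance checked the password. That is also why the order of the stack matters in the configuration above: whichever module runs first decides the identity that every useFirstPass module after it will trust.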

Adding a new security domain in JBoss 7.1.1Final

I created a web application using JSF, EJB and JAAS with JBoss 7.1.1Final.
I am trying to add a security domain for login, so I edited the META-INF/jboss-web.xml like this:
<jboss-web>
<context-root>A3App</context-root>
<!-- Realm that will be used -->
<security-domain>A3AppRealm</security-domain> <!-- Also tried with java:/jaas/A3AppRealm -->
</jboss-web>
The security domain part of my standalone.xml looks like this (I only added the first security domain and disabled the other security domain):
<subsystem xmlns="urn:jboss:domain:security:1.1">
<security-domains>
<security-domain name="A3AppRealm" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
<module-option name="dsJndiName" value="CrudDSS"/>
<module-option name="principalsQuery" value="select password from users where email=?"/>
<module-option name="rolesQuery" value="select role, 'Roles' from users u where u.email=?"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Disabled" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmUsersRoles" flag="required">
<module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
<module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
<module-option name="realm" value="ApplicationRealm"/>
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="jboss-web-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
<security-domain name="jboss-ejb-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
</security-domains>
</subsystem>
However, the exception I receive is:
The security domain other has been disabled. All authentication will
fail. Please check your configuration to make sure this is expected.
I also tried with this configuration:
<subsystem xmlns="urn:jboss:domain:security:1.0">
<security-domains>
<security-domain name="A3AppRealm" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
<module-option name="dsJndiName" value="CrudDSS"/>
<module-option name="principalsQuery" value="select password from users where email=?"/>
<module-option name="rolesQuery" value="select role, 'Roles' from users u where u.email=?"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Disabled" flag="required"/>
</authentication>
</security-domain>
</security-domains>
</subsystem>
The connection to the db works fine.
It seems not to use the security domain I have added.
Please help me solve it.
Thank you!
I solved it by configuring my standalone.xml like this:
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
<module-option name="dsJndiName" value="java:jboss/datasources/CrudDSS"/>
<module-option name="principalsQuery" value="select password from users where email=?"/>
<module-option name="rolesQuery" value="select role, 'Roles' from users u where u.email=?"/>
</login-module>
</authentication>
</security-domain>
And removing all the security domains besides other (the login-module being under the other security domain), and also changing the jboss-web.xml like this:
<security-domain>other</security-domain>
I solved the problem just by removing the default security domain setting in standalone.xml:
<default-security-domain value="other"/>
I still have the other security domain.

CAS + LDAP + JSF authentication

I'm doing a project and I'm using LDAP+CAS for authentication.
I created a facade Class for LDAP Query ( to get the user, name & mail ).
My question is: how do I test, after authentication, whether the user is allowed to access this page and exists in the application database before showing the JSF page? (How can I configure my application to perform this check before showing the JSF page?)
Thank you :)
I'm sorry, I don't know what CAS means, but I use JAAS+LDAP+JBoss to authorize and authenticate a JSF2 web app, so I hope this helps you:
In your LDAP server create the following hierarchy:
+ o=your-organization-name (partition)
+ ou=users (organizationalUnit)
- uid=your-id-user (inetOrgPerson), add userPassword attribute
+ ou=groups (organizationalUnit)
- cn=your-user-role (groupOfNames), add the uid before created
security-domain on JBoss 7.1 (standalone.xml):
<subsystem xmlns="urn:jboss:domain:security:1.1">
<security-domains>
...
<security-domain name="SecurityRealm" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
<module-option name="java.naming.provider.url" value="ldap://host-ldap-server:port-ldap-server/"/>
<module-option name="java.naming.security.authentication" value="simple"/>
<module-option name="principalDNPrefix" value="uid="/>
<module-option name="principalDNSuffix" value=",ou=users,o=your-organization-name"/>
<module-option name="rolesCtxDN" value="ou=groups,o=your-organization-name"/>
<module-option name="uidAttributeID" value="member"/>
<module-option name="matchOnUserDN" value="true"/>
<module-option name="roleAttributeID" value="cn"/>
<module-option name="roleAttributeIsDN" value="false"/>
</login-module>
</authentication>
</security-domain>
</security-domains>
in your jboss-web.xml
<security-domain>SecurityRealm</security-domain>
and the most important: is the user allowed to access to this page? (web.xml):
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<!-- Protected Areas -->
<security-constraint>
<display-name>Protected</display-name>
<web-resource-collection>
<url-pattern>url-pages-you-want-protect</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>your-user-role</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!-- Validation By Form -->
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>your-login-page</form-login-page>
<form-error-page>your-error-page</form-error-page>
</form-login-config>
</login-config>
<!-- Allowed Roles -->
<security-role>
<role-name>your-user-role</role-name>
</security-role>
</web-app>
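As an added example (not from the question or the answer), the servlet filter below runs before any JSF page under /app/ once the container has authenticated the user through the LDAP login module and FORM login above, and enforces the two checks the question asks for: the container role from web.xml and existence in the application's own user table. It uses the javax.servlet API of JBoss 7.1; UserRepository is a hypothetical application interface, and the in-memory set in init() is a constructed stand-in for the real database lookup.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* Added example, not from the thread; UserRepository and the user set are constructed. */
@WebFilter(urlPatterns = "/app/*")
public class ApplicationAccessFilter implements Filter {

    /** Hypothetical repository over the application database. */
    public interface UserRepository {
        boolean exists(String username);
    }

    enum Decision { ALLOW, UNAUTHENTICATED, MISSING_ROLE, UNKNOWN_TO_APPLICATION }

    static final String REQUIRED_ROLE = "your-user-role"; // role name declared in web.xml above
    private UserRepository users;

    @Override
    public void init(FilterConfig cfg) {
        // Constructed data; a real implementation queries the application's user table.
        Set<String> known = Set.of("alice", "bob");
        users = known::contains;
    }

    /** Pure decision logic, kept separate from the servlet API so it can be unit-tested. */
    static Decision decide(Principal principal, boolean inRole, UserRepository users) {
        if (principal == null) return Decision.UNAUTHENTICATED;  // the constraint should have stopped this
        if (!inRole) return Decision.MISSING_ROLE;                // LDAP group not mapped to the role
        if (!users.exists(principal.getName())) return Decision.UNKNOWN_TO_APPLICATION;
        return Decision.ALLOW;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        Decision d = decide(request.getUserPrincipal(), request.isUserInRole(REQUIRED_ROLE), users);
        switch (d) {
            case ALLOW:
                chain.doFilter(req, res);
                return;
            case UNAUTHENTICATED:
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            default:
                // Authenticated but not entitled: record who was refused, then deny the page.
                request.getServletContext().log("access denied (" + d + ") for "
                        + request.getUserPrincipal().getName() + " to " + request.getRequestURI());
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    @Override
    public void destroy() { }
}
```

The security-constraint in web.xml already blocks unauthenticated requests and requests without the role, so the filter's real contribution is the third check: a user who exists in LDAP and carries the group, but has no row in the application database, is refused before the JSF page renders, and the refusal is logged with the principal name so that such cases can be audited rather than silently failing inside the page.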