SUBT REE_SCOPE
SUBT REE_SCOPE The search scope to use.
allowEm ptyPasswor ds
true or false true Whether to allow empty passwords. Most LDAP
Description Maps a role which is the end result of the
authentication process to a declarative role. This module must be flagged as optional when you add it to the security domain.
Table 10.20. RoleMapping Module Options
Option Type Default Description
rolesProperties The fully-qualified file path and name of a properties file or resource
roles.properties The fully-qualified file path and name of a properties file or resource which maps roles to replacement roles. The format is original_role=ro le1,role2,role3 replaceRole true or false false Whether to add to the
current roles, or replace the current roles with the mapped ones. Replaces if set to true.
Description A helper module that pushes a run as role onto
the stack for the duration of the login phase of authentication, and pops the run as role off the stack in either the commit or abort phase. This login module provides a role for other login modules that must access secured resources in order to perform their authentication, such as a login module which accesses a secured EJB.
RunAsLoginModule must be configured before the login modules that require a run as role to be established.
Table 10.22. RunAs Options
Option Type Default Description
roleNam e A role name. nobody The name of the role to
use as the run as role during the login phase.
Table 10.23. Simple
Code Sim ple
Class org.jboss.security.auth.spi.Sim pleSe
rverLoginModule
Description A module for quick setup of security for testing
purposes. It implements the following simple algorithm:
f the password is null, authenticate the user and assign an identity of guest and a role of guest.
Otherwise, if the password is equal to theuser, assign an identity equal to the username and both and and guest roles.
Otherwise, authentication fails.
Sim ple Module Options
The Simple module has no options.
Table 10.24 . ConfiguredIdentity
Code ConfiguredIdentity
Class org.picketbox.datasource.security.Co
nfiguredIdentityLoginModule
Description Associates the principal specified in the module
options with any subject authenticated against the module. The type of Principal class used is org.jboss.security.Sim plePrincipal.
Table 10.25. ConfiguredIdentity Module Options
Option Type Default Description
principal Name of a principal. guest The principal which will be associated with any subject authenticated against the module.
Table 10.26. SecureIdentity
Code SecureIdentity
Class org.picketbox.datasource.security.Se
cureIdentityLoginModule
Description This module is provided for legacy purposes. It
allows you to encrypt a password and then use the encrypted password with a static principal. If your application uses SecureIdentity, consider using a password vault mechanism instead.
Table 10.27. SecureIdentity Module Options
Option Type Default Description
usernam e string none The username for
authentication.
password encrypted string none The password to use
for authentication. To encrypt the password, use the module directly at the command line.
java
org.picketbox.d atasource.secur ity.SecureIdent ityLoginModule password_to_enc rypt
Paste the result of this command into the module option's value field.
m anagedConnectio nFactoryNam e
A JCA resource none The name of the JCA
connection factory for your datasource.
Table 10.28. PropertiesUsers
Code PropertiesUsers
Class org.jboss.security.auth.spi.Properti
esUsersLoginModule
Description Uses a properties file to store usernames and
passwords for authentication. No authorization (role mapping) is provided. This module is only appropriate for testing.
Table 10.29. PropertiesUsers Module Options
Option Type Default Description
properties The fully-qualified file path and name of a Java properties file or resource.
none The properties file
containing the usernames and clear-text passwords to be used for authentication.
Table 10.30. SimpleUsers
Code Sim pleUsers
Class org.jboss.security.auth.spi.Sim pleUs
ersLoginModule
Description This login module stores the username and
clear-text password in a Java properties file. It is included for testing only, and is not appropriate for a production environment.
Table 10.31. SimpleUsers Module Options
Option Type Default Description
usernam e string none The username to use
for authentication.
password string none The clear-text
password to use for authentication.
Table 10.32. LdapUsers
Code LdapUsers
Class org.jboss.security.auth.spi.LdapUsers
LoginModule
Description The LdapUsers module is superseded by the
ExtendedLDAP and AdvancedLdap modules.
Table 10.33. Kerberos
Code Kerberos
Class com .sun.security.auth.m odule.Krb5Log
inModule
Description Performs Kerberos login authentication, using
GSSAPI. This module is part of the security framework from the API provided by Sun Microsystems. Details can be found at
http://docs.oracle.com/javase/1.4.2/docs/guide/se curity/jaas/spec/com/sun/security/auth/module/Kr b5LoginModule.html. This module needs to be paired with another module which handles the authentication and roles mapping.
Table 10.34 . Kerberos Module Options
Option Type Default Description
storekey true or false false Whether or not to add
the KerberosKey to the subject's private credentials.
doNotProm pt true or false false If set to true, the user is not prompted for the password.
useT icketCache Boolean value of true or false .
false If true, the GTG is
obtained from the ticket cache. If false, the ticket cache is not used.
ticketcache A file or resource representing a Kerberos ticket cache.
The default depends on which operating system you use.
Red Hat Enterprise Linux / Solaris:
/tm p/krb5cc_uid , using the numeric UID value of the operating system.
The location of the ticket cache.
useKeyT ab true or false false Whether to obtain the
principal's key from a key table file.
keytab A file or resource representing a Kerberos keytab.
the location in the operating system's Kerberos configuration file, or
/hom e/user/krb5.k eytab
The location of the key table file.
principal A string none The name of the
principal. This can either be a simple user name or a service name such as host/testserver.a cm e.com . Use this instead of obtaining the principal from the key table, or when the key table contains more than one principal.
useFirstPass true or false false Whether to retrieve the username and password from the module's shared state, using
javax.security.au th.login.nam e and javax.security.au th.login.password as the keys. If
authentication fails, no retry attempt is made.
tryFirstPass true or false false Same as
useFirstPass, but if authentication fails, the
module uses the fails, the failure is reported to the calling application.
storePass true or false false Whether to store the
username and password in the module's shared state.
This does not happen if the keys already exist in the shared state, or if authentication fails.
clearPass true or false false Set this to true to
clear a the username and password from the shared state after both phases of
Description Allows SPNEGO authentication to a Microsoft
Active Directory server or other environment which supports SPNEGO. SPNEGO can also carry Kerberos credentials. This module needs to be paired with another module which handles authentication and role mapping.
Table 10.36. SPNEGO Module Options
Option Type Default Description
storeKey true or false false Whether or not to store
the key.
useKeyT ab true or false false Whether to use a key
table.
principal String reperesenting a principal for Kerberos auhentication.
none The name of the
principal for authentication.
keyT ab A file or resource representing a keytab.
none The location of a key
table.
doNotProm pt true or false false Whether to prompt for a password.
debug true or false false Whether to record more
verbose messages for
Description A module which provides additional functionality,
such as SASL and the use of a JAAS security domain.
Table 10.38. AdvancedLdap Module Options
Option Type Default Description
bindAuthenticatio n
string none The type of SASL
authentication to use for binding to the directory server.
jassSecurityDom ai n
string none The name of the JAAS
security domain to use.
java.nam ing.provi der.url
string none The URI of the
directory server.
baseCtxDN A fully qualified Distinguished Name (DN).
none The distinguished
name to use as the base for searches.
baseFilter String representing a LDAP search filter.
none The filter to use to
narrow down search results.
roleAttributeID A string representing an LDAP attribute.
none The LDAP attribute
which contains the names of authorization roles.
roleAttributeIsDN true or false false Whether the role attribute is a
none The attribute contained
within the
RoleAttributeId which contains the actual role attribute.
recurseRoles true or false false Whether to recorsively search the
Description This module extends the AdvancedLdap login
module, and adds extra parameters that are relevant to Microsoft Active Directory.
Table 10.4 0. AdvancedADLdap Module Options
Option Type Default Description
prim aryGroupID A string representing a Microsoft Active Directory group ID.
none A primary group for
limiting authorization.
The primary group ID is used to obtain the objectSid of the user, for authorization.
Table 10.4 1. UsersRoles
Code UsersRoles
Class org.jboss.security.auth.spi.UsersRole
sLoginModul
Description A simple login module that supports multiple
users and user roles stored in two different properties files.
Table 10.4 2. UsersRoles Module Options
Option Type Default Description
usersProperties Path to a file or resource.
users.properties The file or resource which contains the rolesProperties Path to a file or
resource.
roles.properties The file or resource which contains the user-to-role mappings.
The format of the file is usernam e=role1,ro le2,role3
password-stacking useFirstPass or false
false A value of
useFirstPass indicates that this login module should first look to the information stored in the
LoginContext for the identity. This option can be used when stacking other login modules with this one.
hashAlgorithm A string representing a password hashing password. There is no default so this option must be explicitly set to enable hashing. When hashAlgorithm is specified, the clear text password obtained from the
CallbackHandler is hashed before it is passed to
Usernam ePasswordL oginModule.valida tePassword as the inputPassword argument. The
password stored in the users.properties file must be comparably hashed.
hashEncoding base64 or hex base64 The string format for the hashed password, if hashAlgorithm is also set.
hashCharset A string The default encoding set in the container's runtime environment
The encoding used to convert the clear-text password to a byte array.
unauthenticatedId entity
A principal name none Defines the principal
name assigned to methods on EJBs that do not require a
specific role. Such a principal has no associated roles and can only access unsecured EJBs or EJB methods that are associated with the unchecked perm ission constraint.
Custom Authentication Modules
Authentication modules are implementations of org.jboss.security.LoginModule. Refer to the API documentation for more information about creating a custom authentication module.
Report a bug
10.2. Included Authorization Modules
The following modules provide authorization services.
Code Class
DenyAll org.jboss.security.authorization.modules.AllDenyA
uthorizationModule
PermitAll org.jboss.security.authorization.modules.AllPermit
AuthorizationModule
Delegating org.jboss.security.authorization.modules.Delegati
ngAuthorizationModule
Web org.jboss.security.authorization.modules.WebAuth
orizationModule
JACC org.jboss.security.authorization.modules.JACCAut
horizationModule
Report a bug
10.3. Included Security Mapping Modules
The following security mapping roles are provided in the JBoss Enterprise Application Platform.
Code Class
PropertiesRoles org.jboss.security.mapping.providers.role.Properti esRolesMappingProvider
SimpleRoles org.jboss.security.mapping.providers.role.SimpleR
olesMappingProvider
DeploymentRoles org.jboss.security.mapping.providers.Deployment
RolesMappingProvider
DatabaseRoles org.jboss.security.mapping.providers.role.Databas
eRolesMappingProvider
LdapRoles org.jboss.security.mapping.providers.role.LdapRol
esMappingProvider
Report a bug
10.4. Included Security Auditing Provider Modules
The JBoss Enterprise Application Platform provides one security auditing provider.
Code Class
LogAuditProvider org.jboss.security.audit.providers.LogAuditProvide r