Saturday, June 20, 2015

Authenticate web application with Active Directory in JBoss EAP 6

This is so embarrassing. In my previous post, I though I have already done the AD configuration, but that was only for management, not the application. There are 2 different story. Assume I have the following AD configuration:
    dn: CN=user1,OU=Users,DC=huahsin68,DC=org
    objectClass: user
    objectClass: organizationalPerson
    objectClass: person
    objectClass: top
    memberOf: CN=Role_1,OU=Groups,OU=Users,DC=huahsin68,DC=org
    sAMAccountName: user1
    ...
     
    dn: CN=Role_1,OU=Groups,OU=Users,DC=huahsin68,DC=org
    objectClass: group
    objectClass: top
    cn: Role_1
    member: CN=user1,OU=Users,DC=huahsin68,DC=org
    name: Role_1
    ...
For web application, there are 2 things need to be done in order to authenticate users through Active Directory (AD) in JBoss. One is deployment descriptor (web.xml) configuration, and the other one is JBoss configuration (either in domain.xml or standalone.xml). In deployment descriptor, the following configuration shows the regular piece in securing a web application:
      <security-constraint>
     <web-resource-collection>
      <web-resource-name>Authentication</web-resource-name>
      <description>Please login</description>
      <url-pattern>/pages/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
      <role-name>Role_1</role-name>
      <role-name>Role_2</role-name>
     </auth-constraint>
      </security-constraint>
    
      <login-config>
     <auth-method>FORM</auth-method>
     <form-login-config>
      <form-login-page>/login.xhtml</form-login-page>
      <form-error-page>/error.xhtml</form-error-page>
     </form-login-config>
      </login-config>
     
      <security-role>
     <role-name>Role_1</role-name>
      </security-role>
      <security-role>
     <role-name>Role_2</role-name>
      </security-role>
Next is JBoss configuration. It has been a hard time for me to configure this as I mess up the role configuration causing me keep hitting HTTP 403. This is not fun at all, but at last I managed to find the solution. Configuration below shows how this is done in order to authenticate through AD.
    <security-domain name="ADRealm" cache-type="default">
       <authentication>
          <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
             <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
             <module-option name="java.naming.security.authentication" value="simple"/>
             <module-option name="java.naming.provider.url" value="ldap://127.0.0.1:10389"/>
             <module-option name="debug" value="true"/>
             <module-option name="bindDN" value="CN=huahsin,OU=Users,DC=huahsin68,DC=org"/>
             <module-option name="bindCredential" value="Abcd1234"/>
             <module-option name="baseCtxDN" value="OU=Users,DC=huahsin68,DC=org"/>
             <module-option name="baseFilter" value="(sAMAccountName={0})"/>
             <module-option name="searchScope" value="SUBTREE_SCOPE"/>
             <module-option name="allowEmptyPasswords" value="false"/>
             <module-option name="roleAttributeIsDN" value="true"/>
             <module-option name="rolesCtxDN" value="OU=Groups,OU=Users,DC=huahsin68,DC=org"/>
             <module-option name="roleFilter" value="(member={1})"/>
             <module-option name="roleAttributeID" value="memberOf"/>
          </login-module>
       </authentication>
    </security-domain>
A new security domain is created under the <subsystem xmlns="urn:jboss:domain:security:1.1">, don't confuse with the management's configuration. There are 2 different entity. Last but not least, remember to link ADRealm which is define in JBoss configuration in jboss-web.xml (as shown in the following code), otherwise the web application would not be able to authenticate though the AD.
   <jboss-web>
      <security-domain>java:/jaas/ADRealm</security-domain>
   </jboss-web>
Some site info, when the role is found in AD, following log could be seen in server log.
    15:21:48,811 DEBUG [org.apache.catalina.realm] (http-localhost/127.0.0.1:8080-2)   Checking roles GenericPrincipal[huahsin68(Role_1,)] 
    15:21:48,811 DEBUG [org.apache.catalina.realm] (http-localhost/127.0.0.1:8080-2) JBWEB000017: User [user1] has role [Role_1]
    15:21:48,811 DEBUG [org.apache.catalina.realm] (http-localhost/127.0.0.1:8080-2) Role found:  Role_1
But if it doesn’t found, following log would be seen in server log:
    11:32:40,401 DEBUG [org.apache.catalina.realm] (http-localhost/127.0.0.1:8080-2)   Checking roles GenericPrincipal[huahsin68()]
    11:32:40,415 DEBUG [org.apache.catalina.realm] (http-localhost/127.0.0.1:8080-2) JBWEB000016: User [user1] does not have role [Role_1]
    11:32:40,415 DEBUG [org.apache.catalina.realm] (http-localhost/127.0.0.1:8080-2) No role found:  Role_1

No comments: