<html>
<head>
    <base href="https://docs.jboss.org/author">
            <link rel="stylesheet" href="/author/s/en/2172/19/5/_/styles/combined.css?spaceKey=TEIID&amp;forWysiwyg=true" type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://docs.jboss.org/author/display/TEIID/LoginModules">LoginModules</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://docs.jboss.org/author/display/~jdurani">Juraj Duráni</a>
    </h4>
        <div id="versionComment">
        <b>Comment:</b>
        fixed module-option's value definition in example of LDAP login module<br />
    </div>
        <br/>
                         <h4>Changes (15)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >Teiid can be configured with multiple named application policies that group together relevant LoginModules. These security-domain names can be referenced on a per vdb or per transport basis. <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >The <span class="diff-changed-words">security<span class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">\</span>-domain</span> attribute under the transport element in &quot;teiid&quot; subsystem in the <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">{{&lt;jboss\-install&gt;/standalone/configuration/standalone\-teiid.xml}}</span> <span class="diff-added-words"style="background-color: #dfd;">{{&lt;jboss-install&gt;/standalone/configuration/standalone-teiid.xml}}</span> file is used set the security-domain name.  For example, in default configuration under &quot;teiid&quot; subsystem you will find <br></td></tr>
            <tr><td class="diff-unchanged" > <br>{code:XML} <br></td></tr>
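            <tr><td>Review bot: The changed sentence still reads "is used set the security-domain name"; it is missing "to" ("is used to set"). Since this line is already being edited to drop the escaped hyphens, the wording fix belongs in the same change.</td></tr>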
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > <br>{tip} <br></td></tr>
            <tr><td class="diff-changed-lines" >The <span class="diff-changed-words">&quot;security<span class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">\</span>-domain&quot;</span> defined for each transport type can be different under Teiid. So, effectively one can configure different transports for JDBC or ODBC or multiple JDBC ports with different security domains. <br></td></tr>
            <tr><td class="diff-unchanged" >{tip} <br> <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > <br>{warning} <br></td></tr>
            <tr><td class="diff-changed-lines" >In existing installations an appropriate security domain may already be configured for use by administrative clients <span class="diff-changed-words"><span class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">\</span>(typically</span> for <span class="diff-changed-words">&quot;admin<span class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">\</span>-console&quot;).</span> If the admin connections <span class="diff-changed-words"><span class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">\</span>(CLI</span> and adminshell) are not secured, it is recommended that you secure that interface by executing &quot;add-user.sh&quot; script in the &quot;bin/scripts&quot; directory. <br></td></tr>
            <tr><td class="diff-unchanged" >{warning} <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >h1. <span class="diff-changed-words">Built<span class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">\</span>-in</span> LoginModules <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;"> <br></td></tr>
            <tr><td class="diff-unchanged" >JBossAS provides several LoginModules for common authentication needs, such as authenticating from a [#Text Based LoginModule] or a [#LDAP Based LoginModule]. <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >You can install multiple login modules as part of single security domain configuration and configure them to be part of the login process. For example, for <span class="diff-changed-words">&quot;teiid<span class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">\</span>-security&quot;</span> domain, you can configure a file based and also LDAP based login modules, and have your user authenticated with either or both login modules.  If you want to write your own custom login module, refer to the [Developer&#39;s Guide] for instructions. <br></td></tr>
            <tr><td class="diff-unchanged" > <br>For all the available login modules refer to [http://community.jboss.org/docs/DOC-11287]. <br> <br>h2. Realm Based LoginModule <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">The _RealmDirectLoginModule_ utilizes a separately configured security realm, by default ApplicationRealm, to perform authentication. The below XML fragment under &quot;security&quot; subsystem shows a realm based login module.  <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">The _RealmDirectLoginModule_ utilizes a separately configured security realm, by default ApplicationRealm, to perform authentication. The below XML fragment under &quot;security&quot; subsystem shows a realm based login module. <br> <br></td></tr>
            <tr><td class="diff-unchanged" >{code:XML|title=standalone-teiid.xml} <br> &lt;subsystem xmlns=&quot;urn:jboss:domain:security:1.1&quot;&gt; <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > <br>h2. Text Based LoginModule <br></td></tr>
            <tr><td class="diff-deleted-lines" style="color:#999;background-color:#fdd;text-decoration:line-through;">Refer to [http://community.jboss.org/docs/DOC-12510]. The _UsersRolesLoginModule_ utilizes simple text files to authenticate users and to define their groups. The below XML fragment under &quot;security&quot; subsystem shows a Text based login module.  <br></td></tr>
            <tr><td class="diff-unchanged" > <br></td></tr>
            <tr><td class="diff-added-lines" style="background-color: #dfd;">Refer to [http://community.jboss.org/docs/DOC-12510]. The _UsersRolesLoginModule_ utilizes simple text files to authenticate users and to define their groups. The below XML fragment under &quot;security&quot; subsystem shows a Text based login module. <br> <br></td></tr>
            <tr><td class="diff-unchanged" >{code:XML|title=standalone-teiid.xml} <br> &lt;subsystem xmlns=&quot;urn:jboss:domain:security:1.1&quot;&gt; <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >User names and passwords are stored in the <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">_&lt;jboss\-as&gt;/standalone/configuration/teiid\-security\-users.properties_</span> <span class="diff-added-words"style="background-color: #dfd;">_&lt;jboss-as&gt;/standalone/configuration/teiid-security-users.properties_</span> file. <br></td></tr>
            <tr><td class="diff-unchanged" > <br>{code:title=Example user.properties file} <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >{code} <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >JAAS role assignments are stored in the <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">_&lt;jboss\-as&gt;/standalone/configuration/teiid\-security\-roles.properties_</span> <span class="diff-added-words"style="background-color: #dfd;">_&lt;jboss-as&gt;/standalone/configuration/teiid-security-roles.properties_</span> file. <br></td></tr>
            <tr><td class="diff-unchanged" > <br>{code:title=Example user.properties file} <br></td></tr>
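            <tr><td>Review bot: The code block that follows the roles sentence is still titled "Example user.properties file", the same title as the users block above it. Rename it to match teiid-security-roles.properties so readers do not mistake role assignments for the users file.</td></tr>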
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >{code} <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >User and role names are entirely up to the needs of the given deployment.  For example each application team can set their own security constraints for their VDBs, by mapping their VDB data roles to application specific JAAS roles, e.g. <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">app\_role\_1=user1,user2,user3.</span> <span class="diff-added-words"style="background-color: #dfd;">app_role_1=user1,user2,user3.</span> <br></td></tr>
            <tr><td class="diff-unchanged" > <br>{note} <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >See [LDAP LoginModule configuration|http://community.jboss.org/docs/DOC-11253] for the AS community guide.  The following are streamlined installation instructions. <br> <br></td></tr>
            <tr><td class="diff-changed-lines" >Configure LDAP authentication by editing <span class="diff-changed-words">_standalone<span class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">\</span>-teiid.xml_</span> under &quot;security&quot; sub system.  Once the security-domain is defined, then edit the &quot;security-domain&quot; attribute for Teiid&#39;s &quot;transport&quot; for which you want use this LDAP login. <br></td></tr>
            <tr><td class="diff-unchanged" > <br>{code:XML|title=standalone-teiid.xml} <br></td></tr>
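            <tr><td>Review bot: In the changed sentence, "for which you want use this LDAP login" is missing "to", and "sub system" is written "subsystem" in the earlier paragraph about the transport element. Both can be corrected while this line is being touched.</td></tr>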
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >                    &lt;module-option name=&quot;baseFilter&quot; value=&quot;(cn={0})&quot; /&gt; <br>                    &lt;module-option name=&quot;rolesCtxDN&quot; value=&quot;ou=Webapp-Roles,ou=Groups,dc=XXXX,dc=ca&quot; /&gt; <br></td></tr>
            <tr><td class="diff-changed-lines" >&lt;module-option name=&quot;roleFilter&quot; <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">value=(member={1}) &quot;</span> <span class="diff-added-words"style="background-color: #dfd;">value=&quot;(member={1})&quot;</span> /&gt; <br></td></tr>
            <tr><td class="diff-unchanged" >                    &lt;module-option name=&quot;uidAttributeID&quot; value=&quot;member&quot; /&gt; <br>                    &lt;module-option name=&quot;roleAttributeID&quot; value=&quot;cn&quot; /&gt; <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <p>LoginModules are an essential part of the JAAS security framework and provide Teiid customizable user authentication and the ability to reuse existing LoginModules defined for JBossAS. Refer to the JBoss Application Server security documentation for information about configuring security in JBoss Application Server, <a href="http://docs.jboss.org/jbossas/admindevel326/html/ch8.chapter.html" class="external-link" rel="nofollow">http://docs.jboss.org/jbossas/admindevel326/html/ch8.chapter.html</a>.</p>

<p>Teiid can be configured with multiple named application policies that group together relevant LoginModules. These security-domain names can be referenced on a per vdb or per transport basis.</p>

<p>The security-domain attribute under the transport element in the "teiid" subsystem in the <tt>&lt;jboss-install&gt;/standalone/configuration/standalone-teiid.xml</tt> file is used to set the security-domain name.  For example, in the default configuration under the "teiid" subsystem you will find</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: xml; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;">
  &lt;transport name="jdbc" protocol="teiid" socket-binding="teiid-jdbc"&gt;
     &lt;ssl mode="login"/&gt;
     &lt;authentication security-domain="teiid-security"/&gt;
  &lt;/transport&gt;
</pre>
</div></div>

<p>If no domain can authenticate the user, the login attempt will fail. Details of the failed attempt including invalid users, which domains were consulted, etc. will be in the server log with appropriate levels of severity.</p>

<div class='panelMacro'><table class='tipMacro'><colgroup><col width='24'><col></colgroup><tr><td valign='top'><img src="/author/images/icons/emoticons/check.gif" width="16" height="16" align="absmiddle" alt="" border="0"></td><td>The "security-domain" defined for each transport type can be different under Teiid. So, effectively one can configure different transports for JDBC or ODBC or multiple JDBC ports with different security domains.</td></tr></table></div>

<div class='panelMacro'><table class='tipMacro'><colgroup><col width='24'><col></colgroup><tr><td valign='top'><img src="/author/images/icons/emoticons/check.gif" width="16" height="16" align="absmiddle" alt="" border="0"></td><td>Starting with Teiid 8.7, a VDB can be configured to use a different security-domain from the one defined on the transport through which it is accessed. This is configured in the vdb.xml file; see <a href="/author/display/TEIID/VDB+Definition" title="VDB Definition">VDB Definition</a> for more information. If no security-domain is configured for a specific VDB, the security-domain defined on the transport is used as the default.
<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>"Example"</b></div><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: java; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;">
&lt;vdb name="vdb" version="1"&gt;
    &lt;property name="security-domain" value="custom-security" /&gt;
    ...
&lt;/vdb&gt;
</pre>
</div></div></td></tr></table></div>

<div class='panelMacro'><table class='warningMacro'><colgroup><col width='24'><col></colgroup><tr><td valign='top'><img src="/author/images/icons/emoticons/forbidden.gif" width="16" height="16" align="absmiddle" alt="" border="0"></td><td>In existing installations an appropriate security domain may already be configured for use by administrative clients (typically for "admin-console"). If the admin connections (CLI and adminshell) are not secured, it is recommended that you secure that interface by executing the "add-user.sh" script in the "bin/scripts" directory.</td></tr></table></div>

<h1><a name="LoginModules-BuiltinLoginModules"></a>Built-in LoginModules</h1>

<p>JBossAS provides several LoginModules for common authentication needs, such as authenticating from a <a href="#LoginModules-TextBasedLoginModule">Text Based LoginModule</a> or an <a href="#LoginModules-LDAPBasedLoginModule">LDAP Based LoginModule</a>.</p>

<p>You can install multiple login modules as part of a single security domain configuration and configure them to be part of the login process. For example, for the "teiid-security" domain, you can configure both a file-based and an LDAP-based login module, and have your users authenticated with either or both login modules.  If you want to write your own custom login module, refer to the <a href="/author/display/TEIID/Developer%27s+Guide" title="Developer&#39;s Guide">Developer's Guide</a> for instructions.</p>

<p>For all the available login modules refer to <a href="http://community.jboss.org/docs/DOC-11287" class="external-link" rel="nofollow">http://community.jboss.org/docs/DOC-11287</a>.</p>

<h2><a name="LoginModules-RealmBasedLoginModule"></a>Realm Based LoginModule</h2>

<p>The <em>RealmDirectLoginModule</em> utilizes a separately configured security realm, by default ApplicationRealm, to perform authentication. The below XML fragment under "security" subsystem shows a realm based login module.</p>

<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>standalone-teiid.xml</b></div><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: xml; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;">
 &lt;subsystem xmlns="urn:jboss:domain:security:1.1"&gt;
    &lt;security-domains&gt;
        &lt;security-domain name="teiid-security" cache-type="default"&gt;
            &lt;authentication&gt;
                &lt;login-module code="RealmDirect" flag="required"&gt;
                    &lt;module-option name="password-stacking" value="useFirstPass"/&gt;
                &lt;/login-module&gt;
            &lt;/authentication&gt;
        &lt;/security-domain&gt;
    &lt;/security-domains&gt;
&lt;/subsystem&gt;
</pre>
</div></div>

<h2><a name="LoginModules-TextBasedLoginModule"></a>Text Based LoginModule</h2>

<p>Refer to <a href="http://community.jboss.org/docs/DOC-12510" class="external-link" rel="nofollow">http://community.jboss.org/docs/DOC-12510</a>. The <em>UsersRolesLoginModule</em> utilizes simple text files to authenticate users and to define their groups. The below XML fragment under "security" subsystem shows a Text based login module.</p>

<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>standalone-teiid.xml</b></div><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: xml; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;">
 &lt;subsystem xmlns="urn:jboss:domain:security:1.1"&gt;
    &lt;security-domains&gt;
        &lt;security-domain name="teiid-security" cache-type="default"&gt;
            &lt;authentication&gt;
                &lt;login-module code="UsersRoles" flag="required"&gt;
                    &lt;module-option name="usersProperties" value="$(jboss.server.config.dir)/teiid-security-users.properties"/&gt;
                    &lt;module-option name="rolesProperties" value="$(jboss.server.config.dir)/teiid-security-roles.properties"/&gt;
                &lt;/login-module&gt;
            &lt;/authentication&gt;
        &lt;/security-domain&gt;
    &lt;/security-domains&gt;
&lt;/subsystem&gt;
</pre>
</div></div>

<div class='panelMacro'><table class='warningMacro'><colgroup><col width='24'><col></colgroup><tr><td valign='top'><img src="/author/images/icons/emoticons/forbidden.gif" width="16" height="16" align="absmiddle" alt="" border="0"></td><td>The <em>UsersRolesLoginModule</em> is not recommended for production use, and it is strongly recommended that you replace this login module.</td></tr></table></div>


<p>User names and passwords are stored in the <em>&lt;jboss-as&gt;/standalone/configuration/teiid-security-users.properties</em> file.</p>

<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>Example users.properties file</b></div><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: java; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;">
# A users.properties file for use with the UsersRolesLoginModule
# username=password

fred=password
george=password
...
</pre>
</div></div>

<p>JAAS role assignments are stored in the <em>&lt;jboss-as&gt;/standalone/configuration/teiid-security-roles.properties</em> file.</p>

<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>Example roles.properties file</b></div><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: java; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;">
# A roles.properties file for use with the UsersRolesLoginModule
# username=role1,role2,...

fred=data_role_1
sally=data_role_1
george=data_role_2
</pre>
</div></div>

<p>User and role names are entirely up to the needs of the given deployment.  For example, each application team can set its own security constraints for its VDBs by mapping the VDB data roles to application-specific JAAS roles, e.g. user1=app_role_1, with the same entry for user2 and user3.</p>

<div class='panelMacro'><table class='noteMacro'><colgroup><col width='24'><col></colgroup><tr><td valign='top'><img src="/author/images/icons/emoticons/warning.gif" width="16" height="16" align="absmiddle" alt="" border="0"></td><td>Teiid data roles names are independent of JAAS roles.  VDB creators can choose whatever name they want for their data roles, which are then mapped at deployment time to JAAS roles.</td></tr></table></div>

<h2><a name="LoginModules-LDAPBasedLoginModule"></a>LDAP Based LoginModule</h2>

<p>See <a href="http://community.jboss.org/docs/DOC-11253" class="external-link" rel="nofollow">LDAP LoginModule configuration</a> for the AS community guide.  The following are streamlined installation instructions.</p>

<p>Configure LDAP authentication by editing <em>standalone-teiid.xml</em> under the "security" subsystem.  Once the security-domain is defined, edit the "security-domain" attribute of the Teiid "transport" for which you want to use this LDAP login.</p>

<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>standalone-teiid.xml</b></div><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: xml; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;">
&lt;subsystem xmlns="urn:jboss:domain:security:1.1"&gt;
    &lt;security-domains&gt;
        &lt;security-domain name="ldap_security_domain"&gt;
            &lt;authentication&gt;
                &lt;login-module code="LdapExtended" flag="required"&gt;
                    &lt;module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" /&gt;
                    &lt;module-option name="java.naming.provider.url" value="ldap://mydomain.org:389" /&gt;
                    &lt;module-option name="java.naming.security.authentication" value="simple" /&gt;
                    &lt;module-option name="bindDN" value="myuser" /&gt;
                    &lt;module-option name="bindCredential" value="mypasswd" /&gt;
                    &lt;module-option name="baseCtxDN" value="ou=People,dc=XXXX,dc=ca" /&gt;
                    &lt;module-option name="baseFilter" value="(cn={0})" /&gt;
                    &lt;module-option name="rolesCtxDN" value="ou=Webapp-Roles,ou=Groups,dc=XXXX,dc=ca" /&gt;
                    &lt;module-option name="roleFilter" value="(member={1})" /&gt;
                    &lt;module-option name="uidAttributeID" value="member" /&gt;
                    &lt;module-option name="roleAttributeID" value="cn" /&gt;
                    &lt;module-option name="roleAttributeIsDN" value="true" /&gt;
                    &lt;module-option name="roleNameAttributeID" value="cn" /&gt;
                    &lt;module-option name="roleRecursion" value="-1" /&gt;
                    &lt;module-option name="searchScope" value="ONELEVEL_SCOPE" /&gt;
                    &lt;module-option name="allowEmptyPasswords" value="false" /&gt;
                    &lt;module-option name="throwValidateError" value="true" /&gt;
                &lt;/login-module&gt;
            &lt;/authentication&gt;
        &lt;/security-domain&gt;
    &lt;/security-domains&gt;
&lt;/subsystem&gt;
</pre>
</div></div>

<div class='panelMacro'><table class='noteMacro'><colgroup><col width='24'><col></colgroup><tr><td valign='top'><img src="/author/images/icons/emoticons/warning.gif" width="16" height="16" align="absmiddle" alt="" border="0"></td><td>If using SSL to the LDAP server, ensure that the Corporate CA Certificate is added to the JRE trust store.</td></tr></table></div>
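
<p>One way to audit a <em>standalone-teiid.xml</em> for the points made above: transports that reference an undefined security-domain, a UsersRoles module left in place, and an LdapExtended module that binds over plain <tt>ldap://</tt> or keeps <tt>bindCredential</tt> in the file. This Python script is an added example, not part of the Teiid documentation or code. The sample configuration, the <tt>urn:example:teiid</tt> namespace, the rule names, and the handling of a comma-separated security-domain value and of <tt>${...}</tt> expressions are assumptions made for illustration.</p>

```python
"""Audit security-domain wiring in a standalone-teiid.xml (added example)."""
import xml.etree.ElementTree as ET

USERS_ROLES = {"UsersRoles", "UsersRolesLoginModule"}
LDAP_EXT = {"LdapExtended", "LdapExtLoginModule"}

# Constructed sample: placeholder teiid namespace, misspelled domain on "odbc".
SAMPLE = """
<server>
  <subsystem xmlns="urn:jboss:domain:security:1.1">
    <security-domains>
      <security-domain name="teiid-security" cache-type="default"><authentication>
        <login-module code="UsersRoles" flag="required"/>
      </authentication></security-domain>
      <security-domain name="ldap_security_domain"><authentication>
        <login-module code="LdapExtended" flag="required">
          <module-option name="java.naming.provider.url" value="ldap://mydomain.org:389"/>
          <module-option name="java.naming.security.authentication" value="simple"/>
          <module-option name="bindCredential" value="mypasswd"/>
          <module-option name="allowEmptyPasswords" value="false"/>
        </login-module>
      </authentication></security-domain>
    </security-domains>
  </subsystem>
  <subsystem xmlns="urn:example:teiid">
    <transport name="jdbc"><authentication security-domain="teiid-security"/></transport>
    <transport name="odbc"><authentication security-domain="ldap-security-domain"/></transport>
  </subsystem>
</server>
"""


def local(tag):
    """Element name without its XML namespace."""
    return tag.rsplit("}", 1)[-1]


def by_name(root, name):
    return [e for e in root.iter() if local(e.tag) == name]


def audit(xml_text):
    """Return a sorted list of (subject, rule) findings for one config file."""
    root = ET.fromstring(xml_text.strip())
    findings = set()
    domains = {d.get("name"): d for d in by_name(root, "security-domain")}

    # 1. Every transport must reference a security-domain that is defined.
    for t in by_name(root, "transport"):
        subject = "transport:" + t.get("name", "?")
        refs = [a.get("security-domain", "") for a in by_name(t, "authentication")]
        names = [n.strip() for r in refs for n in r.split(",") if n.strip()]
        if not names:
            findings.add((subject, "no-security-domain"))
        for n in names:
            if n not in domains:
                findings.add((subject, "undefined-domain:" + n))

    # 2. Per-module checks inside each defined domain.
    for name, dom in domains.items():
        for lm in by_name(dom, "login-module"):
            code = lm.get("code", "").split(".")[-1]
            opt = {o.get("name"): o.get("value", "") for o in by_name(lm, "module-option")}
            if code in USERS_ROLES:  # the page warns against it in production
                findings.add((name, "usersroles-not-for-production"))
            if code not in LDAP_EXT:
                continue
            url = opt.get("java.naming.provider.url", "").lower()
            mech = opt.get("java.naming.security.authentication", "simple").lower()
            if url.startswith("ldap://") and mech == "simple":
                # A simple bind over plain ldap:// carries passwords unencrypted.
                findings.add((name, "ldap-cleartext-bind"))
            cred = opt.get("bindCredential", "")
            if cred and not cred.startswith("${"):
                # Assumption: a ${...} expression means the secret lives elsewhere.
                findings.add((name, "plaintext-bind-credential"))
            if opt.get("allowEmptyPasswords", "").lower() != "false":
                findings.add((name, "empty-passwords-not-disabled"))
    return sorted(findings)


if __name__ == "__main__":
    for subject, rule in audit(SAMPLE):
        print(f"{subject}: {rule}")
```

<p>On the constructed sample the script reports the UsersRoles domain, the clear-text LDAP bind, the literal bind password, and the "odbc" transport whose security-domain name does not match any defined domain.</p>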

<h2><a name="LoginModules-DatabaseLoginModule"></a>Database LoginModule</h2>

<p>Login module that uses Database-based authentication. Refer to <a href="http://community.jboss.org/docs/DOC-9511" class="external-link" rel="nofollow">http://community.jboss.org/docs/DOC-9511</a>.</p>

<h2><a name="LoginModules-CertLoginModule"></a>Cert LoginModule</h2>

<p>Login module that uses X509 certificate based authentication. See <a href="http://community.jboss.org/docs/DOC-9160" class="external-link" rel="nofollow">http://community.jboss.org/docs/DOC-9160</a>.</p>

<h2><a name="LoginModules-RoleMappingLoginModule"></a>Role Mapping LoginModule</h2>

<p>If the LoginModule you are using exposes role names that you wish to map to more application specific names, then you can use the RoleMappingLoginModule.  This uses a properties file to inject additional role names, and optionally replace the existing role, on authenticated subjects.</p>

<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>standalone-teiid.xml</b></div><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: xml; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;">
&lt;subsystem xmlns="urn:jboss:domain:security:1.1"&gt;
    &lt;security-domains&gt;
        &lt;security-domain name="ldap_security_domain"&gt;
            &lt;authentication&gt;
                ...
                &lt;login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional"&gt;
                    &lt;module-option name="rolesProperties" value="${jboss-install}/standalone/configuration/roles.properties" /&gt;
                    &lt;module-option name="replaceRole" value="false" /&gt;
                &lt;/login-module&gt;
                ...
            &lt;/authentication&gt;
        &lt;/security-domain&gt;
    &lt;/security-domains&gt;
&lt;/subsystem&gt;
</pre>
</div></div>


<h1><a name="LoginModules-CustomLoginModules"></a>Custom LoginModules</h1>

<p>If your authentication needs go beyond the provided LoginModules, please refer to the JAAS development guide at <a href="http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/JAASLMDevGuide.html" class="external-link" rel="nofollow">http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/JAASLMDevGuide.html</a>. There are also numerous guides available.</p>

<p>If you are extending one of the built-in LoginModules, refer to <a href="http://community.jboss.org/docs/DOC-9466" class="external-link" rel="nofollow">http://community.jboss.org/docs/DOC-9466</a>.</p>
    </div>
</div>
</div>
</div>
</div>
</body>
</html>