From portal-commits at lists.jboss.org Mon Mar 5 12:24:31 2007 Content-Type: multipart/mixed; boundary="===============5702334992415926000==" MIME-Version: 1.0 From: portal-commits at lists.jboss.org To: portal-commits at lists.jboss.org Subject: [portal-commits] JBoss Portal SVN: r6543 - docs/trunk/referenceGuide/en/modules. Date: Mon, 05 Mar 2007 12:24:31 -0500 Message-ID: --===============5702334992415926000== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Author: bdaw Date: 2007-03-05 12:24:31 -0500 (Mon, 05 Mar 2007) New Revision: 6543 Modified: docs/trunk/referenceGuide/en/modules/authentication.xml docs/trunk/referenceGuide/en/modules/security.xml Log: addons for Authentication chapter Modified: docs/trunk/referenceGuide/en/modules/authentication.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- docs/trunk/referenceGuide/en/modules/authentication.xml 2007-03-05 17:0= 4:16 UTC (rev 6542) +++ docs/trunk/referenceGuide/en/modules/authentication.xml 2007-03-05 17:2= 4:31 UTC (rev 6543) @@ -11,6 +11,7 @@ Authentication in JBoss Portal TODO + To understand authentication mechanisms in JBoss Portal better= please refer to Securit= y chapter Configuration You can configure JAAS authentication stack in jb= oss-portal.sar/conf/login-config.xml 
@@ -22,11 +23,83 @@ JBoss Portal comes with few implementations of JAAS = LoginModule interface org.jboss.portal.identity.auth.IdentityLoginModule - TODO + This is standard portal LoginModule implementation, that us= e portal identity modules to search for users and roles. By default it's th= e only + configured LoginModule in the portal authentication stack. Its be= haviour can be altered with following options: + + + userModuleJNDIName - = JNDI name of portal UserModule. + + + roleModuleJNDIName - = JNDI name of portal RoleModule. + + + membershipModuleJNDIName - JNDI name of portal MembershipModule. + + + additionalRole - addi= tional user Principal that will be added to user Subject. + This is important as in default portal configuration it = is the role that portal servlet is secured with. + + + havingRole - only use= rs belonging to role specified with this option will be authenticated. + + + unauthenticatedIdentity - the principal to use when a null username and password are seen. + + + IdentityLoginModule extends org.jboss.security.auth.spi.= UsernamePasswordLoginModule so if you are familiar with JBossSX you can app= ly + few other options like "password-stacking". Please refer to JB= ossSX documentation. + org.jboss.portal.identity.auth.DBIdentityLoginModule</titl= e> - <para>TODO</para> + <para>This <emphasis>LoginModule</emphasis> implementation extend= s JBossSX <emphasis>org.jboss.security.auth.spi.DatabaseServerLoginModule</= emphasis> and can be + used to authenicate against Database. The main purpose of this mo= dule is to be configured directly against portal database (instead of using= portal identity + modules like in IdentityLoginModule). So if you are using custom = LoginModule implementation you can place this module with "sufficient" flag= . This can + be extremely useful. 
For example if you authenticate against LDAP= server using JBossSX <emphasis>LdapLoginModule</emphasis> you can + fallback to users present in portal database and not present in L= DAP like "admin" user. Please look into + <ulink url=3D"http://wiki.jboss.org/wiki/Wiki.jsp?page=3DDatabase= ServerLoginModule">this</ulink> wiki page to learn more about = + <emphasis>DatabaseServerLoginModule</emphasis> configuration</par= a> + <para> + Options are: + <itemizedlist> + <listitem> + <emphasis role=3D"bold">dsJndiName</emphasis> - The name= of the DataSource of the database containing the Principals and Roles tabl= es + </listitem> + <listitem> + <emphasis role=3D"bold">principalsQuery</emphasis> - The= prepared statement query, equivalent to: <emphasis>"select Password from P= rincipals where PrincipalID=3D?"</emphasis> + </listitem> + <listitem> + <emphasis role=3D"bold">rolesQuery</emphasis> - The prep= ared statement query, equivalent to: <emphasis>"select Role, RoleGroup from= Roles where PrincipalID=3D?"</emphasis> + </listitem> + <listitem> + <emphasis role=3D"bold">hashAlgorithm</emphasis> - The n= ame of the <emphasis>java.security.MessageDigest</emphasis> algorithm to us= e to hash the password. + There is no default so this option must be specified to = enable hashing. When hashAlgorithm is specified, the clear text password ob= tained from the <emphasis>CallbackHandler</emphasis> + is hashed before it is passed to UsernamePasswordLoginMo= dule.validatePassword as the inputPassword argument. The expectedPassword a= s stored in the users.properties + file must be comparably hashed. + </listitem> + <listitem> + <emphasis role=3D"bold">hashEncoding</emphasis> - The st= ring format for the hashed pass and must be either "base64" or "hex". Base6= 4 is the default. + </listitem> + <listitem> + <emphasis role=3D"bold">additionalRole</emphasis> - addi= tional user <emphasis>Principal</emphasis> that will be added to user <emph= asis>Subject</emphasis>. 
+ </listitem> + </itemizedlist> + </para> + <para> + Configuration using portal database will look like this: + <programlisting> + <![CDATA[ + <login-module code =3D "org.jboss.portal.identity.auth.DBId= entityLoginModule" flag=3D"sufficient"> + <module-option name=3D"dsJndiName">java:/PortalDS</modul= e-option> + <module-option name=3D"principalsQuery">SELECT jbp_passw= ord FROM jbp_users WHERE jbp_uname=3D?</module-option> + <module-option name=3D"rolesQuery">SELECT jbp_roles.jbp_= name, 'Roles' FROM jbp_role_membership INNER JOIN jbp_roles ON jbp_role_me= mbership.jbp_rid =3D jbp_roles.jbp_rid INNER JOIN jbp_users ON jbp_role_mem= bership.jbp_uid =3D jbp_users.jbp_uid WHERE jbp_users.jbp_uname=3D?</module= -option> + <module-option name=3D"hashAlgorithm">MD5</module-option> + <module-option name=3D"hashEncoding">HEX</module-option> + <module-option name=3D"additionalRole">Authenticated</mo= dule-option> + </login-module> + ]]> + </programlisting> + </para> </sect2> <sect2> <title>org.jboss.portal.identity.auth.SynchronizingLdapLoginModul= e Modified: docs/trunk/referenceGuide/en/modules/security.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- docs/trunk/referenceGuide/en/modules/security.xml 2007-03-05 17:04:16 U= TC (rev 6542) +++ docs/trunk/referenceGuide/en/modules/security.xml 2007-03-05 17:24:31 U= TC (rev 6543) @@ -112,7 +112,7 @@ = - + Authentication with JBoss Portal JBoss Portal relies on Java EE for the authentication of users= . The Java EE authentication has its advantages and drawbacks. The main motivation for using Java EE security is the= integration with the application server and the --===============5702334992415926000==--
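Review bot: the `TODO` placeholder in the chapter introduction survives the first authentication.xml hunk (`@@ -11,6 +11,7 @@`), with the new cross-reference sentence appended after it rather than replacing it, so the generated guide will still print "TODO" directly above the pointer to the Security chapter; replace the placeholder with the new sentence or drop it. The sentence itself also needs a comma and an article: "To understand authentication mechanisms in JBoss Portal better, please refer to the Security chapter".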
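Review bot: in the second authentication.xml hunk (`@@ -22,11 +23,83 @@`) the sample `login-module` block pairs `hashAlgorithm` MD5 with `hashEncoding` HEX, while the `hashEncoding` item two entries above says the value "must be either "base64" or "hex"" with base64 as the default; either state in the prose that the value is case-insensitive or change the example to `hex` so readers do not copy a value the documented contract appears to reject. On the `hashAlgorithm` item, the sentence "The expectedPassword as stored in the users.properties file must be comparably hashed" is carried over from the properties-file login module; for DBIdentityLoginModule the expected value is whatever `principalsQuery` returns (here `jbp_password` from `jbp_users`), so it should say that column must hold the same digest in the same encoding, and since the option accepts any `java.security.MessageDigest` algorithm the doc should note that MD5 appears in the example only to match the stored format and that a stronger digest should be chosen where the stored passwords allow it. The "sufficient" fallback advice ("you can fallback to users present in portal database and not present in LDAP like "admin" user") only holds if the LDAP entry is flagged so that its failure does not end the login, and JAAS evaluates modules in declaration order, so the example should show both entries with their flags rather than the database module alone. The `unauthenticatedIdentity` item should state what happens when the option is left unset, since setting it hands a principal to callers that present no credentials and readers need to know it is opt-in. Typos: "that us= e portal identity modules" should read "that uses", "authenicate" should read "authenticate", and "few other options" should read "a few other options".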
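Review bot: the `-`/`+` pair in the security.xml hunk (`@@ -112,7 +112,7 @@`) is empty as rendered here, so the actual change just above the "Authentication with JBoss Portal" title cannot be reviewed from this text, and the commit log "addons for Authentication chapter" does not mention security.xml at all; please describe the security.xml change in the log so the purpose of touching the second file is recorded alongside the authentication.xml additions.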