Hi all,
I found it very difficult to establish a JAAS LDAP-based login context as well but finally managed to do so. I think the current documentation is out of date but that's okay as long as the next batch tidies things up.
I'll post the work I did to establish EJB-based and web-based login contexts below. I use the LDAP login module so I don't think it carries over to database login (for example).
A. How to Establish a JAAS LDAP Login Context (EJB)
=======================================================
Step 1. Define the JNDI Connection
----------------------------------
In the /conf/login-config.xml of your selected JBoss server, specify your JNDI LDAP connection along the lines of the following:
<application-policy name="AdminRealm">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://url.goes.here:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <!--<module-option name="java.naming.security.protocol"></module-option>-->
      <!--<module-option name="java.naming.security.principal"></module-option>-->
      <!--<module-option name="java.naming.security.credentials"></module-option>-->
      <module-option name="principalDNPrefix">uid=</module-option>
      <module-option name="principalDNSuffix">,ou=Accounts,o=talonline.ca</module-option>
      <!--<module-option name="useObjectCredential">false</module-option>-->
      <module-option name="rolesCtxDN">ou=Roles,o=business.com</module-option>
      <module-option name="roleAttributeID">description</module-option>
      <module-option name="uidAttributeID">sn</module-option>
      <module-option name="matchOnUserDN">false</module-option>
      <!--<module-option name="unauthenticatedIdentity">guest</module-option>-->
      <!--<module-option name="password-stacking"></module-option>-->
      <!--<module-option name="hashAlgorithm">SHA</module-option>-->
      <!--<module-option name="hashEncoding">base64</module-option>-->
      <!--<module-option name="hashCharset"></module-option>-->
    </login-module>
  </authentication>
</application-policy>
Step 2. Specify the Security Realm in the jboss.xml files
-----------------------------------------------------------------
Next, for each EJB jar file that you create, place a jboss.xml in it. Specify in the jboss.xml file the names of all EJBs in the JAR along with the security realm(s) used by the EJBs. This tells JBoss at deployment that the named EJBs will use the specified security realm(s) for their authentication and/or authorization. Here is an example config file.
<jboss>
  <security-domain>java:/jaas/AdminRealm</security-domain>
  <enterprise-beans>
    <entity>
      <ejb-name>AccountEJB</ejb-name>
      <local-jndi-name>AccountHomeLocal</local-jndi-name>
    </entity>
  </enterprise-beans>
</jboss>
That's all there is to it. Once these are set, then you can modify the EJB code and its other configuration files (ex. ejb-jar.xml) to set up role-based security, perform authentication and authorization, etc.
B. How to Establish a JAAS LDAP Login Context (Web)
=======================================================
Step 1. Specify the JNDI LDAP Connection
----------------------------------------
In the /conf/login-config.xml of your selected JBoss server, specify your JNDI LDAP connection along the lines of the previous example.
Step 2. Modify the Security Requirements in web.xml
---------------------------------------------------------
Modify the web application's web.xml file so that it contains the security characteristics you want to have applied to the application. See the second attachment for an example of the security information you might add to web.xml if you want to prompt users attempting to access any resource in the application via HTTP GET or POST for basic authentication in the AdminRealm.
<!--*********************************************************************-->
<!---->
<!--Configure the web application's security environment.-->
<!---->
<!--*********************************************************************-->
<security-constraint>
  <display-name>Constraints of the Administration Console's Security Environment</display-name>
  <!--URI security patterns and the HTTP methods to protect on them.-->
  <web-resource-collection>
    <web-resource-name>Protected Administration Console Resources</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <!--Anyone with these roles may enter this area.-->
  <auth-constraint>
    <role-name>Administrator</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>no description</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<!-- Login configuration: HTTP basic authentication against AdminRealm -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>AdminRealm</realm-name>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
  <role-name>Administrator</role-name>
</security-role>
Step 3. Specify the name of the Web App's Security Realm in the jboss-web.xml file.
--------------------------------------------------------------------------------------------
Finally, modify or create a jboss-web.xml so that it contains the name(s) of the security realm(s) that the secured web application will work off of. JBoss uses this to associate the appropriate JNDI realm(s) with this application.
<jboss-web>
  <security-domain>java:/jaas/AdminRealm</security-domain>
</jboss-web>
Cheers,
Darryl
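The following is an added example, not part of Darryl's post and not JBoss code: a small model of how the LdapLoginModule options above (principalDNPrefix/Suffix, rolesCtxDN, uidAttributeID, roleAttributeID, matchOnUserDN) turn a username into a bind DN, a role search and a role set, which is then checked against the web.xml auth-constraint. The directory entries and usernames are constructed sample data.

```python
"""Model of how JBoss's LdapLoginModule uses the posted module-options:
it binds as principalDNPrefix + user + principalDNSuffix, then searches
rolesCtxDN with (uidAttributeID=user) and reads roleAttributeID values.
Added example, not JBoss code; the directory entries are constructed."""

# module-options copied from the posted login-config.xml
OPTIONS = {
    "principalDNPrefix": "uid=",
    "principalDNSuffix": ",ou=Accounts,o=talonline.ca",
    "rolesCtxDN": "ou=Roles,o=business.com",
    "roleAttributeID": "description",
    "uidAttributeID": "sn",
    "matchOnUserDN": "false",
}

# Constructed sample of role entries as (entry DN, attributes).
SAMPLE_ROLE_ENTRIES = [
    ("cn=admins,ou=Roles,o=business.com",
     {"sn": ["dwhite", "jsmith"], "description": ["Administrator"]}),
    ("cn=staff,ou=Roles,o=business.com",
     {"sn": ["jsmith"], "description": ["User"]}),
    ("cn=stale,ou=OldRoles,o=business.com",   # outside rolesCtxDN: ignored
     {"sn": ["dwhite"], "description": ["Auditor"]}),
]

def bind_dn(user, opts=OPTIONS):
    """The DN the module binds with to verify the supplied password."""
    return opts["principalDNPrefix"] + user + opts["principalDNSuffix"]

def _match_value(user, opts):
    # matchOnUserDN=true matches the full bind DN instead of the bare username
    return bind_dn(user, opts) if opts["matchOnUserDN"].lower() == "true" else user

def role_filter(user, opts=OPTIONS):
    """Search filter the module sends under rolesCtxDN."""
    return "(%s=%s)" % (opts["uidAttributeID"], _match_value(user, opts))

def roles_for(user, entries, opts=OPTIONS):
    """Roles assigned: every roleAttributeID value on entries matching the filter."""
    base, value, roles = opts["rolesCtxDN"].lower(), _match_value(user, opts), set()
    for dn, attrs in entries:
        if dn.lower() != base and not dn.lower().endswith("," + base):
            continue                        # subtree search is scoped to rolesCtxDN
        if value in attrs.get(opts["uidAttributeID"], []):
            roles.update(attrs.get(opts["roleAttributeID"], []))
    return roles

def passes_auth_constraint(user, entries, required=("Administrator",), opts=OPTIONS):
    """Mirror of the web.xml auth-constraint: any listed role-name grants access."""
    return bool(roles_for(user, entries, opts) & set(required))
```

Running the functions against a copy of your own directory data is a quick way to confirm that the options resolve users to the roles you expect before the realm is wired into jboss.xml and jboss-web.xml.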