After some research it turned out 2 options were available:
- Kerberos/SPNEGO-based SSO.
- Authentication using LDAP protocol.
The former option seemed more tempting at first - it would provide passwordless (yes, no login form!) integration for Windows domain users, but unfortunately it required changes in web browser configuration for each user. As no automatic provision of such configuration was possible I headed for the latter option. As the local admin wanted to "opt out as much as possible" of the project the provision of application roles was to be done in a local database (will hopefully be described in another post)
Now, what I needed to do was to configure the JBoss security domain and the ldap authentication module in standalone.xml:
java.naming.provider.url - the URL of ldap one wants to connect to. It is important - at least using DIGEST-MD5 - that it is set to hostname, which the Active Directory server recognizes. In particular the IP address shouldn't be used. Otherwise one would get:
In case of SASL authentication the domain login (e.g. kroman in my case) is used as username.
javax.security.sasl.qop - security level of the protocol, valid options:
password-stacking - setting this to useFirstPass will result in retrieving roles from the next login-module (will be described in another post)
Now, what I needed to do was to configure the JBoss security domain and the ldap authentication module in standalone.xml:
<security-domain name="LDAPRealm">
<authentication>
<login-module code="Ldap" flag="required">
<module-option name="java.naming.provider.url" value="ldap://hostname:389/"/>
<module-option name="java.naming.security.authentication" value="DIGEST-MD5"/>
<module-option name="javax.security.sasl.qop" value="auth-conf"/>
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<!-- Database module to retrieve user roles - will be described in another post -->
</authentication>
</security-domain>java.naming.provider.url - the URL of ldap one wants to connect to. It is important - at least using DIGEST-MD5 - that it is set to hostname, which the Active Directory server recognizes. In particular the IP address shouldn't be used. Otherwise one would get:
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090303: LdapErr: DSID-0C090420, comment: The digest-uri does not match any LDAP SPN's registered for this server., data 0, vecejava.naming.security.authentication - type of authentication to use:
- none - no authentication. That's not what I want - I do want to authenticate the user
- simple - plain text authentication using Distinguished Name as username, e.g. in my case this would be CN=Kamil Roman,CN=Users,DC=mydomain,DC=com. Please note that the domain username is not used in the login string.
- one (or more) SASL authentication mechanism. For most LDAPs including Active Directory you can check the supported mechanisms by issuing
kamil@localhost:~$ ldapsearch -H ldap://192.168.1.100 -x -b "" -s base -LLL supportedSASLMechanisms dn: supportedSASLMechanisms: GSSAPI supportedSASLMechanisms: GSS-SPNEGO supportedSASLMechanisms: EXTERNAL supportedSASLMechanisms: DIGEST-MD5as long as DIGEST-MD5 is returned on the list it is fine
In case of SASL authentication the domain login (e.g. kroman in my case) is used as username.
javax.security.sasl.qop - security level of the protocol, valid options:
- auth - Authentication only (default)
- auth-int - Authentication with integrity protection
- auth-conf - Authentication with integrity and privacy protection
0002028: LdapErr: DSID-0C090169, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, veceAnyway, using auth-conf seems the most secure option and thus the best as long as it is supported by the LDAP server.
password-stacking - setting this to useFirstPass will result in retrieving roles from the next login-module (will be described in another post)
That's it on the app server side! Now we need to specify to use the newly configured security domain in the WEB-INF/jboss-web.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<security-domain>java:/jaas/LDAPRealm</security-domain>
</jboss-web>
Troubleshooting
- set logging level on org.jboss.security and org.jboss.as.web.security to TRACE or ALL
- JBoss swallows the root cause authentication exception and in the log file you will always get only
DEBUG [org.jboss.security] (http-/0.0.0.0:8080-5) PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070: Password invalid/Password required
and ajavax.servlet.ServletException: JBWEB000053: Failed to authenticate a principal thrown from the HttpServletRequest.login() if you use this method for authentication.
In order to know the root cause and/or message received from the AD server you need to debug the LdapLoginModule.validatePassword method and especially its catch(Throwable e){} block
