Using Multiple login module in JBoss


Problem description

I am new to the authentication and security area, and I am trying to extend the authentication mechanism of my application, which currently provides traditional user name/password authentication, to allow users to authenticate via an LDAP server.

In the current implementation, the application uses the j_security_check thread from the Server API to authenticate the user. The standalone.xml file of JBoss has a login module pointing to a myLoginModuleClass class, which extends jboss.security.auth.spi.UsernamePasswordLoginModule.

<security-domain name="db-domain">
  <authentication>
    <login-module code="myLoginModuleClass" flag="required" module="packageForClass">
      <module-option name="hashAlgorithm" value="SHA-256" />
      <module-option name="hashEncoding" value="base64" />
      <module-option name="password-stacking" value="useFirstPass" />
    </login-module>
  </authentication>
</security-domain>

I have added another login-module called LDAP Login module in a separate security.

<security-domain name="ldap-domain">
  <authentication>
    <login-module code="LDAPLoginModule" flag="required" module="LDAPModulePackage">
      <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
      <module-option name="java.naming.security.authentication" value="simple" />
      <module-option name="bindCredential" value="secret" />
      <module-option name="password-stacking" value="useFirstPass" />
    </login-module>
  </authentication>
</security-domain>

The issue I am currently facing is the following: jboss-web.xml and the project's web.xml both point to the existing security domain: db-domain. And I can only specify one security domain there. Question: How can I programmatically tell JBoss to point to a particular login class based on user selection, meaning that if the user chooses LDAP auth, the LDAPLoginModule class is called? Or is there a better way to have mixed-mode authentication?

Thanks in advance

Solution

Meanwhile, I found a workaround. I can specify both login modules in a single security domain and change the flag from "required" to "sufficient".

<security-domain name="common-domain">
  <authentication>
    <login-module code="LDAPLoginModule" flag="sufficient" module="LDAPModulePackage">
      <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
      <module-option name="java.naming.security.authentication" value="simple" />
      <module-option name="bindCredential" value="secret" />
      <module-option name="password-stacking" value="useFirstPass" />
    </login-module>

    <login-module code="mydbLoginModuleClass" flag="sufficient" module="packageForClass">
      <module-option name="hashAlgorithm" value="SHA-256" />
      <module-option name="hashEncoding" value="base64" />
      <module-option name="password-stacking" value="useFirstPass" />
    </login-module>

  </authentication>
</security-domain>

By doing this, the JBoss security will pick up the logins sequentially in the order they are configured in the standalone.xml file (first ldap and then dblogin) and stops whenever the login is successful.
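The stacking behaviour of two `sufficient` modules can be reproduced outside JBoss with the standard JAAS classes in the JDK. This is an added example, not code from the original post: `ToyStoreModule`, its options and the accounts alice and bob are constructed stand-ins for `LDAPLoginModule` and `mydbLoginModuleClass`.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;
public class SufficientStackDemo {
    // Constructed stand-in for a real store: accepts the one user/password pair in its options.
    public static class ToyStoreModule implements LoginModule {
        private CallbackHandler handler; private Map<String, ?> opts; private boolean ok;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> o) { handler = h; opts = o; }
        public boolean login() throws LoginException {
            NameCallback n = new NameCallback("user");
            PasswordCallback p = new PasswordCallback("password", false);
            try { handler.handle(new Callback[] {n, p}); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            System.out.println("  tried " + opts.get("store"));   // shows the evaluation order
            ok = opts.get("user").equals(n.getName()) && opts.get("password").equals(new String(p.getPassword()));
            if (!ok) throw new FailedLoginException(opts.get("store") + " rejected the login");
            return true;
        }
        public boolean commit() { return ok; }   // false tells JAAS to ignore this module
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }
    static AppConfigurationEntry entry(String store, String user, String password) {
        return new AppConfigurationEntry(ToyStoreModule.class.getName(),
            LoginModuleControlFlag.SUFFICIENT, Map.of("store", store, "user", user, "password", password));
    }
    // Same order as common-domain: the LDAP stand-in first, then the database stand-in.
    static boolean authenticate(String user, String password) {
        Configuration stack = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry("ldap", "alice", "ldap-pw"), entry("db", "bob", "db-pw") };
            }
        };
        CallbackHandler h = cbs -> {
            for (Callback c : cbs) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password.toCharArray());
            }
        };
        try { new LoginContext("common-domain", null, h, stack).login(); return true; }
        catch (LoginException e) { return false; }
    }
    public static void main(String[] args) {
        // alice exists only in the LDAP stand-in, bob only in the database stand-in.
        for (String[] c : new String[][] {{"alice", "ldap-pw"}, {"bob", "db-pw"}, {"bob", "guess"}})
            System.out.println(c[0] + "/" + c[1] + " -> " + authenticate(c[0], c[1]));
    }
}
```

With every module flagged `sufficient`, a valid credential in either store authenticates the user, so an account disabled or removed in LDAP still logs in while its database entry remains. Every submitted password is also presented to the LDAP module first, so failed attempts against database-only accounts show up as LDAP bind failures in that server's logs.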
