Using the operating system to authenticate users on Red Hat JBoss Enterprise Application Platform (EAP) ?

Recently, I was searching for a solution to configure the security domain of Red Hat JBoss Enterprise Application Platform with the local operating system based user registry so that the application could directly authenticate its users with local operating system users. I understood that it would be difficult to implement a generic solution, as authentication mechanisms are strikingly different between Windows and Unix/Linux.

After checking several blogs and forums, I decided to implement this using JPAM for Unix/Linux and Waffle for Windows.

Editor’s note: JBoss Enterprise Application Platform is available at no cost for developers who sign up for the Red Hat Developer program (100% free.)

Implementation for Linux and UNIX

Before we start configuring the server, we need to also configure the operating system to use the JPAM module. These are the steps to do so:

  1. Download the appropriate JPAM module for your system architecture. I compiled the code for JPAM version 1.1.
  2. Place the resulting jpam-X.X.jar into your classpath (along with any libraries required to satisfy dependencies — in this case, commons-logging.jar is required.)
  3. Copy the native library to the Java Native Library path. See the table below. (For example, on a Red Hat Enterprise Linux i386 server, place libjpam.so at $JAVA_HOME/lib/i386/server and $JAVA_HOME/lib/i386/client)
  4. Copy .java.login.config to your home (~/) directory.
  5. Copy the net-sf-jpam PAM configuration to /etc/pam.d

For more info about jpam please check http://jpam.sourceforge.net/documentation/configuration.html

JBoss EAP configuration for JPAM

Now that we have the operating system prepared, it’s time to configure JBoss EAP to use JPAM for user authentication. These are the steps:

  1. We need to create a JPAM Module in the EAP server modules directory:mkdir $JBOSS_HOME/modules/com/jpam/main
  2. Copy the necessary JARs (copied commons-logging and JPam) into this directory and create a module.xml file with the following contents:
    <module xmlns="urn:jboss:module:1.1" name="com.jpam">
     <resources>
     <resource-root path="JPam.jar"/>
     <resource-root path="commons-logging.jar"/>
     </resources>
    </module>

Here is the code for authentication using JPAM

import java.security.acl.Group;
import javax.security.auth.login.LoginException;
import net.sf.jpam.Pam;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

public class LoginLx extends UsernamePasswordLoginModule {

    private SimplePrincipal user;
    private boolean guestOnly;

    protected boolean validatePassword(String password, String username) {
         boolean isValid = false;
         if (password == null) {
             this.guestOnly = true;
             isValid = true;
             this.user = new SimplePrincipal("guest");
         } else {
             isValid = this.isValidUser(username, password);
         }
         return isValid;
    }

    public boolean isValidUser(String username, String password) {
         try {
             Pam pam = new Pam();
             System.out.println("Pam created " + (Object)pam);
             boolean authenticated = pam.authenticateSuccessful(username, password);
             if (authenticated) {
                 System.out.println("Authentication Result: " + authenticated);
                 System.out.println("Authentication is successful");
                 return true;
             }
         }
         catch (LinkageError e) {
             System.out.println("Please check PAM library is setup properly");
             e.printStackTrace();
         }
         return false;
    }

    protected String getUsersPassword() throws LoginException {
         return this.getUsername();
    }

    @Override
    protected Group[] getRoleSets() throws LoginException {
        throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
    }
 }

This code can be compiled using maven:

  1. Create a project using maven by executing the below command:
    mvn archetype:generate -DgroupId=com.sid.localos -DartifactId=localos -DarchetypeArtifactId=maven-archetype-quickstart -DinteractiveMode=false
  2. Place the LoginLx.java file inside src/main/java/com/sid/localos
  3. Edit the pom.xml and add the following dependencies:
    <dependencies>
     <dependency>
      <groupId>net.sf.jpam</groupId>
      <artifactId>jpam</artifactId>
      <version>1.1</version>
     </dependency>
     <dependency>
      <groupId>org.picketbox</groupId>
      <artifactId>picketbox</artifactId>
      <version>4.9.6.Final</version>
     </dependency>
    </dependencies>
  4. Execute the following command to build the project (This will generate a jar with name localos-1.0-SNAPSHOT.jar in the target folder):
    $ mvn clean install

Now, in order for our server to utilize this functionality, we need to create another module for local OS based authentication implementation:

<module xmlns="urn:jboss:module:1.1" name="com.customOS">
 <resources>
  <resource-root path="localos-1.0-SNAPSHOT.jar"/>
 </resources>
 <dependency>
  <module name="com.jpam"/>
  <module name=”org.picketbox”/>
 </dependency>
</module>

In your server’s standalone.xml file (located in $JBOSS_HOME/standalone/configuration/standalone.xml), create a security domain with the name os-auth, like below:

<security-domain name="os-auth" cache-type="default">
 <authentication>
  <login-module code="com.sid.localos.loginlx" flag="required" module="com.customOS" />
 </authentication>
</security-domain>

Now, in your web project’s WEB-INF/jboss-web.xml configuration file, you can use this security domain:

<jboss-web>
 <security-domain>os-auth</security-domain>
</jboss-web>

Implementation for Windows

For implementing local OS based registry in windows, we don’t have to configure anything in operating system level. For windows operating system we are using waffle module (http://waffle.codeplex.com/)

JBOSS Configuration

You’ll need to create a module for Waffle. This module has dependencies on three libraries (guava.jar, jna.jar, jna-platform.jar). Place all of these JARS in the main folder of the Waffle module, and create a module.xml file, just like we did in the previous example, at $JBOSS_HOME/modules/com/waffle/main/.

<module xmlns="urn:jboss:module:1.1" name="com.waffle">
 <resources>
  <resource-root path="waffle-jna.jar"/>
  <resource-root path="guava.jar"/>
  <resource-root path="jna.jar"/>
  <resource-root path="jna-platform.jar"/>
 </resources>
</module>

Now create another module for our custom login module at $JBOSS_HOME/modules/com/customOS/main/, and include dependencies on Waffle and Picketbox. You’ll need to copy localos-1.0-SNAPSHOT.jar into this directory as well, which we will create in the next step. Include the following module.xml file in this directory:

<module xmlns="urn:jboss:module:1.1" name="com.customOS">
 <resources>
  <resource-root path="localos-1.0-SNAPSHOT.jar"/>
 </resources>
 <dependency>
  <module name="com.waffle"/>
  <module name=”org.picketbox”/>
 </dependency>
</module>

Here is the code for Windows based authentication

package com.sid.localos;

import java.security.acl.Group;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;
import waffle.windows.auth.IWindowsIdentity;
import waffle.windows.auth.impl.WindowsAuthProviderImpl;

public class loginW extends UsernamePasswordLoginModule {

    private SimplePrincipal user;
    private boolean guestOnly;

    protected boolean validatePassword(String password, String username) {
        boolean isValid = false;
        if (password == null) {
            this.guestOnly = true;
            isValid = true;
            this.user = new SimplePrincipal("guest");
        } else {
            isValid = this.isValidUser(username, password);
        }
        return isValid;
    }

    public boolean isValidUser(String username, String password) {
        WindowsAuthProviderImpl authenticationlevel = new WindowsAuthProviderImpl();
        IWindowsIdentity loggedOnUser = authenticationlevel.logonUser(username, password);
        if (!loggedOnUser.isGuest()) {
            System.out.println("Authentication Successful");
            return true;
        }
        return false;
    }

    protected String getUsersPassword() throws LoginException {
        return this.getUsername();
    }

    @Override
    protected Group[] getRoleSets() throws LoginException {
        throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
    }
}

This code can be compiled using Maven:

  1. Create a project using maven by executing the below command:
    mvn archetype:generate -DgroupId=com.sid.localos -DartifactId=localos -DarchetypeArtifactId=maven-archetype-quickstart -DinteractiveMode=false
  2. Place the LoginLx.java file inside src/main/java/com/sid/localos
  3. Edit the pom.xml to include the following dependencies:
    <dependencies>
     <dependency>
      <groupId>com.github.dblock.waffle</groupId>
      <artifactId>waffle-jna</artifactId>
      <version>1.8.1</version>
     </dependency>
     <dependency>
      <groupId>org.picketbox</groupId>
      <artifactId>picketbox</artifactId>
      <version>4.9.6.Final</version>
     </dependency>
    </dependencies>
  4. Execute the following command to build the project. This will create the localos-1.0-SNAPSHOT.jar for inclusion in the com.localos module above.
    $ mvn clean install

Now we can configure security domain in EAP to use this new login module.

<security-domain name="os-auth" cache-type="default">
<authentication>
<login-module code="com.sid.localos.loginW" flag="required" module="com.customOS" />
</authentication>
</security-domain>

Now using the WEB-INF/jboss-web.xml file, your application can use this security domain:

<jboss-web>
 <security-domain>os-auth</security-domain>
</jboss-web>

Both of these modules and configurations can be bundled together to use as a single solution.  I hope this will be helpful to implement local, operating system based security in JBoss Enterprise Application Platform. The same mechanism can be used for Realm as well.

Regards,
Siddhartha


Join the Red Hat Developer Program (it’s free) and get access to related cheat sheets, books, and product downloads.

 

Share

Leave a Reply