Red Hat JBoss Enterprise Application Platform Administration I
- Section Configuring a Database Security Domain
- Guided Exercise: Securing an Application
- Configuring an LDAP Security Domain
- Guided Exercise: Configuring the LDAP Login Module
- Securing a JMS Destination
- Quiz: Securing a JMS Destination
- Configuring the Password Vault
- Guided Exercise: Encrypting a Password
- Lab: Securing JBoss EAP
- Summary
Abstract
| Goal |
Apply security configurations to enhance the security of applications deployed on JBoss EAP. |
| Objectives |
|
| Sections |
|
| Lab |
|
As a middleware application server, Red Hat JBoss Enterprise Application Platform (JBoss EAP) provides a number of security related features, such as:
Authentication
Authorization
Identity management: Identity stores and identity providers
Encryption
Single Sign-On (SSO) systems and protocols
Role-based access control (RBAC)
Refer to the references section to learn about these concepts.
There are three types of assets protected by the security components in JBoss EAP:
- Management interfaces security
Controls access to the management CLI, and the management console.
- Application server services security
Controls access to the services that the application server provides to the applications. The following is a non exhaustive list of these services:
The JMS layer, and access to queues and topics
The Enterprise Java Beans layer
The HTTP layer, implemented by Undertow
The Java Connector Architecture (JCA) layer
These services are subsystems in JBoss EAP.
- Application security
Controls the access of the deployed applications to the source of identities. The applications can authenticate and authorize users by accessing the security of the JBoss EAP application server. The security of the JBoss EAP application server can play different roles in the authentication and authorization processes for the deployed applications.
For example, JBoss EAP can be the primary source of identities, and the identity store at the same time: the default configuration defines two files in the file system as source for the usernames, passwords, and roles. In a different scenario, the JBoss EAP security can be an identity provider, but uses a different third party identity store, such as LDAP servers, or database servers. In a third scenario, JBoss EAP can be part of a SSO system, by using protocols such as OIDC, Kerberos, or SAML. Refer to the references section to learn more about SSO in JBoss EAP.
The core principle behind the design of the security is to avoid embedding the logic for authentication and authorization inside the applications. This declarative approach captures the implementation details inside reusable components that can then be referenced by the applications and subsystems at runtime. For example, you can change the authentication and authorization mechanism for an application from using a database to using an LDAP server without making any source code changes in the application.
Between JBoss EAP 6 and JBoss EAP 7.1, there was only a security subsystem within the application server.
Since JBoss EAP 7.1 a new elytron security subsystem is generally available to the JBoss EAP administrators and developers.
The legacy security subsystem is implemented by using the PicketBox open source project, and the elytron security subsystem is implemented by using the Wildfly Elytron open source project.
The management console depicts the two subsystems as follows:
 |
The JBoss EAP security implementation relies in two main components: security realms, and security domains. A security realm is an identity store that contains information to authenticate and authorize users, such as usernames, passwords, and group membership. A security domain is a set of declarative security configurations that the applications and subsystems use.
The use of security realms and security domains is different between the legacy and the elytron security subsystems.
In the elytron security subsystem the security domain can use one or more security realms.
Thus, the same elytron security domain can use different sources of identity.
JBoss EAP provides 13 types of elytron security realms, such as filesystem-realm, jdbc-realm, ldap-realm, or token-realm.
Refer to the references section to learn more about the elytron realm types.
In the elytron security subsystem, the deployed applications can use one elytron security domain.
In the legacy security subsystem, security domains can contains information about connections to the identity store by using LoginModule components.
There are many types of LoginModule components, such as the PropertiesUsers, the Database, the Kerberos, or the SPNEGO login modules.
Refer to the references section to learn more about the existing login modules.
In the legacy security subsystem, if the application needs to access different identity stores, then you must configure the application to use different security domains.
Red Hat recommends the use of the elytron security subsystem over the legacy one. Elytron has the following benefits over the legacy security:
Unifies the security across the entire application server. It is a single point for configuring security for management interfaces, application services, and deployed applications.
Works with the most recent versions of Java.
Provides easier configuration and stronger encryption for the transport layers, such as HTTPS and SASL.
Provides easier configuration to use many identity stores, by using the
aggregate-realmrealm type.
However, the legacy security subsystem is the default in the provided JBoss EAP.
By default, the JBoss EAP configuration uses the legacy security subsystem, although you can use the legacy and the elytron security subsystems in parallel.
In the default configuration, JBoss EAP contains two security realms: ManagementRealm, and ApplicationRealm.
These realms use properties files as the identity store for the usernames, passwords, and groups.
Both realms are defined twice: in the legacy security, and in the elytron security, as this snippet of the standalone.xml file shows:
<server xmlns="urn:jboss:domain:16.0"> ...output omitted... <management> <security-realms><security-realm name="ManagementRealm"><authentication> ...output omitted... </authentication> <authorization map-groups-to-roles="false"> ...output omitted... </authorization> </security-realm>
<security-realm name="ApplicationRealm"><server-identities> ...output omitted... </server-identities> <authentication> ...output omitted... </authentication> <authorization> ...output omitted... </authorization> </security-realm> </security-realms> ...output omitted... </management> <profile> ...output omitted... <
subsystem xmlns="urn:wildfly:elytron:13.0"final-providers="combined-providers" disallowed-providers="OracleUcrypto"> ...output omitted... </security-domains> <security-realms> ...output omitted...<properties-realm name="ApplicationRealm">...output omitted... </properties-realm>
<properties-realm name="ManagementRealm">...output omitted... </properties-realm> </security-realms>
| Legacy security realms defined in the |
| Elytron security realms defined in the elytron subsystem. |
The duplicity of the configuration of both security realms enables you to change the JBoss EAP configuration from legacy to elytron.
You define the security domains in each of the subsystems, as this snippet of the standalone.xml file shows:
<server xmlns="urn:jboss:domain:16.0"> ...output omitted... <profile> ...output omitted...<subsystem xmlns="urn:wildfly:elytron:13.0"... ...output omitted... <security-domains><security-domain name="ApplicationDomain"default-realm="ApplicationRealm" permission-mapper="default-permission-mapper"> <realm name="ApplicationRealm" role-decoder="groups-to-roles"/> <realm name="local"/> </security-domain><security-domain name="ManagementDomain"default-realm="ManagementRealm" permission-mapper="default-permission-mapper"> <realm name="ManagementRealm" role-decoder="groups-to-roles"/> <realm name="local" role-mapper="super-user-mapper"/> </security-domain> </security-domains> <security-realms> ...output omitted...<subsystem xmlns="urn:jboss:domain:security:2.0"><security-domains><security-domain name="other"cache-type="default"> <authentication> ...output omitted... </security-domain><security-domain name="jboss-web-policy"cache-type="default"> <authorization> ...output omitted... </authorization> </security-domain><security-domain name="jaspitest"cache-type="default"> ...output omitted...<security-domain name="jboss-ejb-policy"cache-type="default"> ...output omitted... </security-domain> </security-domains> </subsystem>
By default, the legacy security subsystem has four security domains defined:
- jboss-ejb-policy
The default authorization security domain for EJB modules in applications that have not defined a security-domain explicitly.
- jboss-web-policy
The default authorization security domain for web modules in applications that have not defined a security-domain explicitly.
- other
This security domain is used internally within JBoss EAP for authorization and is required for correct operation.
- jaspitest
The jaspitest security domain is a simple Java Authentication Service Provider Interface for Containers (JASPIC) security domain included for development purposes.
The default configuration uses these legacy security domains from each subsystem. For example:
<subsystem xmlns="urn:jboss:domain:ejb3:9.0">...output omitted... <default-security-domain value="other"/> ...output omitted...<subsystem xmlns="urn:jboss:domain:undertow:12.0"...output omitted...default-security-domain="other"...>
By default, the elytron security subsystem has two security domains defined: ManagementDomain, and ApplicationDomain.
Each elytron security domain is using its corresponding elytron security realm: ManagementRealm, and ApplicationRealm.
You can define and configure security domains by using the management CLI, or by using the management console, in the → → section.
Since JBoss EAP 7.1, Red Hat provides a management CLI script that you can use to change the security subsystem from legacy to Elytron.
The script is $JBOSS_HOME/docs/examples/enable-elytron.cli.
This script modifies all relevant subsystems to use the security domains defined in the elytron subsystem, instead of using the security domains defined in the legacy subsystem.
For example, after executing the script, the previous configuration related to the ejb3 and undertow subsystems, changes to the following:
<subsystem xmlns="urn:jboss:domain:ejb3:9.0"> ...output omitted... <default-security-domain value="ApplicationDomain"/> ...output omitted... <subsystem xmlns="urn:jboss:domain:undertow:12.0" ...output omitted... <default-security-domain="ApplicationDomain"...>
Both security subsystems can work in parallel. You can have a group of applications secured with security domains from the legacy subsystem, and other groups secured with an elytron security domain.
As a general rule, Red Hat recommends to use only elytron as security subsystem, although the legacy security is always present in JBoss EAP 7.x.
There are cases where using only elytron is mandatory, for example, if you are using Java 17.
In Java 17 the java.security.acl package was removed, however PicketBox, the legacy implementation still uses it.
Since JBoss EAP 7.5, Red Hat provides another CLI script, which removes all use of the legacy subsystem: $JBOSS_HOME/docs/examples/enable-elytron-se17.cli.
Red Hat recommends migrating the existing uses of the legacy security subsystem to elytron. To help you in this task, refer to the migration guide linked in the references section.
By default, the role-based access control (RBAC) to the management interfaces is disabled.
If you enable RBAC, then you can use the following provided roles: Monitor, Operator, Maintainer, Deployer, Auditor, Administrator, and SuperUser.
Refer to the references section to learn more about JBoss EAP RBAC.
You can define a legacy security domain backed by a database by using the Database login module.
The database stores the users and the role mappings for the applications.
The security domain uses a datasource reference defined in the JBoss EAP configuration file, and defines queries for fetching the users and roles from the database.
The recommended approach is to store passwords in an encrypted format by configuring the hashAlgorithm attribute.
A database security domain can be created with the management CLI by using the following command:
[standalone@localhost:9990]/subsystem=security/security-domain= \bksecurity-domain:add(cache-type=default)
The following command associates the security domain with a database for authentication purposes:
[standalone@localhost:9990]/subsystem=security/security-domain= \db-domain/authentication=classic:add \(login-modules=[{"code"=>"Database", "flag"=>"required", \"module-options"=>[("dsJndiName"=>"java:jboss/datasources/test-ds"), \("principalsQuery"=>"SELECT password FROM users WHERE username = ?"), \("rolesQuery"=>"SELECT role, 'Roles' FROM roles WHERE username = ?"), \("hashAlgorithm"=>"SHA-256"),("hashEncoding"=>"base64")]}])
The corresponding XML definition of the database security domain is as follows:
<security-domain name="db-domain" cache-type="default">value="SELECT role, 'Roles' FROM roles WHERE username = ?"/> <module-option name="hashAlgorithm" value="SHA-256"/>
<module-option name="hashEncoding" value="base64"/>
</login-module> </authentication> </security-domain>
| The |
| The |
| The |
| The |
| The |
| The |
| The |
When a request is made to a JBoss EAP server that requires a user to be authenticated by using the db-domain, the following steps occur:
The username is retrieved from the request.
A database connection is retrieved from the connection pool named
java:jboss/datasources/test-ds.The
principalsQueryis executed, with the placeholder (?) being replaced with the username from the request.If the password retrieved from the database does not match the password sent in the request, then the security domain notifies the EAP container that this user is not authenticated. The request is not processed further.
If the password retrieved from the database matches the password sent in the request, then the
rolesQueryis executed, with the placeholder (?) being replaced with the username from the request.If the user does not belong to a required role of the requested resource, then the security domain notifies the EAP container that this user is not authorized. The request is not processed further.
If the user does belong to one of the required roles of the requested resource, then the user is authorized and the request is passed on to the requested resource.
To learn how to configure a database security domain by using the elytron subsystem, refer to the references section.
To utilize a security domain, users must add a reference to the security domain in the jboss-web.xml file.
The following is an example of the <security-domain> tag in the jboss-web.xml file:
<security-domain>Security_Domain_Name</security-domain>If an application has no <security-domain> tag in the jboss-web.xml file, then the undertow web subsystem applies the security domain defined in the default-security-domain element of the undertow configuration.
The web.xml file allows users to configure the security of the application, by creating security restrictions to specific paths, restricting based on roles, and defining the authentication type.
In the <security-constraint> portion of the web.xml file is the <web-resource-collections> section, which allows users to define which URL path requires authorization.
The <url-pattern> tag can contain any path on the server or simply use an * to secure all of the pages and resources.
The <auth-constraint> within the same section specifies which roles are allowed to access the restricted aspects of the application.
...
<security-constraint>
<web-resource-collection>
<web-resource-name>All resources</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
...The <login-config> tag within the web.xml defines the type of authentication to be used.
BASIC refers to an authentication requirement wherein the server requests a username and password from the web client, which is validated against the database.
Defining these aspects of the web.xml is outside the scope of this course.
...
<login-config>
<auth-method>BASIC</auth-method>
</login-config>References
For a general overview of common security concepts, refer to the Overview of General Security Concepts chapter in the Security Architecture guide in the Red Hat JBoss EAP documentation at https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/security_architecture/index#overview_of_general_security_concepts
For more information about RBAC and existing roles in JBoss EAP, refer to the Role-Based Access Control section in the Security Architecture guide in the Red Hat JBoss EAP documentation at https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/security_architecture/index#rbac
For more information about configuring JBoss EAP for SSO by using SAML, refer to the How To Set Up SSO with SAML v2 guide in the Red Hat JBoss EAP documentation at https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/how_to_set_up_sso_with_saml_v2/index
For more information about configuring JBoss EAP for SSO by using Kerberos, refer to the How to Set Up SSO with Kerberos guide in the Red Hat JBoss EAP documentation at https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/how_to_set_up_sso_with_kerberos/index
For more information about the elytron security realms types and how to use them, refer to the Elytron Subsystem chapter in the How to Configure Identity Management guide in the Red Hat JBoss EAP documentation at https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/how_to_configure_identity_management/index#elytron_secure_apps
For more information about the login modules existing in the legacy security subsystem, refer to the Login Module Reference Guide in the Red Hat JBoss EAP documentation at https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/login_module_reference/index
Security Configuration Changes for Java SE 17 Support in Red Hat JBoss EAP
For more information about how to migrate legacy security configuration to Elytron, refer to the Migrating to Elytron chapter in the Migration Guide in the Red Hat JBoss EAP documentation at https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/migration_guide/index#migrating_to_elytron
References
For more information about RBAC to the management interfaces, refer to the Role-Based Access Control section in the Security Architecture guide in the Red Hat JBoss EAP documentation at https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/security_architecture/index#rbac
For more information about configuring authentication with a database in elytron, refer to the How to Configure Identity Management guide in the in the Red Hat JBoss EAP documentation at https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/how_to_configure_identity_management/index#elytron_apps_DBAuth
For more information about configuring an application to use a JBoss EAP security domain, refer to the How to Configure Identity Management guide in the in the Red Hat JBoss EAP documentation at https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/how_to_configure_identity_management/index#configure-app-authentication
