AD248 - ch09s02

Preface A: Introduction

Section A.1: Red Hat JBoss Enterprise Application Platform Administration I

Section A.2: Orientation to the Classroom Environment

Chapter 1: Red Hat JBoss Enterprise Application Platform: Architecture and Features

Section 1.1: Exploring the Architecture of JBoss EAP

Section 1.2: Quiz: Use Cases for Standalone Server versus Managed Domain

Section 1.3: Installing JBoss EAP

Section 1.4: Guided Exercise: Installing JBoss EAP

Section 1.5: Interpreting Extensions, Subsystems, and Profiles

Section 1.6: Quiz: Profile Selection

Section 1.7: Managing JBoss EAP

Section 1.8: Guided Exercise: JBoss EAP Management Console

Section 1.9: Lab: Red Hat JBoss Enterprise Application Platform: Architecture and Features

Section 1.10: Summary

Chapter 2: Configuring JBoss EAP as a Standalone Server

Section 2.1: Running JBoss EAP Standalone Server

Section 2.2: Guided Exercise: Creating a Standalone Server

Section 2.3: Configuring JBoss EAP as a Standalone Server

Section 2.4: Quiz: Configuring Profiles

Section 2.5: Configuring Interfaces and Socket Binding Groups

Section 2.6: Quiz: Configuring Interfaces and Socket Binding Groups

Section 2.7: Lab: Configuring JBoss EAP in Standalone Mode

Section 2.8: Summary

Chapter 3: Scripting Configuration and Deploying Applications

Section 3.1: Configuring JBoss EAP by Using the Management Command Line Interface

Section 3.2: Guided Exercise: Exploring the Management CLI Tool

Section 3.3: Deploying Applications to a Standalone Server

Section 3.4: Guided Exercise: Deploying Applications with Management Tools

Section 3.5: Lab: Scripting Configuration and Deploying Applications

Section 3.6: Summary

Chapter 4: Configuring JBoss EAP as a Managed Domain

Section 4.1: Running JBoss EAP as a Managed Domain

Section 4.2: Quiz: Managed Domains

Section 4.3: Assigning a Domain Controller

Section 4.4: Guided Exercise: Assigning a Domain Controller

Section 4.5: Configuring a Host Controller

Section 4.6: Guided Exercise: Configuring Host Controllers

Section 4.7: Configuring a Domain Controller

Section 4.8: Quiz: Configuring a Domain Controller

Section 4.9: Lab: Configuring JBoss EAP as a Managed Domain

Section 4.10: Summary

Chapter 5: Configuring Servers in a Managed Domain

Section 5.1: Managed Domain Server Architecture

Section 5.2: Quiz: Hosts and Servers

Section 5.3: Configuring Server Groups

Section 5.4: Guided Exercise: Configuring Server Groups

Section 5.5: Configuring Servers

Section 5.6: Guided Exercise: Configuring Servers

Section 5.7: Deploying Applications on a Managed Domain

Section 5.8: Guided Exercise: Deployment on a Managed Domain

Section 5.9: Lab: Configuring Servers in a Managed Domain

Section 5.10: Summary

Chapter 6: Configuring Data Sources

Section 6.1: Exploring the Data Source Subsystem

Section 6.2: Quiz: Data Sources

Section 6.3: Configuring JDBC Drivers

Section 6.4: Guided Exercise: Configuring JDBC Drivers

Section 6.5: Configuring Datasources

Section 6.6: Guided Exercise: Configuring a Data Source

Section 6.7: Configuring an XA Data Source

Section 6.8: Guided Exercise: Configuring an XA Datasource

Section 6.9: Lab: Configuring Data Sources

Section 6.10: Summary

Chapter 7: Configuring the Logging Subsystem

Section 7.1: Configuring Logging Handlers

Section 7.2: Guided Exercise: Configuring Logging Handlers

Section 7.3: Configuring Loggers

Section 7.4: Guided Exercise: Controlling Logging Levels

Section 7.5: Lab: Configuring the Logging Subsystem

Section 7.6: Summary

Chapter 8: Configuring the Messaging Subsystem

Section 8.1: Exploring the Messaging Subsystem

Section 8.2: Quiz: The Messaging Subsystem

Section 8.3: Configuring Messaging Resources

Section 8.4: Guided Exercise: Configuring Messaging Resources

Section 8.5: Configure Journals and Other Settings

Section 8.6: Guided Exercise: Configuring the Journals and Other Settings

Section 8.7: Lab: Configuring the Messaging Subsystem

Section 8.8: Summary

Chapter 9: Securing JBoss EAP

Section 9.1: Configuring a Database Security Domain

SectionSection 9.2: Guided Exercise: Securing an Application

Section 9.3: Configuring an LDAP Security Domain

Section 9.4: Guided Exercise: Configuring the LDAP Login Module

Section 9.5: Securing a JMS Destination

Section 9.6: Quiz: Securing a JMS Destination

Section 9.7: Configuring the Password Vault

Section 9.8: Guided Exercise: Encrypting a Password

Section 9.9: Lab: Securing JBoss EAP

Section 9.10: Summary

Chapter 10: Configuring the Java Virtual Machine

Section 10.1: Configuring the JVM in a Standalone Server

Section 10.2: Quiz: Configuring the JVM in a Standalone Server

Section 10.3: Configuring the JVM in a Managed Domain

Section 10.4: Guided Exercise: Configuring Java Virtual Machines

Section 10.5: Lab: Configuring the Java Virtual Machine

Section 10.6: Summary

Chapter 11: Configuring the Web Subsystem

Section 11.1: Exploring the Features of the Web Subsystem

Section 11.2: Quiz: Features of Web Subsystem

Section 11.3: Configuring the Web Subsystem

Section 11.4: Guided Exercise: Securing HTTP Connections

Section 11.5: Lab: Configuring the Web Subsystem

Section 11.6: Summary

Chapter 12: Deploying Clustered Applications

Section 12.1: Exploring Clustered Applications

Section 12.2: Quiz: Exploring Clustered Applications

Section 12.3: Configuring Subsystems that Support Clustered Applications

Section 12.4: Guided Exercise: Configuring JGroups for a Clustered Web Application

Section 12.5: Configuring Load Balancer

Section 12.6: Guided Exercise: Configuring Load Balancing

Section 12.7: Deploying HA Singleton Applications

Section 12.8: Quiz: Deploying an HA Singleton Applications

Section 12.9: Lab: Deploying Clustered Applications

Section 12.10: Summary

Chapter 13: Comprehensive Review

Section 13.1: Comprehensive Review

Section 13.2: Lab: Comprehensive Review of Red Hat JBoss Application Administration I

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12 13

Guided Exercise: Securing an Application

Use a database security scheme to secure the Example application.

Resources
Files:	`/home/student/AD248/labs/security-dbrealm`
Application URL:	http://127.0.0.1:8080/example

Outcomes

You should be able to configure an application to verify the username and password by using a database backed security module.

Before beginning the guided exercise, run the following command to prepare the environment:

[student@workstation ~]$ lab start security-dbrealm

Instructions

Start the standalone instance of JBoss EAP by running the following command, which uses /home/student/AD248/labs/security-dbrealm/standalone as the base directory:

[student@workstation ~]$ cd /opt/jboss-eap-7.4/bin
[student@workstation bin]$ ./standalone.sh \
-Djboss.server.base.dir=/home/student/AD248/labs/security-dbrealm/standalone/

Connect to the security data source.
In this step, you configure the non-XA data source that connects to the database storing the credentials used by the example application. The data source is used later by the security subsystem to fetch the username and the password.
The database is a MariaDB database running on localhost and it is named bksecurity. The credentials to access the database are bkadmin/redhat123. Use java:/jboss/datasource/bksecurity-ds as the JNDI name.
1. On the workstation machine, open the management console by pointing a web browser to localhost:9990.
  Use admin as the username, and redhat123 as the password. Go to the Configuration page.
2. Navigate to the data sources subsystem by clicking Subsystems and then Data Sources & Drivers.
3. In the third column click Datasources.
  Then, in the fourth column, click the arrow next to the plus icon, and click Add Datasource.
4. On the first step of the Add Datasource wizard, select MariaDB and click Next.
5. Use the following parameters to complete the form:
  Field Value
  Name bksecurity-ds
  JNDI Name java:/jboss/datasources/bksecurity-ds
  Click Next.
6. On the third step of the Add Datasource wizard, the mariadb driver is already selected. Click Next.
7. Use the following information for the database connection:
  Field Value
  Connection URL jdbc:mariadb://localhost:3306/bksecurity
  User Name bkadmin
  Password redhat123
  Security Domain Leave empty
  Click Next.
8. On step 5 of the 'Add Datasource' wizard, click Test Connection. Then click Next to review all the data, and close the wizard by clicking Finish, and Close.

Field	Value
`Name`	`bksecurity-ds`
`JNDI Name`	`java:/jboss/datasources/bksecurity-ds`

Field	Value
`Connection URL`	`jdbc:mariadb://localhost:3306/bksecurity`
`User Name`	`bkadmin`
`Password`	`redhat123`
`Security Domain`	Leave empty

Configure the security domain.

Create a security domain that uses the bksecurity-ds data source. The security domain must have a default cache type.

Go back to the Subsystem column.
In the second column, click Security Legacy. Then, click the plus icon button in the Security Domain column.
Enter bksecurity as the security domain name, and set the Cache Type to default. Click Add.

Start the management CLI in a new terminal and connect to the standalone server.

[student@workstation ~]$ cd /opt/jboss-eap-7.4/bin
[student@workstation bin]$ ./jboss-cli.sh --connect

Use the following command to create an authentication login module.
```
[standalone@localhost:9990] /subsystem=security/security-domain\
=bksecurity/authentication\
=classic:add
```
Note
The output indicates that a server reload is required. You can safely ignore that message, because you reload the server in the next steps.

Create a login module that connects to the data source. It should query the table's users and roles to identify the credentials. The password is encrypted with a SHA-256 algorithm and the hash uses a base64 encoding.

Use the following values when creating the login module:

Field	Value
`Name`	`database`
`Code`	`Database`
`Flag`	`required`
`dsJndiName`	`java:jboss/datasources/bksecurity-ds`
`principalsQuery`	`select password from users where username=?`
`rolesQuery`	`select role, "Roles" from roles where username=?`
`hashAlgorithm`	`SHA-256`
`hashEncoding`	`base64`

Use the following management CLI command to create the login module:

[standalone@localhost:9990] /subsystem=security/security-domain=bksecurity/\
authentication=classic/login-module=database:add( \
  code=Database, \
  flag=required, \
  module-options=[ \
    ("dsJndiName"=>"java:jboss/datasources/bksecurity-ds"), \
    ("principalsQuery"=>"select password from users where username=?"), \
    ("rolesQuery"=>"select role, 'Roles' from roles where username=?"), \
    ("hashAlgorithm"=>"SHA-256"), \
    ("hashEncoding"=>"base64") \
  ])

Reload the server to allow the changes to take place:
```
[standalone@localhost:9990] :reload
```

Verify that your settings are correct by running the following CLI command:

[standalone@localhost:9990] /subsystem=security/security-domain=bksecurity\
/authentication=classic/login-module=database:read-resource

The response is similar to the following output:

{
    "outcome" => "success",
    "result" => {
      "code" => "Database",
      "flag" => "required",
      "module" => undefined,
      "module-options" => {
         ("rolesQuery" => "select role, "Roles" from roles where username=?"),
         ("principalsQuery" => "select password from users where username=?"),
         ("dsJndiName" => "java:jboss/datasources/bksecurity-ds"),
         ("hashAlgorithm" => "SHA-256"),
         ("hashEncoding" => "base64"),
         }
    }
}

Note

If there is any mistake in the module-options, you can update each module option by using the map-put command in the management CLI. For example, if there is an error with the dsJndiName value, then the following command can update the module option:

[standalone@localhost:9990] /subsystem=security/security-domain\
=bksecurity/authentication=classic/login-module=database\
:map-put(name=module-options,key="dsJndiName",\
value="java:/jboss/datasources/bksecurity-ds")

Configure the application security.
To secure an application deployed on JBoss EAP, the first step is to modify the application so that it requires credentials to access it.
1. By using a text editor, open the /home/student/AD248/labs/security-dbrealm/example/src/main/webapp/WEB-INF/web.xml file.
2. After the <welcome-file-list> section, add the following XML snippet, which defines a security constraint on all URLs to the application and requires a user to be authenticated.
```
<security-constraint>
    <web-resource-collection>
         <web-resource-name>All resources</web-resource-name>
         <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
         <role-name>*</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <role-name>*</role-name>
</security-role>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>bksecurity</realm-name>
</login-config>
```
Save your changes to the web.xml file.
Configure the security domain in the application.
1. Using a text editor, open the jboss-web.xml file in the /home/student/AD248/labs/security-dbrealm/example/src/main/webapp/WEB-INF directory.
2. Within the <jboss-web> tag, enter the following <security-domain> tag:
```
<security-domain>bksecurity</security-domain>
```
  bksecurity references the security domain that was created previously.
3. Save your changes to the jboss-web.xml file.

Package the application.

Open a new terminal and enter the following command to create a WAR file of the example application:

[student@workstation ~]$ cd /home/student/AD248/labs/security-dbrealm/\
example/src/main/webapp
[student@workstation webapp]$ jar -cvf example.war .

Deploy the application.
Using the management console or management CLI, deploy the example.war file located at /home/student/AD248/labs/security-dbrealm/example/src/main/webapp/ on the standalone server.
```
[standalone@localhost:9990 /] deploy \
/home/student/AD248/labs/security-dbrealm/example/src/main/webapp/example.war
```
Inspect the server log in the terminal console, and verify that there are no errors on the deployment.
Verify the security settings.
1. Navigate to http://127.0.0.1:8080/example/. You should be prompted to log in.
2. Enter admin as the username and admin as the password. You should see the "Welcome to JBoss EAP 7" page after you are logged in successfully.
  Note
  If the authentication fails with those credentials, verify that the security domain was set up correctly with the correct values for each module option.
3. Undeploy the example application from the standalone server by using the management CLI:
```
[standalone@localhost:9990] undeploy example.war
```
4. Exit the management CLI and stop the running instance of JBoss EAP.

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish security-dbrealm

Discuss Red Hat JBoss Enterprise Application Platform Administration I

Go to community

Welcome to the Red Hat JBoss Application Administration 1 (AD248) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat JBoss Application Administration I! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to AD248.Read more about Red Hat JBoss Application Administration I here.

270

Revision: ad248-7.4-18a9db2