Chapter 3. Login Modules Without External Identity Store
3.1. Identity Login Module
Short name: Identity
Full name: org.jboss.security.auth.spi.IdentityLoginModule
Parent: AbstractServer Login Module
Identity login module is a simple login module that associates a hard-coded user name to any subject authenticated against the module. It creates a SimplePrincipal instance using the name specified by the principal option. This login module is useful when a fixed identity is required to be provided to a service. This can also be used in development environments for testing the security associated with a given principal and associated roles.
Option | Type | Default | Description |
---|---|---|---|
principal | String | guest | The name to use for the principal. |
roles | comma-separated list of Strings | none | A comma-delimited list of roles which will be assigned to the subject. |
3.2. UsersRoles Login Module
Short name: UsersRoles
Full name: org.jboss.security.auth.spi.UsersRolesLoginModule
Parent: UsernamePassword Login Module
The UsersRoles login module is a simple login module that supports multiple users and user roles loaded from Java properties files. The primary purpose of this login module is to easily test the security settings of multiple users and roles using properties files deployed with the application.
Option | Type | Default | Description |
---|---|---|---|
usersProperties | Path to a file or resource. | users.properties | The file or resource which contains the user-to-password mappings. The format of the file is |
rolesProperties | Path to a file or resource. | roles.properties | The file or resource which contains the user-to-role mappings. The format of the file is |
defaultUsersProperties | String | | The name of the properties resource containing the username-to-password mappings that will be used as the default properties passed to the |
defaultRolesProperties | String | | The name of the properties resource containing the username-to-roles mappings that will be used as the default properties passed to the |
roleGroupSeperator | String | . | The character used to separate the role group name from the user name, for example |
3.3. PropertiesUsers Login Module
Short name: PropertiesUsers
Full name: org.jboss.security.auth.spi.PropertiesUsersLoginModule
Parent: UsersRoles Login Module
The PropertiesUsers login module uses a properties file to store user names and passwords for authentication. No authorization (role mapping) is provided. This module is only appropriate for testing.
3.4. SimpleUsers Login Module
Short name: SimpleUsers
Full name: org.jboss.security.auth.spi.SimpleUsersLoginModule
Parent: PropertiesUsers Login Module
The SimpleUsers login module stores the user name and clear-text password using module-option. The name and value attributes of the module-option specify a user name and password. It is included for testing only, and is not appropriate for a production environment.
3.5. SecureIdentity Login Module
Short name: SecureIdentity
Full name: org.picketbox.datasource.security.SecureIdentityLoginModule
Parent: AbstractPasswordCredential Login Module
The SecureIdentity login module is provided for legacy purposes. It allows users to encrypt a password and then use the encrypted password with a static principal. If an application uses SecureIdentity, consider using a password vault mechanism instead.
Option | Type | Default | Description |
---|---|---|---|
username | String | none | The user name for authentication. |
password | encrypted String | "" | The password to use for authentication. To encrypt the password, use the module directly at the command line, for example |
managedConnectionFactoryName | JCA resource | none | The name of the JCA connection factory for your datasource. |
3.6. ConfiguredIdentity Login Module
Short name: ConfiguredIdentity
Full name: org.picketbox.datasource.security.ConfiguredIdentityLoginModule
Parent: AbstractPasswordCredential Login Module
The ConfiguredIdentity login module associates the principal specified in the module options with any subject authenticated against the module. The type of Principal class used is org.jboss.security.SimplePrincipal.
Option | Type | Default | Description |
---|---|---|---|
username | String | none | The user name for authentication. |
password | encrypted String | "" | The password to use for authentication, which can be encrypted via the vault mechanism. The default value is an empty String. |
principal | Name of a principal | none | The principal which will be associated with any subject authenticated against the module. |
3.7. Simple Login Module
Short name: Simple
Full name: org.jboss.security.auth.spi.SimpleServerLoginModule
Parent: UsernamePassword Login Module
The Simple login module is a module for quick setup of security for testing purposes. It implements the following simple algorithm:
- If the password is null, authenticate the user and assign an identity of guest and a role of guest.
- Otherwise, if the password is equal to the user, assign an identity equal to the username and both user and guest roles.
- Otherwise, authentication fails.
The Simple login module has no options.
3.8. Disabled Login Module
Short name: Disabled
Full name: org.jboss.security.auth.spi.DisabledLoginModule
A login module that always fails authentication. It is to be used for a security domain that needs to be disabled, for instance when we do not want JAAS to fall back to using the other security domain.
Option | Type | Default | Description |
---|---|---|---|
jboss.security.security_domain | String | | Name of security domain to display in error message. |
3.9. Anon Login Module
Short name: Anon
Full name: org.jboss.security.auth.spi.AnonLoginModule
Parent: UsernamePassword Login Module
A simple login module that allows for the specification of the identity of unauthenticated users via the unauthenticatedIdentity property. This login module has no additional options beyond its inherited options from UsernamePassword Login Module.
3.10. RunAs Login Module
Short name: RunAs
Full name: org.jboss.security.auth.spi.RunAsLoginModule
The RunAs login module is a helper module that pushes a run as role onto the stack for the duration of the login phase of authentication, then pops the run as role from the stack in either the commit or abort phase. The purpose of this login module is to provide a role for other login modules that must access secured resources in order to perform their authentication, for example, a login module that accesses a secured EJB. The RunAs login module must be configured ahead of the login modules that require a run as role established.
Option | Type | Default | Description |
---|---|---|---|
roleName | role name | nobody | The name of the role to use as the |
principalName | principal name | nobody | Name of the principal to use as the |
principalClass | A fully qualified classname. | org.jboss.security.SimplePrincipal | A Principal implementation class which contains a constructor that takes String arguments for the principal name. |
3.11. RoleMapping Login Module
Short name: RoleMapping
Full name: org.jboss.security.auth.spi.RoleMappingLoginModule
Parent: AbstractServer Login Module
The RoleMapping login module supports mapping roles that are the end result of the authentication process to one or more declarative roles. For example, if the authentication process has determined that the user John has the roles ldapAdmin and testAdmin, and the declarative role defined in the web.xml or ejb-jar.xml file for access is admin, then this login module maps the admin roles to John. The RoleMapping login module must be defined as an optional module to a login module configuration as it alters mapping of the previously mapped roles.
Option | Type | Default | Description |
---|---|---|---|
rolesProperties | The fully qualified file path and name of a properties file or resource | none | The fully qualified file path and name of a properties file or resource which maps roles to replacement roles. The format is |
replaceRole | true or false | false | Whether to add to the current roles, or replace the current roles with the mapped ones. Replaces if set to true. |
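An added example, not part of the original reference or of JBoss EAP itself: a small Python audit that flags login modules this chapter describes as testing-only or legacy (sections 3.2 to 3.5 and 3.7) and a RoleMapping module whose flag is not optional. The XML element layout, the namespace and the sample values are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# (short name, full class name, finding); names and wording follow this chapter.
# The code attribute of a login-module may carry either form of the name.
SPI = "org.jboss.security.auth.spi."
MODULES = [
    ("UsersRoles", SPI + "UsersRolesLoginModule", "testing only"),
    ("PropertiesUsers", SPI + "PropertiesUsersLoginModule", "testing only"),
    ("SimpleUsers", SPI + "SimpleUsersLoginModule", "testing only"),
    ("Simple", SPI + "SimpleServerLoginModule", "testing only"),
    ("SecureIdentity", "org.picketbox.datasource.security.SecureIdentityLoginModule",
     "legacy, consider a password vault"),
]
FLAGGED = {name: why for short, full, why in MODULES for name in (short, full)}
ROLE_MAPPING = ("RoleMapping", SPI + "RoleMappingLoginModule")

# Constructed sample; the element layout and namespace are assumptions.
SAMPLE = """<subsystem xmlns="urn:jboss:domain:security:2.0"><security-domains>
  <security-domain name="app"><authentication>
    <login-module code="SimpleUsers" flag="required">
      <module-option name="alice" value="constructed-password"/>
    </login-module>
    <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="required"/>
  </authentication></security-domain>
  <security-domain name="other"><authentication>
    <login-module code="RealmDirect" flag="required"/>
  </authentication></security-domain>
</security-domains></subsystem>"""

def local(element):
    return element.tag.rsplit("}", 1)[-1]  # tag name without its XML namespace

def audit(xml_text):
    """Return (domain, module code, finding) for each flagged login module."""
    findings = []
    for domain in ET.fromstring(xml_text).iter():
        if local(domain) != "security-domain":
            continue
        for mod in (e for e in domain.iter() if local(e) == "login-module"):
            code = mod.get("code", "")
            if code in FLAGGED:
                findings.append((domain.get("name"), code, FLAGGED[code]))
            if code in ROLE_MAPPING and mod.get("flag") != "optional":
                findings.append((domain.get("name"), code, "flag is not optional"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(": ".join(finding))
```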
3.12. RealmDirect Login Module
Short name: RealmDirect
Full name: org.jboss.as.security.RealmDirectLoginModule
Parent: UsernamePassword Login Module
The RealmDirect login module allows an existing security realm to be used in making authentication and authorization decisions. When configured, this module will look up identity information using the referenced realm for making authentication decisions and delegate to that security realm for authorization decisions. For example, the pre-configured other security domain that ships with JBoss EAP has a RealmDirect login module. If no realm is referenced in this module, the ApplicationRealm security realm is used by default.
Option | Type | Default | Description |
---|---|---|---|
realm | String | ApplicationRealm | Name of the desired realm. |
The RealmDirect login module uses realm only for legacy security and not for Elytron.
3.13. RealmUsersRoles Login Module
Short name: RealmUsersRoles
Full name: org.jboss.as.security.RealmUsersRolesLoginModule
Parent: UsersRoles Login Module
A login module which can authenticate users from a given realm. Used for remoting calls. Use of RealmDirect is recommended instead of RealmUsersRoles.
Option | Type | Default | Description |
---|---|---|---|
realm | String | ApplicationRealm | Name of the desired realm. |
hashAlgorithm | String | REALM | Static value set by login module for option from inherited UsernamePassword Login Module. |
hashStorePassword | String | false | Static value set by login module for option from inherited UsernamePassword Login Module. |
The RealmUsersRoles login module uses realm only for legacy security and not for Elytron.