Search
SupportConsoleDevelopersStart a trialContact

2.3. Defining Application Security Domain

download PDF
To allow an application to communicate with the application server through the SPNEGOLoginModule, you need to define the application security domain on the application server.
To define the application security domain, do the following:
  1. Open the $JBOSS_HOME/jboss-as/server/$PROFILE/conf/login-config.xml file for editing.
  2. Define a new application policy with the following chained configuration:
    • The SPNEGOLoginModule and its configuration with the following options:
      <module-option name="password-stacking">useFirstPass</module-option>
      The password-stacking option activates client-side authentication of clients with other login modules. Set the password-stacking option to useFirstPass, so the module looks first for a shared user name and password with javax.security.auth.login.name and javax.security.auth.login.password respectively (for further information refer to Password Stacking in the Security Guide).
      <module-option name="serverSecurityDomain">DomainName</module-option>
      The serverSecurityDomain option defines the server security domain, which defines the authentication module (Kerberos) and server authentication properties (refer to Section 2.2, “Defining Server Security Domain”).
    • The login module which returns the roles of the authenticated user and its configuration options. You can make use of the UsersRolesLoginModule that obtains the user roles from a properties file or AdvancedLdapLoginModule, which obtains user roles from an LDAP server following GSSAPI. For further information refer to Section 2.4, “Role Mapping”.

Example 2.2. Application Security Domain

<application-policy name="SPNEGO">
   <authentication>
      <login-module
         code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule"
         flag="requisite">
         <module-option name="password-stacking">useFirstPass</module-option>
         <module-option name="serverSecurityDomain">host</module-option>
      </login-module>
      <login-module
         code="org.jboss.security.auth.spi.UsersRolesLoginModule"
         flag="required">
         <module-option name="password-stacking">useFirstPass</module-option>
         <module-option name="usersProperties">props/spnego-users.properties</module-option>
         <module-option name="rolesProperties">props/spnego-roles.properties</module-option>
      </login-module>
   </authentication>
</application-policy>
In Example 2.2, “Application Security Domain” we have defined an application security domain called SPNEGO with two login modules:
  • org.jboss.security.negotiation.spnego.SPNEGOLoginModule provides SPNEGO user authentication;
  • org.jboss.security.auth.spi.UsersRolesLoginModule returns the roles of the user authenticated by the SPNEGOLoginModule (the roles are filtered from a users properties file).
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.