Chapter 9. Security Mapping Modules


The following security mapping modules are provided in JBoss EAP 6.

Class | Code | Type
org.jboss.security.mapping.providers.role.PropertiesRolesMappingProvider | PropertiesRoles | role
org.jboss.security.mapping.providers.role.SimpleRolesMappingProvider | SimpleRoles | role
org.jboss.security.mapping.providers.DeploymentRolesMappingProvider | DeploymentRoles | role
org.jboss.security.mapping.providers.role.DatabaseRolesMappingProvider | DatabaseRoles | role
org.jboss.security.mapping.providers.role.LdapRolesMappingProvider | LdapRoles | role
org.jboss.security.mapping.providers.attribute.LdapAttributeMappingProvider | LdapAttributes | attribute
org.jboss.security.mapping.providers.DeploymentRoleToRolesMappingProvider | (none; use the full class name as the code) | role
org.jboss.security.mapping.providers.attribute.DefaultAttributeMappingProvider | (none; use the full class name as the code) | attribute

9.1. PropertiesRolesMappingProvider

Code: PropertiesRoles

Class: org.jboss.security.mapping.providers.role.PropertiesRolesMappingProvider

Type: role

A MappingProvider that reads roles from a properties file in the following format: username=role1,role2,...

Options:

rolesProperties (String)
    Properties-formatted file name. Expansion of JBoss EAP 6 variables can be used in the form ${jboss.variable}.
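Added example (not from the Red Hat documentation) of wiring this module into a security domain in the EAP 6 security subsystem; the domain name, file name and user entries are assumed.

```xml
<!-- Added example, not from the Red Hat documentation. Domain name, file and users are assumed. -->
<!-- Contents of ${jboss.server.config.dir}/app-roles.properties, one username=role1,role2 line per user:
     alice=Admin,Users
     bob=Users
-->
<security-domain name="app-domain">
  <mapping>
    <mapping-module code="PropertiesRoles" type="role">
      <!-- Variable expansion keeps the file under the server configuration directory
           instead of a hard-coded absolute path -->
      <module-option name="rolesProperties" value="${jboss.server.config.dir}/app-roles.properties"/>
    </mapping-module>
  </mapping>
</security-domain>
```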

9.2. SimpleRolesMappingProvider

Code: SimpleRoles

Class: org.jboss.security.mapping.providers.role.SimpleRolesMappingProvider

Type: role

A simple MappingProvider that reads roles from the options map. The option's attribute name is the name of the principal to assign roles to, and the attribute value is the comma-separated list of role names to assign to that principal.

Example

<module-option name="JavaDuke" value="JBossAdmin,Admin"/>
<module-option name="joe" value="Users"/>

9.3. DeploymentRolesMappingProvider

Code: DeploymentRoles

Class: org.jboss.security.mapping.providers.DeploymentRolesMappingProvider

Type: role

A Role Mapping Module that takes into consideration a principal to roles mapping that can be done in jboss-web.xml and jboss-app.xml deployment descriptors.

Example

<jboss-web>
...
  <security-role>
    <role-name>Support</role-name>
    <principal-name>Mark</principal-name>
    <principal-name>Tom</principal-name>
  </security-role>
...
</jboss-web>

9.4. DatabaseRolesMappingProvider

Code: DatabaseRoles

Class: org.jboss.security.mapping.providers.role.DatabaseRolesMappingProvider

Type: role

A MappingProvider that reads roles from a database.

Options:

dsJndiName (String)
    JNDI name of the data source used to map roles to the user.

rolesQuery (String)
    This option should be a prepared statement equivalent to select RoleName from Roles where User=?. The ? is substituted with the current principal name.

suspendResume (boolean)
    If true, the transaction associated with the current thread is suspended and later resumed while performing the search for roles.

transactionManagerJndiName (String)
    JNDI name of the Transaction manager (default is java:/TransactionManager).
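Added example (not from the Red Hat documentation) of a DatabaseRoles mapping module; the datasource JNDI name, table and column names are assumed.

```xml
<!-- Added example, not from the Red Hat documentation. Datasource and table layout are assumed:
     create table AppRoles (UserName varchar(64) not null, RoleName varchar(64) not null)
-->
<security-domain name="db-roles-domain">
  <mapping>
    <mapping-module code="DatabaseRoles" type="role">
      <module-option name="dsJndiName" value="java:jboss/datasources/AppDS"/>
      <!-- Keep the query a prepared statement: the principal name is bound to the single '?'
           placeholder by the module, never concatenated into the SQL text -->
      <module-option name="rolesQuery" value="select RoleName from AppRoles where UserName=?"/>
      <!-- Run the role lookup outside any transaction already active on the calling thread -->
      <module-option name="suspendResume" value="true"/>
      <module-option name="transactionManagerJndiName" value="java:/TransactionManager"/>
    </mapping-module>
  </mapping>
</security-domain>
```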

9.5. LdapRolesMappingProvider

Code: LdapRoles

Class: org.jboss.security.mapping.providers.role.LdapRolesMappingProvider

Type: role

A mapping provider that assigns roles to a user, using an LDAP server to search for the roles.

Options:

bindDN (String)
    The DN used to bind against the LDAP server for the user and roles queries. This DN needs read and search permissions on the baseCtxDN and rolesCtxDN values.

bindCredential (String)
    The password for the bindDN. This can be encrypted via the vault mechanism.

rolesCtxDN (String)
    The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.

roleAttributeID (String)
    The LDAP attribute which contains the names of authorization roles.

roleAttributeIsDN (boolean)
    Whether or not the roleAttributeID contains the fully-qualified DN of a role object. If false, the role name is taken from the value of the roleNameAttributeId attribute of the context name. Certain directory schemas, such as Microsoft Active Directory, require this attribute to be set to true.

roleNameAttributeID (String)
    Name of the attribute within the roleCtxDN context which contains the role name. If the roleAttributeIsDN property is set to true, this property is used to find the role object's name attribute.

parseRoleNameFromDN (boolean)
    A flag indicating if the DN returned by a query contains the roleNameAttributeID. If set to true, the DN is checked for the roleNameAttributeID. If set to false, the DN is not checked for the roleNameAttributeID. This flag can improve the performance of LDAP queries.

roleFilter (String)
    A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).

roleRecursion (number)
    The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.

searchTimeLimit (number)
    The timeout in milliseconds for the user/role searches. The default value is 10000.

searchScope (String)
    The search scope to use.
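Added example (not from the Red Hat documentation) of an LdapRoles mapping module configured for an Active Directory style schema, where group membership is stored as DNs on the user object. The directory host, DNs, vault block and the pass-through of java.naming.* options to the LDAP context are assumptions.

```xml
<!-- Added example, not from the Red Hat documentation. Host, DNs and vault block are assumed. -->
<security-domain name="ad-roles-domain">
  <mapping>
    <mapping-module code="LdapRoles" type="role">
      <!-- JNDI provider settings (assumed to be passed through to the LDAP context); TLS on the wire -->
      <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
      <module-option name="java.naming.provider.url" value="ldaps://ad.example.com:636"/>
      <!-- Least-privilege service account with read/search rights on rolesCtxDN only;
           the password comes from the vault instead of appearing in clear text -->
      <module-option name="bindDN" value="CN=svc-jboss,OU=Service Accounts,DC=example,DC=com"/>
      <module-option name="bindCredential" value="${VAULT::ldap::bindCredential::1}"/>
      <!-- Where the user accounts live: AD keeps group membership on the user, in memberOf -->
      <module-option name="rolesCtxDN" value="OU=Users,DC=example,DC=com"/>
      <!-- {0} is replaced by the input username -->
      <module-option name="roleFilter" value="(sAMAccountName={0})"/>
      <module-option name="roleAttributeID" value="memberOf"/>
      <!-- memberOf holds group DNs, so take each role name from the group's cn -->
      <module-option name="roleAttributeIsDN" value="true"/>
      <module-option name="roleNameAttributeID" value="cn"/>
      <!-- Read cn straight out of the returned DN and skip one lookup per group -->
      <module-option name="parseRoleNameFromDN" value="true"/>
      <!-- No nested-group walk; bound the search time so a slow directory cannot stall logins -->
      <module-option name="roleRecursion" value="0"/>
      <module-option name="searchTimeLimit" value="5000"/>
      <module-option name="searchScope" value="SUBTREE_SCOPE"/>
    </mapping-module>
  </mapping>
</security-domain>
```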

9.6. LdapAttributeMappingProvider

Code: LdapAttributes

Class: org.jboss.security.mapping.providers.attribute.LdapAttributeMappingProvider

Type: attribute

Maps attributes from LDAP to the subject. The options include whatever options your LDAP JNDI provider supports.

Examples of Standard Property Names

Context.INITIAL_CONTEXT_FACTORY = "java.naming.factory.initial"
Context.SECURITY_PROTOCOL = "java.naming.security.protocol"
Context.PROVIDER_URL = "java.naming.provider.url"
Context.SECURITY_AUTHENTICATION = "java.naming.security.authentication"

Options:

bindDN (String)
    The DN used to bind against the LDAP server for the user and roles queries. This DN needs read and search permissions on the baseCtxDN and rolesCtxDN values.

bindCredential (String)
    The password for the bindDN. This can be encrypted if the jaasSecurityDomain is specified.

baseCtxDN (String)
    The fixed DN of the context to start the user search from.

baseFilter (String)
    A search filter used to locate the context of the user to authenticate. The input username or userDN as obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. This substitution behavior comes from the standard DirContext.search(Name, String, Object[], SearchControls cons) method. A common example search filter is (uid={0}).

searchTimeLimit (number)
    The timeout in milliseconds for the user/role searches. The default value is 10000.

attributeList (String)
    A comma-separated list of attributes for the user. For example, mail,cn,sn,employeeType,employeeNumber.

jaasSecurityDomain (String)
    The JaasSecurityDomain to use to decrypt the java.naming.security.credentials. The encrypted form of the password is that returned by the JaasSecurityDomain#encrypt64(byte[]) method. The org.jboss.security.plugins.PBEUtils can also be used to generate the encrypted form.

9.7. DeploymentRoleToRolesMappingProvider

Class: org.jboss.security.mapping.providers.DeploymentRoleToRolesMappingProvider

Type: role

A Role to Roles Mapping Module that takes into consideration a principal to roles mapping that can be done in the jboss-web.xml and jboss-app.xml deployment descriptors. In this case, each principal-name denotes a role rather than a principal, and role-name is the additional role mapped onto it.

Example

<jboss-web>
...
  <security-role>
    <role-name>Employee</role-name>
    <principal-name>Support</principal-name>
    <principal-name>Sales</principal-name>
  </security-role>
...
</jboss-web>

In the above example, each principal having the role Support or Sales will also have the role Employee assigned.

Note

This mapping provider does not have a code associated with it so the full class name must be in the code field when configuring.
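Added example (not from the Red Hat documentation) contrasting a module that has a code alias with this one, which must be referenced by its full class name; the domain name is assumed.

```xml
<!-- Added example, not from the Red Hat documentation; the domain name is assumed. -->
<security-domain name="app-domain">
  <mapping>
    <!-- DeploymentRoles has a code alias, so the short code works -->
    <mapping-module code="DeploymentRoles" type="role"/>
    <!-- DeploymentRoleToRoles has no code alias: the full class name goes in the code field -->
    <mapping-module code="org.jboss.security.mapping.providers.DeploymentRoleToRolesMappingProvider" type="role"/>
  </mapping>
</security-domain>
```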

9.8. DefaultAttributeMappingProvider

Class: org.jboss.security.mapping.providers.attribute.DefaultAttributeMappingProvider

Type: attribute

Locates the principal name in the mapping context, builds an e-mail address attribute from the module option named principalName + .email, and maps that attribute to the given principal.

Options:

principalName (String)
    Principal name used to create the e-mail address attribute.

Note

This mapping provider does not have a code associated with it so the full class name must be in the code field when configuring.
