Red Hat SummitEste contenido no está disponible en el idioma seleccionado.
2.3. Defining Application Security Domain
To allow an application to communicate with the application server through the SPNEGOLoginModule, you need to define the application security domain on the application server.
To define the application security domain, do the following:
- Open the
$JBOSS_HOME/jboss-as/server/$PROFILE/conf/login-config.xmlfile for editing. - Define a new application policy with the following chained configuration:
- The SPNEGOLoginModule and its configuration with the following options:
- <module-option name="password-stacking">useFirstPass</module-option>
- The password-stacking option activates client-side authentication of clients with other login modules. Set the
password-stackingoption touseFirstPass, so the module looks first for a shared user name and password withjavax.security.auth.login.nameandjavax.security.auth.login.passwordrespectively (for further information refer to Password Stacking in the Security Guide). - <module-option name="serverSecurityDomain">DomainName</module-option>
- The serverSecurityDomain option defines the server security domain, which defines the authentication module (Kerberos) and server authentication properties (refer to Section 2.2, “Defining Server Security Domain”).
- The login module which returns the roles of the authenticated user and its configuration options. You can make use of the UsersRolesLoginModule that obtains the user roles from a properties file or AdvancedLdapLoginModule, which obtains user roles from an LDAP server following GSSAPI. For further information refer to Section 2.4, “Role Mapping”.
Example 2.2. Application Security Domain
In Example 2.2, “Application Security Domain” we have defined an application security domain called
SPNEGO with two login modules:
org.jboss.security.negotiation.spnego.SPNEGOLoginModuleprovides SPNEGO user authentication;org.jboss.security.auth.spi.UsersRolesLoginModulereturns the roles of the user authenticated by the SPNEGOLoginModule (the roles are filtered from a users properties file).
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}