Red Hat Summit Red Hat SummitApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Este contenido no está disponible en el idioma seleccionado.

Chapter 3. Additional Features

3.1. Adding a FORM Login as a Fallback
Copiar enlace

JBoss EAP 6 and applications deployed to it can also configure a FORM login authentication mechanism to use as a fallback. This allows applications to present a login page for authentication in cases where a Keberos/SPNEGO tokens are not present. This authentication happens independent of the Kerberos authentication. As a result, depending on how the FORM login fallback is configured, users may require separate credentials to authenticate via this method.

The following steps are required to configure FORM login as a fallback:

  1. Configure Red Hat JBoss Enterprise Application Platform 6 and the web application to use Kerberos and SPNEGO
  2. Update the Security Domain for Fallback Authentication
  3. Add the login and error pages
  4. Modify the web.xml
Note

The fallback to FORM logic is available in the case when no SPNEGO (or NTLM) tokens are present or SPNEGO token is present but from another KDC.

Please refer to the previous section for the steps required to configure JBoss EAP 6 and web applications to use Kerberos and SPNEGO for authentication and authorization. ⁠

3.1.2. 2. Update the Security Domain for Fallback Authentication
Copiar enlace

The web application security domain must be configured to support a fallback login mechanism. This requires the following steps:

  • Add a new security domain to server as a fallback authentication method.
  • Add a usernamePasswordDomain module option to the web application security domain that points to the fallback domain.

Example Security Domain Configured with a Fallback Security Domain

<security-domain name="app-spnego" cache-type="default">
  <authentication>
    <login-module code="SPNEGO" flag="requisite">
      <module-option name="password-stacking" value="useFirstPass"/>
      <module-option name="serverSecurityDomain" value="host"/>
      <module-option name="usernamePasswordDomain" value="app-fallback"/>
    </login-module>
    <!--login module for mapping roles -->
    <login-module code="UsersRoles" flag="required">
      <module-option name="password-stacking" value="useFirstPass"/>
      <module-option name="usersProperties"
        value="file:${jboss.server.config.dir}/users.properties"/>
      <module-option name="rolesProperties"
        value="file:${jboss.server.config.dir}/roles.properties"/>
    </login-module>
  </authentication>
</security-domain>
<security-domain name="app-fallback" cache-type="default">
  <authentication>
    <login-module code="UsersRoles" flag="required">
      <module-option name="usersProperties"
        value="file:${jboss.server.config.dir}/fallback-users.properties"/>
      <module-option name="rolesProperties"
        value="file:${jboss.server.config.dir}/fallback-roles.properties"/>
    </login-module>
  </authentication>
</security-domain>
Copy to Clipboard Toggle word wrap

3.1.3. 3. Add the Login and Error Pages
Copiar enlace

To use FORM login, a login and error page are required. These files are added to web application and are used in the authentication process.

Example login.jsp file:

<html>
<head></head>
<body>
  <form id="login_form" name="login_form" method="post"
  action="j_security_check" enctype="application/x-www-form-urlencoded">
    <center>
	  <p>Please login to proceed.</p>
	</center>
	<div style="margin-left: 15px;">
	  <p>
	    <label for="username">Username</label>
		<br />
		<input id="username" type="text" name="j_username"/>
	  </p>
	  <p>
	    <label for="password">Password</label>
		<br />
		<input id="password" type="password" name="j_password" value=""/>
	  </p>
	  <center>
	    <input id="submit" type="submit" name="submit" value="Login"/>
	  </center>
	</div>
  </form>
</body>
</html>
Copy to Clipboard Toggle word wrap

Example error.jsp file:

<html>
<head></head>
<body>
  <p>Login failed, please go back and try again.</p>
</body>
</html>
Copy to Clipboard Toggle word wrap

3.1.4. 4. Modify the web.xml
Copiar enlace

After adding the login and error pages to the web application, the web.xml must be updated to use these files for FORM login. A <form-login-config> element is added to <login-config> and the paths to the the login and error pages are specified as <form-login-page> and <form-error-page> elements.

Example updated web.xml file:

<web-app>
  <display-name>App1</display-name>
  <description>App1</description>
  <!-- Define a security constraint that requires the All role to access resources -->
  <security-constraint>
    <display-name>Security Constraint on Conversation</display-name>
    <web-resource-collection>
      <web-resource-name>examplesWebApp</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>All</role-name>
    </auth-constraint>
  </security-constraint>
<!-- Define the Login Configuration for this Application -->
  <login-config>
    <auth-method>SPNEGO</auth-method>
    <realm-name>SPNEGO</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
<!-- Security roles referenced by this web application -->
  <security-role>
    <description> role required to log in to the Application</description>
    <role-name>All</role-name>
  </security-role>
</web-app>
Copy to Clipboard Toggle word wrap

3.2. Securing the Management Interfaces with Kerberos
Copiar enlace

In addition to providing Kerberos authentication in security domains, JBoss EAP 6 also provides the ability to secure the management interfaces using Kerberos. To enable Kerberos authentication on the management interfaces, the following steps must be performed:

  1. Enable Relavant System Properties
  2. Add the Kerberos Server Identity to the Security Realm
  3. Update Authentication Method in the Security Realm
Note

The CLI commands shown below were done assuming a standalone instance of JBoss EAP 6. For more details on using the CLI with JBoss EAP 6 domains, please consult The Management CLI section of the Red Hat JBoss Enterprise Application Platform 6 Administration and Configuration Guide.

3.2.1. 1. Enable Relavant System Properties
Copiar enlace

As discussed in a previous section, enable any needed JBoss EAP 6 system properties for connecting to the Kerberos server.

3.2.2. 2. Adding the Kerberos Server Identity to the Security Realm
Copiar enlace

Before Kerberos authentication can be used in a security realm, a connection to a Kerberos server must be added. The following example shows how to add a Kerberos server identity to the existing Management Realm.

Example CLI for Adding a Server Identity to a Security Realm

/core-service=management/security-realm=ManagementRealm/server-identity=kerberos:add
Copy to Clipboard Toggle word wrap 

/core-service=management/security-realm=ManagementRealm/server-identity=kerberos/ \
keytab=host\/testserver@MY_REALM:add( \
path=/home\/username\/service.keytab, \
debug=true)
Copy to Clipboard Toggle word wrap 
reload
Copy to Clipboard Toggle word wrap

Resulting XML

<security-realm name="ManagementRealm">
    <server-identities>
        <kerberos>
            <keytab principal="host/testserver@MY_REALM"
                    path="/home/username/service.keytab"
                    debug="true"/>
        </kerberos>
    </server-identities>
    ...
</security-realm>
Copy to Clipboard Toggle word wrap

3.2.3. 3. Updating Authentication Method in the Security Realm
Copiar enlace

Once the Kerberos server identity has been properly configured, the authentication method in the security realm needs to be updated to use it.

Example CLI for Adding Kerberos Authentication to a Security Realm

/core-service=management/security-realm=ManagementRealm/authentication=kerberos:add
Copy to Clipboard Toggle word wrap 

reload
Copy to Clipboard Toggle word wrap

Resulting XML

<security-realm name="ManagementRealm">
    <server-identities>
        <kerberos>
            <keytab principal="host/testserver@MY_REALM"
                    path="/home/username/service.keytab"
                    debug="true"/>
        </kerberos>
    </server-identities>
    <authentication>
        <local default-user="$local" skip-group-loading="true"/>
        <kerberos/>
        <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
    ...
</security-realm>
Copy to Clipboard Toggle word wrap

Red Hat logoGithubredditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar. Explore nuestras recientes actualizaciones.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

Theme

© 2026 Red HatVolver arriba