Chapter 3. Login Modules Without External Identity Store
3.1. Identity Login Module
Short name: Identity
Full name: org.jboss.security.auth.spi.IdentityLoginModule
Parent: AbstractServerLoginModule
Identity login module is a simple login module that associates a hard-coded user name to any subject authenticated against the module. It creates a SimplePrincipal instance using the name specified by the principal option. This login module is useful when a fixed identity is required to be provided to a service. This can also be used in development environments for testing the security associated with a given principal and associated roles.
Option | Type | Default | Description |
---|---|---|---|
principal | String | guest | The name to use for the principal. |
roles | comma-separated list of Strings | none | A comma-delimited list of roles which will be assigned to the subject. |
3.2. UsersRoles Login Module
Short name: UsersRoles
Full name: org.jboss.security.auth.spi.UsersRolesLoginModule
Parent: UsernamePasswordLoginModule
UsersRoles login module is a simple login module that supports multiple users and user roles loaded from Java properties files. The primary purpose of this login module is to easily test the security settings of multiple users and roles using properties files deployed with the application.
Option | Type | Default | Description |
---|---|---|---|
usersProperties | Path to a file or resource. | users.properties | The file or resource which contains the user-to-password mappings. The format of the file is username=password |
rolesProperties | Path to a file or resource. | roles.properties | The file or resource which contains the user-to-role mappings. The format of the file is username=role1,role2,role3 |
defaultUsersProperties | String | defaultUsers.properties | The name of the properties resource containing the username-to-password mappings that will be used as the default properties passed to the usersProperties properties. |
defaultRolesProperties | String | defaultRoles.properties | The name of the properties resource containing the username-to-roles mappings that will be used as the default properties passed to the usersProperties properties. |
roleGroupSeperator | String | . | The character used to separate the role group name from the username (e.g. . in jduke.CallerPrincipal=…). |
3.3. PropertiesUsers Login Module
Short name: PropertiesUsers
Full name: org.jboss.security.auth.spi.PropertiesUsersLoginModule
Parent: UsersRoles Login Module
The PropertiesUsers login module uses a properties file to store usernames and passwords for authentication. No authorization (role mapping) is provided. This module is only appropriate for testing.
3.4. SimpleUsers Login Module
Short name: SimpleUsers
Full name: org.jboss.security.auth.spi.SimpleUsersLoginModule
Parent: PropertiesUsers Login Module
The SimpleUsers login module stores the username and clear-text password using module-option. The name and value attributes of each module-option specify a username and password. It is included for testing only, and is not appropriate for a production environment.
3.5. SecureIdentity Login Module
Short name: SecureIdentity
Full name: org.picketbox.datasource.security.SecureIdentityLoginModule
Parent: AbstractPasswordCredentialLoginModule
The SecureIdentity login module is provided for legacy purposes. It allows users to encrypt a password and then use the encrypted password with a static principal. If an application uses SecureIdentity, consider using a password vault mechanism instead.
Option | Type | Default | Description |
---|---|---|---|
username | String | none | The username for authentication. |
password | encrypted String | "" | The password to use for authentication. To encrypt the password, use the module directly at the command line (e.g. |
managedConnectionFactoryName | JCA resource | none | The name of the JCA connection factory for your datasource. |
3.6. ConfiguredIdentity Login Module
Short name: ConfiguredIdentity
Full name: org.picketbox.datasource.security.ConfiguredIdentityLoginModule
Parent: AbstractPasswordCredentialLoginModule
The ConfiguredIdentity login module associates the principal specified in the module options with any subject authenticated against the module. The type of Principal class used is org.jboss.security.SimplePrincipal.
Option | Type | Default | Description |
---|---|---|---|
username | String | none | The username for authentication. |
password | encrypted String | "" | The password to use for authentication, which can be encrypted via the vault mechanism. The default value is an empty String. |
principal | Name of a principal | none | The principal which will be associated with any subject authenticated against the module. |
3.7. Simple Login Module
Short name: Simple
Full name: org.jboss.security.auth.spi.SimpleServerLoginModule
Parent: UsernamePasswordLoginModule
The Simple login module is a module for quick setup of security for testing purposes. It implements the following simple algorithm:
- If the password is null, authenticate the user and assign an identity of guest and a role of guest.
- Otherwise, if the password is equal to the user, assign an identity equal to the username and both user and guest roles.
- Otherwise, authentication fails.
The Simple login module has no options.
3.8. Disabled Login Module
Short name: Disabled
Full name: org.jboss.security.auth.spi.DisabledLoginModule
A login module that always fails authentication. It is to be used for a security domain that needs to be disabled, for instance when we don’t want JAAS to fall back to using the other security domain.
Option | Type | Default | Description |
---|---|---|---|
jboss.security.security_domain | String | | Name of security domain to display in error message. |
3.9. Anon Login Module
Short name: Anon
Full name: org.jboss.security.auth.spi.AnonLoginModule
Parent: UsernamePasswordLoginModule
A simple login module that allows for the specification of the identity of unauthenticated users via the unauthenticatedIdentity property. This login module has no additional options beyond its inherited options from UsernamePasswordLoginModule.
3.10. RunAs Login Module
Short name: RunAs
Full name: org.jboss.security.auth.spi.RunAsLoginModule
The RunAs login module is a helper module that pushes a run as role onto the stack for the duration of the login phase of authentication, then pops the run as role from the stack in either the commit or abort phase. The purpose of this login module is to provide a role for other login modules that must access secured resources in order to perform their authentication (for example, a login module that accesses a secured EJB). The RunAs login module must be configured ahead of the login modules that require a run as role to be established.
Option | Type | Default | Description |
---|---|---|---|
roleName | role name | nobody | The name of the role to use as the run as role during the login phase. |
principalName | principal name | nobody | Name of the principal to use as the run as principal during login phase. If not specified a default of nobody is used. |
principalClass | A fully-qualified classname. | org.jboss.security.SimplePrincipal | A Principal implementation class which contains a constructor that takes String arguments for the principal name. |
3.11. RoleMapping Login Module
Short name: RoleMapping
Full name: org.jboss.security.auth.spi.RoleMappingLoginModule
Parent: AbstractServerLoginModule
The RoleMapping login module is a login module that supports mapping roles, that are the end result of the authentication process, to one or more declarative roles. For example, if the authentication process has determined that the user John has the roles ldapAdmin and testAdmin, and the declarative role defined in the web.xml or ejb-jar.xml file for access is admin, then this login module maps the admin roles to John. The RoleMapping login module must be defined as an optional module to a login module configuration as it alters mapping of the previously mapped roles.
Option | Type | Default | Description |
---|---|---|---|
rolesProperties | The fully-qualified file path and name of a properties file or resource | none | The fully-qualified file path and name of a properties file or resource which maps roles to replacement roles. The format is original_role=role1,role2,role3 |
replaceRole | true or false | false | Whether to add to the current roles, or replace the current roles with the mapped ones. Replaces if set to true. |
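The guidance in sections 3.2 to 3.5, 3.7 and 3.11 can be checked mechanically against a server configuration. The following is an added example, not part of the original documentation or of JBoss EAP: it scans a security subsystem for modules this chapter describes as meant for testing, for the legacy SecureIdentity module, and for a RoleMapping module that is not flagged optional. The XML element layout, the `audit` and `local` helpers, and the sample domains are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

PKG = "org.jboss.security.auth.spi."
# Modules this chapter describes as meant for testing (short name -> class name).
TEST_ONLY = {
    "UsersRoles": PKG + "UsersRolesLoginModule",
    "PropertiesUsers": PKG + "PropertiesUsersLoginModule",
    "SimpleUsers": PKG + "SimpleUsersLoginModule",
    "Simple": PKG + "SimpleServerLoginModule",
}
LEGACY = {"SecureIdentity": "org.picketbox.datasource.security.SecureIdentityLoginModule"}
ROLE_MAPPING = {"RoleMapping", PKG + "RoleMappingLoginModule"}
CHECKS = ((TEST_ONLY, "test-only module"), (LEGACY, "legacy module, prefer a password vault"))

# Constructed sample; the element layout is an assumed EAP 6 security subsystem.
SAMPLE = """<subsystem xmlns="urn:jboss:domain:security:1.2"><security-domains>
 <security-domain name="app-test"><authentication>
  <login-module code="SimpleUsers" flag="required">
   <module-option name="alice" value="constructed-password"/>
  </login-module>
  <login-module code="RoleMapping" flag="required"/>
 </authentication></security-domain>
 <security-domain name="ds-legacy"><authentication>
  <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required"/>
 </authentication></security-domain>
 <security-domain name="prod"><authentication>
  <login-module code="RealmDirect" flag="required"/>
  <login-module code="RoleMapping" flag="optional"/>
 </authentication></security-domain>
</security-domains></subsystem>"""

def local(tag):
    """Strip the XML namespace so any subsystem schema version matches."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return sorted (domain, module short name, finding) tuples."""
    findings = []
    for dom in ET.fromstring(xml_text).iter():
        if local(dom.tag) != "security-domain":
            continue
        name = dom.get("name")
        for mod in (e for e in dom.iter() if local(e.tag) == "login-module"):
            code, flag = mod.get("code", ""), mod.get("flag", "")
            for table, msg in CHECKS:
                findings += [(name, s, msg) for s, f in table.items() if code in (s, f)]
            if code in ROLE_MAPPING and flag != "optional":
                findings.append((name, "RoleMapping", "flag is %r, expected optional" % flag))
    return sorted(findings)
```

Both the short name and the full class name are matched because a login module can be referenced by either in the `code` attribute.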
3.12. RealmDirect Login Module
Short name: RealmDirect
Full name: org.jboss.as.security.RealmDirectLoginModule
Parent: UsernamePasswordLoginModule
The RealmDirect login module allows an existing security realm to be used in making authentication and authorization decisions. When configured, this module will look up identity information using the referenced realm for making authentication decisions and delegate to that security realm for authorization decisions. For example, the pre-configured other security domain that ships with JBoss EAP 6 has a RealmDirect login module. If no realm is referenced in this module, the ApplicationRealm security realm is used by default.
Option | Type | Default | Description |
---|---|---|---|
realm | String | ApplicationRealm | Name of the desired realm. |
3.13. RealmUsersRoles Login Module
Short name: RealmUsersRoles
Full name: org.jboss.as.security.RealmUsersRolesLoginModule
Parent: UsersRoles Login Module
A login module which can authenticate users from a given realm. Used for remoting calls. Use of RealmDirect is recommended instead of RealmUsersRoles.
Option | Type | Default | Description |
---|---|---|---|
realm | String | ApplicationRealm | Name of the desired realm. |
hashAlgorithm | String | REALM | Static value set by login module for option from inherited UsernamePasswordLoginModule. |
hashStorePassword | String | false | Static value set by login module for option from inherited UsernamePasswordLoginModule. |