How to configure multiple Login modules in one security domain in JBOSS EAP 6.3?
I have two groups of users, employees and members: employees are in an LDAP server and members are in a properties file. I need to configure both of them in a single security domain, which means I need to get authentication from different login modules: employees from LdapExtLoginModule, and members from the UsersRoles login module. Something like this:
<security-domain name="EmpMem" cache-type="default">
    <authentication>
        <login-module code="UsersRoles" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="usersProperties" value="app-users.properties"/>
            <module-option name="rolesProperties" value="app-roles.properties"/>
        </login-module>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="java.naming.provider.url" value="ldap://ha-adds-global.xxx.com:3268"/>
            <module-option name="bindDN" value="CN=prodjbsvc,OU=ServiceAccounts,OU=NOPOL,dc=eagle,dc=xxx,dc=com"/>
            <module-option name="bindCredential" value="XQtU@1lc"/>
            <module-option name="baseCtxDN" value="dc=eagle,dc=xxx,dc=com"/>
            <module-option name="baseFilter" value="(sAMAccountName={0})"/>
            <module-option name="rolesCtxDN" value="ou=COSAs,dc=eagle,dc=xxx,dc=com"/>
            <module-option name="roleFilter" value="(sAMAccountName={0})"/>
            <module-option name="roleAttributeID" value="memberOf"/>
            <module-option name="roleAttributeIsDN" value="true"/>
            <module-option name="roleNameAttributeID" value="cn"/>
            <module-option name="roleRecursion" value="-1"/>
            <module-option name="searchScope" value="SUBTREE_SCOPE"/>
            <module-option name="allowEmptyPasswords" value="false"/>
            <module-option name="java.naming.referral" value="follow"/>
        </login-module>
    </authentication>
</security-domain>
I know that there is a login module option called Password Stacking which can chain multiple login modules together, but it looks like LdapExtLoginModule doesn't support that? Please suggest a way to accomplish this.

My requirement: when the user is an employee, he gets authenticated by the LDAP server and should be able to access employee resources (Java packages/classes) only, and when the user is a member, he gets authenticated from the properties file and should be able to access member resources (Java packages/classes) only.
If it is sufficient for your needs, use LdapLoginModule instead of LdapExtLoginModule. Password Stacking is supported by that LoginModule.

However, judging by your requirement I don't think Password Stacking is what you're looking for ...

If a previous module configured for password stacking has authenticated the user, all the other stacking modules will consider the user authenticated and only attempt to provide a set of roles for the authorization step.

It seems like a user will either be an employee or a member? If so, use "sufficient" as the LoginModule "flag" attribute:

sufficient: The login module is not required to succeed. If it does succeed, control immediately returns to the application. If it fails, authentication continues down the login stack.
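The security domain the answer describes, written out as an added example (not the asker's or answerer's configuration): both modules are flagged sufficient and the password-stacking options are dropped, so each user is authenticated by exactly one store. The bind password is a placeholder and the group DN and the member role names are assumed for illustration.

```xml
<!-- Added example: one security domain, two independent stores, no password stacking. -->
<security-domain name="EmpMem" cache-type="default">
    <authentication>
        <!-- Members are looked up first. "sufficient" means: if this module
             authenticates the user, the stack stops here and LDAP is never consulted.
             If the user is not in app-users.properties, the stack continues below. -->
        <login-module code="UsersRoles" flag="sufficient">
            <module-option name="usersProperties" value="app-users.properties"/>
            <module-option name="rolesProperties" value="app-roles.properties"/>
        </login-module>
        <!-- Employees are looked up in LDAP only when the properties lookup failed.
             Because no module is "required", a login fails overall only if BOTH
             sufficient modules fail, which is the intended outcome for unknown users. -->
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
            <module-option name="java.naming.provider.url" value="ldap://ha-adds-global.xxx.com:3268"/>
            <module-option name="bindDN" value="CN=prodjbsvc,OU=ServiceAccounts,OU=NOPOL,dc=eagle,dc=xxx,dc=com"/>
            <!-- PLACEHOLDER: keep the real bind password out of standalone.xml (e.g. the EAP vault). -->
            <module-option name="bindCredential" value="BIND-PASSWORD-PLACEHOLDER"/>
            <module-option name="baseCtxDN" value="dc=eagle,dc=xxx,dc=com"/>
            <module-option name="baseFilter" value="(sAMAccountName={0})"/>
            <module-option name="rolesCtxDN" value="ou=COSAs,dc=eagle,dc=xxx,dc=com"/>
            <module-option name="roleFilter" value="(sAMAccountName={0})"/>
            <module-option name="roleAttributeID" value="memberOf"/>
            <module-option name="roleAttributeIsDN" value="true"/>
            <module-option name="roleNameAttributeID" value="cn"/>
            <module-option name="roleRecursion" value="-1"/>
            <module-option name="searchScope" value="SUBTREE_SCOPE"/>
            <module-option name="allowEmptyPasswords" value="false"/>
            <module-option name="java.naming.referral" value="follow"/>
        </login-module>
    </authentication>
</security-domain>

<!-- Separating employee and member resources is then an authorization decision made on
     the roles each module returns. Constructed app-roles.properties content (assumed):
       alice=Member
     The LDAP module returns the "cn" of each group the employee belongs to, e.g. "Employee".
     A web.xml security-constraint or @RolesAllowed on the respective packages/classes
     can then admit "Member" to member resources and "Employee" to employee resources. -->
```

Module order matters: because the first sufficient success ends the stack, a username that exists in both stores is only ever authenticated against the properties file with this ordering.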