1

I plan on migrating my application from JBoss to Open Liberty. In JBoss, I have authentication and role mapping done using DatabaseServerLoginModule, configured in the standalone.xml file. How do I achieve the same thing using Open Liberty? I am using Java as the backend.

Also, I need help on the below -

Wanted to know how to configure the below code in Liberty? In JBoss, inside standalone.xml, I can provide a class name which is called automatically, and I can specify the password and role query -

<security-domain name="APPRealm" cache-type="default">
    <authentication>
        <login-module code="com.applayer.common.security.AppLoginModule" flag="required">
            <module-option name="dsJndiName" value="java:jboss/datasources/APPDS"/>
            <module-option name="principalsQuery" value="select password from ScUser where loginName=?"/>
            <module-option name="rolesQuery" value="select r.jaasRoleName, 'Roles' from ScJAASRole r where r.jaasRoleTypeName = 'systemUser' OR ? LIKE 'SystemUser'"/>
        </login-module>
    </authentication>
</security-domain>
deepc554

2 Answers

1

Just thought to leave the following articles for how to configure JAAS loginModules in openliberty for your review. Hopefully your DatabaseServerLoginModule magically works or works with just minor changes.

Liberty's authentication overview https://openliberty.io/docs/latest/authentication.html

Step by Step JAAS configuration (This article is for commercial Liberty. The same steps apply to Open Liberty) https://www.ibm.com/docs/en/was-liberty/base?topic=liberty-configuring-jaas-custom-login-module

Reference https://openliberty.io/docs/latest/reference/config/jaasLoginModule.html

Hiroko
0

DatabaseServerLoginModule is an older JBoss SPI, and it looks like it was removed from WildFly in a recent version, because it used security APIs that are no longer in the JDK.

As Hiroko linked to, OpenLiberty has a number of Authentication options.

For application authentication, @DatabaseIdentityStoreDefinition from Jakarta Security would be a good replacement. Here's an example on a servlet:

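// Jakarta EE 9+ package names; on Java EE 8 / Jakarta EE 8 use javax.security.enterprise.* instead
import jakarta.security.enterprise.authentication.mechanism.http.BasicAuthenticationMechanismDefinition;
import jakarta.security.enterprise.identitystore.DatabaseIdentityStoreDefinition;

@BasicAuthenticationMechanismDefinition(realmName = "JavaEESec Basic Realm")
@DatabaseIdentityStoreDefinition(
    callerQuery = "select password from callertable where name = ?",
    groupsQuery = "select group_name from callertable_groups where caller_name = ?",
    dataSourceLookup = "java:comp/env/jdbc/derby1fat")
public class DatabaseAuthAliasBasicAuthServlet extends FlexibleBaseServlet {
    // servlet body omitted in the original answer
}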

For authorization, you can map users/groups to roles in server.xml:

<application type="war" id="myWebApp" name="myWebApp"
             location="${server.config.dir}/apps/myWebApp.war">
   <application-bnd>
       <security-role name="testing">
           <user name="Bob" />
           <user name="user1" />
           <group name="users" />
       </security-role>
   </application-bnd>
</application>

If you need database backed server authentication, I would look into creating a Custom User Registry: https://community.ibm.com/community/user/wasdevops/blogs/hiroko-takamiya1/2021/11/19/configuring-custom-user-registry-liberty

Hiroko has a git repository with an example here: https://github.com/una-tapa/bellscur

mswatosh
  • Added the standalone.xml code by editing the original question. Could you help me on that? – deepc554 Aug 01 '23 at 07:33
  • That configuration is done in the @DatabaseIdentityStoreDefinition annotation. See above, it contains essentially the same thing as the login module: `callerQuery` is your `principalsQuery`, `groupsQuery` returns the user's groups like `rolesQuery` returns the roles, and `dataSourceLookup` is to specify the datasource. – mswatosh Aug 01 '23 at 18:17
  • Do you have example code on how to implement the above and how this class will be called? I am really clueless now – deepc554 Aug 08 '23 at 06:43
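
How the question's `standalone.xml` options map onto the annotation from the second answer, as an added example that is not part of the original thread or either poster's code. The data source name `jdbc/APPDS`, the class `AppHomeServlet`, the `/app/*` pattern and the `systemUser` role are assumptions, and the `jakarta.*` imports assume Jakarta EE 9 or later.

```java
// Added example, not from the original thread. Assumed names: jdbc/APPDS, AppHomeServlet,
// the /app/* URL pattern and the "systemUser" role; the queries are adapted from the question.
import java.io.IOException;

import jakarta.annotation.security.DeclareRoles;
import jakarta.security.enterprise.authentication.mechanism.http.BasicAuthenticationMechanismDefinition;
import jakarta.security.enterprise.identitystore.DatabaseIdentityStoreDefinition;
import jakarta.servlet.annotation.HttpConstraint;
import jakarta.servlet.annotation.ServletSecurity;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

@BasicAuthenticationMechanismDefinition(realmName = "APPRealm")
@DatabaseIdentityStoreDefinition(
    // Assumed Liberty <dataSource jndiName="jdbc/APPDS"> standing in for java:jboss/datasources/APPDS
    dataSourceLookup = "jdbc/APPDS",
    // principalsQuery from standalone.xml; the single ? is bound to the caller name
    callerQuery = "select password from ScUser where loginName=?",
    // rolesQuery without the JBoss-only 'Roles' column; groupsQuery returns group names only
    groupsQuery = "select r.jaasRoleName from ScJAASRole r "
                + "where r.jaasRoleTypeName = 'systemUser' OR ? LIKE 'SystemUser'")
@DeclareRoles("systemUser")
@WebServlet("/app/*")
@ServletSecurity(@HttpConstraint(rolesAllowed = "systemUser"))
public class AppHomeServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // The container has already run callerQuery and groupsQuery and enforced rolesAllowed
        // before this method is reached; the application never invokes a login module class.
        resp.setContentType("text/plain");
        resp.getWriter().printf("user=%s systemUser=%b%n",
                req.getUserPrincipal().getName(), req.isUserInRole("systemUser"));
    }
}
```

The annotation's default `hashAlgorithm` is `Pbkdf2PasswordHash`, so the `password` column must hold hashes that algorithm can verify. The groups the query returns are bound to the role with a `<group>` entry under `<application-bnd>`, as in the server.xml shown in the answer.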