diff --git a/account-ui/src/main/filters/development.properties b/account-ui/src/main/filters/development.properties
index 6717186..c37b080 100644
--- a/account-ui/src/main/filters/development.properties
+++ b/account-ui/src/main/filters/development.properties
@@ -1 +1,7 @@
 jsf.projectStage=Development
+
+shiro.contextFactory = # not defined
+shiro.passwordMatcher= passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher${line.separator}passwordMatcher.passwordService = $passwordService
+shiro.ldapRealm = # not defined
+shiro.authcStrategy = org.apache.shiro.authc.pam.AllSuccessfulStrategy
+shiro.realms = $jdbcRealm
diff --git a/account-ui/src/main/filters/production.properties b/account-ui/src/main/filters/production.properties
index f9b33c0..6bb220d 100644
--- a/account-ui/src/main/filters/production.properties
+++ b/account-ui/src/main/filters/production.properties
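Review bot: `shiro.contextFactory = # not defined` and `shiro.ldapRealm = # not defined` only work because the value is pasted verbatim into shiro.ini, where a line beginning with `#` is an INI comment; in a .properties file a `#` after the key is part of the value, which a reader of this file may not realise. Document the trick above those keys: `# Values are substituted verbatim into WEB-INF/shiro.ini: '# not defined' becomes an INI comment line, ${line.separator} splits one value into several INI lines.` Whether `${line.separator}` is actually interpolated presumably depends on the Maven filtering configuration exposing system properties; if it were not, Shiro would try to load a class named with the literal text and fail at startup, which at least fails closed.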
@@ -1 +1,16 @@
 jsf.projectStage=Production
+
+ldap.url = ldaps://your.domain.com
+ldap.user = user
+ldap.password = secret
+ldap.suffix = @your.domain.com
+ldap.fallbackSuffix = @your.domain2
+ldap.searchBase = dc=com,dc=domain,dc.your
+ldap.searchFilter = (&(objectClass=*)(mail={0}))
+
+## NO CHANGES BEHIND THIS LINE REQUIRED
+shiro.contextFactory = contextFactory = org.apache.shiro.realm.ldap.JndiLdapContextFactory${line.separator}contextFactory.url = ${ldap.url}${line.separator}contextFactory.systemUsername = ${ldap.user}${line.separator}contextFactory.systemPassword = ${ldap.password}${line.separator}contextFactory.environment[java.naming.security.protocol] = ssl
+shiro.passwordMatcher= passwordMatcher=org.apache.shiro.authc.credential.AllowAllCredentialsMatcher
+shiro.ldapRealm = ldapRealm = de.muehlencord.shared.account.util.UserNameActiveDirectoryRealm${line.separator}ldapRealm.principalSuffix = ${ldap.suffix}${line.separator}ldapRealm.fallbackPrincipalSuffix = ${ldap.fallbackSuffix}${line.separator}ldapRealm.ldapContextFactory = $contextFactory${line.separator}ldapRealm.searchBase = ${ldap.searchBase}${line.separator}ldapRealm.searchFilter = ${ldap.searchFilter}${line.separator}ldapRealm.permissionsLookupEnabled=false
+shiro.authcStrategy = org.apache.shiro.authc.pam.AllSuccessfulStrategy
+shiro.realms=$jdbcRealm,$ldapRealm
diff --git a/account-ui/src/main/webapp/WEB-INF/shiro.ini b/account-ui/src/main/webapp/WEB-INF/shiro.ini
index 56c2a5b..d9288a8 100644
--- a/account-ui/src/main/webapp/WEB-INF/shiro.ini
+++ b/account-ui/src/main/webapp/WEB-INF/shiro.ini
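Review bot: `shiro.passwordMatcher` resolves to `AllowAllCredentialsMatcher` in production, so the JDBC realm that shiro.ini wires to `$passwordMatcher` accepts any password for any account the authentication query returns, and the only real credential check is whatever the custom `UserNameActiveDirectoryRealm` does against LDAP; that is only safe while `shiro.authcStrategy` stays `AllSuccessfulStrategy` and `shiro.realms` keeps `$ldapRealm`, yet both sit under the `## NO CHANGES BEHIND THIS LINE REQUIRED` banner with no warning. Add above `shiro.passwordMatcher`: `# JDBC realm does NOT verify passwords in production (AllowAllCredentialsMatcher); ldapRealm does. Keep AllSuccessfulStrategy and both realms, or any DB account logs in with any password.` `ldap.password = secret` looks like a placeholder, but a real bind password in this Maven filter file is committed with the source; consider supplying it from an environment or CI property instead. The sample `ldap.searchBase = dc=com,dc=domain,dc.your` is also malformed (`dc.your` is not an RDN and the components are in reverse order for `your.domain.com`); `dc=your,dc=domain,dc=com` would be the conventional example.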
@@ -1,56 +1,62 @@
-[main]
-cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
-securityManager.cacheManager = $cacheManager
-
-# DataSource Setup
-datasource = org.apache.shiro.jndi.JndiObjectFactory
-datasource.resourceName = java:/jboss/accountDs
-datasource.resourceRef = true
-
-# HashService
-hashService = org.apache.shiro.crypto.hash.DefaultHashService
-hashService.hashIterations = 500000
-hashService.hashAlgorithmName = SHA-512
-hashService.generatePublicSalt = true
-
-# Password service
-passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
-passwordService.hashService = $hashService
-
-# Required password matcher
-passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
-passwordMatcher.passwordService = $passwordService
-
-# JDBC Realm setup
-jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
-jdbcRealm.permissionsLookupEnabled=false
-# jdbcRealm.authenticationQuery = select al.account_password from account a, account_login al where al.account = a.id and a.username = ? and status not in ('LOCKED','DELETED')
-jdbcRealm.authenticationQuery = SELECT accl.account_password from account acc, account_login accl, account_role accr, application_role appr WHERE accl.account = acc.id AND acc.id = accr.account AND accr.account_role = appr.id AND appr.application = '143a2bd3-7e0b-4162-a76e-3031331c7dfe' AND acc.status not in ('LOCKED','DELETED') AND acc.username = ?
-jdbcRealm.userRolesQuery = select r.role_name from application_role r, account_role ar, account a WHERE a.username = ? AND a.id = ar.account AND ar.account_role = r.id
-jdbcRealm.credentialsMatcher = $passwordMatcher
-jdbcRealm.dataSource = $datasource
-
-# Activate realms
-authcStrategy = org.apache.shiro.authc.pam.AllSuccessfulStrategy
-securityManager.realms = $jdbcRealm
-securityManager.authenticator.authenticationStrategy = $authcStrategy
-
-# Setup authentication filter
-authc = de.muehlencord.shirofaces.filter.FacesAjaxAwarePassThruAuthenticationFilter
-authc.loginUrl = /login.xhtml
-authc.successUrl = /web/account.xhtml
-
-roles.unauthorizedUrl = /error/accessDenied.xhtml
-
-#
-# filter setup
-#
-[urls]
-/public/**=anon
-/resources/**=anon
-/fonts/**=anon
-/javax.faces.resource/**=anon
-/login.xhtml=authc
-/logout.xhtml=logout
-/**=authc
-# /web/**=authc
+[main]
+
+# Context factory required for LDAP
+${shiro.contextFactory}
+
+cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
+securityManager.cacheManager = $cacheManager
+
+# DataSource Setup
+datasource = org.apache.shiro.jndi.JndiObjectFactory
+datasource.resourceName = java:/jboss/accountDs
+datasource.resourceRef = true
+
+# HashService
+hashService = org.apache.shiro.crypto.hash.DefaultHashService
+hashService.hashIterations = 500000
+hashService.hashAlgorithmName = SHA-512
+hashService.generatePublicSalt = true
+
+# Password service
+passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
+passwordService.hashService = $hashService
+
+# Required password matcher
+${shiro.passwordMatcher}
+
+# LDAP Realm setup
+${shiro.ldapRealm}
+
+# JDBC Realm setup
+jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
+jdbcRealm.permissionsLookupEnabled=false
+# jdbcRealm.authenticationQuery = select al.account_password from account a, account_login al where al.account = a.id and a.username = ? and status not in ('LOCKED','DELETED')
+jdbcRealm.authenticationQuery = SELECT accl.account_password from account acc, account_login accl, account_role accr, application_role appr WHERE accl.account = acc.id AND acc.id = accr.account AND accr.account_role = appr.id AND appr.application = '143a2bd3-7e0b-4162-a76e-3031331c7dfe' AND acc.status not in ('LOCKED','DELETED') AND acc.username = ?
+jdbcRealm.userRolesQuery = select r.role_name from application_role r, account_role ar, account a WHERE a.username = ? AND a.id = ar.account AND ar.account_role = r.id
+jdbcRealm.credentialsMatcher = $passwordMatcher
+jdbcRealm.dataSource = $datasource
+
+# Activate realms
+authcStrategy = ${shiro.authcStrategy}
+securityManager.realms = ${shiro.realms}
+securityManager.authenticator.authenticationStrategy = $authcStrategy
+
+# Setup authentication filter
+authc = de.muehlencord.shirofaces.filter.FacesAjaxAwarePassThruAuthenticationFilter
+authc.loginUrl = /login.xhtml
+authc.successUrl = /web/account.xhtml
+
+roles.unauthorizedUrl = /error/accessDenied.xhtml
+
+#
+# filter setup
+#
+[urls]
+/public/**=anon
+/resources/**=anon
+/fonts/**=anon
+/javax.faces.resource/**=anon
+/login.xhtml=authc
+/logout.xhtml=logout
+/**=authc
+# /web/**=authc
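Review bot: The comment `# Required password matcher` above `${shiro.passwordMatcher}` no longer describes what is emitted there: the matcher is now chosen by the Maven profile, so `jdbcRealm.credentialsMatcher = $passwordMatcher` verifies the stored hash under one profile and nothing under another, while `hashService` and `passwordService` stay defined either way. Replace it with `# Credentials matcher is injected by the Maven profile (src/main/filters/*.properties); the JDBC realm's password check is only as strong as the matcher chosen there.` and, at `# Activate realms`, add `# authcStrategy and realms are profile-supplied; AllSuccessfulStrategy is what forces every configured realm to accept the login.` so the coupling is visible from this file. Because the whole file is removed and re-added (a line-ending change, presumably), the five substantive edits are hard to spot; a whitespace-insensitive diff would make the review easier.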