Securing a JBoss web application

This articles describes how to secure a Java web application in JBoss using BASIC authentication.

Step1: Edit web.xml in your application

Edit the web.xml file in your webapp at the following location.

WEB-INF/web.xml

Edit your web.xml and put the following contents (generally towards the bottom of the file)

<web-app>
....

 <security-constraint>
  <web-resource-collection>
   <web-resource-name>All resources</web-resource-name>
   <description>Protects all resources</description>
   <url-pattern>/*</url-pattern>
  </web-resource-collection>

  <auth-constraint>
   <role-name>myrole</role-name>
  </auth-constraint>
 </security-constraint>

 <security-role>
  <role-name>myrole</role-name>
 </security-role>

 <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Authorized access only.</realm-name>
 </login-config>
</web-app>

This is a way of telling the container to restrict all URLs to any user with the role ‘myrole‘.

Step 2: Create jboss-web.xml in your application

Edit or create the jboss-web.xml file in your webapp at the following location.

WEB-INF/jboss-web.xml

Put the following contents:

<jboss-web>
 <security-domain>java:/jaas/myappname</security-domain>
</jboss-web>

This tells JBoss to use application policy ‘myappname’ for this application.

Step 3: Create Application policy on JBoss server

We now need to define the application policy ‘myappname‘ on JBoss server.

Edit the login-config.xml file in the JBoss server directory at the following location.

jboss/server/default/conf/login-config.xml

Edit the contents of login-config.xml and add an application policy as follows:

<policy>
...

<!-- application policy for myappname -->
<application-policy name="myappname">
 <authentication>
  <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
   <module-option name="usersProperties">props/users.properties</module-option>
   <module-option name="rolesProperties">props/roles.properties</module-option>
  </login-module>
 </authentication>
</application-policy>
</policy>

This tells JBoss to user ‘UsersRolesLoginModule’ which uses property files to store users and roles.

Step 4: Create users on JBoss server

Now we create a new user with the role ‘myrole’.

Create a new User

Edit the users.properties file used by your application policy in Step 3.

jboss/server/default/conf/props/users.properties

Add a line to create a new user as follows.

myuser=mypassword

Roles

Finally, we assign the role ‘myrole’ to the user ‘myuser’. Edit the following file

Create a new role

Edit the roles.properties file used by your application policy in Step 3.

jboss/server/default/conf/props/roles.properties

Add a line to create a assign the role ‘myrole’ to ‘myuser’ as follows.

myuser=myrole

Test your settings

Restart the JBoss server and deploy your application. When you access your application, you should see a basic authentication popup.

If your setup is correct, you should be able to login using ‘myuser’ and ‘mypassword’ as defined in the Step 4.

Conclusion

This approach is equivalent to defining users, passwords and roles in tomcat-users.xml. While this is an easy approach and helps you get started, a real production web application should not store its passwords unencrypted on disk. We used BASIC authentication in this example. For production quality applications, you should use DIGEST, FORM or CLIENT-CERT.

Related posts:

  1. EJB3 JPA error when migrating from JBoss version 4 to 5
  2. Implementing context senstive permissions and authorization in JSF Seam
  3. JBoss Tools bug: SeamListener not found
  4. How to configure multiple page.xml files in Seam 2.2
  5. Maven Cargo JBoss

Leave a Reply

 

 

 

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Get Adobe Flash playerPlugin by wpburn.com wordpress themes