Version 4

    This article describes FORM-based authentication on JBoss for securing admin-related pages.
    The attached web application uses declarative authentication against a MySQL security realm.


    Add the following security-constraint section to web.xml:

         <display-name>require valid user</display-name>
      <web-resource-name>internal application</web-resource-name>
      <!-- secure only admin pages-->
      <!--Admin pages secured only for admin-->

    Add the following login-config section to web.xml:


    Find and replace the following realm config section in <JBOSS_HOME>\server\default\deploy\jbossweb.sar\server.xml:


    <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
    roleNameCol="role_name" />


    As the above shows, the realm requires the DB class name, DB driver class, DB URL,
    DB name, DB username and DB password, and it is configured with these tables and columns:
    userTable is users,
    userNameCol is user_name,
    userRoleTable is user_roles,
    userCredCol is user_pass and
    roleNameCol is role_name.


    Setting up the security realm:
    Have MySQL running.


    mysql> create database jaasrealm;

    mysql> use jaasrealm;

    mysql> create table users (
      user_name varchar(15) not null primary key,
      user_pass varchar(15) not null
    );


    mysql> create table user_roles (
      user_name varchar(15) not null,
      role_name varchar(15) not null,
      primary key (user_name, role_name)
    );


    mysql> insert into users values('hari','good');
    mysql> insert into users values('hara','better');


    mysql> insert into user_roles values('hari','usergroup');
    mysql> insert into user_roles values('hara','admin');


    To give the same user more roles, keep adding user_roles records for that user, here hara:

    mysql> insert into user_roles values('hara','editor');

    mysql> insert into user_roles values('hara','publisher');


    Ensure the MySQL driver is in the JBoss classpath, check the browser setting for cookies, and modify JBossIPAddress in the links in the JSPs.
    Deploy the application after extracting it to JBOSS_HOME/server/default/deploy/.
    Reach the application at URL: http://<JBossIPAddress>:8080/auth/index.jsp
    The first two links are to user pages that require no authentication.
    The last two links are to admin pages which require authentication.
    Clicking on the admin links causes login.jsp to be displayed, as configured by the login-config section of web.xml.
    The login form submits to j_security_check, with text boxes for j_username and j_password.
    The j_security_check servlet, reserved by JBoss for authentication, handles the request and the security constraints associated with it.
    On successful authentication, the secured admin page is displayed.
    On unsuccessful authentication, loginInvalid.jsp is displayed, as configured by the login-config section of web.xml.
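    A web.xml fragment that produces the flow described above, as an added example rather than the attached application's own file. The /admin/* URL pattern and the placement of login.jsp and loginInvalid.jsp at the context root are assumptions; the display name, resource name, role and page names come from this article.

```xml
<!-- Added example; place inside the <web-app> element of WEB-INF/web.xml. -->

<security-constraint>
  <display-name>require valid user</display-name>
  <web-resource-collection>
    <web-resource-name>internal application</web-resource-name>
    <!-- secure only admin pages; /admin/* is an assumed path -->
    <url-pattern>/admin/*</url-pattern>
    <!-- No <http-method> elements are listed on purpose: the constraint
         then applies to every HTTP method, not only GET and POST. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Admin pages secured only for admin: must match role_name
         values returned from the user_roles table by the realm. -->
    <role-name>admin</role-name>
  </auth-constraint>
  <!-- A <user-data-constraint> with <transport-guarantee>CONFIDENTIAL
       here would force HTTPS for the admin pages and the login form.
       It needs an SSL connector, which this article does not set up. -->
</security-constraint>

<login-config>
  <!-- FORM makes the container show the login page and process the
       POST to j_security_check (fields j_username and j_password). -->
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- assumed to sit at the context root, outside /admin/* so the
         login page itself is reachable without authentication -->
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginInvalid.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Every role named in an auth-constraint is declared here. -->
<security-role>
  <role-name>admin</role-name>
</security-role>
```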


    Fire up JBoss and pull up the app...


    Saravana Prasad