10 Replies Latest reply on Jul 28, 2005 5:18 AM by tcherel

    Selective access to application running on JBoss!

    maddy121179

      Hi, I am new to JBoss. I want to give role wise access to clients who want to connect to the server.
      In more detail, I am having the JBoss server running on one machine with some application deployed on it, now I want to let only selected machines (depends upon the roles like admin, user etc.) to access the application running on the JBoss server.
      Can i do it with JBoss 4.x and if yes then plz let me know.
      Any help will be highly appreciated!

      Thanks in advance.

      Maddy

        • 1. Re: Selective access to application running on JBoss!
          tcherel

          It looks like standard J2EE security to me and JBoss can definitely do that, but you need to be a little more specific in your requirements before a more detailed answer can be provided.

          1) You are saying "only selected machines" but you are also talking about some roles. Roles are usually assigned to users, not machines. Do you want the access to be driven by which user is accessing the JBoss server (regardless of which physical machine they do it from) or do you want it to be driven depending on which physical machine is accessing the server (which is not standard J2EE security anymore)?

          2) If driven by users, where are the users coming from? Your own database? An external directory (like LDAP)?

          3) Where do you want your user/role associations to be defined? Should an administrator be able to define these associations through your own interface (administration tool or something like that)?

          Thomas

          • 2. Re: Selective access to application running on JBoss!
            maddy121179

            Hi tcherel,
            Thanks for the reply....I very much want the access to be driven by the user based upon a role (regardless of any physical machine).
            As far as user is concerned it will come from the database. But as I was exploring the JBoss I came across login-config.xml file in the /conf directory which actually lets u to configure a template for the web console web application. It defines an <application-policy> tag under which we can specify userProperties & roleProperties files where we can define the user's properties in form of "username=password" and user's role in form of "username=role1, role2......".
            But i could not understand the whole architecture.......
            Am i going to the right direction.....plz give me ur valuable comments if you have anything to share....

            cheers!
            maddy

            • 3. Re: Selective access to application running on JBoss!
              tcherel


              Ok, so it seems that you want standard J2EE security.
              There are two aspects to using standard security in JBoss: what is specified by the J2EE spec and what is application server (JBoss in your case) specific.

              For the J2EE specified aspect you need to declare your security constraints in your J2EE deployment descriptors (web.xml for web application and ejb-jar.xml for EJB components). See J2EE spec for more details. These constraints are basically saying which roles are needed to access which resources.

              For the JBoss aspect, you need to do the following:

              - First define your security domain. This is what you saw in the login-config.xml. It basically defines your user source (how users are authenticated) and where the user/role associations are coming from. If you want all that to come from a database, you might want to take a look at the JBoss DataBaseServerLogin module (see the wiki page about JBoss security: http://wiki.jboss.org/wiki/Wiki.jsp?page=JBossSX).

              - Associate your J2EE applications (web or EJB) with the defined security domain. This is done through the JBoss specific deployment descriptor (jboss-web.xml or jboss.xml) by adding the security-domain element that will reference the domain that you defined in your login-config.xml.

              Between the JBoss-SX Wiki and the HowTo sample (referenced from the Wiki pages), you should find all the details that you need.

              Thomas

              • 4. Re: Selective access to application running on JBoss!
                maddy121179

                in continuation of the previous reply.........
                as far as my objective is concerned.....
                I am having an application running on JBoss server which is a separate machine......on the local LAN there are several other machines(clients) to whom I want to give role based access to the server as I have different tools including code coverage tools which are running on that server and which requires no interruption during that time i.e. no request should be made to the application while those tools are running on that application.
                So after giving the role based access anybody who needs any resource on that application would need to go through a login page where he/she would require to enter his/her username,password and role....so that whenever we run any tool on that application we disable those roles given to different clients so that they can't access the application.

                hope u would have an idea of my requirement..........

                maddy

                • 5. Re: Selective access to application running on JBoss!
                  maddy121179

                  Thomas,
                  You are right........i have defined the security domain in login-config.xml file and create user.properties and role.properties files where i specified the username=password and username=role1, role2....... and also associate my web application with defined security domain by adding that security domain in the jboss-web.xml file.
                  But now the question is as i need to make a login page in form of a gui where the user will required his username and password, how will the server know about that login page so that on every new request it redirect that request to that login page......

                  maddy

                  • 6. Re: Selective access to application running on JBoss!
                    tcherel

                    A few different answers to your last two posts:

                    1) With web applications, you can basically handle the login in two different ways: BASIC authentication (that will cause the web browser to display the "standard" login window asking for user name and password) or FORM based authentication where you can create your own login page.
                    Both are part of the J2EE servlet 2.3 specification.
                    In the case of the FORM login (which seems to be what you want to do), you need to declare your login page in the web.xml and you need to make sure that your login form is using the standard names for the user and password fields (see servlet spec) as well as for the action associated to the form.

                    2) You seem to say that user will provide his username, password and role when logging in. I do not think you want the user to specify his own role upon login. The roles attached to a user are specified as part of your role.properties file (in your current case).

                    3) In order to be able to remove some roles assigned to a user without restarting JBoss, you will have to use something else than the UsersRolesLoginModule that is based on property files that can not be dynamically updated. You might want to use the DatabaseServerLoginModule instead. You can then have an SQL script that you run to add/remove roles for your users when needed.
                    Only caveat to that: if a user is currently using the application (he has already logged in and he did not log out yet), changing his roles in the database is not going to be taken into account (roles are established at the time the user is logging in. After that they are cached and cannot be modified dynamically, or at least not without some custom JBoss code).
                    Two options to fix this problem:
                    a) provide a way to force the disconnect of all active clients. You should be able to do that by putting in place some kind of admin page that will allow you to invalidate all currently active HTTP sessions (might need to check in Tomcat documentation how this can be done).
                    b) implement your own JACC provider that can then be much more dynamic in determining the roles for a given user. This is probably not the easiest thing to do.

                    Thomas
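
The move from property files to the DatabaseServerLoginModule suggested in point 3 above, as an added example that is not part of the original posts. The domain name, datasource name, and table and column names are assumptions.

```xml
<!-- conf/login-config.xml: added example, not from the thread.
     Assumed names: domain "app-domain", datasource java:/AppDS,
     tables APP_USERS(username, passwd) and APP_ROLES(username, role). -->
<application-policy name="app-domain">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <!-- JNDI name of the datasource holding users and roles (assumed) -->
      <module-option name="dsJndiName">java:/AppDS</module-option>
      <!-- Must return one column: the stored password for the user -->
      <module-option name="principalsQuery">SELECT passwd FROM APP_USERS WHERE username = ?</module-option>
      <!-- Must return the role name, then the role group ('Roles') -->
      <module-option name="rolesQuery">SELECT role, 'Roles' FROM APP_ROLES WHERE username = ?</module-option>
      <!-- Compare against a stored digest instead of a clear-text password -->
      <module-option name="hashAlgorithm">SHA-256</module-option>
      <module-option name="hashEncoding">base64</module-option>
    </login-module>
  </authentication>
</application-policy>
<!-- Closing the application for a tool run then becomes an SQL change,
     e.g. DELETE FROM APP_ROLES WHERE role = 'Role1';
     users who are already logged in keep their cached roles, as the
     post notes, until their sessions end. -->
```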



                    • 7. Re: Selective access to application running on JBoss!
                      maddy121179

                      ......that means if I just defined the security domain in the login-config.xml file and create user.properties and role.properties file with the username=password and username=role1,role2... entries and also associate my web application with the defined security domain by adding that security domain in the jboss-web.xml file, all the user(client) will be presented a standard window asking the user name and password at the time of making any new request to the server.
                      Because if this is the case then that will also be sufficient for me.
                      Plz correct me if my understanding is wrong......


                      maddy

                      • 8. Re: Selective access to application running on JBoss!
                        tcherel

                        This is almost enough....

                        You also need to define your login page in the web.xml (standard servlet login-config stuff) and you need to define some security constraints on your web app URLs (also done in the web.xml) to mark them as "secured" otherwise login will not be requested.

                        But, once JBoss is up and running, if you want to change the role assigned to certain users, then you will have to do it by updating the roles.properties file and this cannot be done without a stop/restart of JBoss.
                        If you do not need it to be that dynamic, then you should be all set.

                        Thomas

                        • 9. Re: Selective access to application running on JBoss!
                          maddy121179

                          .....But do i need to define my own login page even if i want BASIC authentication only ? I guess that standard login window will be provided by the browser itself.....and what kind of security constraints do i need to define in web app url(and also in web.xml) to mark it as "secure"......

                          As far as changing roles are concerned i don't have any problem in stopping/restarting the JBoss server.

                          cheers !

                          maddy

                          • 10. Re: Selective access to application running on JBoss!
                            tcherel


                            Indeed, no need to define your own login page if you want BASIC authentication.
                            Check the servlet specification to see how to declare security constraints in your web.xml file.

                            Here is an example:

                            <security-constraint>
                              <web-resource-collection>
                                <web-resource-name>Restricted</web-resource-name>
                                <description>Restricted resources</description>
                                <url-pattern>/*</url-pattern>
                              </web-resource-collection>

                              <auth-constraint>
                                <role-name>Role1</role-name>
                              </auth-constraint>

                              <user-data-constraint>
                                <description>no description</description>
                                <transport-guarantee>NONE</transport-guarantee>
                              </user-data-constraint>
                            </security-constraint>

                            Thomas
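
The remaining descriptor entries discussed in replies 8 to 10 for a BASIC-authenticated web application, as an added example that is not part of the original posts. "Role1" is the role from the post above; the realm name and the domain name "app-domain" are assumptions, and the transport guarantee is shown with the stricter setting next to a note on what NONE permits.

```xml
<!-- WEB-INF/web.xml fragment (servlet 2.3 element order): added example.
     "Role1" is the role from the post; the realm name is an assumption. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Role1</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- NONE lets the BASIC credentials travel over plain HTTP, where they
         are only base64-encoded. CONFIDENTIAL makes the container require
         an SSL/TLS connection for these URLs. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Selects the browser's standard login window; no login page needed -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Restricted application</realm-name>
</login-config>

<!-- Every role named in an auth-constraint is declared here -->
<security-role>
  <role-name>Role1</role-name>
</security-role>

<!-- WEB-INF/jboss-web.xml: binds the web app to the security domain
     defined in login-config.xml ("app-domain" is an assumed name) -->
<jboss-web>
  <security-domain>java:/jaas/app-domain</security-domain>
</jboss-web>
```

CONFIDENTIAL only takes effect once an HTTPS connector is enabled in the embedded Tomcat.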