1 Reply Latest reply on Jan 26, 2009 3:32 PM by plscstx

    Security Issues with Migrating from WebSphere to JBoss

    plscstx

      In WebSphere, you could select a "Mapping Users to Roles" option for "All Authenticated" but I can not figure out how to do that in JBoss.

      Basically, if your username and password are successfully authenticated via LDAP then you are allowed into the secure area of the application.

      I know how to do this when there is an LDAP Role, but I am having a hard time figuring out how to do this at a general level.

      Any help would be greatly appreciated.

        • 1. Re: Security Issues with Migrating from WebSphere to JBoss
          plscstx

          Never mind, figured it out.

          web.xml security snippet:

           <security-constraint>
             <web-resource-collection>
               <web-resource-name>Admin</web-resource-name>
               <description>Administrative Functions</description>
               <url-pattern>/admin/*</url-pattern>
               <url-pattern>/formprocessing/*</url-pattern>
               <url-pattern>/adminintro.html</url-pattern>
               <!-- url-pattern>/config/*</url-pattern -->
               <http-method>GET</http-method>
               <http-method>POST</http-method>
               <http-method>PUT</http-method>
               <http-method>HEAD</http-method>
               <http-method>TRACE</http-method>
               <http-method>DELETE</http-method>
               <http-method>OPTIONS</http-method>
             </web-resource-collection>
             <auth-constraint>
               <description>AdminSettings</description>
               <role-name>*</role-name>
             </auth-constraint>
             <user-data-constraint>
               <transport-guarantee>NONE</transport-guarantee>
             </user-data-constraint>
           </security-constraint>
           <login-config>
             <auth-method>BASIC</auth-method>
             <!--realm-name>corpTax</realm-name>
             <realm-name>drhorton.com</realm-name-->
             <form-login-config>
               <form-login-page>/login.html</form-login-page>
               <form-error-page>/error.jsp</form-error-page>
             </form-login-config>
           </login-config>


          Note the * for the role.


          jboss-web.xml:
           <jboss-web>
             <!-- All secured web content uses this security manager -->
             <security-domain>java:/jaas/myApp</security-domain>
           </jboss-web>


          server's login-config.xml:
           <application-policy name="myApp">
             <authentication>
               <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                 <!-- PASSWORD VERIFICATION -->
                 <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
                 <module-option name="java.naming.provider.url">ldap://servername:389/</module-option>
                 <module-option name="java.naming.security.authentication">simple</module-option>
                 <module-option name="principalDNPrefix">prefix\</module-option>
               </login-module>
             </authentication>
           </application-policy>
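An added review-side check, not part of the post above: this script parses a web.xml and reports, per security-constraint, which URL patterns are protected, by which roles, and the settings a reviewer would look at in a configuration like the one posted (the `*` role, an explicit http-method list, and BASIC auth over a NONE transport guarantee). The embedded web.xml is a constructed sample modelled on the posted snippet.

```python
# Added example: audit <security-constraint> entries in a web.xml (constructed sample below).
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the web.xml posted above (role *, GET/POST only, NONE transport).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>Admin</web-resource-name>
   <url-pattern>/admin/*</url-pattern>
   <url-pattern>/formprocessing/*</url-pattern>
   <url-pattern>/adminintro.html</url-pattern>
   <http-method>GET</http-method>
   <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>*</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
 </security-constraint>
 <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""


def audit_web_xml(xml_text):
    """Return one dict per <security-constraint>: patterns, roles, methods, transport, findings."""
    root = ET.fromstring(xml_text)
    # Strip the XML namespace so tag lookups work for both namespaced and bare descriptors.
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    auth_method = (root.findtext("login-config/auth-method", default="") or "").strip()
    report = []
    for sc in root.findall("security-constraint"):
        patterns = [(p.text or "").strip() for p in sc.iter("url-pattern")]
        methods = [(m.text or "").strip() for m in sc.iter("http-method")]
        roles = [(r.text or "").strip() for r in sc.iter("role-name")]
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee", default="NONE") or "").strip()
        findings = []
        if "*" in roles:
            # The behaviour the post relies on: any authenticated LDAP user passes this constraint.
            findings.append("role-name * admits every authenticated user, not a specific role")
        if methods:
            # Servlet rule: listing http-method elements constrains ONLY those methods;
            # any other method on the same URL patterns is left unconstrained.
            findings.append("only %s constrained; unlisted HTTP methods are not" % ", ".join(methods))
        if guarantee == "NONE" and auth_method == "BASIC":
            findings.append("BASIC credentials are sent without a CONFIDENTIAL transport guarantee")
        report.append({"patterns": patterns, "roles": roles, "methods": methods,
                       "transport": guarantee, "findings": findings})
    return report
```

Running `audit_web_xml(SAMPLE_WEB_XML)` on the sample yields all three findings; removing the http-method list, naming a concrete role and setting CONFIDENTIAL clears them.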