9 Replies Latest reply on May 6, 2011 4:26 AM by wolfgangknauf

    how to add web security in jboss 6?

    bcn

      What is the correct way to add security to a web app in jboss 6?

      I have read about jbossweb:

      http://docs.jboss.org/jbossweb/3.0.x/realm-howto.html

      but nothing of this is mentioned in the jboss security guide which seems to offer other solutions.

       

      When I try the jboss web way, I get a class not found error, because the realm classes are not

      in the file deploy/jbossweb.sar/jbossweb.jar.

      How are they added?

       

      Thanks,

      Ulrich

        • 1. how to add web security in jboss 6?
          iabughosh
          • 2. how to add web security in jboss 6?
            wolfgangknauf

            Hi,

             

            First step: add some JavaEE standard security declarations to your web.xml:

             

             

                <security-constraint>
                    <web-resource-collection>
                        <web-resource-name>All is secured</web-resource-name>
                        <url-pattern>/*</url-pattern>
                        <http-method>GET</http-method>
                        <http-method>POST</http-method>
                    </web-resource-collection>
                    <auth-constraint>
                        <role-name>administrator</role-name>
                        <role-name>customer</role-name>
                    </auth-constraint>
                </security-constraint>
                <login-config>
                    <auth-method>FORM</auth-method>
                    <form-login-config>
                        <form-login-page>/login.jsp</form-login-page>
                        <form-error-page>/error.jsp</form-error-page>
                    </form-login-config>
                </login-config>
                <security-role>
                    <role-name>administrator</role-name>
                </security-role>
                <security-role>
                    <role-name>customer</role-name>
                </security-role>

             

            Second step: add a file "jboss-web.xml" to the "WEB-INF" folder of your web app, which has to declare a security domain:

             

            <?xml version="1.0" encoding="UTF-8"?>
            <!DOCTYPE jboss-web PUBLIC
                "-//JBoss//DTD Web Application 5.0//EN"
                "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">

            <jboss-web>
                <security-domain>mysecuritydomain</security-domain>
                ...
            </jboss-web>

             

            Third step: configure your security domain by either editing the file "server\default\conf\login-config.xml" or by adding a "...-jboss-beans.xml" file. See here for more details: http://server.dzone.com/articles/security-features-jboss-510

             

            Hope this gives a starting point.

             

            Unfortunately, I don't have a good tutorial at hand...

             

            Best regards

             

            Wolfgang

            1 of 1 people found this helpful
            • 3. how to add web security in jboss 6?
              bcn

              Okay, thanks, that led me in the right direction.

              Although now I hit this bug:

              http://community.jboss.org/thread/162927

              Argh...

              • 4. how to add web security in jboss 6?
                iabughosh

                u j, if you are using form authentication and your form login page is based on JSF, then try a regular HTML form.

                • 5. Re: how to add web security in jboss 6?
                  bcn

                  OK, I put in a pure HTML form and don't get the error anymore.

                   

                  However, the authentication does not work. I have a DatabaseServerLoginModule but it seems never to be used (if I put a syntax error in the select, no error occurs).

                   

                  I can't find any documentation about how the names in the different files have to match.

                   

                  How does the xxx-jboss-web.xml know about the jboss-web.xml? Does the name of the security domain in jboss-web have to be used somewhere in xxx-jboss-web? Must the name have the prefix java:/jaas/?

                   

                  I guess the role-name in web.xml has to match the role selected by the query rolesQuery.

                   

                  How can I debug the authentication? If I put the log level of org.jboss.security to trace, I get:

                   

                  2011-05-04 10:44:01,136 DEBUG [org.jboss.security.integration.JNDIBasedSecurityManagement] (http-localhost%2F127.0.0.1-8080-2) Creating SDC for domain=smsurbano
                  2011-05-04 10:44:01,138 DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.smsurbano] (http-localhost%2F127.0.0.1-8080-2) CallbackHandler: org.jboss.security.auth.callback.JBossCallbackHandler@506e89dd
                  2011-05-04 10:44:01,138 DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.smsurbano] (http-localhost%2F127.0.0.1-8080-2) CachePolicy set to: org.jboss.security.auth.AuthenticationTimedCachePolicy@63935d75
                  2011-05-04 10:44:01,138 DEBUG [org.jboss.security.integration.JNDIBasedSecurityManagement] (http-localhost%2F127.0.0.1-8080-2) setCachePolicy, c=org.jboss.security.auth.AuthenticationTimedCachePolicy@63935d75
                  2011-05-04 10:48:20,672 TRACE [org.jboss.security.SecurityRolesAssociation] (http-localhost%2F127.0.0.1-8080-2) Setting threadlocal:{}
                  2011-05-04 10:48:20,675 TRACE [org.jboss.security.SecurityRolesAssociation] (http-localhost%2F127.0.0.1-8080-2) Setting threadlocal:null

                   

                  Thanks,

                   

                  Ulrich

                  • 6. Re: how to add web security in jboss 6?
                    iabughosh

                    u j, I'm using authentication with only web.xml and jboss.xml, I didn't use a third xml file, however the name of the security domain in your jboss-web.xml must match a login module in this file: ${jboss home}server\default\conf\login-config.xml

                    You can configure a new login config using server modules, details of creating the module are available in the documentation that I've posted in a previous thread.

                     

                    E.g., the name of the security domain in jboss-web.xml looks like this: java:/jaas/${login-module name}.

                     

                    regards.

                    • 7. Re: how to add web security in jboss 6?
                      wolfgangknauf

                      Hi all,

                       

                      @Ibrahim: u j used a new way of configuring the login module without having to edit "login-config.xml", which was added in AS 5: http://server.dzone.com/articles/security-features-jboss-510

                       

                      @u j: could you activate logging of the security layer? See http://community.jboss.org/wiki/SecurityFAQ - question 4. Hopefully this will point you to the error. But your config looks OK at first glance.

                       

                      Best regards

                       

                      Wolfgang

                      • 8. Re: how to add web security in jboss 6?
                        bcn

                        That helped! I needed the log of org.catalina and org.tomcat to find it.

                        In the login page, in <input name="j_username" type="text" /> I used id= instead of name=.

                        And the datasource in jboss-beans.xml must have a prefix of java:/.

                         

                        Thanks a lot,

                        Ulrich
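Putting the thread's pieces together (Wolfgang's third step in reply 2 and Ulrich's two fixes in reply 8), here is an added example of the login-config.xml application-policy that wires a DatabaseServerLoginModule to the security domain. It is not code from the thread or from the JBoss documentation. Assumed names: the security domain "mysecuritydomain" (matching the jboss-web.xml in reply 2), a datasource bound at java:/MyDS, and the table and column names in the two queries, which are constructed for illustration.

```xml
<!-- Added example, not from the thread: one application-policy element for
     server/default/conf/login-config.xml. The name must equal the
     <security-domain> in WEB-INF/jboss-web.xml ("mysecuritydomain" above). -->
<application-policy name="mysecuritydomain">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <!-- Datasource JNDI name: needs the java:/ prefix (Ulrich's second fix).
           "MyDS" is an assumed datasource name. -->
      <module-option name="dsJndiName">java:/MyDS</module-option>

      <!-- Constructed table/column names. The single result column must be the
           stored (here: hashed) password for the submitted user name. -->
      <module-option name="principalsQuery">
        select passwd from users where username=?
      </module-option>

      <!-- Each row must return the role name and the role group. The group
           "Roles" is the one the web container matches against the web.xml
           role-names (administrator, customer). -->
      <module-option name="rolesQuery">
        select role, 'Roles' from user_roles where username=?
      </module-option>

      <!-- Keep only hashed passwords in the table: the module hashes the
           submitted password with these settings before comparing it with
           the principalsQuery result. -->
      <module-option name="hashAlgorithm">SHA-256</module-option>
      <module-option name="hashEncoding">base64</module-option>
    </login-module>
  </authentication>
</application-policy>
```

The element goes inside the top-level <policy> of login-config.xml (the ...-jboss-beans.xml route from the dzone link in reply 2 carries the same application-policy content). Two checks worth making when authentication fails silently, as it did in this thread: the login page must POST to j_security_check with inputs whose name attributes (not id) are j_username and j_password, and rolesQuery must return 'Roles' as its second column, otherwise the user authenticates but never satisfies the auth-constraint. With hashAlgorithm set, the passwd column must hold the password hashed with that algorithm and encoded the same way (base64 here), or every login fails even though the queries are correct.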

                        • 9. how to add web security in jboss 6?
                          wolfgangknauf

                          Thanks for your feedback. I updated the security FAQ and removed my comment "don't know whether the other two categories are required".

                           

                          Best regards

                           

                          Wolfgang