9 Replies Latest reply: May 6, 2011 4:26 AM by Wolfgang Knauf

    how to add web security in jboss 6?

    u j Novice

      What is the correct way to add security to a web app in JBoss 6?

      I have read about JBoss Web:

      http://docs.jboss.org/jbossweb/3.0.x/realm-howto.html

      but none of this is mentioned in the JBoss security guide, which seems to offer other solutions.

      When I try the JBoss Web way, I get a class not found error, because the realm classes are not in the file deploy/jbossweb.sar/jbossweb.jar.

      How are they added?

      Thanks,
      Ulrich

        • 2. how to add web security in jboss 6?
          Wolfgang Knauf Master

          Hi,

          First step: add some Java EE standard security declarations to your web.xml:

              <security-constraint>
                  <web-resource-collection>
                      <web-resource-name>All is secured</web-resource-name>
                      <url-pattern>/*</url-pattern>
                      <http-method>GET</http-method>
                      <http-method>POST</http-method>
                  </web-resource-collection>
                  <auth-constraint>
                      <role-name>administrator</role-name>
                      <role-name>customer</role-name>
                  </auth-constraint>
              </security-constraint>
              <login-config>
                  <auth-method>FORM</auth-method>
                  <form-login-config>
                      <form-login-page>/login.jsp</form-login-page>
                      <form-error-page>/error.jsp</form-error-page>
                  </form-login-config>
              </login-config>
              <security-role>
                  <role-name>administrator</role-name>
              </security-role>
              <security-role>
                  <role-name>customer</role-name>
              </security-role>

          Second step: add a file "jboss-web.xml" to the "WEB-INF" of your web app, which has to declare a security domain:

              <?xml version="1.0" encoding="UTF-8"?>
              <!DOCTYPE jboss-web PUBLIC
                  "-//JBoss//DTD Web Application 5.0//EN"
                  "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">

              <jboss-web>
                  <security-domain>mysecuritydomain</security-domain>
                  ...
              </jboss-web>

          Third step: configure your security domain by either editing the file "server\default\conf\login-config.xml" or by adding a "...-jboss-beans.xml" file. See here for more details: http://server.dzone.com/articles/security-features-jboss-510

          Hope this gives a starting point.

          Unfortunately, I don't have a good tutorial at hand...

          Best regards
          Wolfgang

          • 3. how to add web security in jboss 6?
            u j Novice

            Okay, thanks, that led me in the right direction.

            Although now I hit this bug:

            http://community.jboss.org/thread/162927

            Argh...

            • 4. how to add web security in jboss 6?
              iabughosh Master

              u j, if you are using form authentication and your form login page is based on JSF, then try a regular HTML form.

              • 5. Re: how to add web security in jboss 6?
                u j Novice

                OK, I put in a pure HTML form and don't get the error anymore.

                However, the authentication does not work. I have a DatabaseServerLoginModule, but it seems to be never used (if I put a syntax error in the select, no error occurs).

                I can't find any documentation about how the names in the different files have to match.

                How does the xxx-jboss-web.xml know about the jboss-web.xml? Does the name of the security domain in jboss-web have to be used somewhere in xxx-jboss-web? Must the name have the prefix java:/jaas/?

                I guess the role-name in web.xml has to match the role selected by the query rolesQuery.

                How can I debug the authentication? If I put the log level of org.jboss.security to trace, I get:

                2011-05-04 10:44:01,136 DEBUG [org.jboss.security.integration.JNDIBasedSecurityManagement] (http-localhost%2F127.0.0.1-8080-2) Creating SDC for domain=smsurbano
                2011-05-04 10:44:01,138 DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.smsurbano] (http-localhost%2F127.0.0.1-8080-2) CallbackHandler: org.jboss.security.auth.callback.JBossCallbackHandler@506e89dd
                2011-05-04 10:44:01,138 DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.smsurbano] (http-localhost%2F127.0.0.1-8080-2) CachePolicy set to: org.jboss.security.auth.AuthenticationTimedCachePolicy@63935d75
                2011-05-04 10:44:01,138 DEBUG [org.jboss.security.integration.JNDIBasedSecurityManagement] (http-localhost%2F127.0.0.1-8080-2) setCachePolicy, c=org.jboss.security.auth.AuthenticationTimedCachePolicy@63935d75
                2011-05-04 10:48:20,672 TRACE [org.jboss.security.SecurityRolesAssociation] (http-localhost%2F127.0.0.1-8080-2) Setting threadlocal:{}
                2011-05-04 10:48:20,675 TRACE [org.jboss.security.SecurityRolesAssociation] (http-localhost%2F127.0.0.1-8080-2) Setting threadlocal:null

                Thanks,
                Ulrich

                • 6. Re: how to add web security in jboss 6?
                  iabughosh Master

                  u j, I'm using authentication with only web.xml and jboss.xml; I didn't use a third XML file. However, the name of the security domain in your jboss-web.xml must match a login module in this file: ${jboss home}server\default\conf\login-config.xml

                  You can configure a new login config using server modules; details of creating the module are available in the documentation that I've posted in a previous thread.

                  E.g., the names of the security domains in jboss-web.xml look like this: java:/jaas/${login-module name}.

                  Regards.

                  • 7. Re: how to add web security in jboss 6?
                    Wolfgang Knauf Master

                    Hi all,

                    @Ibrahim: u j used a new way of configuring the login module without having to edit "login-config.xml", which was added in AS 5: http://server.dzone.com/articles/security-features-jboss-510

                    @u j: could you activate logging of the security layer? See http://community.jboss.org/wiki/SecurityFAQ - question 4. Hopefully this will point you to the error. But your config looks OK at first glance.

                    Best regards
                    Wolfgang

                    • 8. Re: how to add web security in jboss 6?
                      u j Novice

                      That helped! I needed the log of org.catalina and org.tomcat to find it.

                      In the login page, in <input name="j_username" type="text" /> I used id= instead of name=.

                      And the datasource in jboss-beans.xml must have a prefix of java:/.

                      Thanks a lot,

                      Ulrich
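The name-matching questions from posts 5 and 6 and the two mistakes found in post 8 can be checked mechanically before deploying. The following is an added example, not code from this thread or from JBoss: it parses constructed sample copies of web.xml, jboss-web.xml, login-config.xml and the login page and reports the mismatches. It assumes that the java:/jaas/ prefix on the security-domain is optional on AS 5/6 (both spellings are accepted) and that DatabaseServerLoginModule's dsJndiName option holds the datasource JNDI name.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample files (not from the thread); the login page repeats the id= mistake from post 8.
WEB_XML = """<web-app>
  <security-constraint>
    <auth-constraint><role-name>administrator</role-name><role-name>customer</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>administrator</role-name></security-role>
</web-app>"""
JBOSS_WEB_XML = "<jboss-web><security-domain>java:/jaas/mysecuritydomain</security-domain></jboss-web>"
LOGIN_CONFIG_XML = """<policy>
  <application-policy name="mysecuritydomain"><authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">MyDS</module-option>
    </login-module>
  </authentication></application-policy>
</policy>"""
LOGIN_PAGE = ('<form action="j_security_check" method="post">'
              '<input id="j_username" type="text"/><input name="j_password" type="password"/></form>')
JAAS_PREFIX = "java:/jaas/"


def check_config(web_xml, jboss_web_xml, login_config_xml, login_page):
    """Return the list of mismatches between the four artifacts; an empty list means they line up."""
    problems = []
    web = ET.fromstring(web_xml)
    used = {r.text for ac in web.iter("auth-constraint") for r in ac.iter("role-name")}
    declared = {r.text for sr in web.iter("security-role") for r in sr.iter("role-name")}
    for role in sorted(used - declared):
        problems.append("web.xml: role '%s' is in an auth-constraint but has no security-role" % role)
    # jboss-web.xml may name the domain with or without java:/jaas/ (assumed: AS 5/6 accept both),
    # so strip the prefix before looking for the application-policy of the same name.
    domain = ET.fromstring(jboss_web_xml).findtext("security-domain", "")
    if domain.startswith(JAAS_PREFIX):
        domain = domain[len(JAAS_PREFIX):]
    policy = ET.fromstring(login_config_xml)
    if domain not in {p.get("name") for p in policy.iter("application-policy")}:
        problems.append("login-config.xml: no application-policy named '%s'" % domain)
    # DatabaseServerLoginModule looks the datasource up in JNDI; post 8 found the java:/ prefix is required.
    for opt in policy.iter("module-option"):
        if opt.get("name") == "dsJndiName" and not (opt.text or "").startswith("java:/"):
            problems.append("login-config.xml: dsJndiName '%s' lacks the java:/ prefix" % opt.text)
    # The container reads the request parameters j_username/j_password, so the inputs need name=,
    # not just id= (an id is never submitted with the form).
    for field in ("j_username", "j_password"):
        if not re.search(r'<input\b[^>]*\bname="%s"' % field, login_page):
            problems.append('login page: no <input name="%s">' % field)
    return problems
```

Run against the samples it reports the undeclared "customer" role, the missing java:/ prefix on dsJndiName and the j_username input that has no name attribute; with those three fixed it returns an empty list.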

                      • 9. how to add web security in jboss 6?
                        Wolfgang Knauf Master

                        Thanks for your feedback. I updated the security FAQ and removed my comment "don't know whether the other two categories are required".

                        Best regards
                        Wolfgang