3 Replies Latest reply on Aug 25, 2011 8:37 AM by mmoyses

    Securing a Web application with AS7


      Hi all!

      I have a JBoss 5.1 application which uses HTTP Role authentication to perform some basic authentication.


      Basically I have the login module defined in login-config.xml:





                      <module-option name="dsJndiName">java:/OracleDS</module-option>

                      <module-option name="principalsQuery">
                          select passwd from USERS where login=?
                      </module-option>

                      <module-option name="rolesQuery">
                          select role, 'Roles' from USER_ROLES where login=?
                      </module-option>




      This module matches the security domain in jboss-web.xml:






      And finally a security constraint in the web.xml:



      . . . . . .




             <description>security constraints</description>











            <realm-name>Secure Realm</realm-name>








      Given that web.xml and jboss-web.xml stay the same (I guess!), how do I translate the login module in AS 7?

      I've found in the AS7 security subsystem a clue:


      <login-module code="..." flag="..."> <module-option name="..." value="..."/> </login-module>

      However, I've not been able to find how to specify dsJndiName or principalsQuery/rolesQuery.

      Any help?

      Thanks in advance


        • 1. Re: Securing a Web application with AS7

          You need to add a security-domain element in standalone.xml under the security subsystem. It will look something like:


          <security-domain name="myLogin" cache-type="default">
              <authentication>
                  <login-module code="Database" flag="required">
                      <module-option name="dsJndiName" value="java:/OracleDS"/>
                      <module-option name="principalsQuery" value="select passwd from USERS where login=?"/>
                      <module-option name="rolesQuery" value="select role, 'Roles' from USER_ROLES where login=?"/>
                  </login-module>
              </authentication>
          </security-domain>


          • 2. Re: Securing a Web application with AS7

            Thank you very much, it works.

            I was able to run clear text password authorization. The only thing I wasn't able to do is use my earlier encrypted passwords. With JBoss 5 I used to add this to my login module:


            <module-option name="hashAlgorithm" value="MD5" />
            <module-option name="hashEncoding" value="BASE64" />


            Does anybody know if encrypted passwords still work in AS 7?



            • 3. Re: Securing a Web application with AS7

              Encryption works the same way in AS7. Check this thread: http://community.jboss.org/message/621315
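
A diagnostic for the hashed-password question in reply 2, added here as an example and not code from any poster or from JBoss: it assumes the login module compares the column value with the encoded digest of the submitted password, and reports which hashAlgorithm/hashEncoding pair reproduces the stored value of a test account whose password you know. The function names, the SHA variants and the HEX encoding are assumptions that go beyond the MD5/BASE64 case in the thread, and the sample row is constructed.

```python
import base64
import hashlib
import hmac

# JAAS-style algorithm names mapped to hashlib names (set chosen for this example).
ALGORITHMS = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256"}
ENCODINGS = ("BASE64", "HEX")


def stored_form(password, hash_algorithm="MD5", hash_encoding="BASE64", charset="utf-8"):
    """Return the string a hashed-password column is expected to hold."""
    name = ALGORITHMS[hash_algorithm.upper()]
    digest = hashlib.new(name, password.encode(charset)).digest()
    encoding = hash_encoding.upper()
    if encoding == "BASE64":
        return base64.b64encode(digest).decode("ascii")
    if encoding == "HEX":
        return digest.hex()
    raise ValueError("unsupported hashEncoding: " + hash_encoding)


def matching_options(known_password, column_value, charset="utf-8"):
    """List the (hashAlgorithm, hashEncoding) pairs that reproduce column_value.

    An empty list means the column is clear text, salted, or built with a
    different charset or algorithm than the ones tried here.
    """
    stored = column_value.strip().encode("utf-8")
    matches = []
    for algorithm in ALGORITHMS:
        for encoding in ENCODINGS:
            candidate = stored_form(known_password, algorithm, encoding, charset)
            # Constant-time comparison, as is usual for credential checks.
            if hmac.compare_digest(candidate.encode("ascii"), stored):
                matches.append((algorithm, encoding))
    return matches


# Constructed sample: a test account with password "password" as it would sit
# in USERS.passwd when written with hashAlgorithm=MD5, hashEncoding=BASE64.
SAMPLE_LOGIN = "testuser"
SAMPLE_PASSWD_COLUMN = "X03MO1qnZdYdgyfeuILPmQ=="

if __name__ == "__main__":
    for algorithm, encoding in matching_options("password", SAMPLE_PASSWD_COLUMN):
        print(SAMPLE_LOGIN, "hashAlgorithm=" + algorithm, "hashEncoding=" + encoding)
```

If the list comes back empty for a value that worked under JBoss 5, compare the charset and any trailing whitespace in the column before changing the module options.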