3 Replies Latest reply on Jun 7, 2012 9:54 PM by raydecampo

    Using custom authentication for protected web resources

    raydecampo
    raydecampo Jun 7, 2012 4:38 PM

      I am currently migrating an existing application from JBoss 5 to JBoss 7.1.1.Final.  I have protected a set of URLs using web.xml and set a security domain using jboss-web.xml.  (See below.)  I also have a class that implements javax.security.auth.spi.LoginModule inside my application.  I would like for this class to handle the actual authentication.  I do not want to deploy that class as a separate application server wide module, it depends on my specific application.  In JBoss 5 I used DynamicLoginConfig to accomplish this but I am struggling to make it work in JBoss 7.

       

      web.xml

       

      <security-constraint>
  <web-resource-collection>
    <web-resource-name>admin</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<security-role>
  <role-name>administrator</role-name>
</security-role>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>sc</realm-name>
  <form-login-config>
    <form-login-page>/admin/login.jsf</form-login-page>
    <form-error-page>/admin/unauthorized.jsf</form-error-page>
  </form-login-config>
</login-config>

       

       

      jboss-web.xml:

       

      <security-domain>sc</security-domain>
      • 4560 Views
      • Tags:
        • 1. Re: Using custom authentication for protected web resources
          raydecampo
          raydecampo Jun 7, 2012 4:52 PM (in response to raydecampo)

          OK, I have cracked this now that I finally got back to it.  The relevant documentation was found at:

           

          https://community.jboss.org/wiki/JBossAS7SecurityCustomLoginModules

          https://community.jboss.org/wiki/JBossAS7SecurityDomainModel

           

          The details are as follows.  Suppose you originally had the following configuration using DynamicLoginConfig:

           

          jboss-service.xml:

           

          <server>
    <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
           name="scLoginConfig:service=scLogin">
        <attribute name="AuthConfig">META-INF/sc-login-config.xml</attribute>
        <depends optional-attribute-name="LoginConfigService">
            jboss.security:service=XMLLoginConfig
        </depends>
        <depends optional-attribute-name="SecurityManagerService">
            jboss.security:service=JaasSecurityManager
        </depends>
    </mbean>
</server>

           

          sc-login-config.xml:

           

          <policy>
    <application-policy name="sc">
        <authentication>
            <login-module code="com.sc.security.SCLoginModule"
                          flag="required">
                <module-option name="scOption1">value1</module-option>
                <module-option name="scOption2">value2</module-option>
            </login-module>
        </authentication>
    </application-policy>
</policy>

           

          Remove these two files from your EAR.  Add the following to your standalone.xml (or standalone-full.xml or domain.xml, etc.) in the <security-domains> subsystem:

           

          <security-domain name="sc" cache-type="default">
    <authentication>
        <login-module code="com.sc.security.SCLoginModule" flag="required">
            <module-option name="scOption1" value="value1"/>
            <module-option name="scOption2" value="value2"/>
        </login-module>
    </authentication>
</security-domain>

           

          You can probably use the CLI for this if that is preferable for you.  Just don't ask me what the command is.

           

          Even though you are referencing a class packaged in your EAR from the application server configuration it is OK; it seems that JBoss does not try to do anything until the security domain is referenced.  I was even able to run this configuration in my IDE which delays the EAR deployment until after JBoss starts.

            • Actions
          • 2. Re: Using custom authentication for protected web resources
            shadowcreeper
            shadowcreeper Jun 7, 2012 8:32 PM (in response to raydecampo)

            Hey, if you solved it, you should mark it answered so that other people with the same question know where to find the answer.

              • Actions
            • 3. Re: Using custom authentication for protected web resources
              raydecampo
              raydecampo Jun 7, 2012 9:54 PM (in response to shadowcreeper)

              Thanks Shadow Creeper, I hadn't thought of that

                • Actions