3 Replies Latest reply on Jun 7, 2012 9:54 PM by raydecampo

    Using custom authentication for protected web resources

    raydecampo

I am currently migrating an existing application from JBoss 5 to JBoss 7.1.1.Final.  I have protected a set of URLs using web.xml and set a security domain using jboss-web.xml.  (See below.)  I also have a class that implements javax.security.auth.spi.LoginModule inside my application.  I would like for this class to handle the actual authentication.  I do not want to deploy that class as a separate application-server-wide module; it depends on my specific application.  In JBoss 5 I used DynamicLoginConfig to accomplish this, but I am struggling to make it work in JBoss 7.

      web.xml:

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>admin</web-resource-name>
          <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>administrator</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      
      <security-role>
        <role-name>administrator</role-name>
      </security-role>
      
      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>sc</realm-name>
        <form-login-config>
          <form-login-page>/admin/login.jsf</form-login-page>
          <form-error-page>/admin/unauthorized.jsf</form-error-page>
        </form-login-config>
      </login-config>
      jboss-web.xml:

      <security-domain>sc</security-domain>
      
        • 1. Re: Using custom authentication for protected web resources
          raydecampo

          OK, I have cracked this now that I finally got back to it.  The relevant documentation was found at:

          https://community.jboss.org/wiki/JBossAS7SecurityCustomLoginModules

          https://community.jboss.org/wiki/JBossAS7SecurityDomainModel

          The details are as follows.  Suppose you originally had the following configuration using DynamicLoginConfig:

          jboss-service.xml:

          <server>
              <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
                     name="scLoginConfig:service=scLogin">
                  <attribute name="AuthConfig">META-INF/sc-login-config.xml</attribute>
                  <depends optional-attribute-name="LoginConfigService">
                      jboss.security:service=XMLLoginConfig
                  </depends>
                  <depends optional-attribute-name="SecurityManagerService">
                      jboss.security:service=JaasSecurityManager
                  </depends>
              </mbean>
          </server>
          sc-login-config.xml:

          <policy>
              <application-policy name="sc">
                  <authentication>
                      <login-module code="com.sc.security.SCLoginModule"
                                    flag="required">
                          <module-option name="scOption1">value1</module-option>
                          <module-option name="scOption2">value2</module-option>
                      </login-module>
                  </authentication>
              </application-policy>
          </policy>
          Remove these two files from your EAR.  Add the following to your standalone.xml (or standalone-full.xml or domain.xml, etc.) in the <security-domains> subsystem:

          <security-domain name="sc" cache-type="default">
              <authentication>
                  <login-module code="com.sc.security.SCLoginModule" flag="required">
                      <module-option name="scOption1" value="value1"/>
                      <module-option name="scOption2" value="value2"/>
                  </login-module>
              </authentication>
          </security-domain>
          You can probably use the CLI for this if that is preferable for you.  Just don't ask me what the command is.

          Even though you are referencing a class packaged in your EAR from the application server configuration, it is OK; it seems that JBoss does not try to do anything until the security domain is referenced.  I was even able to run this configuration in my IDE, which delays the EAR deployment until after JBoss starts.
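The reply above shows how the security domain is wired up but not what the login module referenced by it looks like. The following is an added example of a login module for the "sc" domain; it is not the original poster's SCLoginModule and the thread does not say how that class authenticates. It extends PicketBox's UsernamePasswordLoginModule (the base class JBoss ships for username/password modules) rather than implementing javax.security.auth.spi.LoginModule directly, so that the callback handling, login/commit/abort state machine and Roles group population come from the base class and only the two application-specific methods remain. The account store is a constructed in-memory map with a password hashed at class-initialisation time purely so the sample runs; a real module would look the record up in the application's own database. The module-options hashAlgorithm=SHA-256 and hashEncoding=hex are real PicketBox options that are assumed to be added to the security-domain from the reply (next to scOption1/scOption2); with them in place PicketBox hashes the submitted password before it reaches validatePassword, so the store never holds plaintext.

```java
package com.sc.security;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.acl.Group;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;

import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

/**
 * Example login module for the "sc" security domain (added example, not the
 * thread's own SCLoginModule). Expects these module-options on the domain:
 *   hashAlgorithm = SHA-256   (PicketBox hashes the submitted password)
 *   hashEncoding  = hex       (lowercase hex, matching sha256Hex() below)
 *   scOption1 / scOption2     (application-specific; read in initialize())
 */
public class SCLoginModule extends UsernamePasswordLoginModule {

    /** Constructed sample store: username -> { sha256 hex of password, role... }. */
    private static final Map<String, String[]> ACCOUNTS = new HashMap<String, String[]>();
    static {
        // Hashed here only so the sample is self-contained; a real store holds
        // the hash already and never sees the plaintext.
        ACCOUNTS.put("admin", new String[] { sha256Hex("example-only-password"), "administrator" });
    }

    private String scOption1;
    private String scOption2;

    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        // The base class reads hashAlgorithm/hashEncoding and the other
        // standard options; we only pick up the application-specific ones.
        super.initialize(subject, callbackHandler, sharedState, options);
        scOption1 = (String) options.get("scOption1");
        scOption2 = (String) options.get("scOption2");
    }

    /** Returns the stored hash for the user being authenticated, or null if unknown. */
    @Override
    protected String getUsersPassword() throws LoginException {
        String[] record = ACCOUNTS.get(getUsername());
        // null makes validatePassword() fail with the same generic
        // "Password Incorrect/Password Required" error as a wrong password,
        // so the response does not reveal whether the username exists.
        return record == null ? null : record[0];
    }

    /** Constant-time comparison; the base class default uses String.equals. */
    @Override
    protected boolean validatePassword(String inputPassword, String expectedPassword) {
        if (inputPassword == null || expectedPassword == null) {
            return false;
        }
        return MessageDigest.isEqual(
                inputPassword.getBytes(StandardCharsets.UTF_8),
                expectedPassword.getBytes(StandardCharsets.UTF_8));
    }

    /** Maps the authenticated user to the roles checked by <auth-constraint>. */
    @Override
    protected Group[] getRoleSets() throws LoginException {
        SimpleGroup roles = new SimpleGroup("Roles");
        String[] record = ACCOUNTS.get(getUsername());
        if (record != null) {
            for (int i = 1; i < record.length; i++) {
                roles.addMember(new SimplePrincipal(record[i]));
            }
        }
        return new Group[] { roles };
    }

    /** Lowercase hex SHA-256, the same form PicketBox produces for hashEncoding=hex. */
    private static String sha256Hex(String s) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 not available", e);
        }
    }
}
```

Because the class lives inside the EAR rather than in a server module, the deployment needs the PicketBox classes on its classpath at runtime; on AS 7 that is done with a `Dependencies: org.picketbox` entry in the EAR's MANIFEST.MF. The group returned by getRoleSets() must be named "Roles", which is the group name JBoss reads role principals from when it evaluates the web.xml <auth-constraint>.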

          • 2. Re: Using custom authentication for protected web resources
            shadowcreeper

            Hey, if you solved it, you should mark it answered so that other people with the same question know where to find the answer.

            • 3. Re: Using custom authentication for protected web resources
              raydecampo

              Thanks Shadow Creeper, I hadn't thought of that