3 Replies Latest reply on Aug 25, 2011 8:37 AM by mmoyses

    Securing a Web application with AS7

    developer251

      Hi all!

      I have a JBoss 5.1 application which uses HTTP Role authentication to perform some basic authentication.

      Basically I have the login module defined in login-config.xml:

      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                    flag="required">
          <module-option name="dsJndiName">java:/OracleDS</module-option>
          <module-option name="principalsQuery">
              select passwd from USERS where login=?
          </module-option>
          <module-option name="rolesQuery">
              select role, 'Roles' from USER_ROLES where login=?
          </module-option>
      </login-module>

      This module matches the security domain in jboss-web.xml:

      <jboss-web>
          <security-domain>java:/jaas/myLogin</security-domain>
      </jboss-web>

      And finally a security constraint in the web.xml:

      <web-app>
      . . . . . .
          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>HtmlAdaptor</web-resource-name>
                  <description>security constraints</description>
                  <url-pattern>/*</url-pattern>
                  <http-method>GET</http-method>
                  <http-method>POST</http-method>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>Admin</role-name>
              </auth-constraint>
          </security-constraint>

          <login-config>
              <auth-method>BASIC</auth-method>
              <realm-name>Secure Realm</realm-name>
          </login-config>

          <security-role>
              <role-name>Admin</role-name>
          </security-role>
      </web-app>

      Given that web.xml and jboss-web.xml stay the same (I guess!), how do I translate the login module to AS 7?

      I've found a clue in the AS7 security subsystem:

      <login-module code="..." flag="..."> <module-option name="..." value="..."/> </login-module>

      However, I've not been able to find out how to specify dsJndiName or principalsQuery/rolesQuery.

      Any help???

      Thanks in advance

      Max

        • 1. Re: Securing a Web application with AS7
          mmoyses

          You need to add a security-domain element in standalone.xml under the security subsystem. It will look something like:

          <security-domain name="myLogin" cache-type="default">
              <authentication>
                  <login-module code="Database" flag="required">
                      <module-option name="dsJndiName" value="java:/OracleDS"/>
                      <module-option name="principalsQuery" value="select passwd from USERS where login=?"/>
                      <module-option name="rolesQuery" value="select role, 'Roles' from USER_ROLES where login=?"/>
                  </login-module>
              </authentication>
          </security-domain>

          • 2. Re: Securing a Web application with AS7
            developer251

            Thank you very much, it works.

            I was able to run clear-text password authorization. The only thing I wasn't able to do is use my earlier encrypted passwords. With JBoss 5 I used to add this to my login module:

            <module-option name="hashAlgorithm" value="MD5" />
            <module-option name="hashEncoding" value="BASE64" />

            Does anybody know if encrypted passwords still work in AS 7?

            Thanks

            Max

            • 3. Re: Securing a Web application with AS7
              mmoyses

              Encryption works the same way in AS7. Check this thread: http://community.jboss.org/message/621315
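As an added example (not code from this thread or from JBoss/PicketBox), the Python script below models what the Database login module configured in reply 1 does against the USERS and USER_ROLES tables implied by the principalsQuery and rolesQuery, and also covers the hashAlgorithm=MD5 / hashEncoding=BASE64 question from reply 2: with those options the module hashes the submitted password and compares the result to the passwd column, so the stored value has to be the base64-encoded MD5 digest of the password rather than the clear text. The schema, the users, the passwords and the in-memory SQLite database are constructed stand-ins for the Oracle datasource; UTF-8 password bytes are assumed (on the server the platform default charset applies unless the module's hashCharset option is set).

```python
import base64
import hashlib
import sqlite3

# The two queries from the thread. principalsQuery returns the stored password
# for a login; rolesQuery returns (role, role-group) pairs, where the literal
# 'Roles' is the group name the login module reads application roles from.
PRINCIPALS_QUERY = "select passwd from USERS where login=?"
ROLES_QUERY = "select role, 'Roles' from USER_ROLES where login=?"


def hash_password(password, algorithm="MD5", encoding="BASE64"):
    """Compute what hashAlgorithm/hashEncoding make the module compute:
    digest the password bytes, then encode the digest as BASE64 or HEX."""
    digest = hashlib.new(algorithm.lower(), password.encode("utf-8")).digest()
    if encoding.upper() == "BASE64":
        return base64.b64encode(digest).decode("ascii")
    if encoding.upper() == "HEX":
        return digest.hex()
    raise ValueError("unsupported hashEncoding: %s" % encoding)


def build_sample_db():
    """Constructed in-memory stand-in for the java:/OracleDS datasource."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table USERS (login text primary key, passwd text not null);
        create table USER_ROLES (login text not null, role text not null);
    """)
    # Only the hash goes into passwd; the clear text is never stored.
    # Sample logins/passwords are constructed for this example.
    conn.execute("insert into USERS values (?, ?)", ("max", hash_password("s3cret")))
    conn.execute("insert into USER_ROLES values (?, ?)", ("max", "Admin"))
    conn.execute("insert into USERS values (?, ?)", ("guest", hash_password("guest")))
    conn.execute("insert into USER_ROLES values (?, ?)", ("guest", "Viewer"))
    conn.commit()
    return conn


def authenticate(conn, login, password, algorithm="MD5", encoding="BASE64"):
    """Replay the module's logic: fetch the stored hash, hash the submitted
    password the same way, compare, then collect the roles in group 'Roles'.
    Returns the role set on success and None when the login fails."""
    row = conn.execute(PRINCIPALS_QUERY, (login,)).fetchone()
    if row is None:
        return None  # unknown login
    if row[0] != hash_password(password, algorithm, encoding):
        return None  # stored hash does not match the submitted password
    roles = set()
    for role, group in conn.execute(ROLES_QUERY, (login,)):
        if group == "Roles":
            roles.add(role)
    return roles


def is_authorized(roles, required="Admin"):
    """The auth-constraint from web.xml: the principal needs role 'Admin'."""
    return roles is not None and required in roles


if __name__ == "__main__":
    db = build_sample_db()
    for user, pw in (("max", "s3cret"), ("max", "wrong"), ("guest", "guest")):
        granted = authenticate(db, user, pw)
        print(user, pw, "->", granted, "admin:", is_authorized(granted))
```

The HEX branch is there because hashEncoding also accepts HEX; whichever encoding is configured, the string in passwd must be byte-for-byte what hash_password produces for that algorithm and encoding, otherwise a correct clear-text login is rejected exactly the way reply 2 describes.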