10 Replies Latest reply on Jul 28, 2005 5:18 AM by Thomas Cherel

    Selective access to application running on JBoss!

    Manish gupta Newbie

      Hi, I am new to JBoss. I want to give role wise access to clients who want to connect to the server.
      In more detail, I am having the JBoss server running on one maching with some application deployed on it, now I want to let only selected machines (depends upon the roles like admin, user etc.) to access the application running on the JBoss server.
      Can i do it with JBoss 4.x and if yes then plz let me know.
      Any help will be highly appreciated!

      Thanks in advance.

      Maddy

        • 1. Re: Selective access to application running on JBoss!
          Thomas Cherel Novice

          It looks like standard J2EE security to me and JBoss can definitely do that, but you need to be a little more specific in your requirements before a more detailed answer can be provided.

          1) You are saying "only selected machines" but you are also talking about some roles. Roles are ususally assigned to users, not machines. Do you want the access to be driven by which user is accessing the JBoss server (regardeless from which physical machine they do it) or do you want it to be driven depending of which physical machine is accessing the server (which is not standard J2EE security anymore).

          2) If driven by users, where are the users coming from? Your own database? An external directory (like LDAP)?

          3) Where do you want your user/role associations to be defined? Should ana dminsitrator be able to define these associations through your own interface (administration tool or something like that)?

          Thomas

          • 2. Re: Selective access to application running on JBoss!
            Manish gupta Newbie

            Hi tcherel,
            Thanks for the reply....I very much want the access to be driven by the user based upon a role (regardless of any physical machine).
            As far as user is concerned it will come from the database. But as i was exploring the JBoss i came across login-config.xml file in the /conf directory which actually lets u to configure a templete for the web console web application. It defines an <application-policy> tag under which we can specify userProperties & roleProperties files where we can defines the user's properties in form of "username=password" and user's role in form of "username=role1, role2......".
            But i could not understand the whole architecture.......
            Am i going to the right direction.....plz give me ur valuable comments if you have anything to share....

            cheers!
            maddy

            • 3. Re: Selective access to application running on JBoss!
              Thomas Cherel Novice


              Ok, so it seems that you want standard J2EE security.
              There is two aspects to use standard security in JBoss: what is specified byt the J2EE spec and what is application server (JBoss in your case) specific.

              For the J2EE specified aspect you need to declare your security constraints in your J2EE deployment descriptors (web.xml for web application and ejb-jar.xml for EJB components). See J2EE spec for more details. These constraints are basically saying which roles are needed to access which resources.

              For the JBoss aspect, you need to do the following:

              - First define your security domain. This is what you saw in the login-config.xml. It basically defines your user source (how users are authenticated) and where the user/role associations are coming from. If you want all that to come from a database, you might want to take a look at the JBoss DataBaseServerLogin module (see the wiki page about JBoss security: http://wiki.jboss.org/wiki/Wiki.jsp?page=JBossSX).

              - Associate your J2EE applications (web or EJB) with the defined security domain. This is done through the JBoss specific deployment descriptor (jboss-web.xml or jboss.xml) by adding the the security-doamin element that will reference the domain that you defined in your login-config.xml.

              Between the JBoss-SX Wiki and the HowTo sample (referenced from the Wiki pages), you should find all the details that you need.

              Thomas

              • 4. Re: Selective access to application running on JBoss!
                Manish gupta Newbie

                in continuation of the previous reply.........
                as far as my objective is concerned.....
                I am having an application running on JBoss server which is a sperate machine......on the local lan there are several other machines(clients) to whom i want to give role based access to the server as i have different tools including code coverage tools which are running on that server and which requires no interruption during that time i.e. no request should be made to the application while those tools are running on that applicaton.
                So after giving the role based access anybody who needs any resource on the that application would need to go through a login page where he/she would require to enter his/her username,password and role....so that whever we run any tool on that application we disable those role given to different clients so that they can't access the application.

                hope u would have an idea of my requirment..........

                maddy

                • 5. Re: Selective access to application running on JBoss!
                  Manish gupta Newbie

                  Thomas,
                  You are right........i have defined the security domain in login-config.xml file and create user.properties and role.properties files where i specified the username=password and username=role1, role2....... and also associate my web application with defined security domain by adding that security domain in the jboss-web.xml file.
                  But now the question is as i need to make a login page in form of a gui where the user will required his username and password, how will the server know about that login page so that on every new request it redirect that request to that login page......

                  maddy

                  • 6. Re: Selective access to application running on JBoss!
                    Thomas Cherel Novice

                    A few different answers to your two last post:

                    1) With web applications, you can basically handle the login in two different way: BASIC authentication (that will cause the web browser to display the "standard" login window asking for user name and password) or FORM based authentication where you can create your own login page.
                    Both are part of the J2EE servlet 2.3 specification.
                    In the case of the FORM login (which seems to be what you want to do), you need to delcare your login page in the web.xml and you need to make sure that your login form is usign the standard names for the user and password fields (see servlet spec) as well as for the action associated to the form.

                    2) You seem to say that user will provide his username, password and role when login in. I do not think you want the user to specify his own role upon login. The roles attached to a user are specified as part of your role.properties file (in your currrent case).

                    3) In order to be able to remove some roles assigned to a user without restarting JBoss, you will have to use something else than the UsersRolesLoginModule that is based on property files that can not be dynamically updated. You might want to use the DatabaseServerLoginModule instead. You can then have an SQL script that you run to add/remove roles for your users when needed.
                    Only caveat to that: if a user is currently using the application (he has already login and he did not logout yet), changing his roles in the database is not going to be taken into account (roles are established at the time the user is login in. After that they are cached and cannot be modified dynamically, or at least not without some custom JBoss code).
                    Two options to fix this problem:
                    a) provide a way to force the disconnect of all active clients. You should be able to do that by putting in place some kind of admin page that will allow you to invalidate all currently active HTTP session (might need to check in Tomcat documentation how this can be done).
                    b) implement your own JACC provider that can then be much more dynamic in determining the roles for a given user. This is probably not the easiest thing to do.

                    Thomas



                    • 7. Re: Selective access to application running on JBoss!
                      Manish gupta Newbie

                      ......that means if i just defined the security domain in the login-config.xml file and create user.properties and role.properties file with the username=password and username=role1,role2... entries and also associate my web application with the defined security domain by adding that security domain in the Jboss-web.xml file, all the user(client) will be presented a standard window asking the user name and password at the time of making any new request to the server.
                      Because if this is the case then that will also sufficient for me.
                      Plz correct me if my understanding is wrong......


                      maddy

                      • 8. Re: Selective access to application running on JBoss!
                        Thomas Cherel Novice

                        This is almost enough....

                        You also need to define your login page in the web.xml (standard servlet login-config stuff) and you need to define some security contraints on your web app URLs (also done in the web.xml) to mark them as "secured" otherwise login will not be requested.

                        But, once JBoss is up and running, if you want to change the role assigned to certain users, then you will have to do it by updating the roles.properties file and this cannot be done without a stop/restart of JBoss.
                        If you do not need it to be that dynamic, then you should be all set.

                        Thomas

                        • 9. Re: Selective access to application running on JBoss!
                          Manish gupta Newbie

                          .....But do i need to define my own login page even if i want BASIC authentication only ? I guess that standard login window will be provided by the browser itself.....and what kind of security constraints do i need to define in web app url(and also in web.xml) to mark it as "secure"......

                          As far as changing roles are concerned i don't have any problem in stopping/restarting the JBoss server.

                          cheers !

                          maddy

                          • 10. Re: Selective access to application running on JBoss!
                            Thomas Cherel Novice


                            Indeed, no need to define your own login page if you want BASIC authentication.
                            Check the servlet specification to see how to declare security constraints in your web.xml file.

                            Here is an example:

                            <security-constraint>
                            <web-resource-collection>
                            <web-resource-name>Restricted</web-resource-name>
                            Restricted resources
                            <url-pattern>/*</url-pattern>
                            </web-resource-collection>

                            <auth-constraint>
                            <role-name>Role1</role-name>
                            </auth-constraint>

                            <user-data-constraint>
                            no description
                            <transport-guarantee>NONE</transport-guarantee>
                            </user-data-constraint>
                            </security-constraint>

                            Thomas