0 Replies Latest reply on Jun 9, 2009 4:28 AM by Gajanan More

    securing a web project on jboss using https(SSL)

    Gajanan More Newbie

      Hi
      I am facing some problems while securing a web application on jboss...
      below are the steps which i followed.....
      I have created a web application in eclipse 3.2.2 on jboss 4.2.2GA .
      I want to secure my webappllication using SSL
      for this i have

      1.generated certificate by using "%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA" command line

      2.I have changed jboss/server/default/deploy/jboss-web.deployer/server.xml file .in this file i replaced <connector port=8080..../> TO



      3.Modified web.xml of the web application:
      Added security mappings to web.xml file:

      <servlet-mapping>
      <servlet-name>testsecurity</servlet-name>
      <url-pattern>/testsecurity</url-pattern>
      </servlet-mapping>

      <security-constraint>
      <web-resource-collection>
      <web-resource-name>All resources</web-resource-name>
      Protects all resources
      <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
      <role-name>WebAppUser</role-name>
      </auth-constraint>
      </security-constraint>

      <security-role>
      <role-name>WebAppUser</role-name>
      </security-role>
      <login-config>

      <auth-method>BASIC</auth-method>
      <realm-name>Test Realm</realm-name>
      </login-config>

      4. created a jboss-web.xml file in side web-inf and made an entry of
      <jboss-web>
      <security-domain>java:/jaas/myweb-console</security-domain>
      </jboss-web>

      5. when i am trying to deploy and run the application on jboss it is prompting for user name and password.

      6.i have changed the boss-4.2.0.GA\server\default\conf\login-config.xml file . added :
      <application-policy name = "myweb-console">

      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag = "required">

      <module-option name="usersProperties">web-console-users.properties</module-option>
      <module-option name="rolesProperties">web-console-roles.properties</module-option>

      </login-module>

      </application-policy>

      when i specify the username and password i am not able to see my index.jsp page it is giving me status 401 error authentication.
      my dout is do i need to specify username password of the certificate in any one of the property file of jboss if so ... please let me know the formate to specify....
      tel me weather my approach to secure the webapplication on jboss is correct or not

      I am able to access the jboss console using
      https://localhost:8443/

      when iam trying to access https://localhost:8443/testsecurity
      it is giving error asaying status 401 authentication...
      it should display index.jsp page ....
      looking forward for ur replies .......Please help if any one has idea about ssl security for jboss