0 Replies Latest reply on Aug 24, 2004 4:30 PM by gjb

    login-config.xml and protection of http://myhost/jboss-net

    gjb Newbie

      Hi,

      I'm browsing for an example, and cannot find what I'm looking for...

      How to secure my web services with simple user/pass?

      I'm using jboss-3.2.1 and have successfully developed and deployed my application web services. Now, I need to secure them. But, nothing fancy, just a simple user/pass configuration... perhaps similar to the configuration I've done with the jmx-console.

      I edit the jboss-3.2.1/server/default/conf/login-config.xml to include the following:

      <application-policy name = "jboss-net">

      <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
      flag = "required" />

      <module-option name="usersProperties">users.properties</module-option>
      <module-option name="rolesProperties">roles.properties</module-option>

      </application-policy>

      This is exactly what was used to configure my jmx-console (except that the name="jboss-net" is name="jmx-console" of course. Anyhow, I don't think this did anything to the jboss-net because I can still access the web page and services on my server without any prompt for the user/pass.

      What else must I do to enable basic user/pass for the jboss-net web services? Also, where would I deploy the users.properties and roles.properties files... under jboss-3.2.1/server/default/deploy/jboss-net.sar someplace?

      Or... maybe I'm going about this all wrong? Must I instead configure different security settings for each of the services deployed? Ideally, I don't want anyone to be able to access anything from my server under http://myhost/jboss-net

      Thanks, Gretel