Hi,

I'm browsing for an example, and cannot find what I'm looking for...

How to secure my web services with simple user/pass?

I'm using jboss-3.2.1 and have successfully developed and deployed my application web services. Now, I need to secure them. But, nothing fancy, just a simple user/pass configuration... perhaps similar to the configuration I've done with the jmx-console.

I edit the jboss-3.2.1/server/default/conf/login-config.xml to include the following:

<application-policy name = "jboss-net">

<login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required" />

<module-option name="usersProperties">users.properties</module-option>
<module-option name="rolesProperties">roles.properties</module-option>

</application-policy>

This is exactly what was used to configure my jmx-console (except that the name="jboss-net" is name="jmx-console" of course. Anyhow, I don't think this did anything to the jboss-net because I can still access the web page and services on my server without any prompt for the user/pass.

What else must I do to enable basic user/pass for the jboss-net web services? Also, where would I deploy the users.properties and roles.properties files... under jboss-3.2.1/server/default/deploy/jboss-net.sar someplace?

Or... maybe I'm going about this all wrong? Must I instead configure different security settings for each of the services deployed? Ideally, I don't want anyone to be able to access anything from my server under http://myhost/jboss-net

Thanks, Gretel