1 Reply Latest reply on May 13, 2005 10:59 AM by Richard Gbehode KOUDRY

    JBoss Security: how to implement security in a web app runni

    Richard Gbehode KOUDRY Newbie

      Dear All,

      I am new to JBoss and have been trying to develop a web app. I need a simple way to implement security on my web app.

I know I have to make some entries in the web.xml as follows:


      and add security-role-ref to servlets where necessary.

      I know that I have to add a security domain name to the jboss-web.xml file and I know of the existence of the jboss-login.xml file although I don't know what should go in there.

      What I need is to be able to create users with their passwords and associate them to roles. I want to do this declaratively. I was expecting this to be easy, I think it is but I just don't know how to go about it.

      I am familiar with the concept of security realm, roles, users identified by their passwords and assigning roles to users. I have done this in Bea WebLogic server via the admin console.

      I will be very grateful if someone could give me a simple idea of the main steps to follow, what files to change etc. I am using the default server configuration that comes with JBoss 4.0 for my web app.

      Many thanks in advance.


        • 1. Re: JBoss Security: how to implement security in a web app r
          Richard Gbehode KOUDRY Newbie

          Dear colleagues,

This is to let you know that I have now managed to implement simple security in my web app. I followed the starting guide that came with JBoss 4 and did some guesswork, which has paid off.

          I have used 4 steps to solve the problem:

          Step 1: entries in the web.xml file


An example security config that only allows users with the role Admin to access my web application:



          <!--Login config-->

          Step 2: entry in the jboss-web.xml


          Notes: In this case, SCWCDWeb2 is the name of my web app.

          Step 3: entry in the login-config.xml file

<application-policy name="SCWCDWeb2">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="usersProperties">SCWCDWeb2-users.properties</module-option>
      <module-option name="rolesProperties">SCWCDWeb2-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>


          Notes: In this case, SCWCDWeb2 is the name of my web app.

          Step 4: entries in SCWCDWeb2-users.properties and SCWCDWeb2-roles.properties

          * These two files sit in the src directory
          * entry in the SCWCDWeb2-users.properties is in the format username = password, e.g. joe = blog
          * entry in the SCWCDWeb2-roles.properties is in the form of username = roleName, e.g. joe = Admin

          * In this case, SCWCDWeb2, the prefix of the file names, is the name of my web app.
          * The role name Admin must be defined in the web.xml file, e.g. <role-name>Admin</role-name>

          I am not sure if this is the best way to do this, but if anyone finds a better way, I would like to know.
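The web.xml and jboss-web.xml entries referred to in Steps 1 and 2 did not survive in the post above. The following is an added example, not the poster's own configuration: it restricts the whole web app to the Admin role and binds it to the SCWCDWeb2 application-policy, and it shows the same login-config.xml entry with hashed instead of clear-text passwords. The `/*` url-pattern, BASIC authentication, the realm name and the SHA-256/base64 choice are assumptions.

```xml
<!-- web.xml (Step 1): only users in role Admin reach the protected URLs.
     url-pattern, auth-method and realm-name are assumptions for this example. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name>
    <url-pattern>/*</url-pattern>          <!-- whole web app is protected -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>Admin</role-name>           <!-- must match roles.properties -->
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>SCWCDWeb2</realm-name>
</login-config>

<!-- every role named in an auth-constraint must also be declared here -->
<security-role>
  <role-name>Admin</role-name>
</security-role>

<!-- jboss-web.xml (Step 2): the security-domain is the JNDI name of the
     application-policy defined in login-config.xml -->
<jboss-web>
  <security-domain>java:/jaas/SCWCDWeb2</security-domain>
</jboss-web>

<!-- login-config.xml (Step 3) with hashed passwords: the hashAlgorithm and
     hashEncoding options of UsersRolesLoginModule make the module hash the
     submitted password and compare it to the stored digest, so the
     users.properties file holds base64(SHA-256(password)) instead of
     "joe = blog" in clear text. -->
<application-policy name="SCWCDWeb2">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="usersProperties">SCWCDWeb2-users.properties</module-option>
      <module-option name="rolesProperties">SCWCDWeb2-roles.properties</module-option>
      <module-option name="hashAlgorithm">SHA-256</module-option>
      <module-option name="hashEncoding">base64</module-option>
    </login-module>
  </authentication>
</application-policy>
```

With hashing enabled, an Admin entry in SCWCDWeb2-users.properties is `joe = <base64 SHA-256 digest of the password>`, and the roles file stays `joe = Admin`.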