1 Reply Latest reply on May 13, 2005 10:59 AM by Richard Gbehode KOUDRY

    JBoss Security: how to implement security in a web app runni

    Richard Gbehode KOUDRY Newbie

      Dear All,

      I am new to JBoss and have been trying to develop a web app. I need a simple way to implement security on my web app.

      I know I have to make some entries in the web.xml as follow:

      secruity-role
      secruity-constraint

      and add security-role-ref to servlets where necessary.

      I know that I have to add a security domain name to the jboss-web.xml file and I know of the existence of the jboss-login.xml file although I don't know what should go in there.

      What I need is to be able to create users with their passwords and associate them to roles. I want to do this declaratively. I was expecting this to be easy, I think it is but I just don't know how to go about it.

      I am familiar with the concept of security realm, roles, users identified by their passwords and assigning roles to users. I have done this in Bea WebLogic server via the admin console.

      I will be very grateful if someone could give me a simple idea of the main steps to follow, what files to change etc. I am using the default server configuration that comes with JBoss 4.0 for my web app.

      Many thanks in advance.

      Koudry

        • 1. Re: JBoss Security: how to implement security in a web app r
          Richard Gbehode KOUDRY Newbie

          Dear colleagues,

          This is to let you know that I have now managed to implement a simple security in my webapp. I have followed the starting guide that came with JBoss 4 and to do some guess works which have paid off.

          I have used 4 steps to solve the problem:

          Step 1: entries in the web.xml file

          <security-constraint>
          <web-resource-collection>
          <web-resource-name>mywebapp</web-resource-name>

          An example security config only allows users with the
          role Admin to access my web application

          <url-pattern>/protected/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
          </web-resource-collection>
          <auth-constraint>
          <role-name>Admin</role-name>
          </auth-constraint>
          </security-constraint>

          <security-role>
          <role-name>Admin</role-name>
          </security-role>

          <!--Login config-->
          <login-config>
          <auth-method>FORM</auth-method>
          <form-login-config>
          <form-login-page>/unprotected/login.jsp</form-login-page>
          <form-error-page>/unprotected/login_error.jsp</form-error-page>
          </form-login-config>
          </login-config>

          Step 2: entry in the jboss-web.xml

          <jboss-web>
          <security-domain>
          java:/jaas/SCWCDWeb2
          </security-domain>
          </jboss-web>

          Notes: In this case, SCWCDWeb2 is the name of my web app.

          Step 3: entry in the login-config.xml file

          <application-policy name = "SCWCDWeb2">

          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
          flag = "required">
          <module-option name="usersProperties">SCWCDWeb2-users.properties</module-option>
          <module-option name="rolesProperties">SCWCDWeb2-roles.properties</module-option>
          </login-module>

          </application-policy>

          Notes: In this case, SCWCDWeb2 is the name of my web app.

          Step 4: entries in SCWCDWeb2-users.properties and SCWCDWeb2-roles.properties

          * These two files sit in the src directory
          * entry in the SCWCDWeb2-users.properties is in the format username = password, e.g. joe = blog
          * entry in the SCWCDWeb2-roles.properties is in the form of username = roleName, e.g. joe = Admin

          Notes:
          * In this case, SCWCDWeb2, the prefix of the file names, is the name of my web app.
          * The role name Admin must be defined in the web.xml file, e.g. <role-name>Admin</role-name>

          --------------
          I am not sure if this is the best way to do this, but if anyone finds a better way, I would like to know.

          Thanks,

          Koudry