1. Re: JBoss Security: how to implement security in a web app r
koudry May 13, 2005 10:59 AM (in response to koudry)
Dear colleagues,
This is to let you know that I have now managed to implement simple security in my webapp. I have followed the starting guide that came with JBoss 4 and had to do some guesswork, which has paid off.
I have used 4 steps to solve the problem:
Step 1: entries in the web.xml file
<security-constraint>
  <web-resource-collection>
    <web-resource-name>mywebapp</web-resource-name>
    <description>
      An example security config only allows users with the
      role Admin to access my web application
    </description>
    <url-pattern>/protected/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Admin</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>Admin</role-name>
</security-role>
<!-- Login config -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/unprotected/login.jsp</form-login-page>
    <form-error-page>/unprotected/login_error.jsp</form-error-page>
  </form-login-config>
</login-config>
Step 2: entry in the jboss-web.xml
<jboss-web>
  <security-domain>java:/jaas/SCWCDWeb2</security-domain>
</jboss-web>
Notes: In this case, SCWCDWeb2 is the name of my web app.
Step 3: entry in the login-config.xml file
<application-policy name="SCWCDWeb2">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag="required">
      <module-option name="usersProperties">SCWCDWeb2-users.properties</module-option>
      <module-option name="rolesProperties">SCWCDWeb2-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>
Notes: In this case, SCWCDWeb2 is the name of my web app.
Step 4: entries in SCWCDWeb2-users.properties and SCWCDWeb2-roles.properties
* These two files sit in the src directory
* entry in the SCWCDWeb2-users.properties is in the format username = password, e.g. joe = blog
* entry in the SCWCDWeb2-roles.properties is in the form of username = roleName, e.g. joe = Admin
Notes:
* In this case, SCWCDWeb2, the prefix of the file names, is the name of my web app.
* The role name Admin must be defined in the web.xml file, e.g. <role-name>Admin</role-name>
--------------
I am not sure if this is the best way to do this, but if anyone finds a better way, I would like to know.
Thanks,
Koudry
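
The four steps in the post above only work when names line up across the files, so here is an added example (not part of the original post and not JBoss code) that cross-checks them in Python. It goes slightly beyond the post by also reporting that a constraint listing `<http-method>` elements applies only to those methods, as the Servlet specification defines. The function name `audit`, the sample constants and the namespace-free descriptors are assumptions made for this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed inputs mirroring the post's values (descriptors without XML namespaces).
WEB_XML = """<web-app><security-constraint><web-resource-collection>
  <web-resource-name>mywebapp</web-resource-name>
  <url-pattern>/protected/*</url-pattern>
  <http-method>GET</http-method><http-method>POST</http-method>
</web-resource-collection>
<auth-constraint><role-name>Admin</role-name></auth-constraint></security-constraint>
<security-role><role-name>Admin</role-name></security-role>
<login-config><form-login-config>
  <form-login-page>/unprotected/login.jsp</form-login-page>
  <form-error-page>/unprotected/login_error.jsp</form-error-page>
</form-login-config></login-config></web-app>"""
JBOSS_WEB = "<jboss-web><security-domain>java:/jaas/SCWCDWeb2</security-domain></jboss-web>"
LOGIN_CONFIG = '<policy><application-policy name="SCWCDWeb2"/></policy>'
ROLES = "joe = Admin\n"

def audit(web_xml, jboss_web_xml, login_config_xml, roles_props):
    """Hypothetical helper: cross-check the four files and return a list of findings."""
    web, findings, patterns, granted = ET.fromstring(web_xml), [], [], set()
    declared = {r.text.strip() for r in web.findall("security-role/role-name")}
    for line in roles_props.splitlines():  # roles file: "username = role1,role2"
        if "=" in line and not line.lstrip().startswith("#"):
            granted.update(r.strip() for r in line.split("=", 1)[1].split(","))
    for sc in web.findall("security-constraint"):
        for coll in sc.findall("web-resource-collection"):
            patterns += [p.text.strip() for p in coll.findall("url-pattern")]
            methods = sorted(m.text.strip() for m in coll.findall("http-method"))
            if methods:  # listed methods are the only ones the constraint covers
                findings.append(f"only {methods} are constrained; other HTTP methods are not")
        for role in (r.text.strip() for r in sc.findall("auth-constraint/role-name")):
            if role not in declared:
                findings.append(f"role {role} is not declared in <security-role>")
            if role not in granted:
                findings.append(f"no user holds role {role} in the roles file")
    # Login and error pages must stay outside protected prefixes such as /protected/*
    for page in web.findall("login-config/form-login-config/*"):
        if any(page.text.strip().startswith(p.rstrip("*")) for p in patterns):
            findings.append(f"{page.tag} {page.text.strip()} is inside a protected pattern")
    # java:/jaas/<name> must match an <application-policy name="<name>"> entry
    domain = ET.fromstring(jboss_web_xml).findtext("security-domain").strip()
    policies = {p.get("name") for p in ET.fromstring(login_config_xml).iter("application-policy")}
    if domain.rsplit("/", 1)[-1] not in policies:
        findings.append(f"security domain {domain} has no matching application-policy")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(WEB_XML, JBOSS_WEB, LOGIN_CONFIG, ROLES)))
```

Run against the values from the post, it reports one finding, the GET/POST-only constraint; removing the two `<http-method>` lines makes the constraint cover every method.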