1 Reply Latest reply on May 13, 2005 10:59 AM by koudry

JBoss Security: how to implement security in a web app runni

koudry May 6, 2005 9:02 AM

Dear All,

I am new to JBoss and have been trying to develop a web app. I need a simple way to implement security on my web app.

I know I have to make some entries in the web.xml as follow:

secruity-role
secruity-constraint

and add security-role-ref to servlets where necessary.

I know that I have to add a security domain name to the jboss-web.xml file and I know of the existence of the jboss-login.xml file although I don't know what should go in there.

What I need is to be able to create users with their passwords and associate them to roles. I want to do this declaratively. I was expecting this to be easy, I think it is but I just don't know how to go about it.

I am familiar with the concept of security realm, roles, users identified by their passwords and assigning roles to users. I have done this in Bea WebLogic server via the admin console.

I will be very grateful if someone could give me a simple idea of the main steps to follow, what files to change etc. I am using the default server configuration that comes with JBoss 4.0 for my web app.

Many thanks in advance.

Koudry

1. Re: JBoss Security: how to implement security in a web app r

koudry May 13, 2005 10:59 AM (in response to koudry)

Dear colleagues,

This is to let you know that I have now managed to implement a simple security in my webapp. I have followed the starting guide that came with JBoss 4 and to do some guess works which have paid off.

I have used 4 steps to solve the problem:

Step 1: entries in the web.xml file

<security-constraint>
<web-resource-collection>
<web-resource-name>mywebapp</web-resource-name>

An example security config only allows users with the
role Admin to access my web application

<url-pattern>/protected/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>
</security-constraint>

<security-role>
<role-name>Admin</role-name>
</security-role>


<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/unprotected/login.jsp</form-login-page>
<form-error-page>/unprotected/login_error.jsp</form-error-page>
</form-login-config>
</login-config>

Step 2: entry in the jboss-web.xml

<jboss-web>
<security-domain>
java:/jaas/SCWCDWeb2
</security-domain>
</jboss-web>

Notes: In this case, SCWCDWeb2 is the name of my web app.

Step 3: entry in the login-config.xml file

<application-policy name = "SCWCDWeb2">

<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required">
<module-option name="usersProperties">SCWCDWeb2-users.properties</module-option>
<module-option name="rolesProperties">SCWCDWeb2-roles.properties</module-option>
</login-module>

</application-policy>

Notes: In this case, SCWCDWeb2 is the name of my web app.

Step 4: entries in SCWCDWeb2-users.properties and SCWCDWeb2-roles.properties

* These two files sit in the src directory
* entry in the SCWCDWeb2-users.properties is in the format username = password, e.g. joe = blog
* entry in the SCWCDWeb2-roles.properties is in the form of username = roleName, e.g. joe = Admin

Notes:
* In this case, SCWCDWeb2, the prefix of the file names, is the name of my web app.
* The role name Admin must be defined in the web.xml file, e.g. <role-name>Admin</role-name>

--------------
I am not sure if this is the best way to do this, but if anyone finds a better way, I would like to know.

Thanks,

Koudry
Actions