8 Replies Latest reply on Jun 7, 2009 11:47 AM by Mad Rug

    JB Security + JB Identity

    Mad Rug Newbie


      I'm developing a web application and was thinking of using Portal for it, but it is being ruled out for providing much more features that we do not need, and in fact may give us extra work. I do need user authentication, security, user roles and such, but there are no needs for portlets, WSRP, CMS, forums and most of other Portal features. We would need to remove many of them, and redesign it completely (we aim for a very simple design, no eye candy), almost trashing all its visual frontend.

      Is it possible to quickly (and easily, I hope), integrate the security and identity projects with a generic web app, without further requirements or dependencies? I'm using JBoss AS 4.2.1, and will use JBoss Cache in the future.


        • 1. Re: JB Security + JB Identity
          Peter Johnson Master

          What are you using for the user interface? Servlets/JSP? JSF? Something else? Basic web applications already provide security support. For an intro, see http://www.moreservlets.com/Table-of-Contents.html, part III

          • 2. Re: JB Security + JB Identity
            Mad Rug Newbie


            "PeterJ" wrote:
            What are you using for the user interface? Servlets/JSP? JSF? Something else? Basic web applications already provide security support. For an intro, see http://www.moreservlets.com/Table-of-Contents.html, part III

            I'm using Servlets/JSP/JSTL. It is a basic web app, but it is commercial (security is a key issue), and implementing/handling the security features is quite a task by itself. What I'm looking for is some kind of framework that can manage all these tasks... roles, user hierarchy, permissions, identity, session control, unauthorized access blocking, and that's pretty much what JBoss Portal offers out-of-the-box, creating the required DB structure and managing it.
            That's why Portal interested me, but I was not allowed to use Portal as-is, so I wanted to take from it only the features we are interested in, and that's why I think Identity and Security can help me.
            I know that the web front-end of it will be done by me, but handling lower level of it will be very helpful.

            Thanks again.

            • 3. Re: JB Security + JB Identity
              Peter Johnson Master

OK, what you need then is a way to hook up the access control info in your web.xml with some authentication mechanism. For that, you need a login module. You can read up about it in the docs, the security chapter, probably starting with this: http://www.jboss.org/file-access/default/members/jbossas/freezone/docs/Server_Configuration_Guide/4/html/Security_on_JBoss-Defining_Security_Domains.html

Essentially, you need to do two things. First, you need to set up an application-policy entry in server/xx/conf/login-config.xml. This entry describes how authentication will take place. That file has several examples. Then you need to create a WEB-INF/jboss-web.xml file in your web app and identify the security domain that you set up in login-config.xml.

              Here is a post that appears to have all of the pieces, using a database to store the authentication data:

              • 4. Re: JB Security + JB Identity
                Mad Rug Newbie

                Thanks again, PeterJ

The topic you linked is very useful, I intend to use form/DBLogin, so this will come in handy. The http://docs.jboss.org/jbossas/jboss4guide/r5/html/ch8.chapter.html page is a good reference.
                I looked at Identity docs, and SAML is not useful for me, so I'll leave it alone (I thought it had another purpose).

                I could not find Security documentation (except the one provided with Portal and the one above), and I'd like to know better what features it provides. Sorry, but I really couldn't find any clarifying docs about what Security project can do out-of-the-box or provide as default implementation. I was expecting it could offer a standard DB schema for auth/roles, allowing certain customization, like Portal does when it is first used, speeding up app dev.
                Can you clarify this?

If such default security implementation is not part of Security project itself but an addition by Portal, maybe I will try using Portal, remove its unneeded features, and redesign the theme.

I know it seems I'm just trying to avoid implementing Security code myself, but I fear for the robustness of this code, and I believe it would be safer to use a default implementation and polish it.


                • 5. Re: JB Security + JB Identity
                  Peter Johnson Master

There is no standard schema for the database login server. As an example you can look at what is done for messaging - it uses a database login module and stores users and roles in the database. The db login module is made to be very generic so that you can use almost any schema to configure login, which is handy if you are already storing user info in the database.

I guess I fail to see what using Portal to do your security would buy you. The only thing it provides above the database login module is an access control mechanism which is applied to portals, pages and portlet instances. And it has some gotchas when it comes to defining access control. I think that if your access control is already defined in your web.xml, then the login module is all that you need.

                  I do have a resource that goes into some detail on JBoss AS security (even for the Portal), but it is not free. I can provide a link if you like.
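The two pieces described above (an application-policy in login-config.xml plus a jboss-web.xml that names the security domain), wired to the generic database login module and to the web.xml access control, as an added example that is not from any post in this thread. The domain name, datasource JNDI name, table and column names, role names and page paths are assumptions for illustration, not values taken from the page.

```xml
<!-- Added example, not from the thread. MyAppDomain, java:/MyAppDS, the Users
     and UserRoles tables, and the role names are assumed names. -->

<!-- 1. server/xx/conf/login-config.xml: the application-policy entry -->
<application-policy name="MyAppDomain">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <module-option name="dsJndiName">java:/MyAppDS</module-option>
      <!-- one column: the stored (hashed) password of the named user -->
      <module-option name="principalsQuery">SELECT passwd FROM Users WHERE username=?</module-option>
      <!-- two columns: role name and role group; the group must be the
           literal 'Roles' for web.xml auth-constraint checks to see them -->
      <module-option name="rolesQuery">SELECT role, 'Roles' FROM UserRoles WHERE username=?</module-option>
      <!-- hash the submitted password before comparing, so the Users table
           never needs to hold cleartext passwords -->
      <module-option name="hashAlgorithm">SHA-256</module-option>
      <module-option name="hashEncoding">base64</module-option>
    </login-module>
  </authentication>
</application-policy>

<!-- 2. WEB-INF/jboss-web.xml: point the web app at that security domain -->
<jboss-web>
  <security-domain>java:/jaas/MyAppDomain</security-domain>
</jboss-web>

<!-- 3. WEB-INF/web.xml: the access-control info the login module enforces;
     unauthenticated requests to /app/* are redirected to the form -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected</web-resource-name>
    <url-pattern>/app/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>clerk</role-name>
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role><role-name>clerk</role-name></security-role>
<security-role><role-name>manager</role-name></security-role>
```

The values stored in the passwd column must be produced with the same algorithm and encoding named in hashAlgorithm/hashEncoding, otherwise every login fails with a bad-password error even for correct credentials.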

                  • 6. Re: JB Security + JB Identity
                    Mad Rug Newbie

I saw in the docs the DB login is very flexible, and yet quite simple. A couple of queries for password and roles retrieval, plus a util for password hashing. And not so complex to quickly implement.

                    Pages and portlets access control was something I was excited about... I was intending to remove the public portal (no unauthorized), define many pages, probably one (maximized) portal per page (no decorations and no playing around with portlet window states and positioning), and then restrict the pages access according to user roles (we will have 6-10 of them). Many of our users will have little to no computer knowledge, so we wanted to simplify the design to the max.
As I haven't tested Portal properly, I'm not aware of such gotchas. Even though you think Portal would not be so useful for me, maybe I'm hoping it could do more than it can as it is. Seeing the Portal with login, navigation, authorization, access control already working on first run, I wonder why you think all this won't be useful.

And I'd be very grateful if you could share this resource on Security. Any additional thoughts on your opinion are very welcome too.

                    • 7. Re: JB Security + JB Identity
                      Peter Johnson Master

                      Here are a few things that might be of help.

                      I gave a presentation on building a custom portal at JBossWorld last year. It includes some security information and other things you might find of help if you plan to go the portal route.

                      Here are some forums posts that discuss portal security gotchas:
http://www.jboss.com/index.html?module=bb&op=viewtopic&t=115712

                      Finally, the non-free resource: JBoss in Action contains a lot of security information about JBoss AS, for web apps and various services. It also includes Portal security and building a custom portal.

                      • 8. Re: JB Security + JB Identity
                        Mad Rug Newbie

                        Those topics are issues I'd face very soon... I'll make good use of them. Got your book from a friend. It looks very well explained... the portal customization seems worth the time, so I think I should try it. If I manage to do it easily, some extra xml config and my custom portlet development should be way better for a simpler and more customizable project.

                        Many thanks for all your time, Peter!