JBossAS7: Secure my Web App: How Do I?

This article is for people looking for ways to secure their Java EE web apps. I am assuming that your web app contains servlets, JSPs, HTML, etc. If you have a Seam-based app, then Seam Security is what you should look for.

Bare Minimum Security

This is for when you just want to secure your web app in the most minimal way, for example something like the default jmx-console that you want to ship with JBoss AS7.


Step 1: Add a security-constraint to your web.xml

Step 2: Add a security-domain to your jboss-web.xml

Step 3: Configure a security domain in standalone.xml

Step 4: Have users.properties and roles.properties files in the WEB-INF/classes directory of your web application


That is it.  How do you achieve these steps?  Look in the references below.


  1. http://java.dzone.com/articles/understanding-web-security
  2. http://community.jboss.org/wiki/JBossAS7SecurityDomainModel