Version 3

    Jboss main configurations and security issues


    1.     Jboss usually comes with three configurations:

    •      The min configuration: the logging service, a JNDI server and a URL deployment scanner.

    •      The default configuration consists of the standard services needed by most J2EE applications such as:

      •      MainDeployer=MainDeployer.

      •      SARDeployer=ServiceDeployer.

      •      EARDeployer=EARDeployer.

      •      EJBDeployer=EJBDeployer.

      •      RARDeployer=RARDeployer.

      •      CMDeployer=ConnectionFactoryDeployer.

      •      WARDeployer=WebServer.

      •      MailService=Mail.

      •      JMSService=DestinationManager.

      •      JNDIService=Naming.

      •      JTAService=TransactionManager.

      •      UserTransactionService=ClientUserTransaction.

      •      RMI_IIOPService=CorbaORB.

      •      ThreadPool=JBoss System Threads.

      •      SecurityConfig=XMLLoginConfig.

      •      XMLLoginConfig=login-config.xml.

      •      JaasSecurityManagerService=JaasSecurityManager.


    It does not include the JAXR (Java API for XML Registries) service, the IIOP service, or any of the clustering services.

    •      The all configuration starts all available services. This includes the RMI/IIOP service and clustering services.


    2.     The user can change the combination of services that Jboss will load; in that case the configuration is called a custom configuration. The Jboss documentation recommends that everyone remove all unnecessary services, so obviously there is no "common" configuration that we can test.



    3.     Jboss uses four security concepts:

    •      ClientLoginModule: means no authentication at all.


    •      UsersRolesLoginModule: there are two properties files in which users and roles are defined; the files are placed in the conf directory or in the J2EE jar file.


    •      DatabaseServerLoginModule: a JDBC based login, meaning that users and passwords are stored in a database. It is based on two logical tables:

      •      Principals (PrincipalID, Password).

      •      Roles (PrincipalID, Role, RoleGroup).

    •      LdapLoginModule: the authentication is performed against an LDAP server using JNDI. The actual authentication happens in two phases:

      •      Binding to the directory.

      •      Searching the directory for objects that match the specified rule.

    Each concept is configured per application, i.e. there is no way to secure all applications in one action.
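    The per-application wiring described above, as an added example (not taken from the Jboss distribution): a conf/login-config.xml with one application-policy for UsersRolesLoginModule and one for DatabaseServerLoginModule over the two logical tables named above. The policy names, properties file names and datasource JNDI name are assumptions; the module class names and option names are the modules' real ones.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/login-config.xml: one <application-policy> per security domain.
     Policy names "example-props" and "example-db" are assumed for this
     illustration; the module-option names are the modules' real options. -->
<policy>

  <!-- UsersRolesLoginModule: users and roles come from two properties files
       (users file: user=password, roles file: user=role1,role2).
       The files are loaded as classpath resources, i.e. from conf/ or from
       the deployed archive. -->
  <application-policy name="example-props">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag="required">
        <module-option name="usersProperties">example-users.properties</module-option>
        <module-option name="rolesProperties">example-roles.properties</module-option>
        <!-- keep password digests, not clear text, in the properties file -->
        <module-option name="hashAlgorithm">MD5</module-option>
        <module-option name="hashEncoding">base64</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- DatabaseServerLoginModule: JDBC lookup against the two logical tables
       Principals(PrincipalID, Password) and Roles(PrincipalID, Role, RoleGroup).
       The datasource JNDI name java:/ExampleDS is an assumption. -->
  <application-policy name="example-db">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                    flag="required">
        <module-option name="dsJndiName">java:/ExampleDS</module-option>
        <module-option name="principalsQuery">select Password from Principals where PrincipalID=?</module-option>
        <module-option name="rolesQuery">select Role, RoleGroup from Roles where PrincipalID=?</module-option>
        <!-- compare a digest of the submitted password against the stored one -->
        <module-option name="hashAlgorithm">SHA-256</module-option>
        <module-option name="hashEncoding">base64</module-option>
      </login-module>
    </authentication>
  </application-policy>

</policy>
```

    A web application selects one of these domains with <security-domain>java:/jaas/example-db</security-domain> in its WEB-INF/jboss-web.xml, which is exactly the per-application binding the text refers to: an application that names no security domain gets none of these modules.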


    4.     Jboss has 5 security services:

    •      JaasSecurityManagerService: this is a JMX service which manages JAAS-based SecurityManagers. JAAS SecurityManagers are responsible for validating the credentials associated with principals.

    •      JaasSecurityManager: its behavior derives from the execution of the login module instances that are configured under the name matching the security domain to which the JaasSecurityManager has been assigned.

    •      JaasSecurityDomain: an extension of the JaasSecurityManager that adds the notion of a KeyStore, and a JSSE KeyManagerFactory and TrustManagerFactory, for supporting SSL and other cryptographic use cases.

    •      DynamicLoginConfig: a security config MBean that loads an XML login configuration.

    •      JACC: JACC is the Java Authorization for Container Contracts specification.