Version 4

    This article describes the Security Configuration facilities available in JBoss AS5.0 and beyond. It also applies to JBoss Enterprise Application Platform v5.0 and beyond.



    There are 3 parsers involved.

    • JBossXB based (which extends
    • JBoss Microcontainer based parser.
    • JavaCC based default JAAS Configuration parser.

    Configuration Files

    There are 4 types of configuration files where the security domain information may be provided.

    1. login-config.xml
    2. DynamicLoginConfigService via jboss-service.xml
    3. Microcontainer based xxx-jboss-beans.xml
    4. JDK JAAS config such as auth.conf



    This is the historic configuration file that is provided in the conf directory.


    More information can be obtained here.

    Microcontainer based Configuration

    More information here.

    JDK JAAS Configuration

    Supported but not recommended.

    An example auth.conf is here:

     other {
        // Put your login modules that work without jBoss here
        // jBoss LoginModule required;
        // Put your login modules that need jBoss here
     };

    What Configuration can be provided?


    You can provide the configuration for authentication, authorization, mapping and audit at the security domain level in login-config.xml, DynamicLoginConfig (via jboss-service.xml) or the new JBossMC based config.


    How do all these work?

    We instantiate an implementation of the JDK Configuration class, called XMLLoginConfigImpl, which we set as:



    This is our custom Configuration class. It invokes the appropriate parsers (mainly for login-config.xml, DynamicLoginConfig or the JDK JAAS config).


    It is set in the JaasSecurityManagerService MBean in conf/jboss-service.xml.
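
The mechanism described above, as an added Java example (not JBoss's XMLLoginConfigImpl and not code from this article): a `javax.security.auth.login.Configuration` subclass installed JVM-wide with `Configuration.setConfiguration`. The class `DemoLoginConfig`, the domain names and the `com.example` module names are hypothetical; the fallback to the `other` entry follows the JAAS convention.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

/** Hypothetical stand-in for a custom JAAS Configuration; not JBoss code. */
public class DemoLoginConfig extends Configuration {
    private final Map<String, AppConfigurationEntry[]> domains = new HashMap<>();

    /** Register one login module (by class name) for a security domain. */
    public void addDomain(String domain, String moduleClass,
                          LoginModuleControlFlag flag, Map<String, ?> options) {
        domains.put(domain, new AppConfigurationEntry[] {
            new AppConfigurationEntry(moduleClass, flag, options) });
    }

    /** Resolve a domain; unknown names fall back to "other" (JAAS convention). */
    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        AppConfigurationEntry[] entries = domains.get(name);
        return entries != null ? entries : domains.get("other");
    }

    public static void main(String[] args) {
        DemoLoginConfig config = new DemoLoginConfig();
        // Constructed sample domains; module class names are placeholders.
        config.addDomain("other", "com.example.DenyAllLoginModule",
                LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>());
        Map<String, Object> opts = new HashMap<>();
        opts.put("usersProperties", "users.properties"); // constructed option
        config.addDomain("web-app", "com.example.PropertiesLoginModule",
                LoginModuleControlFlag.REQUIRED, opts);

        // JVM-wide install: every LoginContext now resolves through this object.
        // Under a SecurityManager this needs AuthPermission("setLoginConfiguration").
        Configuration.setConfiguration(config);

        // The second name is a deliberate typo to show the fallback to "other".
        for (String domain : new String[] {"web-app", "web-ap"}) {
            AppConfigurationEntry e =
                Configuration.getConfiguration().getAppConfigurationEntry(domain)[0];
            System.out.println(domain + " -> " + e.getLoginModuleName()
                    + " [" + e.getControlFlag() + "]");
        }
    }
}
```

Because unknown domain names resolve to `other`, keeping a restrictive module in that entry makes a misspelled security domain fail closed.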


    The new JBossMC-based configuration is handled by the MC-based parsers from here.