Below are the steps for Securing any Web App deployed on Jboss EAP 5.1 or AS 5.
"-//JBoss//DTD Web Application 5.0//EN"
"http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
<jboss-web>
<security-domain>java:/jaas/"Myappname"</security-domain>
</jboss-web>
"Myappname" is Policy name that we are going to use further. Actually this tells JBOSS to use application Policy name 'Myappname' for this application.
Here we have used BASIC authentication in this example, but we can also use other types as DIGEST, FORM or CLIENT-CERT.
Thanks!!
Step1: Edit web.xml in your application
Edit the web.xml file in your webapp at the following location:
WEB-INF/web.xmlEdit your web.xml and put the following contents (generally towards the bottom of the file)
<security-constraint>This is a way of telling the container to restrict all URLs to any user with the role ‘myrole‘.
<web-resource-collection>
<web-resource-name>All resources</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>myrole</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Confidential</realm-name>
</login-config>
<security-role>
<role-name>myrole</role-name>
</security-role>
Step 2: Create jboss-web.xml in your application
Edit or create the jboss-web.xml file in your webapp at the following location:WEB-INF/jboss-web.xml<!DOCTYPE jboss-web PUBLIC
"-//JBoss//DTD Web Application 5.0//EN"
"http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
<jboss-web>
<security-domain>java:/jaas/"Myappname"</security-domain>
</jboss-web>
"Myappname" is Policy name that we are going to use further. Actually this tells JBOSS to use application Policy name 'Myappname' for this application.
Step 3: Create Application policy on JBoss server
We now need to define the application policy ‘Myappname‘ on JBoss server.
Edit the login-config.xml file in the JBoss server directory at the following location:
jboss/server/<profile>/conf/login-config.xmlEdit the contents of login-config.xml and add an application policy as follows:
This tells JBoss to user ‘UsersRolesLoginModule’ which uses property files to store users and roles.
<!-- application policy for myappname -->
<application-policy name="365black">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
<module-option name="usersProperties">props/users.properties</module-option>
<module-option name="rolesProperties">props/roles.properties</module-option>
</login-module>
</authentication>
</application-policy>
Step 4: Create users on JBoss server
Now we create a new user with the role ‘myrole’.
Create a new User
Edit the users.properties file used by your application policy in Step 3:
Add a line to create a new user as follows.jboss/server/<profile>/conf/props/users.properties
myuser=mypasswordRoles
Finally, we assign the role ‘myrole’ to the user ‘myuser’. Edit the following file
Create a new roleEdit the roles.properties file used by your application policy in Step 3.jboss/server/<profile>/conf/props/roles.propertiesAdd a line to create a assign the role ‘myrole’ to ‘myuser’ as follows.
myuser=myrole
Test your settings
Restart the JBoss server and deploy your application. When you access your application, you should see a basic authentication popup
If your setup is correct, you should be able to login using ‘myuser’ and ‘mypassword’ as defined in the Step 4.
Here we have used BASIC authentication in this example, but we can also use other types as DIGEST, FORM or CLIENT-CERT.
Thanks!!
