9 Replies Latest reply: May 6, 2011 4:26 AM by Wolfgang Knauf

how to add web security in jboss 6?

u j Novice

What is the correct way to add security to a web app in jboss 6?

I have read about jbossweb:

http://docs.jboss.org/jbossweb/3.0.x/realm-howto.html

but nothing of this is mentioned in the jboss security guide which seems to offer other solutions.

 

When I try the jboss web way, I get a class not found error, because the realm classes are not

in the file deploy/jbossweb.sar/jbossweb.jar.

How are they added?

 

Thanks,

Ulrich

  • 2. how to add web security in jboss 6?
    Wolfgang Knauf Master

    Hi,

     

    first step: add some JavaEE standard security declarations to your web.xml:

     

     

        <security-constraint>
            <web-resource-collection>
                <web-resource-name>All is secured</web-resource-name>
                <url-pattern>/*</url-pattern>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint>
                <role-name>administrator</role-name>
                <role-name>customer</role-name>
            </auth-constraint>
        </security-constraint>
        <login-config>
            <auth-method>FORM</auth-method>
            <form-login-config>
                <form-login-page>/login.jsp</form-login-page>
                <form-error-page>/error.jsp</form-error-page>
            </form-login-config>
        </login-config>
        <security-role>
            <role-name>administrator</role-name>
        </security-role>
        <security-role>
            <role-name>customer</role-name>
        </security-role>

     

    Second step: add a file "jboss-web.xml" to the "WEB-INF" directory of your web app, which has to declare a security domain:

     

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE jboss-web PUBLIC
        "-//JBoss//DTD Web Application 5.0//EN"
        "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">

    <jboss-web>
        <security-domain>mysecuritydomain</security-domain>
        ...
    </jboss-web>

     

    Third step: configure your security domain by either editing the file "server\default\conf\login-config.xml" or by adding a "...-jboss-beans.xml" file. See here for more details: http://server.dzone.com/articles/security-features-jboss-510

     

    Hope this gives a starting point.

     

    Unfortunately, I don't have a good tutorial at hand...

     

    Best regards

     

    Wolfgang

  • 3. how to add web security in jboss 6?
    u j Novice

    Okay, thanks, that led me in the right direction.

    Although now I hit this bug:

    http://community.jboss.org/thread/162927

    Argh...

  • 4. how to add web security in jboss 6?
    iabughosh Master

    u j, if you are using form authentication and your form login page is based on JSF, then try a regular HTML form.

  • 5. Re: how to add web security in jboss 6?
    u j Novice

    OK, I put in a pure HTML form and don't get the error anymore.

     

    However, the authentication does not work. I have a DatabaseServerLoginModule but it seems to never be used (if I put a syntax error in the select, no error occurs).

     

    I can't find any documentation about how the names in the different files have to match.

     

    How does the xxx-jboss-web.xml know about the jboss-web.xml? Does the name of the security domain in jboss-web have to be used somewhere in xxx-jboss-web? Must the name have the prefix java:/jaas/?

     

    I guess the role-name in web.xml has to match the role selected by the query rolesQuery.

     

    How can I debug the authentication? If I put the log level of org.jboss.security to trace, I get:

     

    2011-05-04 10:44:01,136 DEBUG [org.jboss.security.integration.JNDIBasedSecurityManagement] (http-localhost%2F127.0.0.1-8080-2) Creating SDC for domain=smsurbano
    2011-05-04 10:44:01,138 DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.smsurbano] (http-localhost%2F127.0.0.1-8080-2) CallbackHandler: org.jboss.security.auth.callback.JBossCallbackHandler@506e89dd
    2011-05-04 10:44:01,138 DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.smsurbano] (http-localhost%2F127.0.0.1-8080-2) CachePolicy set to: org.jboss.security.auth.AuthenticationTimedCachePolicy@63935d75
    2011-05-04 10:44:01,138 DEBUG [org.jboss.security.integration.JNDIBasedSecurityManagement] (http-localhost%2F127.0.0.1-8080-2) setCachePolicy, c=org.jboss.security.auth.AuthenticationTimedCachePolicy@63935d75
    2011-05-04 10:48:20,672 TRACE [org.jboss.security.SecurityRolesAssociation] (http-localhost%2F127.0.0.1-8080-2) Setting threadlocal:{}
    2011-05-04 10:48:20,675 TRACE [org.jboss.security.SecurityRolesAssociation] (http-localhost%2F127.0.0.1-8080-2) Setting threadlocal:null

     

    Thanks,

     

    Ulrich

  • 6. Re: how to add web security in jboss 6?
    iabughosh Master

    u j, I'm using authentication with only web.xml and jboss.xml; I didn't use a third xml file. However, the name of the security domain in your jboss-web.xml must match a login module in this file: ${jboss home}server\default\conf\login-config.xml

    You can configure a new login config using server modules; details of creating the module are available in the documentation that I've posted in a previous thread.

     

    E.g., the name of the security domain in jboss-web.xml looks like this: java:/jaas/${login-module name}.

     

    Regards.

  • 7. Re: how to add web security in jboss 6?
    Wolfgang Knauf Master

    Hi all,

     

    @Ibrahim: u j used a new way of configuring the login module without having to edit "login-config.xml", which was added in AS 5: http://server.dzone.com/articles/security-features-jboss-510

     

    @u j: could you activate logging of the security layer? See http://community.jboss.org/wiki/SecurityFAQ, question 4. Hopefully this will point you to the error. But your config looks OK at first glance.

     

    Best regards

     

    Wolfgang

  • 8. Re: how to add web security in jboss 6?
    u j Novice

    That helped! I needed the log of org.catalina and org.tomcat to find it.

    In the login page, in <input name="j_username" type="text" /> I used id= instead of name=.

    And the datasource in jboss-beans.xml must have a prefix of java:/.

     

    Thanks a lot,

    Ulrich
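The thread never spells out how the names in web.xml, jboss-web.xml, login-config.xml and the login page have to line up, and both of Ulrich's final bugs (id= instead of name= on j_username, a datasource name without the java:/ prefix) are silent misconfigurations rather than errors. The script below is an added example, not code from the thread or from JBoss: it parses constructed copies of those files, strips the optional java:/jaas/ prefix from the security domain, checks the form fields and the dsJndiName prefix, and replays the DatabaseServerLoginModule principalsQuery/rolesQuery against an in-memory sqlite table so the roles a user would be granted can be compared with the auth-constraint role-names. The domain name mysecuritydomain, the datasource java:/MyDS, the table layout and the users alice and bob are all assumptions made for the example.

```python
"""Cross-check the files that must agree in a JBoss 6 FORM-login setup, replaying the
DatabaseServerLoginModule queries in sqlite so the roles they return can be compared with
web.xml. Added example: domain, datasource, table and user names are constructed."""
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample files, trimmed to the elements the checks look at.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>administrator</role-name><role-name>customer</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
  <security-role><role-name>administrator</role-name></security-role>
  <security-role><role-name>customer</role-name></security-role>
</web-app>"""
JBOSS_WEB_XML = "<jboss-web><security-domain>java:/jaas/mysecuritydomain</security-domain></jboss-web>"
# The application-policy as it would sit in conf/login-config.xml (hypothetical names).
LOGIN_CONFIG_XML = """<policy>
  <application-policy name="mysecuritydomain">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
        <module-option name="dsJndiName">java:/MyDS</module-option>
        <module-option name="principalsQuery">select passwd from users where login=?</module-option>
        <module-option name="rolesQuery">select role, 'Roles' from user_roles where login=?</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>"""
LOGIN_JSP = """<form method="post" action="j_security_check">
  <input name="j_username" type="text" />
  <input name="j_password" type="password" />
</form>"""
JAAS_PREFIX = "java:/jaas/"

def domain_name(jboss_web_xml):
    """Security domain from jboss-web.xml; the java:/jaas/ prefix (reply 6) is optional, so strip it."""
    name = ET.fromstring(jboss_web_xml).findtext("security-domain", "").strip()
    return name[len(JAAS_PREFIX):] if name.startswith(JAAS_PREFIX) else name

def login_module_options(login_config_xml, domain):
    """module-options of the login-module in the application-policy named `domain`, else None."""
    for policy in ET.fromstring(login_config_xml).iter("application-policy"):
        if policy.get("name") == domain:
            module = policy.find("authentication/login-module")
            return {o.get("name"): (o.text or "").strip() for o in module.iter("module-option")}
    return None

def check_login_form(html):
    """Reply 8: browsers submit only fields that have name=, so id="j_username" is silently ignored."""
    problems = []
    if not re.search(r'<form[^>]*action="[^"]*j_security_check"', html):
        problems.append("login form must post to j_security_check")
    for field in ("j_username", "j_password"):
        if not re.search(r'<input[^>]*\sname="%s"' % field, html):
            problems.append('no <input> with name="%s"' % field)
    return problems

def roles_from_query(conn, options, login):
    """Run rolesQuery the way the login module does: column 1 is the role name, column 2 the
    role group, and only rows in the 'Roles' group count for web.xml authorization."""
    rows = conn.execute(options["rolesQuery"], (login,)).fetchall()
    return {role for role, group in rows if group == "Roles"}

def check_config(web_xml, jboss_web_xml, login_config_xml, html, conn, login):
    """All consistency problems found for one user; an empty list means the files agree."""
    problems = check_login_form(html)
    domain = domain_name(jboss_web_xml)
    options = login_module_options(login_config_xml, domain)
    if options is None:  # nothing would authenticate: the domain name matches no policy
        return problems + ["no application-policy named %r in login-config.xml" % domain]
    if not options.get("dsJndiName", "").startswith("java:/"):
        problems.append("dsJndiName needs the java:/ prefix (reply 8)")
    if conn.execute(options["principalsQuery"], (login,)).fetchone() is None:
        problems.append("principalsQuery returns no row for %s" % login)
    root = ET.fromstring(web_xml)
    used = {rn.text.strip() for ac in root.iter("auth-constraint") for rn in ac.iter("role-name")}
    declared = {rn.text.strip() for sr in root.iter("security-role") for rn in sr.iter("role-name")}
    if not used <= declared:
        problems.append("auth-constraint roles missing from security-role: %s" % sorted(used - declared))
    granted = roles_from_query(conn, options, login)
    if not granted & used:  # authenticated, but every request would still be refused
        problems.append("%s gets roles %s, none of which web.xml accepts" % (login, sorted(granted)))
    return problems

def sample_db():
    """In-memory stand-in for the datasource bound at java:/MyDS (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table users(login text primary key, passwd text);
        create table user_roles(login text, role text);
        insert into users values ('alice', 'secret'), ('bob', 'hunter2');
        insert into user_roles values ('alice', 'administrator'), ('bob', 'guest');""")
    return conn

if __name__ == "__main__":
    db = sample_db()
    for user in ("alice", "bob"):
        print(user, check_config(WEB_XML, JBOSS_WEB_XML, LOGIN_CONFIG_XML, LOGIN_JSP, db, user) or "OK")
```

Run against the constructed files, alice passes every check while bob authenticates but ends up with only the role guest, which no auth-constraint accepts; that is the "login succeeds, page still forbidden" case that a TRACE log of org.jboss.security shows as an empty or unexpected role set. To use it on a real deployment, replace the four string constants with the contents of WEB-INF/web.xml, WEB-INF/jboss-web.xml, conf/login-config.xml (or the equivalent application-policy from a ...-jboss-beans.xml) and the login page, and point sample_db() at a copy of the real user tables.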

  • 9. how to add web security in jboss 6?
    Wolfgang Knauf Master

    Thanks for your feedback. I updated the security FAQ and removed my comment "don't know whether the other two categories are required".

     

    Best regards

     

    Wolfgang