-
-
2. how to add web security in jboss 6?
wolfgangknauf May 3, 2011 10:02 AM (in response to bcn) 1 of 1 people found this helpful
Hi,
first step: add some JavaEE standard security declarations to your web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>All is secured</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
    <role-name>customer</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>administrator</role-name>
</security-role>
<security-role>
  <role-name>customer</role-name>
</security-role>
Second step: add a file "jboss-web.xml" to your "WEB-INF" of your web app, which has to declare a security domain:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss-web PUBLIC
  "-//JBoss//DTD Web Application 5.0//EN"
  "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
<jboss-web>
  <security-domain>mysecuritydomain</security-domain>
  ...
</jboss-web>
Third step: configure your security domain by either editing the file "server\default\conf\login-config.xml" or by adding a "...-jboss-beans.xml" file. See here for more details: http://server.dzone.com/articles/security-features-jboss-510
Hope this gives a starting point.
Unfortunately, I don't have a good tutorial at hand...
Best regards
Wolfgang
-
3. how to add web security in jboss 6?
bcn May 3, 2011 4:06 PM (in response to wolfgangknauf)
Okay thanks that led me to the right direction.
Although now I hit this bug:
http://community.jboss.org/thread/162927
Argh...
-
4. how to add web security in jboss 6?
iabughosh May 4, 2011 1:55 AM (in response to bcn)
u j, if you are using form authentication and your form login page is based on JSF then try regular HTML form.
-
5. Re: how to add web security in jboss 6?
bcn May 4, 2011 5:34 AM (in response to iabughosh)
Ok I put a pure html form and don't get the error anymore.
However, the authentication does not work. I have a DatabaseServerLoginModule but it seems to be never used (if I put a syntax error in the select, no error occurs).
I don't find a documentation about how the names in the different files have to match.
How does the xxx-jboss-web.xml know about the jboss-web.xml? Does the name of the security domain in jboss-web have to be used somewhere in xxx-jboss-web? Must the name have the prefix java:/jaas/?
I guess the role-name in web.xml has to match the role selected by the query rolesQuery.
How can I debug the authentication? If I put the log level of org.jboss.security to trace, I get:
2011-05-04 10:44:01,136 DEBUG [org.jboss.security.integration.JNDIBasedSecurityManagement] (http-localhost%2F127.0.0.1-8080-2) Creating SDC for domain=smsurbano
2011-05-04 10:44:01,138 DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.smsurbano] (http-localhost%2F127.0.0.1-8080-2) CallbackHandler: org.jboss.security.auth.callback.JBossCallbackHandler@506e89dd
2011-05-04 10:44:01,138 DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.smsurbano] (http-localhost%2F127.0.0.1-8080-2) CachePolicy set to: org.jboss.security.auth.AuthenticationTimedCachePolicy@63935d75
2011-05-04 10:44:01,138 DEBUG [org.jboss.security.integration.JNDIBasedSecurityManagement] (http-localhost%2F127.0.0.1-8080-2) setCachePolicy, c=org.jboss.security.auth.AuthenticationTimedCachePolicy@63935d75
2011-05-04 10:48:20,672 TRACE [org.jboss.security.SecurityRolesAssociation] (http-localhost%2F127.0.0.1-8080-2) Setting threadlocal:{}
2011-05-04 10:48:20,675 TRACE [org.jboss.security.SecurityRolesAssociation] (http-localhost%2F127.0.0.1-8080-2) Setting threadlocal:null
Thanks,
Ulrich
-
6. Re: how to add web security in jboss 6?
iabughosh May 4, 2011 5:59 AM (in response to bcn)
u j, I'm using authentication with only web.xml and jboss.xml, I didn't use a third xml file, however the name of the security domain in your jboss-web.xml must match a login module in this file: ${jboss home}server\default\conf\login-config.xml
You can configure a new login config using server modules, details of creating the module are available in the documentation that I've posted in a previous thread.
e.g.: names of the security domains in jboss-web.xml are like this: java:/jaas/${login-module name}.
regards.
-
7. Re: how to add web security in jboss 6?
wolfgangknauf May 4, 2011 7:48 AM (in response to iabughosh)
Hi all,
@Ibrahim: u j used a new way of configuring the login module without having to edit "login-config.xml", which was added in AS 5: http://server.dzone.com/articles/security-features-jboss-510
@u j: could you activate logging of the security layer? See http://community.jboss.org/wiki/SecurityFAQ - question 4. Hopefully this will point you to the error. But your config looks OK at first glance.
Best regards
Wolfgang
-
8. Re: how to add web security in jboss 6?
bcn May 4, 2011 9:08 AM (in response to wolfgangknauf)
That helped! I needed the log of org.catalina and org.tomcat to find it.
In the login page, in <input name="j_username" type="text" /> I used id= instead of name=.
And the datasource in jboss-beans.xml must have a prefix of java:/.
Thanks a lot,
Ulrich
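Added example (not part of the thread and not JBoss code): a small Python lint for the two mismatches that came up above, a `<security-domain>` in jboss-web.xml that names no `<application-policy>`, and a FORM login page whose fields lack `name="j_username"` / `name="j_password"`. It goes one step beyond the thread by also flagging `<http-method>` lists, which limit a security constraint to the listed methods. Assumptions: the function, class and sample names (`check`, `LoginForm`, `shopdomain`) are hypothetical, and the policy file uses `<application-policy name="...">` as in login-config.xml.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

def elems(xml, tag):
    """Every element named `tag`, ignoring XML namespaces."""
    return [e for e in ET.fromstring(xml).iter() if e.tag.split("}")[-1] == tag]

class LoginForm(HTMLParser):
    """Collects form actions and the name= attribute of each <input>."""
    def __init__(self):
        super().__init__()
        self.actions, self.names = [], set()
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.actions.append(attrs.get("action") or "")
        elif tag == "input" and attrs.get("name"):
            self.names.add(attrs["name"])

def check(web_xml, jboss_web_xml, policy_xml, login_html):
    problems = []
    # 1. <security-domain> (with or without java:/jaas/) must name an application-policy
    policies = {e.get("name") for e in elems(policy_xml, "application-policy")}
    for e in elems(jboss_web_xml, "security-domain"):
        domain = (e.text or "").strip()
        if domain.split("java:/jaas/")[-1] not in policies:
            problems.append(f"no application-policy for domain '{domain}'")
    # 2. the container reads j_username/j_password by name=, posted to j_security_check
    form = LoginForm()
    form.feed(login_html)
    if not any(a.endswith("j_security_check") for a in form.actions):
        problems.append("form does not post to j_security_check")
    problems += [f"no input with name='{f}'" for f in ("j_username", "j_password")
                 if f not in form.names]
    # 3. listing <http-method> leaves all other methods outside the constraint
    methods = [e.text.strip() for e in elems(web_xml, "http-method") if e.text]
    if methods:
        problems.append("constraint applies only to " + "/".join(methods))
    return problems

# Constructed sample inputs; 'shopdomain' is a made-up name.
WEB = ("<web-app><security-constraint><web-resource-collection><url-pattern>/*</url-pattern>"
       "<http-method>GET</http-method></web-resource-collection></security-constraint></web-app>")
JBOSS_WEB = "<jboss-web><security-domain>java:/jaas/shopdomain</security-domain></jboss-web>"
POLICY = '<policy><application-policy name="shopdomain"/></policy>'
LOGIN = ('<form method="post" action="j_security_check"><input id="j_username" type="text"/>'
         '<input name="j_password" type="password"/></form>')  # first input uses id=, not name=

if __name__ == "__main__":
    print("\n".join(check(WEB, JBOSS_WEB, POLICY, LOGIN)))
```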
-
9. how to add web security in jboss 6?
wolfgangknauf May 6, 2011 4:26 AM (in response to bcn)
Thanks for your feedback. I updated the security FAQ and removed my comment "don't know whether the other two categories are required".
Best regards
Wolfgang