Securing a Web Application in JBoss AS


Securing web resources basically involves adding a few elements to the web deployment descriptor (web.xml) and to jboss-web.xml.  You also have to do a little prep work on the server itself to configure a security domain for JBoss SX.  These instructions assume that you have JBoss AS installed and that you have a server instance created with at least Tomcat included; the "default" instance is a good choice here.  The variable ${jboss.dist} refers to the location you extracted/installed JBoss AS to, and ${} corresponds to the name of the server instance you are configuring for security.  The first part of these instructions covers setting up JBoss SX for security, and the second part covers setting up the web application for security using basic authentication.




Securing the Web Application with Basic Authentication



Attached is a sample application that can be used to test out securing a web application.  Two files need to be added or modified in your web application to attach it to the security domain we defined in the previous steps.  The web.xml and jboss-web.xml files in the sample contain commented-out versions of the text to add, which is covered in the next two steps.  Also included is a simple index.jsp that outputs the name of the authenticated JAAS Subject via HttpServletRequest.getRemoteUser().


1. Configure the web application for security by adding constraints to the web deployment descriptor.


You need to modify the web.xml in the WEB-INF directory of the web application you are securing to add in the following:

    <security-constraint>
      <web-resource-collection><web-resource-name>All resources</web-resource-name><description>Protects all resources</description><url-pattern>/*</url-pattern></web-resource-collection>
      <auth-constraint><role-name>WebAppUser</role-name></auth-constraint>
    </security-constraint>
    <login-config><auth-method>BASIC</auth-method><realm-name>Test Realm</realm-name></login-config>

The "security-constraint" section is what defines which resources in the web application are protected.  You can have multiple security-constraint elements in the web.xml that apply different protections to different resources.  Each constraint must have at least one web-resource-collection element to specify what the constraint is protecting.  The "url-pattern" element specifies the URL pattern to protect; the example above protects all resources in the web application.  The auth-constraint element specifies which roles have access to the protected resource.  The example specifies just one role, but multiple roles can be included by adding further role-name elements.  This role name needs to match the name of the role you specified in the file.  There is a way to add a level of indirection to this role name by using the "security-role-ref" element instead.  Finally, the "login-config" element specifies how authentication occurs with the web application.  The "auth-method" element specifies how the browser gets credentials from the user.  The spec defines "BASIC", "DIGEST", "FORM", and "CLIENT-CERT" as the possible methods for obtaining credentials from the browser user.  The example uses "BASIC" since it is the simplest, but this method shouldn't be used in a production app unless you are also using SSL/TLS, since user names and passwords are transmitted in clear text (only base64-encoded, not encrypted) over the network.  The "realm-name" element just specifies the authentication realm name that is given to the browser for authentication.  This realm name is simply shown to the user when the authentication dialog is presented.


2. Configure the jboss-web.xml file to point to the "my-web" security domain.


Add/edit the jboss-web.xml in the WEB-INF directory of the web application you are securing to add the following inside the "jboss-web" element:

    <security-domain>java:/jaas/my-web</security-domain>

This element tells JBoss AS to connect the web application to the "my-web" security domain we defined in the login-config.xml file earlier.  JBoss AS exposes security domains via JNDI by prepending "java:/jaas/" to the name element in the application-policy element in the login-config.xml file.
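The two descriptors from steps 1 and 2 written out in full, as an added example rather than the attached sample application's own files.  It also adds the user-data-constraint element that enforces the SSL/TLS requirement mentioned above for BASIC authentication; the Servlet 2.5 schema header and the WEB-INF paths are assumptions, and the role store that maps "chris" to "WebAppUser" is the one configured in the first part of these instructions.

```xml
<!-- WEB-INF/web.xml: added example, not the page's attached sample application -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Which resources are protected, and which roles may reach them -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All resources</web-resource-name>
      <description>Protects all resources</description>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- must match the role assigned to the user in the security domain's role store -->
      <role-name>WebAppUser</role-name>
    </auth-constraint>
    <!-- BASIC sends the password base64-encoded, not encrypted; CONFIDENTIAL makes
         the container redirect plain HTTP requests to the HTTPS connector -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Test Realm</realm-name>
  </login-config>

  <!-- declare every role referenced by an auth-constraint -->
  <security-role>
    <role-name>WebAppUser</role-name>
  </security-role>
</web-app>

<!-- WEB-INF/jboss-web.xml: binds the application to the "my-web" application-policy
     from login-config.xml; JBoss AS exposes it under JNDI as java:/jaas/my-web -->
<jboss-web>
  <security-domain>java:/jaas/my-web</security-domain>
</jboss-web>
```

The CONFIDENTIAL guarantee only helps if the server instance's Tomcat configuration has an HTTPS connector for the HTTP connector to redirect to; without one the redirect has nowhere to go and the application becomes unreachable rather than insecure.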


3. Start up the application server, navigate to your application.


The browser should prompt you for a username and password.  Enter "chris" for the username and "secure" for the password.  You should then be allowed access to the web application.  You can verify this by closing the browser, opening it back up and navigating back to your protected application.  When the browser prompts you, you can either enter no credentials, or use the "admin" user account that was in the file originally (password: admin), and see that the web application won't be presented because you didn't log in with a user that has the "WebAppUser" role.



JavaWorld JAAS article by Scott Stark: