[Contents] [Prev] [Next] [Index] [Report an Error] [No Frames]


Access Controls

To enforce J2EE-style access controls, Web applications deployed in JBoss must contain a WEB-INF/jboss-web.xml file that defines a security domain as shown here:

<jboss-web>
  <security-domain>java:/jaas/TEST_SECURITY_DOMAIN</security-domain>
</jboss-web>

For these Web applications, JBoss enforces the authentication method and the authorization constraints defined in the application's deployment descriptor, the WEB-INF/web.xml file. Here is the relevant sample portion of a WEB-INF/web.xml file:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>TEST_WEB_RESOURCE_NAME</web-resource-name>
    <!-- Define the context-relative URL(s) to be protected -->
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>TEST_ROLE_NAME</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>TEST_REALM_NAME</realm-name>
</login-config>

This web.xml sample directs JBoss to obtain a username and password by HTTP BASIC authentication (the browser's login dialog); the realm-name is only the label shown in that dialog. Because BASIC sends the credentials base64-encoded, not encrypted, with every request, serve such applications over HTTPS, for example by adding a user-data-constraint with a transport-guarantee of CONFIDENTIAL to the security-constraint. The jboss-web.xml sample directs JBoss to check that username and password with the login module configured for the security domain TEST_SECURITY_DOMAIN. You can edit the /opt/UMC/jboss/server/default/conf/login-config.xml file to change the login module for a particular security domain.

If no login module is defined for TEST_SECURITY_DOMAIN, the "other" security domain is used by default, as shown in this sample from the login-config.xml file. Note that this fallback is silent: a misspelt security-domain name in jboss-web.xml does not fail the deployment, it quietly authenticates against the "other" configuration instead.

<!--
  The default login configuration used by any security domain that
  does not have an application-policy entry with a matching name.
-->
<application-policy name = "other">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required" />
  </authentication>
</application-policy>

The org.jboss.security.auth.spi.UsersRolesLoginModule login module authenticates usernames and passwords against the server/default/conf/users.properties file (one username=password line per user) and reads each user's roles from the server/default/conf/roles.properties file (one username=role1,role2 line per user). The passwords in users.properties are cleartext unless the module's hashAlgorithm option is configured, so restrict the file's permissions. The authenticated username must hold the role named in the web.xml auth-constraint; in the example above, this is TEST_ROLE_NAME.

To provide access to the Web application to user "anonymous" with password "secret" with the jboss-web.xml and web.xml files shown above, the login module requires the following entries. In users.properties:

anonymous=secret

In roles.properties:

anonymous=TEST_ROLE_NAME
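The following script is an added example, not code from this page or from JBoss. It ties the pieces above together as an audit a practitioner would run against a deployment: it parses web.xml, jboss-web.xml, login-config.xml, users.properties and roles.properties, resolves which application-policy the container will really use (including the silent fallback to "other"), works out which roles a given URL requires, and then decides what happens to a BASIC request by a given user. The five files are constructed in-line samples mirroring the fragments above, with one extra public constraint and one extra user ("nobody") added to show a constraint without an auth-constraint and a user with no role; the URL-pattern ranking is an assumed simplification of the servlet container's matching rules.

```python
"""Audit the declarative access control of a JBoss web application. Added example, not
code from the page or from JBoss; the five files below are constructed in-line samples
mirroring the page's fragments (a real audit reads WEB-INF/ and server/default/conf/)."""
import xml.etree.ElementTree as ET

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>TEST_WEB_RESOURCE_NAME</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>TEST_ROLE_NAME</role-name></auth-constraint>
  </security-constraint>
  <security-constraint><!-- no auth-constraint: deliberately public -->
    <web-resource-collection><web-resource-name>public</web-resource-name>
      <url-pattern>/public/*</url-pattern></web-resource-collection>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>TEST_REALM_NAME</realm-name></login-config>
</web-app>"""
JBOSS_WEB_XML = "<jboss-web><security-domain>java:/jaas/TEST_SECURITY_DOMAIN</security-domain></jboss-web>"
LOGIN_CONFIG_XML = """<policy><application-policy name="other"><authentication>
  <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
</authentication></application-policy></policy>"""
USERS_PROPERTIES = "anonymous=secret\nnobody=letmein\n"  # username=password (constructed)
ROLES_PROPERTIES = "anonymous=TEST_ROLE_NAME\n"          # username=role1,role2 (constructed)

def _find(el, name):
    """Descendants with local tag `name`; works with or without the J2EE xmlns."""
    return [e for e in el.iter() if e.tag.rsplit("}", 1)[-1] == name]

def security_domain(jboss_web_xml):
    """Domain named in jboss-web.xml without its java:/jaas/ prefix, or None."""
    found = _find(ET.fromstring(jboss_web_xml), "security-domain")
    name = (found[0].text or "").strip() if found else ""
    return (name[len("java:/jaas/"):] if name.startswith("java:/jaas/") else name) or None

def effective_policy(login_config_xml, domain):
    """(policy actually used, [(login module, flag), ...]). JBoss falls back to
    "other" when no application-policy matches, so a typo is silently masked."""
    policies = {p.get("name"): p for p in _find(ET.fromstring(login_config_xml), "application-policy")}
    name = domain if domain in policies else "other"
    return name, [(m.get("code"), m.get("flag")) for m in _find(policies[name], "login-module")]

def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, # or ! comments."""
    lines = [ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith(("#", "!"))]
    return {k.strip(): v.strip() for k, _, v in (ln.partition("=") for ln in lines)}

def security_constraints(web_xml):
    """[(url patterns, roles)] per constraint; roles is None without an <auth-constraint>."""
    out = []
    for sc in _find(ET.fromstring(web_xml), "security-constraint"):
        auth = _find(sc, "auth-constraint")
        roles = [r.text.strip() for r in _find(auth[0], "role-name")] if auth else None
        out.append(([p.text.strip() for p in _find(sc, "url-pattern")], roles))
    return out

def _rank(pattern, path):
    """Match strength (exact > longest /prefix/* > *.ext > '/'); assumed simplification."""
    if pattern == path:
        return 1000
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return 100 + len(pattern)
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return 50
    return 1 if pattern == "/" else 0

def required_roles(web_xml, path):
    """Roles admitted to path: None = unconstrained, [] = nobody, ['*'] = anyone logged in."""
    best, roles, public = 0, set(), False
    for patterns, role_list in security_constraints(web_xml):
        rank = max((_rank(p, path) for p in patterns), default=0)
        if rank == 0 or rank < best:
            continue                                 # a stronger pattern already matched
        if rank > best:
            best, roles, public = rank, set(), False
        public = public or role_list is None         # one open constraint opens the URL
        roles.update(role_list or [])
    return None if best == 0 or public else sorted(roles)

def check_access(user, password, path, web_xml=WEB_XML, jboss_web_xml=JBOSS_WEB_XML,
                 login_config_xml=LOGIN_CONFIG_XML, users=USERS_PROPERTIES, roles=ROLES_PROPERTIES):
    """What the container does with a BASIC request by user/password for path."""
    needed = required_roles(web_xml, path)
    if needed is None:
        return "permit (unconstrained)"
    domain = security_domain(jboss_web_xml)
    if domain is None:
        return "misconfigured (jboss-web.xml names no security-domain)"
    policy, modules = effective_policy(login_config_xml, domain)
    if not any(code.endswith(".UsersRolesLoginModule") for code, _ in modules):
        return "unknown (policy %s uses a login module this audit does not model)" % policy
    if parse_properties(users).get(user) != password:   # offline config check, not a login path
        return "deny (authentication failed)"
    have = set(parse_properties(roles).get(user, "").split(",")) - {""}
    if "*" in needed or have & set(needed):
        return "permit"
    return "deny (not in required role %s)" % ",".join(needed)
```

Run it with, for example, check_access("anonymous", "secret", "/index.jsp"), which returns "permit", while the same call for user "nobody" returns a role denial and any request under /public/ is admitted without credentials. Two things worth checking on a real server fall out of effective_policy: the policy name it returns should equal the domain from jboss-web.xml (if it returns "other", the domain name is misspelt or not configured), and the module list should be the one you expect rather than the default UsersRolesLoginModule.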

The following Web applications do not have the jboss-web.xml file; you must add the file to provide J2EE-style access control:

