Access Controls
To enforce J2EE-style access controls, Web applications deployed in JBoss must contain a WEB-INF/jboss-web.xml file that defines a security domain as shown here:
    <jboss-web>
      <security-domain>java:/jaas/TEST_SECURITY_DOMAIN</security-domain>
    </jboss-web>

For these Web applications, JBoss enforces the security constraints and the login method defined in the application's deployment descriptor, the WEB-INF/web.xml file; the security domain named in jboss-web.xml decides how the submitted credentials are verified. Here is the relevant sample portion of a WEB-INF/web.xml file:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>TEST_WEB_RESOURCE_NAME</web-resource-name>
        <!-- Define the context-relative URL(s) to be protected -->
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>TEST_ROLE_NAME</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>TEST_REALM_NAME</realm-name>
    </login-config>

This web.xml sample directs JBoss to protect every URL under the application's context (url-pattern /*) and to obtain a username and password through the browser's HTTP BASIC authentication dialog. Because BASIC sends the username and password base64-encoded, not encrypted, with every request, applications that use it should be reachable only over HTTPS. The jboss-web.xml sample shown above directs JBoss to verify that username and password with the login module configured for the security domain TEST_SECURITY_DOMAIN. You can edit the /opt/UMC/jboss/server/default/conf/login-config.xml file to change the login module for a particular security domain.
If no login module is defined for TEST_SECURITY_DOMAIN, then the "other" security domain is used by default, as shown in this sample from the login-config.xml file:
    <!-- The default login configuration used by any security domain that
         does not have an application-policy entry with a matching name. -->
    <application-policy name="other">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required" />
      </authentication>
    </application-policy>

The org.jboss.security.auth.spi.UsersRolesLoginModule login module authenticates usernames and passwords against the server/default/conf/users.properties file and reads role memberships from the server/default/conf/roles.properties file. The authenticated username must be a member of the role specified in the web.xml file; in the example above, this is TEST_ROLE_NAME. Note that the fallback to "other" is silent: a misspelled security-domain name in jboss-web.xml does not cause a deployment error, it simply means the application is authenticated with whatever the "other" policy and the conf/users.properties file allow, so check the name after every change.
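The following script is an added example, not code from the original page or from JBoss. It checks the wiring that the web.xml, jboss-web.xml and login-config.xml fragments above set up: that the security domain named in jboss-web.xml really has an application-policy (otherwise the silent fallback to "other" applies), that every role in an auth-constraint is held by a user who also exists in users.properties, and that a BASIC login-config is paired with a CONFIDENTIAL transport-guarantee so credentials do not cross the wire in clear. The sample files at the bottom are constructed for the demonstration and mirror the fragments on this page; the users/roles.properties format assumed is the standard one (user=password and user=role1,role2).

```python
"""Sanity-check the JBoss J2EE access-control wiring of one Web application.

Added example; not code from the original page or from JBoss. The five
inputs are the file contents as strings: WEB-INF/web.xml, WEB-INF/jboss-web.xml,
and the server's conf/login-config.xml, users.properties and roles.properties.
"""
import xml.etree.ElementTree as ET


def find_all(elem, local_name):
    """Descendants of elem with the given local tag name, ignoring any XML
    namespace (J2EE 1.4 web.xml files declare one, older ones do not)."""
    return [e for e in elem.iter()
            if isinstance(e.tag, str) and e.tag.rsplit("}", 1)[-1] == local_name]


def parse_properties(text):
    """Minimal users/roles.properties parser: one 'key=value' per line,
    '#' comments and blank lines ignored (only the '=' separator is handled)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def check_access_control(web_xml, jboss_web_xml, login_config_xml,
                         users_props, roles_props):
    """Return a list of findings; an empty list means the wiring is consistent."""
    findings = []
    web = ET.fromstring(web_xml)
    jboss_web = ET.fromstring(jboss_web_xml)
    login_config = ET.fromstring(login_config_xml)
    users = parse_properties(users_props)
    roles = {u: {r.strip() for r in v.split(",") if r.strip()}
             for u, v in parse_properties(roles_props).items()}

    # 1. The security domain named in jboss-web.xml needs its own
    #    application-policy; otherwise JBoss silently uses the "other" policy.
    policies = {e.get("name") for e in find_all(login_config, "application-policy")}
    domains = [e.text.strip() for e in find_all(jboss_web, "security-domain")]
    if not domains:
        findings.append("jboss-web.xml names no <security-domain>")
    for domain in domains:
        short = domain.rsplit("/", 1)[-1]          # java:/jaas/NAME -> NAME
        if short not in policies:
            findings.append(f"no application-policy for {short!r}; "
                            f"JBoss falls back to the 'other' policy")

    # 2. Every protected URL pattern needs a role that some known user holds.
    methods = [e.text.strip() for e in find_all(web, "auth-method")]
    for sc in find_all(web, "security-constraint"):
        patterns = ",".join(e.text.strip() for e in find_all(sc, "url-pattern"))
        if not find_all(sc, "auth-constraint"):
            findings.append(f"{patterns}: no <auth-constraint>, so the pattern is unprotected")
        for role in (e.text.strip() for e in find_all(sc, "role-name")):
            if role == "*":          # any role declared by the application
                continue
            holders = sorted(u for u, rs in roles.items() if role in rs)
            if not holders:
                findings.append(f"{patterns}: role {role!r} is held by no user in roles.properties")
            for user in holders:
                if user not in users:
                    findings.append(f"user {user!r} holds {role!r} but has no users.properties entry")
        # 3. BASIC sends the password base64-encoded in clear on every request;
        #    a CONFIDENTIAL transport-guarantee makes the container require TLS.
        guarantees = [e.text.strip() for e in find_all(sc, "transport-guarantee")]
        if "BASIC" in methods and "CONFIDENTIAL" not in guarantees:
            findings.append(f"{patterns}: BASIC auth without "
                            f"<transport-guarantee>CONFIDENTIAL</transport-guarantee>")
    return findings


def policy_xml(*names):
    """Constructed login-config.xml with one UsersRolesLoginModule policy per name."""
    entry = ('<application-policy name="{0}"><authentication><login-module '
             'code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>'
             '</authentication></application-policy>')
    return "<policy>" + "".join(entry.format(n) for n in names) + "</policy>"


# Constructed sample files mirroring the fragments on the page.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>TEST_WEB_RESOURCE_NAME</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>TEST_ROLE_NAME</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>TEST_REALM_NAME</realm-name></login-config>
</web-app>"""
# Hardened variant: same constraint plus a user-data-constraint requiring TLS
# (it follows auth-constraint in the schema order).
WEB_XML_TLS = WEB_XML.replace(
    "</auth-constraint>",
    "</auth-constraint><user-data-constraint>"
    "<transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>")
JBOSS_WEB_XML = ("<jboss-web><security-domain>java:/jaas/TEST_SECURITY_DOMAIN"
                 "</security-domain></jboss-web>")
USERS = "# users.properties\nanonymous=secret\n"
ROLES = "# roles.properties\nanonymous=TEST_ROLE_NAME\n"

if __name__ == "__main__":
    # login-config.xml with only "other": the domain falls back, and BASIC has no TLS.
    for f in check_access_control(WEB_XML, JBOSS_WEB_XML, policy_xml("other"), USERS, ROLES):
        print("FINDING:", f)
    print("hardened:", check_access_control(
        WEB_XML_TLS, JBOSS_WEB_XML, policy_xml("other", "TEST_SECURITY_DOMAIN"), USERS, ROLES))
```

Run it as-is to see the two findings for the page's own configuration (fallback to "other", BASIC without TLS) and an empty list for the hardened variant; to check a deployed application, read the five files from the server directory and pass their contents to check_access_control.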
To provide access to the Web application to user "anonymous" with password "secret" with the jboss-web.xml and web.xml files shown above, the login module requires the following information:
From server/default/conf/users.properties:

    anonymous=secret

From server/default/conf/roles.properties:

    anonymous=TEST_ROLE_NAME

The following Web applications do not have the jboss-web.xml file; you must add the file to provide J2EE-style access control: