Why is it that developers are so horrible at writing documentation? Here’s a task for you: search the JBoss documentation, or even do a Google search, and try to find a clearly written, step-by-step tutorial on adding role-based security to a JBoss web app.
You can’t, because, stunningly, it doesn’t exist... until now. After days of searching different forums and tinkering with settings myself, I discovered that the process is laughably simple, but the instructions exist nowhere (well, they exist, but good luck understanding them).
Here we go:
Edit the file C:\{jboss install dir}\server\default\deploy\{your web app}\WEB-INF\web.xml
After all of the servlet-mapping sections (near the bottom of the file), add a security-constraint section for each resource (file or directory) that you want to secure. Here’s an example of how you would secure a directory named developer.
<security-constraint>
    <web-resource-collection>
        <web-resource-name>developer</web-resource-name>
        <url-pattern>/developer/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>developer</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Below that, in the same file, specify what type of authentication you want to use for your security constraints. Check the JBoss documentation for the different types.
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>My Application Security Zone</realm-name>
</login-config>
The last step in this file is to define which roles will have access to this application’s security zones. You can take a quick peek at Step 7 to see how roles are set up.
<security-role>
    <description>The role required to access restricted developer content</description>
    <role-name>developer</role-name>
</security-role>
<security-role>
    <description>The role required to access restricted ColdFusion content</description>
    <role-name>coldfusionadmin</role-name>
</security-role>
Create/edit the file C:\{jboss install dir}\server\default\deploy\{your web app}\WEB-INF\jboss-web.xml
Edit the file so that it contains the <security-domain> element. Here’s an example of what the file should look like:
<jboss-web>
    <context-root></context-root>
    <security-domain>java:/jaas/{application policy name}</security-domain>
</jboss-web>
The application policy name can be anything you want. Just pick a common-sense name. For example, if your app name is Widgets, just put that text in there.
Edit the file C:\{jboss install dir}\server\default\conf\login-config and add an application policy with the same name as the one you put in {application policy name} in the previous step. Again, here’s an example:
<application-policy name="{application policy name}">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="usersProperties">yourappnamehere-users.properties</module-option>
            <module-option name="rolesProperties">yourappnamehere-roles.properties</module-option>
        </login-module>
    </authentication>
</application-policy>
Now create the WEB-INF\classes directory under your web application if it doesn’t already exist.
Create two files in the classes directory: yourappnamehere-users.properties and yourappnamehere-roles.properties (the names given in the usersProperties and rolesProperties options above).
In the users file, all you need to do is define a user and its password in the format user=password, one per line, for as many users as you need to create.
In the roles file, assign each user one or more of the roles you created in your web.xml file, comma-separated:
user=coldfusionadmin,developer
joe=developer
bob=coldfusionadmin
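The four artifacts above (web.xml, jboss-web.xml, login-config, and the two .properties files) have to agree with each other by name, and nothing in JBoss tells you when they don’t: a role assigned in the roles file but never declared in web.xml silently admits nobody, and a security-domain that names no application policy fails only at login time. The following script is an added example, not part of the original post or of JBoss itself: it embeds constructed copies of each file (the policy name Widgets, the context root /WebApp, the users joe and bob and their passwords are all made up for the example, and bob is deliberately given an undeclared role) and cross-checks them the way a reviewer would before deploying. It goes slightly beyond the post’s snippets in that it also strips XML namespaces, so it works on a web.xml that declares xmlns, and it flags BASIC authentication over transport-guarantee NONE, since BASIC only base64-encodes the password.

```python
"""Cross-check a JBoss web-app security configuration for consistency.

Added example; all file contents below are constructed samples modelled on
the snippets in the post, not real deployment files.
"""
import xml.etree.ElementTree as ET

# Constructed web.xml: one protected directory, BASIC auth, two declared roles.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>developer</web-resource-name>
      <url-pattern>/developer/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>developer</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>My Application Security Zone</realm-name>
  </login-config>
  <security-role><role-name>developer</role-name></security-role>
  <security-role><role-name>coldfusionadmin</role-name></security-role>
</web-app>"""

# Constructed jboss-web.xml; "Widgets" is an assumed application policy name.
JBOSS_WEB_XML = """<jboss-web>
  <context-root>/WebApp</context-root>
  <security-domain>java:/jaas/Widgets</security-domain>
</jboss-web>"""

# Constructed login-config.xml fragment matching that policy name.
LOGIN_CONFIG_XML = """<policy>
  <application-policy name="Widgets">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="usersProperties">widgets-users.properties</module-option>
        <module-option name="rolesProperties">widgets-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>"""

# Constructed properties files; 'auditor' is never declared in web.xml (the planted mistake).
USERS_PROPERTIES = "joe=secret\nbob=hunter2\n"
ROLES_PROPERTIES = "joe=developer\nbob=coldfusionadmin,auditor\n"


def parse_properties(text):
    """Parse 'key=value' lines (the users/roles file format) into a dict."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        result[key.strip()] = value.strip()
    return result


def _strip_namespaces(root):
    """Drop '{uri}' prefixes so tag lookups work whether or not the file declares xmlns."""
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def check_security_config(web_xml, jboss_web_xml, login_config_xml, users_props, roles_props):
    """Return a list of findings (strings); an empty list means the files agree."""
    findings = []
    web = _strip_namespaces(ET.fromstring(web_xml))
    jboss_web = _strip_namespaces(ET.fromstring(jboss_web_xml))
    policies = _strip_namespaces(ET.fromstring(login_config_xml))

    # 1. web.xml: constraints may only reference declared roles, and a login-config must exist.
    declared = {(sr.findtext("role-name") or "").strip() for sr in web.iter("security-role")}
    auth_method = (web.findtext("login-config/auth-method") or "").strip()
    if not auth_method:
        findings.append("web.xml: no <login-config>, so the container can never prompt for credentials")
    for sc in web.iter("security-constraint"):
        name = (sc.findtext("web-resource-collection/web-resource-name") or "?").strip()
        for rn in sc.iter("role-name"):  # the role-names live inside <auth-constraint>
            role = (rn.text or "").strip()
            if role not in declared:
                findings.append(f"web.xml constraint {name!r}: role {role!r} is not declared in a <security-role>")
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        if auth_method == "BASIC" and guarantee == "NONE":
            findings.append(f"web.xml constraint {name!r}: BASIC auth with transport-guarantee NONE "
                            "sends the password in cleartext (base64 only)")

    # 2. jboss-web.xml: the security-domain must name an application-policy in login-config.
    domain = (jboss_web.findtext("security-domain") or "").strip()
    policy_name = domain.rsplit("/", 1)[-1]
    if policies.find(f".//application-policy[@name='{policy_name}']") is None:
        findings.append(f"jboss-web.xml: security-domain {domain!r} matches no application-policy {policy_name!r}")

    # 3. properties files: every role holder must be a user, and every role must be declared.
    users = parse_properties(users_props)
    roles = parse_properties(roles_props)
    for user, role_list in roles.items():
        if user not in users:
            findings.append(f"roles file: {user!r} has roles but no entry in the users file")
        for role in filter(None, (r.strip() for r in role_list.split(","))):
            if role not in declared:
                findings.append(f"roles file: {user!r} holds role {role!r}, which web.xml never declares")
    for user in users:
        if user not in roles:
            findings.append(f"users file: {user!r} has no roles, so no constraint will ever admit them")
    return findings


if __name__ == "__main__":
    for finding in check_security_config(WEB_XML, JBOSS_WEB_XML, LOGIN_CONFIG_XML,
                                         USERS_PROPERTIES, ROLES_PROPERTIES):
        print(finding)
```

Run against the embedded samples it reports two findings: the BASIC-over-NONE warning for the developer constraint, and bob’s undeclared auditor role. To use it on a real deployment, read the five files from WEB-INF, WEB-INF/classes and server/default/conf and pass their contents in; the checks are the same.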
24 Responses for "JBoss Role-Based Security"
Thanks. I was able to use the information effectively.
[...] For more advanced configurations of JBoss, here are some links to other relevant posts. Running multiple ColdFusion instances Securing your JBoss web applications Hosting multiple domains in JBoss Flexible ColdFusion deployment – serving from anywhere [...]
Steve,
Excellent work. Thank you. I couldn’t agree more with your words regarding poor documentation for local XML file-based security in JBoss.
Larry Little
Thanks, it was very useful.
I will go with Steve… given on 14th Nov. 2006
A little more documentation is required for XML things.
Good job, I agree 100% with everything you said. The only extra thing I had to do to get it to work was put my webapp name in the context-root element of jboss-web.xml
Cool! Thank you for posting the procedure!
I got mine to work, but not using yourappnamehere-users.properties, and yourappnamehere-roles.properties. I had to remove the yourappnamehere- and just go with users.properties and roles.properties. Thanks for the instructions… it’s nice to have it pulled together in one place.
Hi all!
I want to all of you know, World is mine, and yoursite good
Bye
In the example above, the page header and intro text prints. I’m trying to suppress that as well.
I just did this and it worked :-) – it is a very helpful article – thanks.
In case people are wondering (correct me if I’m wrong here) the value of realm-name doesn’t matter.
Also – There are (sort of) instructions for doing this in the JBoss docs set (although they are slightly wrong!). If you go to http://docs.jboss.org/jbossas/getting_started/v4/html/tour.html It details how to password protect the jmx-console app. You can apply the same procedure to any app, except that they forgot to tell you to add the login-config element, so you can’t ever log in (very secure – not very useful).
This is very useful, I appreciate it really. But it lacks one point: what if the users and roles are coming from a database? At that time users and roles are static and also their password is not encrypted, so no security at all. I will request the author to make an example of it too if possible.
Thanking you in Anticipation.
Man, this is useful – really :)
BTW. You are 1000% right – they do write horrible documentation.
I have the same setup and it works, but there is a problem when JBoss is fronted by an Apache web server and authorization is initially done by the web server. A NullPointerException is thrown on the JBoss side when it tries to run Basic Auth.
I spent time debugging JBoss code to find out the reason and this is what happens. JBoss caches roles in a map keyed by a SimplePrincipal object where the principal name is the username. But an already authorized request comes with the Principal being a CoyotePrincipal object and is therefore unable to locate roles, then throws the exception. I haven’t found a solution yet. If anyone has successfully set up Apache and JBoss Basic authorization together please let me know how.
Thanks! Saved me a bunch of time!
Thanks a lot.
Worked like a charm :-)
[...] The next step took a bit more digging and looking outside of grails oriented guides. The actual deployment environment I have to target is JBoss, but the best description of the security configuration I found was in the article JBoss Role-Based Security. [...]
thanks, this was very helpful
Just one more thing,
I set up DIGEST security instead of BASIC, and followed the link below verbatim (in addition to the changes suggested here):
http://docs.jboss.org/jbossas/guides/webguide/r2/en/html/ch05.html
Nice guide.
However as I was trying to figure out what step 3 was doing exactly, I left it out in my application and it still worked same as before.
I also left out steps 4 and 5 and I didn’t notice any changes.
Can anyone tell me what steps 3, 4 and 5 do exactly?
Great documentation. I had one problem. Since we set
it means that the secured resource is accessed directly as
htt://:8080/SecuredResource.
Once I added context root i.e.
WebApp
this worked fine
http://localhost:8080/WebApp/SecureResource
Does anyone know what could be causing the following issue? When I try to access that has been set up for Role Based Security, it opens a window to enter the username/password. In spite of entering a valid username/password I get the HTTP 401 error.
Is there an option to replace the properties file with DB Query? I may store all the users and roles in a DB. Would like to make a call to DB for checking the same?