JBoss EAP 6.4.0 – Configure web application security from zero

JBOSS 6 – Configure web application security

In this example we’ll show how to manage web application security using the ManagementRealm of JBoss 6.x, filtering roles directly on a REST service by using javax annotations.
Moreover, since we are using BASIC authentication, the site is served exclusively over SSL so that credentials cannot be easily sniffed over ordinary HTTP.

The final result: when a user requests the REST service address, the server asks them to authenticate and checks whether their role is allowed; otherwise it refuses access.


For the code, click on the link below:

Download code

1. Configure JBOSS

First off, JBoss 6.x requires a user to be added in order to access the administration management.

Under the bin directory, create a user “testuser” in the “Operator” group of ManagementRealm by using the add-user command.

Notice that the user is added to ManagementRealm by default.

Now we have to make some changes to standalone.xml, or whichever configuration file is used by the JBoss instance.

We have to map groups to roles so testuser may access with the Operator role.

The next step is to create a security domain called “management”, used by our application, that delegates to the ManagementRealm realm, by adding these lines:

For more information on security domains and realms, there is an interesting StackOverflow post here

Finally, to enable the HTTPS protocol, make sure we have the following lines:

Every HTTP request will automatically be redirected by the server to port 8443, which is bound to the secure SSL protocol.


2. Generate SSL key

To generate an RSA key, type the following:

The default password for the keystore should be changeit.

For more info, check this page.

3. Create JBOSS 6.x Web Application

Starting a new JBoss project can be really simple using Maven archetypes.
Below are some examples for JBoss 6.4:

4. Configure the Web Application

Create a file called jboss-web.xml under the WEB-INF directory and fill it with this:

Our application will now use the “management” domain.

Then create or update web.xml (still under WEB-INF) in this way:

We have set the following rules:

  • User access is based on BASIC authentication
  • All pages of our domain are served only over the HTTPS protocol
  • All roles are granted access by default
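
A web.xml that expresses these three rules, as an added example rather than the original post's file. The realm-name label, the declared Operator role and the resteasy.role.based.security parameter are assumptions that the post does not show.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: constructed WEB-INF/web.xml, not the original post's file. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Not shown in the post (assumption): RESTEasy checks @RolesAllowed on
       resource methods only when this parameter is set to true. -->
  <context-param>
    <param-name>resteasy.role.based.security</param-name>
    <param-value>true</param-value>
  </context-param>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All pages</web-resource-name>
      <url-pattern>/*</url-pattern>
      <!-- No http-method elements: the constraint covers every HTTP method. -->
    </web-resource-collection>
    <!-- Rule 3: any authenticated user holding a role declared below. -->
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
    <!-- Rule 2: plain-HTTP requests are redirected to the HTTPS connector,
         so the BASIC credentials never travel unencrypted. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Rule 1: BASIC authentication. realm-name is only the label shown in the
       browser prompt; the security domain itself is chosen in jboss-web.xml. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ManagementRealm</realm-name>
  </login-config>

  <!-- "*" in the auth-constraint expands to the roles declared here. -->
  <security-role>
    <role-name>Operator</role-name>
  </security-role>
</web-app>
```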

5. Create a rest service with role restrictions

In order to activate JAX-RS, create the following class:

Now it’s time to create our REST service implementation:

Notice that while the service is accessible by all roles, the foo method is restricted to the Operator group only.

To complete our example we can create a pre process interceptor to add a security layer.

6. Deploy and test our application

Compile and deploy the WAR with the following command:



Create JMS Topic with JBoss 5.1 GA and Java 6

Send message with JMS and JBoss 5.1 GA

This example will show how to produce an async JMS message after a successful update operation.

The source code is based on the previous article on how to set up a restful webapp that uses ejb3 and jpa technology.

So the minimum requirements for this example are:

  • Java J2ee 6.0
  • JPA 1
  • EJB 3.x
  • JBoss 5.1 GA
  • Jersey 2.6

Topic configuration on JBoss

Under {JBOSS_HOME}/server/default/deploy directory, create a “topic” folder and add a file named MyTopic-service.xml, then write in the following content:

Notice that it is also possible to put the content above in the existing file destination-service.xml.

Send message topic from JBoss

Take the sample-ejb project of the previous article and edit the classes as described below:

PersonLocal.java and PersonRemote.java


The PersonBean EJB now exposes the create and update methods.

Execute the following command from the Windows prompt:


Expose Restful methods for create and update

Take the sample-web project of the previous article and edit the classes as described below:



Execute the following command from the Windows prompt:

Create a simple app client to subscribe to the Topic

Create a simple app project archetype by executing the maven command

Edit pom.xml in this way:

Under src/main/resources, place a file named jndi.properties with the following content:


Edit App.java

Run the app; it will wait for a message.

From a REST client like Postman or RestClient, set the request body in this way:

Set Content-Type in the request headers to the value “application/json”

On the address bar, type the following with PUT method



From the app client console, a log message should display something like this

Create a Java Restful Web Application (Jersey, EJB3, JPA, JBoss 5.1, JDK 6) from ZERO with Maven

Create a web application with JBoss 5.1 and JDK 6

In this post we’ll see how to set up a complete life-cycle webapp within JBoss 5.1 on JDK 6.

Please notice this example is IDE-independent, therefore the procedure below is created with Maven and manual editing.

The requirements / specs for this example are:

  • JDK 6
  • JBoss 5.1 GA
  • JPA (1.0)
  • EJB 3.x
  • Jersey 2.6
  • MySql

You can download the full example here

MySQL Database

Download full Database definition and script

Basically, create a database called JPADB and two tables defined as below:



Make sure you execute the following scripts:

JBoss configuration

To make MySql work on JBoss environment, copy mysql-connector-java-5.1.18.jar under {JBOSS_HOME}/server/default/lib.

Then, create a file called mysql-ds.xml under {JBOSS_HOME}/server/default/deploy with this content:


If you want to enable remote debugging with JBoss, edit run.conf or run.bat.conf (depending on your system) and under the line “Sample JPDA settings for remote socket debugging“, type in the following line:

Please notice:

Setting localhost instead of yourhostname can result in an access error on the MySQL database.

Create EJB module

From the command line, type in the following command:

This will create an ejb project compatible with Java6.

Open pom.xml and edit the following line:

By enabling the generation of the client, all the modules using the EJB can include the ejb-client on their classpath.


Then, create a file called persistence.xml with the following content:


Create City.java

and Person.java

Create PersonBeanLocal.java as the following:

The PersonRemote.java interface

The PersonBean.java implementation

Your ejb module is now completed. Build and deploy it under {JBOSS_HOME}/server/default/deploy directory with the following command under project directory:

Windows example

The last line will install the ejb-client.jar under maven local repository in order to be included in the webapp classpath.

Create web module

First off, create a web module with the jersey archetype

Edit pom.xml so the result will be the following:

According to the Jersey documentation, the last Jersey version compatible with JDK 6 is 2.6.

Notice that with the line

the war package will not include the ejb-client libraries, otherwise the binding to the ejb interfaces will fail.

Under src directory, create a file named jndi.properties with the following:

Now it’s time to create the model returned from our future REST service; we’ll use the JAXB specs in order to return an XML response, if requested.

Create CityResult.java

Create PersonResult.java

Finally, create PersonService.java

That’s all.

Deploy web module with the following command from project root directory:

Windows command example

You can better test PersonService from a REST client like Postman or RestClient:

Type in the following on the address bar:



Setting Accept: application/xml in the request headers will return an XML response instead.