JBoss EAP 6.4.0 – Configure web application security from zero

JBOSS 6 – Configure web application security

In this example we’ll show how to manage web application security using the ManagementRealm of Jboss 6.x and filtering roles directly on a rest service by using javax annotations.
Even more, since we are using BASIC authentication, our site will make exclusive use of SSL protocol in order to avoid easy sniffing of credentials through ordinary HTTP.

The final result, once the user enter the rest service address, is to let authenticate the user to check if is role is allowed, otherwise the server will refuse him to access.


For the code, click on the link below:

Download code

1. Configure JBOSS

First off, JBoss 6.x requires user to be added in order to access the administration management.

Under bin directory, create a user “testuser” of “Operator” group in ManagementRealm by using adduser command.

Notice that user is added by default in ManagementRealm.

Now we have to make some changes on standalone.xml, or whatever configuration is used by the JBoss instance.

We have to map groups to roles so testuser may access with the Operator role.

The next step is to create a security domain called “management“, used by our application, that delegate to realm ManagementRealm with the add of these lines:

For more informations on security domains and realms, there is an interesting StackOverflow post here

Last one, to enable https protocol, make sure we have the following lines:

For every http request the server will automatically redirect to the 8443 port that bind to the secure ssl protocol.


2. Generate SSL key

For generating an RSA key, type the following:

The default password for keystore should be changeit.

For more info, check this page.

3. Create JBOSS 6.x Web Application

Starting a new JBoss project can be really simple using Maven archetypes;
Below there are some examples for Jboss 6.4

4. Configure the Web Application

Create a file called jboss-web.xml under WEB-INF directory and fill with this:

So our application will use of “management” domain.

Then create or update web.xml, (still under WEB-INF) in this way:

We have set the following rules:

  • User access method based on BASIC authentication
  • All pages of our domain will run only by HTTPS protocol
  • All roles are granted to access by default

5. Create a rest service with role restrictions

In order to activate Jax-rs, create the following class:

Now it’s time to create our rest service implementation:

Notice that while service is accessible by all roles, the foo method is restricted only to Operator group.

To complete our example we can create a pre process interceptor to add a security layer.

6. Deploy and test our application

compile and deploy war with the following command:


Download code