JBoss EAP 6.4.0 – Configure web application security from zero


In this example we’ll show how to manage web application security using the ManagementRealm of JBoss 6.x, filtering roles directly on a REST service with javax annotations.
Moreover, since we are using BASIC authentication, which sends the credentials on every request in an easily decoded form, our site will make exclusive use of SSL so that credentials cannot be sniffed over ordinary HTTP.

The final result: once the user requests the REST service address, the server asks for authentication and checks whether the user’s role is allowed; otherwise access is refused.

[Screenshot: browser login request]

For the code, click on the link below:

Download code

1. Configure JBOSS

First off, JBoss 6.x requires a user to be added before the management interfaces can be accessed.

Under the bin directory, create a user “testuser” in the “Operator” group of the ManagementRealm with the add-user script (add-user.sh, or add-user.bat on Windows).

Notice that the user is added to the ManagementRealm by default.

Now we have to make some changes to standalone.xml, or whichever configuration file the JBoss instance uses.

We have to map groups to roles so that testuser can log in with the Operator role.

The next step is to create a security domain called “management”, used by our application, which delegates to the ManagementRealm; add these lines:

For more information on security domains and realms, there is an interesting StackOverflow post here.

Finally, to enable HTTPS, make sure the following lines are present:

Every plain HTTP request will then be redirected automatically to port 8443, which is bound to the secure SSL connector.
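The three standalone.xml fragments the steps above describe, written here as an added example for JBoss EAP 6.4 rather than the post’s own snippet; the keystore path, key alias and keystore password are assumptions to be adjusted to your installation:

```xml
<!-- Added example, not the post's own snippet. Each fragment replaces the
     corresponding element of a stock EAP 6.4 standalone.xml. -->

<!-- (a) <management><security-realms>: let the groups assigned by add-user
     (mgmt-groups.properties) become roles visible to the web application -->
<security-realm name="ManagementRealm">
    <authentication>
        <!-- silent auth for local CLI users; drop it if you do not want that -->
        <local default-user="$local" skip-group-loading="true"/>
        <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
    <authorization map-groups-to-roles="true">
        <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
    </authorization>
</security-realm>

<!-- (b) security subsystem, <security-domains>: the domain jboss-web.xml will
     reference; RealmDirect delegates to ManagementRealm instead of the
     default ApplicationRealm -->
<security-domain name="management" cache-type="default">
    <authentication>
        <login-module code="RealmDirect" flag="required">
            <module-option name="realm" value="ManagementRealm"/>
        </login-module>
    </authentication>
</security-domain>

<!-- (c) web subsystem: requests hitting the http connector for a resource
     whose transport-guarantee is CONFIDENTIAL are redirected to 8443; the
     https connector serves the keystore from section 2 (assumed alias
     "server", assumed password "changeit", assumed file server.keystore) -->
<connector name="http" protocol="HTTP/1.1" scheme="http"
           socket-binding="http" redirect-port="8443"/>
<connector name="https" protocol="HTTP/1.1" scheme="https"
           socket-binding="https" secure="true">
    <ssl name="ssl" key-alias="server" password="changeit"
         certificate-key-file="${jboss.server.config.dir}/server.keystore"/>
</connector>
```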


2. Generate SSL key

To generate an RSA key, type the following:

The keystore password is assumed to be the default, changeit.

For more info, check this page.

3. Create JBOSS 6.x Web Application

Starting a new JBoss project is straightforward with Maven archetypes;
below are some examples for JBoss 6.4.

4. Configure the Web Application

Create a file called jboss-web.xml under the WEB-INF directory and fill it with this:

So our application will use the “management” security domain.

Then create or update web.xml (still under WEB-INF) as follows:

We have set the following rules:

  • Users authenticate with the BASIC auth method
  • Every page of our application is served only over HTTPS
  • Any role is granted access by default

5. Create a rest service with role restrictions

To activate JAX-RS, create the following class:

Now it’s time to create our REST service implementation:

Notice that while the service is accessible to all roles, the foo method is restricted to the Operator group only.

To complete our example we can create a pre-process interceptor that adds a further security layer.

6. Deploy and test our application

Compile and deploy the WAR with the following command:



2 comments on “JBoss EAP 6.4.0 – Configure web application security from zero”

  1. Fredrik Andersson

    Hello!
    Really interesting! Perhaps I could ask you if you could help me out how to configure JBoss 6 with a custom auth-method?
    We are moving from JBoss 5 to JBoss 6.
    In 5 we got a web.xml with this login-tag

    OURSSO
    oursso

    And a jboss-app.xml
    oursso

    And in login-config.xml

    props/mycomp-users.properties
    props/mycomp-roles.properties
    anonymous

    rsa.access.manager:type=Service,name=RuntimeAPIClient

    props/our-rolemapping-roles.properties
    true

    And in war-deployers-jboss-beans.xml

    BASIC
    org.apache.catalina.authenticator.BasicAuthenticator

    OURSSO
    com.mycomp.OurssoAuthenticator

    It seems like the auth-method in web.xml must match a key in war-deployers-jboss-beans.xml. How is the same accomplished in JBoss 6?
    Best regards
    Fredrik

  2. Fredrik Andersson

    Sorry, the tags seem to have been replaced; second attempt:

    Hello!
    Really interesting! Perhaps I could ask you if you could help me out how to configure JBoss 6 with a custom auth-method?
    We are moving from JBoss 5 to JBoss 6.
    In 5 we got a web.xml with this login-tag
    <login-config>
        <auth-method>OURSSO</auth-method>
        <realm-name>oursso</realm-name>
    </login-config>

    And a jboss-app.xml
    <security-domain>oursso</security-domain>

    And in login-config.xml
    <application-policy name="oursso">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="sufficient">
                <module-option name="usersProperties">props/mycomp-users.properties</module-option>
                <module-option name="rolesProperties">props/mycomp-roles.properties</module-option>
                <module-option name="unauthenticatedIdentity">anonymous</module-option>
            </login-module>
            <login-module code="rsa.ps.ct.jboss.jaas.OURSSOServerLoginModule" flag="required">
                <module-option name="connectionProvider">rsa.access.manager:type=Service,name=RuntimeAPIClient</module-option>
            </login-module>
            <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
                <module-option name="rolesProperties">props/our-rolemapping-roles.properties</module-option>
                <module-option name="replaceRole">true</module-option>
            </login-module>
        </authentication>
    </application-policy>

    And in war-deployers-jboss-beans.xml

    <property name="authenticators">
        <map class="java.util.Properties" keyClass="java.lang.String" valueClass="java.lang.String">
            <entry>
                <key>BASIC</key>
                <value>org.apache.catalina.authenticator.BasicAuthenticator</value>
            </entry>
            <entry>
                <key>OURSSO</key>
                <value>com.mycomp.OurssoAuthenticator</value>
            </entry>
        </map>
    </property>

    It seems like the auth-method in web.xml must match a key in war-deployers-jboss-beans.xml. How is the same accomplished in JBoss 6?
    Best regards
    Fredrik
