Friday, May 15, 2009

AS5: Specifying Security Domain Configuration

Historically, JBoss AS has provided the DynamicLoginConfig service to specify your security domain configuration (JAAS login modules). Starting with JBoss AS 5.0, we provide a simplified XML version of that, as follows:

You will need to create a xxx-jboss-beans.xml file and then you can define your login modules as follows:
===================================
<?xml version="1.0" encoding="UTF-8"?>

<deployment xmlns="urn:jboss:bean-deployer:2.0">

  <application-policy xmlns="urn:jboss:security-beans:1.0" name="web-test">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag="required">
        <!-- Requests that carry no credentials are assigned the principal "anonymous" -->
        <module-option name="unauthenticatedIdentity">anonymous</module-option>
        <module-option name="usersProperties">u.properties</module-option>
        <module-option name="rolesProperties">r.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <application-policy xmlns="urn:jboss:security-beans:1.0" name="ejb-test">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag="required">
        <module-option name="unauthenticatedIdentity">anonymous</module-option>
        <module-option name="usersProperties">u.properties</module-option>
        <module-option name="rolesProperties">r.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>

</deployment>
==================================

We still support the DynamicLoginConfig mbean definition approach, but the aforementioned approach is simpler.
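
The following is an added example, not part of the original post or of JBoss itself: a Python audit of a descriptor like the one above that lists each security domain's login modules and flags an unrecognised JAAS flag or any unauthenticatedIdentity option. The function name audit_security_domains and the embedded sample input are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SEC_NS = "{urn:jboss:security-beans:1.0}"   # namespace used on the page
JAAS_FLAGS = {"required", "requisite", "sufficient", "optional"}

# Constructed sample mirroring the page's descriptor (one domain shown).
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="urn:jboss:bean-deployer:2.0">
  <application-policy xmlns="urn:jboss:security-beans:1.0" name="web-test">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag="required">
        <module-option name="unauthenticatedIdentity">anonymous</module-option>
        <module-option name="usersProperties">u.properties</module-option>
        <module-option name="rolesProperties">r.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>
</deployment>"""


def audit_security_domains(xml_text):
    """Return (domains, findings) for a xxx-jboss-beans.xml document."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    domains, findings = {}, []
    for policy in root.iter(SEC_NS + "application-policy"):
        name = policy.get("name")
        modules = []
        for lm in policy.iter(SEC_NS + "login-module"):
            opts = {o.get("name"): (o.text or "").strip()
                    for o in lm.findall(SEC_NS + "module-option")}
            modules.append({"code": lm.get("code"), "flag": lm.get("flag"), "options": opts})
            if lm.get("flag") not in JAAS_FLAGS:
                findings.append((name, "invalid JAAS flag: %r" % lm.get("flag")))
            if "unauthenticatedIdentity" in opts:
                findings.append((name, "callers without credentials become %r"
                                 % opts["unauthenticatedIdentity"]))
        if not modules:
            findings.append((name, "no login modules defined"))
        domains[name] = modules
    return domains, findings


if __name__ == "__main__":
    domains, findings = audit_security_domains(SAMPLE)
    for domain, message in findings:
        print("%s: %s" % (domain, message))
```
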

DZone Article: http://server.dzone.com/articles/security-features-jboss-510

Frequently Asked Questions:
1. Where do I place the xxx.properties files for the UsersRolesLoginModule?
You can place them under the conf directory.

9 comments:

Unknown said...

Is there a chance to get this bug https://jira.jboss.org/jira/browse/JBAS-6443 fixed?

work_registries said...

DynamicLoginConfig mbean definition approach allowed for depends on other (m)beans, e.g. a ssl socket factory bean used by a login module

how can I define that in your example, if using urn:jboss:security-beans:1.0 ?

Ondrej Medek said...

Hi,
I have an EAR with an EJB module. And one WAR outside this EAR. The xxx-jboss-beans.xml has to be in the WAR to make it work. I have tried to place it into the META-INF of EAR or the EJB module, but it does not work.

I would like to keep WAR clean of database access and security details. Is it possible to place xxx-jboss-beans.xml inside EJB module?

Thanks

Ondrej Medek said...

Sorry, it is possible to place xxx-jboss-beans.xml into META-INF of an EJB module. I had a mistake in a SQL.

Deepak Techie said...

I am trying to deploy an EAR with an EJB Module. Following are the steps that I have followed:

1. Created xxx-jboss-beans.xml with authentication policies and have copied it under server/default/deploy directory.

2. Copied the xxx-user.properties and xxx-roles.properties (declared for the application policies) under server/default/deploy directory.

On the server side it throws an exception: "java.lang.SecurityException: Authentication exception, principal=null".

Where do I copy the xxx-user.properties and xxx-roles.properties?

Ondrej Medek said...

Deepak, you can put xxxx.properties into the conf/props/ directory.

I do not know, if you can deploy them. Look into the source of this login module. You can also make your own login module, it's not difficult.

Unknown said...

Is it possible to use my own login module inside the war file?

code ="mydomain.LoginModule"

Unknown said...

Wonderful you have shown us how to register a security domain. But how do we add it to a web application? I mean how do we make a web application use it? Do I need a jboss-web.xml containing something like:

java:/jaas/basic-security

Anil Saldanha said...

Vincent, you should use jboss-web.xml to define a security domain.