Setting up Security in JBoss

1
Setting up Securityin JBoss

• References
• Getting Started with JBoss, J2EE applications on
  the JBoss 3.2.x Server, Luke Taylor and The
  JBoss Group. http//www.jboss.org/modules/html/doc
  s/jbossj2ee.pdf

2
Security Domains (a.k.a Realms)

• Implement security policy within the application
  server
• Based on JAAS
• See JBoss JAAS How To
• http//prdownloads.sourceforge.net/jboss/jaashowto
  -32x.zip?download
• Referenced by DataSources, Web Applications,
  EJBs, etc.
• Centralizes the management/implementation of
  security within the application server
• Security domain name mapped to login modules
  within JBOSS_SERVER/conf/login-config.xml

3
Example Reference in DataSource

• //based on JBOSS_SERVER/deploy/hsqldb_ds.xml
• ltdatasourcesgt
• ltlocal-tx-datasourcegt
• ltjndi-namegtDefaultDSlt/jndi-namegt
• ltconnection-urlgt
• jdbchsqldbjboss.server.data.dir/hyperso
  nic/localDB
• lt/connection-urlgt
• ltdriver-classgtorg.hsqldb.jdbcDriverlt/driver-
  classgt
• ltsecurity-domaingtHsqlDbRealmlt/security-domaingt
• lt/local-tx-datasourcegt
• lt/datasourcesgt

4
Example Reference in Web Application

• //based on JBOSS_SERVER/deploy/jmx-console/WEB-IN
  F/jboss-web.xml
• ltjboss-webgt
• ltsecurity-domaingtjava/jaas/jmx-consolelt/security-
  domaingt
• lt/jboss-webgt

5
Example Reference in EJB

• // EJB/META-INF/jboss.xml
• ltjbossgt
• ltsecurity-domaingtjava/some-domainlt/security-domai
  ngt
• lt/jbossgt

6
JBOSS_SERVER/conf/login-config.xml

• ltpolicygt
• ltapplication-policy name name"gt
• ltauthenticationgt
• ltlogin-module code "LoginModule
  Implementation Class"
• flag satisfaction requirement"gt
• ltmodule-option name
  name"gtvaluelt/module-optiongt
• lt/login-modulegt
• lt/authenticationgt
• lt/application-policygt
• lt/policygt

used as security-domain name
a Java implementation class
states level of requirement for passing of policy
to grant access
module-specific options
7
JBOSS_SERVER/conf/login-config.xml

• application-policy
• name defines security-domain
• missing application-policies are mapped to
  other application-policy at bottom of
  login-config.xml file
• authentication
• contains one or more login modules
• login module
• specifies a JAAS implementation to authenticate
  user
• flags
• required module must succeed for user to be
  authenticated

8
Login Modules

• ConfiguredIdentityModule
• sets the user identity to a constant value
• UsersRolesLoginModule
• uses two property files to authenticate user and
  assign roles

9
ConfiguredIdentityModule

• class org.jboss.security.auth.spi.
  ConfiguredIdentityModule
• sets the user identity to a constant value
• useful when accessing external resource with
  single account while application server manages
  individual accounts
• principal
• ltmodule-option name "principal"gtsalt/module-optio
  ngt
• username
• ltmodule-option name "userName"gtsalt/module-option
  gt
• password
• ltmodule-option name "password"gtlt/module-optiongt

10
UsersRolesLoginModule

• class org.jboss.security.auth.spi.UsersRolesLogin
  Module
• uses two property files to authenticate user and
  assign roles
• users.properties contains user logins and plain
  text passwords
• user1password1
• user2password2
• roles.properties contains mapping of user login
  to roles
• user1role1,role2
• user2role1
• Files located in classpath
• can be within EAR for applications
• Names can be customized with module-options
• ltmodule-option name"usersProperties"gtjmx-console-
  users.propertieslt/module-optiongt
• ltmodule-option name"rolesProperties"gtjmx-console-
  roles.propertieslt/module-optiongt