How to configure HTTP authentication with JBoss?

8

I would like to protect my entire site with username and password, I saw that it is possible to do this using HTTP authentication, but I would like to know how to do this in JBoss.

    
asked by anonymous 11.12.2013 / 19:24

2 answers

4

The Servlet API enables you to specify resource authentication in web.xml. See an example from the JBoss 6 documentation:

<web-app>
    <!-- ... -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Secure Content</web-resource-name>
            <url-pattern>/restricted/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>AuthorizedUser</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <!-- ... -->
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>The Restricted Zone</realm-name>
    </login-config>
    <!-- ... -->
    <security-role>
        <description>The role required to access restricted content</description>
        <role-name>AuthorizedUser</role-name>
    </security-role>
</web-app>

As I said, this is part of the Java API and is even mandatory for anyone doing the certification now known as OCEJWCD.

However, user "registration" is performed on the Application Server (Container). Specifically in JBoss, there is this documentation that teaches you to put those users into properties files, but it also says that it is possible to store them in a database or to use an LDAP service.

Basically, what you need to do is specify the authentication module you want. In the case of properties files it is UsersRolesLoginModule. Then you configure the module, as in this example:

<deployment xmlns="urn:jboss:bean-deployer:2.0">

   <!-- ejb3 test application-policy definition -->
   <application-policy xmlns="urn:jboss:security-beans:1.0" name="ejb3-sampleapp">
      <authentication>
         <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="usersProperties">ejb3-sampleapp-users.properties</module-option>
            <module-option name="rolesProperties">ejb3-sampleapp-roles.properties</module-option>
         </login-module>
      </authentication>
   </application-policy>

</deployment>

Finally, you create the files with roles and the users' passwords:

# ejb3-sampleapp-roles.properties: user -> roles (optional role groups via user.Group)
username1=role1,role2,...
username1.RoleGroup1=role3,role4,...
username2=role1,role3,...

and:

# ejb3-sampleapp-users.properties: user -> password
username1=password1
username2=password2
    
12.12.2013 / 12:38
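An added check for the web.xml mechanics in this answer (example code, not from the original answer or from JBoss): it parses a constructed web.xml, modelled on the snippet above but with `/*` so the whole site is covered as the question asks, and reports what each security-constraint protects plus the points a reviewer would flag: BASIC auth over a non-CONFIDENTIAL transport, a constraint with no auth-constraint, a role not declared in security-role, and no constraint covering the whole site. The function and sample names are chosen here.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the answer's snippet but using /* so the
# whole site is covered, as the question asks. Not from the original answer.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole site</web-resource-name><url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>AuthorizedUser</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>AuthorizedUser</role-name></security-role>
</web-app>"""


def local(tag):
    """Local element name without any XML namespace ({uri}name -> name)."""
    return tag.rsplit("}", 1)[-1]


def texts(elem, name):
    """Stripped text of every descendant (elem included) whose local name is `name`."""
    return [n.text.strip() for n in elem.iter() if local(n.tag) == name and n.text]


def audit_web_xml(xml_text):
    """Return {'auth_method', 'constraints', 'findings'} for one web.xml document."""
    root = ET.fromstring(xml_text)
    auth_method = (texts(root, "auth-method") or ["NONE"])[0]
    declared = {t for sr in root.iter() if local(sr.tag) == "security-role" for t in texts(sr, "role-name")}
    report = {"auth_method": auth_method, "constraints": [], "findings": []}
    for sc in (n for n in root.iter() if local(n.tag) == "security-constraint"):
        patterns = texts(sc, "url-pattern")
        roles = texts(sc, "role-name")  # role-name only appears under auth-constraint here
        guarantee = (texts(sc, "transport-guarantee") or ["NONE"])[0]
        report["constraints"].append({"patterns": patterns, "roles": roles, "transport": guarantee})
        if not any(local(n.tag) == "auth-constraint" for n in sc.iter()):
            report["findings"].append(f"{patterns}: no auth-constraint, so no login is required")
        if auth_method == "BASIC" and guarantee != "CONFIDENTIAL":
            report["findings"].append(f"{patterns}: BASIC over non-CONFIDENTIAL transport sends credentials as reversible base64")
        for role in roles:
            if role not in declared:
                report["findings"].append(f"role {role!r} used but not declared in <security-role>")
    if not any("/*" in c["patterns"] for c in report["constraints"]):
        report["findings"].append("no constraint covers /*, so the whole site is not protected")
    return report
```

Running `audit_web_xml(SAMPLE_WEB_XML)["findings"]` on the sample yields exactly one finding, the BASIC-over-NONE one; switching the transport-guarantee to CONFIDENTIAL clears it.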
3

utluiz's answer is correct, especially because it deals with JBoss AS 6. For JBoss AS 7 (including JBoss EAP 6) and WildFly, you must create a realm in standalone.xml and create users within this realm. The easiest way is to use the add-user.sh script, which is inside the bin directory. This is easy for one or two users, and I imagine that is your case, but if you want to extend this authentication to hundreds of users then it is recommended that you read more about JAAS, the standard for authentication and authorization in Java EE applications.

It pays to read the EAP 6.2 security documentation for more details and options.

    
13.12.2013 / 14:08