

Access Controls

To enforce J2EE-style access controls, Web applications deployed in JBoss must contain a WEB-INF/jboss-web.xml file that defines a security domain as shown here:

<jboss-web>
<security-domain>java:/jaas/TEST_SECURITY_DOMAIN</security-domain>
</jboss-web>

For these Web applications, JBoss performs authentication as defined in the application's deployment descriptor, the WEB-INF/web.xml file. Here is the relevant sample portion of a WEB-INF/web.xml file:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>TEST_WEB_RESOURCE_NAME</web-resource-name>
    <!-- Define the context-relative URL(s) to be protected -->
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>TEST_ROLE_NAME</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>TEST_REALM_NAME</realm-name>
</login-config>

This web.xml sample directs JBoss to obtain a username and password through the browser's HTTP BASIC authentication prompt. The jboss-web.xml sample shown above directs JBoss to authenticate that username and password with the login module configured for the security domain TEST_SECURITY_DOMAIN. To change the login module used for a particular security domain, edit the /opt/UMC/jboss/server/default/conf/login-config.xml file.

If no login module is defined for TEST_SECURITY_DOMAIN, then the "other" security domain is used by default, as shown in this sample from the login-config.xml file:

<!--
  The default login configuration used by any security domain that
  does not have an application-policy entry with a matching name.
-->
<application-policy name = "other">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required" />
  </authentication>
</application-policy>

The org.jboss.security.auth.spi.UsersRolesLoginModule login module authenticates usernames and passwords against the server/default/conf/users.properties file and reads each user's roles from the server/default/conf/roles.properties file. The authenticated username must be a member of the role specified in the web.xml file; in the example above, this is TEST_ROLE_NAME.

To grant user "anonymous" with password "secret" access to the Web application with the jboss-web.xml and web.xml files shown above, the login module requires the following entries:

In the users.properties file:

anonymous=secret

In the roles.properties file:

anonymous=TEST_ROLE_NAME

The following Web applications do not have the jboss-web.xml file; you must add the file to provide J2EE-style access control:

Default Security Roles for Access Control

Some Web applications have default security roles for access control. For example, NIC_Admin is the default security role for NIC Web Admin, and POM_Admin is the default for Policy Web Admin. Security roles require configuration for JBoss. For example, to use these roles when JBoss is your Web application server you must add particular information to the roles.properties and the users.properties files located in the <jboss-install-dir>/jboss/server/default/conf directory.

In the roles.properties file, you associate users with the roles:

nicAdmin=NIC_Admin
pomAdmin=POM_Admin

In the users.properties file, you associate a password with those users:

nicAdmin=<password>
pomAdmin=<password>

Suppose you are using the Dynamic Service Activator application. The default security role for Dynamic Service Activator is DSAAuthorizedClient. In the roles.properties file, you associate users with the role:

Elena=DSAAuthorizedClient
Sarah=DSAAuthorizedClient
anonymous=DSAAuthorizedClient

In the users.properties file, you associate a password with those users:

Elena=<password>
Sarah=<password>
anonymous=<password>
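The checks a deployer should run against the files described in both sections above (web.xml, jboss-web.xml, users.properties and roles.properties) can be scripted. The following audit is an added example, not part of this documentation or of JBoss; it assumes an un-namespaced web.xml like the sample shown earlier, and the file contents it embeds are constructed for illustration. It reports which users can reach each protected url-pattern and flags a missing security-domain, a required role that no user holds, a user who has roles but no password, and a security-constraint with no auth-constraint (which leaves its url-patterns unrestricted).

```python
import xml.etree.ElementTree as ET

def parse_properties(text):
    """Parse key=value lines of users.properties / roles.properties, skipping comments."""
    pairs = (l.partition("=") for l in map(str.strip, text.splitlines()) if l and l[0] not in "#!")
    return {k.strip(): v.strip() for k, _, v in pairs}

def security_constraints(web_xml):
    """Yield (url_patterns, required_roles, has_auth_constraint) for each security-constraint."""
    for sc in ET.fromstring(web_xml).iter("security-constraint"):  # assumes no XML namespace
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        roles = [r.text.strip() for r in sc.iter("role-name")]
        yield patterns, roles, sc.find("auth-constraint") is not None

def audit(web_xml, jboss_web_xml, users_props, roles_props):
    """Return (authorized, findings): users allowed per url-pattern, and problems found."""
    users = parse_properties(users_props)
    # roles.properties maps user -> comma-separated list of roles
    user_roles = {u: {r.strip() for r in v.split(",")}
                  for u, v in parse_properties(roles_props).items()}
    authorized, findings = {}, []
    if ET.fromstring(jboss_web_xml).find("security-domain") is None:
        findings.append("jboss-web.xml has no security-domain: web.xml constraints are not enforced")
    for patterns, roles, constrained in security_constraints(web_xml):
        if not constrained:
            findings.append(f"{patterns}: security-constraint without auth-constraint, access is unrestricted")
        # a user is authorized only with a password entry AND one of the required roles
        allowed = {u for u, rs in user_roles.items() if u in users and rs & set(roles)}
        authorized.update({p: allowed for p in patterns})
        for role in roles:
            if not any(role in rs for rs in user_roles.values()):
                findings.append(f"role {role} required for {patterns} is assigned to no user")
    for u in user_roles:
        if u not in users:
            findings.append(f"user {u} has roles but no password in users.properties")
    return authorized, findings

# Constructed sample inputs mirroring the page's examples (not from the original page).
WEB_XML = """<web-app>
  <security-constraint><web-resource-collection><web-resource-name>all</web-resource-name>
    <url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>TEST_ROLE_NAME</role-name></auth-constraint></security-constraint>
  <security-constraint><web-resource-collection><web-resource-name>admin</web-resource-name>
    <url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>NIC_Admin</role-name></auth-constraint></security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>TEST_REALM_NAME</realm-name></login-config>
</web-app>"""
JBOSS_WEB_XML = "<jboss-web><security-domain>java:/jaas/TEST_SECURITY_DOMAIN</security-domain></jboss-web>"
USERS_PROPERTIES = "anonymous=secret\nElena=changeme\n"
ROLES_PROPERTIES = "anonymous=TEST_ROLE_NAME\nElena=TEST_ROLE_NAME,DSAAuthorizedClient\nSarah=TEST_ROLE_NAME\n"
```

Calling audit(WEB_XML, JBOSS_WEB_XML, USERS_PROPERTIES, ROLES_PROPERTIES) on the sample data shows only anonymous and Elena reaching /*, nobody reaching /admin/*, and two findings: NIC_Admin is assigned to no user, and Sarah has a role but no password. To audit a real deployment, read the four files from WEB-INF and server/default/conf instead of the embedded strings.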

Other Web application servers may have their own configuration requirements for default security roles. See the documentation for the server that you have deployed for more information.

