How to configure HTTP authentication with Jboss?

I would like to protect my entire site with user and password, I saw that it is possible to do this using HTTP authentication, but I would like to know how to do this in Jboss.

  • A good place to start is http://docs.jboss.org/jbossas/jboss4guide/r1/html/ch8.chapter.html

  • If anyone knows the steps to do this please post here, because the documentation is too extensive and it is difficult to know what of all this I must do. I just want to configure 1 user and 1 password for access. As simple as possible.

  • I thought it would be some simple setup to do, but apparently it isn’t. I’ll read all the documentation and try to solve it myself.

  • Boy, if your site is exposed on the Web, it’s probably a good thing you put an Apache or Nginx in front of Jboss. It is not considered good practice to put Jboss itself to serve websites (listening on 0.0.0.0)

  • Why not just use Jboss? Jboss is an application server, just like Tomcat or Apache, or am I wrong?

  • So both Jboss and Tomcat can serve Java web applications. But it’s good practice to put an HTTP service like Apache or Nginx in front of them, so you don’t have to expose the application server to the web -- they just need to talk to Apache/Nginx. It is common for security holes to appear on application servers, so hiding them behind Apache gives greater stability.

  • Anyway, which version of Jboss you are using?

  • I am using Jboss EAP 6.1

  • Daniel T. Sobrosa, I believe the answer here may help in understanding your question.

2 answers


The Servlet API makes it possible to specify resource authentication in web.xml. See this example from the Jboss 6 documentation:

<web-app>
    <!-- ... -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Secure Content</web-resource-name>
            <url-pattern>/restricted/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>AuthorizedUser</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <!-- ... -->
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>The Restricted Zone</realm-name>
    </login-config>
    <!-- ... -->
    <security-role>
        <description>The role required to access restricted content</description>
        <role-name>AuthorizedUser</role-name>
    </security-role>
</web-app>

As I said, this is part of the Java API and is even required knowledge for the certification now known as OCEJWCD.

However, the "registration" of users is performed in the application server (container). Specifically in Jboss, there is documentation that teaches you how to put these users in properties files, but it also says that it is possible to store them in a database or use an LDAP service.

Basically, what you need to do is specify the desired authentication module. In the case of properties files, it is the UsersRolesLoginModule. Then you configure the module, as in this example:

<deployment xmlns="urn:jboss:bean-deployer:2.0">

   <!-- ejb3 test application-policy definition -->
   <application-policy xmlns="urn:jboss:security-beans:1.0" name="ejb3-sampleapp">
      <authentication>
         <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="usersProperties">ejb3-sampleapp-users.properties</module-option>
            <module-option name="rolesProperties">ejb3-sampleapp-roles.properties</module-option>
         </login-module>
      </authentication>
   </application-policy>

</deployment>

Finally, you create the roles file (roles) and the user passwords file (users):

username1=role1,role2,...
username1.RoleGroup1=role3,role4,...
username2=role1,role3,...

and:

username1=password1
username2=password2

  • It is worth noting that the OP mentioned EAP 6, not AS 6. It is a bit confusing, but EAP 6 is based on AS 7 :-)

  • @jpkrohling Thanks, I hadn’t noticed this.

utluiz’s answer is correct, especially because it deals with Jboss AS 6. For Jboss AS 7 (including Jboss EAP 6) and Wildfly, you must create a realm in the standalone.xml and create users within this realm. The easiest way is to use the add-user.sh script, which is inside the bin directory. This is easy for one or two users, and I imagine this is your case, but if you want to expand this authentication to hundreds of users, then it is recommended that you read more about JAAS, the standard defining authentication and authorization for Java EE applications.

The EAP 6.2 security documentation is worth a read, for more details and options.
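As an added example (not from the question or either answer), this is how the same BASIC protection from the first answer is wired up on Jboss EAP 6 / AS 7: a security-domain in standalone.xml backed by the UsersRoles login module, a jboss-web.xml that binds the deployment to it, and the web.xml constraint widened to /* so the whole site is covered, as the question asked. The domain name mysite-domain, the properties file names and the user admin are assumed.

```xml
<!-- standalone.xml: add inside <security-domains> of the security subsystem
     (EAP 6 / AS 7). Domain name and file names are assumed. -->
<security-domain name="mysite-domain" cache-type="default">
    <authentication>
        <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties"
                           value="${jboss.server.config.dir}/mysite-users.properties"/>
            <module-option name="rolesProperties"
                           value="${jboss.server.config.dir}/mysite-roles.properties"/>
        </login-module>
    </authentication>
</security-domain>

<!-- WEB-INF/jboss-web.xml: bind the deployment to that domain; otherwise the
     deployment uses the container's default security domain, not this one. -->
<jboss-web>
    <security-domain>mysite-domain</security-domain>
</jboss-web>

<!-- WEB-INF/web.xml: protect the whole site (/*), not just /restricted/*.
     CONFIDENTIAL forces HTTPS, so the BASIC credentials (only Base64-encoded)
     are not sent in clear text; this needs an HTTPS connector or a TLS proxy
     such as the Apache/Nginx front end suggested in the comments. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Whole site</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>AuthorizedUser</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>My site</realm-name>
</login-config>
<security-role>
    <role-name>AuthorizedUser</role-name>
</security-role>

<!-- standalone/configuration/mysite-users.properties (constructed):
     admin=change-me
     standalone/configuration/mysite-roles.properties (constructed):
     admin=AuthorizedUser
     Passwords are stored in clear text here, so keep both files readable
     only by the account that runs Jboss. -->
```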
