Security features in Jboss

Mark Henryson
Ranch Hand

Joined: Jul 11, 2005
Posts: 200
I want to implement security features for the web application with JBoss 4.2.2.
I have seen some examples of implementing authorization, authentication, confidentiality and integrity in Tomcat server, by adding the users and roles in the vendor-specific XML file and then configuring it in the DD.
How can we achieve it in JBoss? In Tomcat, I have come across the realm concept. I don't want to use the memory realm (hardcoding the roles and user details in XML).
I want to use it from a DB (like the JDBC realm). How can we do this for JBoss?

Another question: We can restrict the user from accessing the constrained resources with the HTTP method (in security-constraint - web level). If that is the case, then why do we need to restrict the methods in the EJB (in the assembly descriptor - application level)?
Any one is enough, right? Am I missing anything? Please advise.
Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 9317

Mark Henryson wrote:
I want to implement security features for the web application with JBoss 4.2.2.
...
How can we achieve it in JBoss?

See if this helps: http://www.jboss.org/community/docs/DOC-12185

Mark Henryson wrote:
Another question: We can restrict the user from accessing the constrained resources with the HTTP method (in security-constraint - web level). If that is the case, then why do we need to restrict the methods in the EJB (in the assembly descriptor - application level)?

It's not just HTTP servlets which act as clients of EJBs. If you have a standalone Java class or a web service or something else, those clients too can access the EJB. Applying the access restrictions on the EJB (which is nothing but a resource) helps in taking care of the security of the EJB without having to worry about the type of client.



Mark Henryson
Ranch Hand

Joined: Jul 11, 2005
Posts: 200
I am referring to the link provided by you. My requirement is to provide authentication and authorization using a relational database.
So I have referred to DatabaseServerLoginModule. I have a couple of doubts about it.

http://www.jboss.org/file-access/default/members/jbossas/freezone/docs/Server_Configuration_Guide/4/html/Using_JBoss_Login_Modules-DatabaseServerLoginModule.html

1. Do we need the Principals and Roles tables with the same column names specific to JBoss?
2. Can we define our own tables for users and user roles?
3. I will copy the below code into login-config.xml; after that, how can I invoke it to get the result in a Struts action/servlet?
What are the corresponding changes that need to be done in jboss-web.xml? Please throw some light on it.
Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 9317

Mark Henryson wrote:
1. Do we need the Principals and Roles tables with the same column names specific to JBoss?

No. You can name the columns and tables anything of your choice. All you have to do is provide that query in the login-config.xml and use the datasource that contains these tables.

Mark Henryson wrote:
2. Can we define our own tables for users and user roles?

Yes, you can.

Mark Henryson wrote:
What are the corresponding changes that need to be done in jboss-web.xml? Please throw some light on it.

Your jboss-web.xml should refer to this application policy in the login-config.xml:
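The wiring the replies above describe, as an added example that is not code from this thread and not JBoss's own configuration: a web.xml, jboss-web.xml and login-config.xml that chain together through one security-domain name and authenticate against the users and userroles tables named in the thread. The domain name MyAppDbRealm, the datasource java:/MyAppDS, the role name "user", the URL patterns and page names, and every column name (login, pwd, enabled, rolename, user_login) are assumptions for illustration. It also covers the JSP question: with container-managed FORM login the page posts to j_security_check and the action only reads the outcome.

```xml
<!-- WEB-INF/web.xml: what is protected and how users log in.
     Role name "user", URL patterns and page names are constructed for this example. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected pages</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- FORM login: the JSP posts j_username and j_password to j_security_check and the
       container, not the Struts action, performs the login. Afterwards the action reads
       request.getRemoteUser() and request.isUserInRole("user"); the password itself is
       never handed to application code. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>MyAppDbRealm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginfailed.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>

<!-- WEB-INF/jboss-web.xml: binds the web app to a JAAS security domain. The java:/jaas/
     prefix is the JBoss 4.x convention; the name after it must equal the application-policy
     name in login-config.xml. -->
<jboss-web>
  <security-domain>java:/jaas/MyAppDbRealm</security-domain>
</jboss-web>

<!-- server/default/conf/login-config.xml: the policy that authenticates against the
     users and userroles tables from the thread. Column names (login, pwd, enabled,
     rolename, user_login) and the datasource JNDI name java:/MyAppDS are assumptions. -->
<application-policy name="MyAppDbRealm">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <module-option name="dsJndiName">java:/MyAppDS</module-option>
      <!-- The module binds the submitted user name to the single ? and reads the
           stored password from the first selected column, whatever it is called.
           Extra WHERE conditions (an "enabled" flag, for instance) are fine. -->
      <module-option name="principalsQuery">select pwd from users where login = ? and enabled = 1</module-option>
      <!-- Column 1 is the role name, column 2 the role group. The group must be the
           literal 'Roles' for the names to count as roles in web and EJB authorization;
           it is a JBoss convention, not a column in your table. -->
      <module-option name="rolesQuery">select rolename, 'Roles' from userroles where user_login = ?</module-option>
    </login-module>
  </authentication>
</application-policy>
```

The three names to keep in sync are the application-policy name, the part of security-domain after java:/jaas/, and (for readability) realm-name; a mismatch between the first two silently falls back to the server's default policy, so check it first when a login fails without an obvious SQL error.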

Mark Henryson
Ranch Hand

Joined: Jul 11, 2005
Posts: 200
I am not clear about one thing.
1. I have created two tables, users and userroles.
2. Added the below code to login-config.xml



3. Added the below code to jboss-web.xml



4. Created a JSP page with the username and password; submitting it will go to the action servlet. How can I get these passwords/roles for the users?

Step 4 is confusing. Is there anything else I am missing? Please advise.
Mark Henryson
Ranch Hand

Joined: Jul 11, 2005
Posts: 200
Sorry, I was a little bit confused.
I have added the following entries in web.xml:



I am able to get the pop-up asking for user name and password.



I have a query: is it possible to customise the principalsQuery and rolesQuery? I have more fields in the users and usersroles tables and would like to check some other conditions in the principalsQuery and rolesQuery.
Dejan Mratinkovic
Ranch Hand

Joined: Nov 20, 2008
Posts: 65
Increasing the security log level can help:

http://primalcortex.wordpress.com/2007/11/28/jboss-and-jaas-debug/

The instructions relate to JAAS, but I believe they log all the others too. You will be able to see the exact query executed, as well as the parameters provided to the query, so you can see what role you got.

Regarding queries, you can create as complex an SQL query as you wish, as long as your DB can execute it. The only important thing is that you select only:



so the result of your query should be something like:


regardless of the actual column name (userRoles) in your database.

The same goes for the password. You need the query to return something to match the password you enter, regardless of column and table names. You have a single input, which is the question mark (?), to be replaced with the data you enter. Furthermore, you can specify the encoding of the password if you don't have plain-text passwords.

Mark Henryson
Ranch Hand

Joined: Jul 11, 2005
Posts: 200
I have a query:

I don't want to store the password as clear text in the DB, so I am using some sort of encryption technique to encrypt it and then storing it in the DB.
Now, using the DatabaseServerLoginModule, how will it verify the password?



Now, when the pop-up asks for the password, the user will key in "passwd" in the password text box.
How will DatabaseServerLoginModule verify the password?

Another query:
I have added the below code in web.xml in security-constraint for SSL. But I was able to bring up the application. Do any configuration settings need to be done for SSL?
Dejan Mratinkovic
Ranch Hand

Joined: Nov 20, 2008
Posts: 65
Mark,

Please check: http://www.jboss.org/community/wiki/DatabaseServerLoginModule

There you can see that some of the optional parameters are hashAlgorithm and hashEncoding (you can also see there which are the defaults). Set them to match your password encoding. If you wish to use an alternative (your own specific) way of password encoding, I am afraid you would need to extend the login-module class and introduce your custom password handling, which I would not recommend.

Regarding confidential communication, you would need to set up the url-pattern, as this is the only area which will be affected by <security-constraint>,

i.e. <url-pattern>/*</url-pattern>.

Setting up CONFIDENTIAL will auto-redirect all HTTP communication to HTTPS (for all requests that match the url-pattern).

NOTE: If you have multiple security constraints within the same web.xml, the first match will be applied.
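The CONFIDENTIAL constraint described above, as an added example that is not the poster's web.xml: the constraint itself, and the HTTPS connector that the redirect depends on, since a transport guarantee only redirects to a port the server is actually listening on. The server.xml path is the JBoss 4.2 location as I recall it and is an assumption; the ports are the defaults, and the keystore file and password are placeholders.

```xml
<!-- WEB-INF/web.xml: a constraint that forces HTTPS. It applies only to requests that
     match its url-pattern, so /* is used here to cover the whole application. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application over HTTPS</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <!-- CONFIDENTIAL: a plain HTTP request to a matching URL is redirected to the port
         named as redirectPort on the HTTP connector below. NONE would accept plain HTTP. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- server/default/deploy/jboss-web.deployer/server.xml (JBoss 4.2 path, assumed):
     the redirect only helps if an HTTPS connector is enabled. The keystore file and
     password are placeholders; the ports are the JBoss defaults. -->
<Connector port="8080" address="${jboss.bind.address}" protocol="HTTP/1.1"
           connectionTimeout="20000" redirectPort="8443" />
<Connector port="8443" address="${jboss.bind.address}" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/conf/YOUR-KEYSTORE.jks"
           keystorePass="REPLACE-WITH-KEYSTORE-PASSWORD" sslProtocol="TLS" />
```

If another constraint with a more specific pattern (such as /secure/*) carries the auth-constraint, add the same user-data-constraint to that constraint as well, so the HTTPS requirement does not depend on how the container chooses between overlapping patterns. A quick check after deployment is to request a protected page over http:// and confirm the response is a redirect to the 8443 port rather than the page itself.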
Mark Henryson
Ranch Hand

Joined: Jul 11, 2005
Posts: 200
Below is my code. Yes, I want my application to use the HTTPS protocol.
Please advise whether the below one needs any corrections.

Dejan Mratinkovic
Ranch Hand

Joined: Nov 20, 2008
Posts: 65
The code seems to be fine, but you are missing <realm-name> from <login-config>.

This would need to match the security-domain from jboss-web.xml, which needs to match the application-policy from login-config.xml.

I am not sure this is minimal, as I am using certificate login, which is a bit different from yours, but it works fine for me.
Mark Henryson
Ranch Hand

Joined: Jul 11, 2005
Posts: 200
I am trying to encrypt the password using a message digest - MD5 (given below) and store it in the MySQL DB.
Using DatabaseServerLoginModule, I am trying to authenticate, but it's failing. Please help on this.







Getting the error message:


But for the user ID "ram" and password "passwd", I am able to log in. Whereas for the user "tiger" with the encrypted password, I couldn't log in.
Please throw some light on it. Please help to check the configuration in login-config.xml.

And I have another doubt. If the user attempts to enter an invalid password more than 5 times, we need to lock his account.
Does JBoss' DatabaseServerLoginModule or any other login module provide this functionality? If not, how can it be achieved?
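The hashing options named in the earlier reply, shown as an added example of the same application policy (not the poster's login-config.xml and not JBoss's own code), with the mismatch that produces exactly the symptom described: the clear-text user logs in, the user with a stored digest does not. The policy name, datasource, table and column names are the same assumptions as before. An unsalted MD5 digest is not a suitable password hash by today's standards; the example only matches the setup discussed in the thread.

```xml
<!-- server/default/conf/login-config.xml: the DatabaseServerLoginModule policy with
     password hashing enabled. WITHOUT hashAlgorithm the module compares the typed
     password with the column value as two plain strings, so a stored digest can never
     match: "ram"/"passwd" (stored in clear) works, "tiger" (stored as a digest) fails. -->
<application-policy name="MyAppDbRealm">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <module-option name="dsJndiName">java:/MyAppDS</module-option>
      <module-option name="principalsQuery">select pwd from users where login = ?</module-option>
      <module-option name="rolesQuery">select rolename, 'Roles' from userroles where user_login = ?</module-option>
      <!-- The module digests the typed password with this JCA algorithm name ... -->
      <module-option name="hashAlgorithm">MD5</module-option>
      <!-- ... encodes the 16 digest bytes in this form, and compares the resulting STRING
           with the stored column value (case-sensitive):
             hex    -> 32 lowercase hex characters, e.g. what MySQL's MD5() returns
             base64 -> 24 characters ending in "=="
           Whatever wrote the row must have used the same algorithm and the same
           encoding, or the comparison fails even though the password is right. -->
      <module-option name="hashEncoding">hex</module-option>
    </login-module>
  </authentication>
</application-policy>
```

A fast way to find the mismatch is to look at the stored value for "tiger": 32 hex characters means hashEncoding must be hex, 24 characters ending in "==" means base64, and anything else (raw bytes written as a string, or uppercase hex) means the code that stored the row produced a representation the module will never generate. The earlier suggestion to raise the security log level shows the value the module computed next to the value it read, which settles the question directly.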
Mark Henryson
Ranch Hand

Joined: Jul 11, 2005
Posts: 200
Please help on this.
 