Securing Application for JBoss5.1.0

Chris Kie
Greenhorn

Joined: Nov 30, 2009
Posts: 14
Hi all,

I'm writing an application and I'm using Jboss5.1.0

Security is an important thing nowadays, so also for my application.
I have tried lots of tutorials and examples but nothing works the way I want it to.

THE QUESTION: Is it possible to secure the lookup?

I already tried some things using JAAS and DatabaseServerLoginModule, but this doesn't work.

Thanks for your help and your know-how ;)

greez Chris

Mark E Hansen
Ranch Hand

Joined: Apr 01, 2009
Posts: 643
Can you please explain further what you mean by secure the lookup?
Chris Kie
Greenhorn

Joined: Nov 30, 2009
Posts: 14
The best way to explain this is showing it in practice.



auth.conf file


thanks for your help
Peter Johnson
author
Bartender

Joined: May 14, 2008
Posts: 5779
Is this client code that you posted? The auth.conf on the client is not used (at least, not for server authorization) - you have to configure authorization on the server.

Maybe if you explained a little more about what you are trying to do it would help.


JBoss In Action
Chris Kie
Greenhorn

Joined: Nov 30, 2009
Posts: 14
hi Peter

Yes, this up there is client code.

I want to validate username and password before any lookup is done.

In other words, securing JBoss with username and password stored in a database,
so that you can't do a lookup on a Bean before passing validation.

Sorry for my bad English.

Peter Johnson
author
Bartender

Joined: May 14, 2008
Posts: 5779
As far as I know there is no way to secure JNDI lookup. The only thing you can secure is the call to the EJB.
Chris Kie
Greenhorn

Joined: Nov 30, 2009
Posts: 14
LoginContext.login();

Is this method only to pass on username and password?

Is it possible to secure all EJBs at once, or do I have to secure
each EJB on its own with



I think I do need this auth.conf for JAAS .. ??!?!??

Mark E Hansen
Ranch Hand

Joined: Apr 01, 2009
Posts: 643
Do you have the book: JBoss in Action? This goes through all the steps necessary to secure a J2EE application on JBoss.
Note that there are two parts. First is assigning roles to the EJB methods, using the @RolesAllowed() annotation (as well as the @SecurityDomain() annotation). The second is that you need to cause the web user to authenticate, so there will be roles associated with him, which can be checked against your @RolesAllowed() annotation.

I just went through this using JBoss 5.1.0.GA and the DatabaseServerLoginModule. If you want, I can walk you through all the steps I used to get this up and running on my end.

However, best thing would be to get Peter's book. It is a very good and helpful book. (I don't get anything for this plug )

Best Regards,

Chris Kie
Greenhorn

Joined: Nov 30, 2009
Posts: 14
No, I don't have JBoss in Action ...

I would be very glad if you could walk me through all the steps ...
Mark E Hansen
Ranch Hand

Joined: Apr 01, 2009
Posts: 643
Okay, here we go.

First, you need to create a database. I used MySQL. This database will have the two tables used by the DatabaseServerLoginModule. By default these tables are called Principals and Roles, although you can change this with configuration (we'll see later). Here are the create table statements I used on MySQL:


You then need to insert rows into both tables. The Principals table holds the user login and password. The Roles table holds the list of roles you wish the user to participate in. Note that the RoleGroup column must have a value of 'Roles' (but we can eliminate this requirement in the configuration, which we'll see later).

If you're not sure what data to load into the tables, ask.

You'll need to configure JBoss to use the MySQL driver. This involves getting the driver jar on the server's classpath. Ask if you need help doing this, but the mysql installation instructions should give you what you need.

Next you'll need to create a datasource deployment descriptor. I named mine mysql-ds.xml, and deploy it by copying it to the server/default/deploy directory in JBOSS_HOME (note: "default" is the server name. If you're using a different server, just replace the name. I'll refer to the server as "default" in this post). Here is what my mysql-ds.xml file looks like:

Note you will need to assign your specific values to the connection-url, user-name and password elements.
These are not the web-user credentials, but the user/password used to access the MySQL database server. Note the <jndi-name> element of MySQLDS. You can make this whatever you want, but it will be used later, so if you change it, change the reference used later as well.

You need to add an <application-policy> block element to the JBOSS_HOME/server/default/conf/login-config.xml file. Mine looks like this:
Note the reference to the datasource (MySQLDS). Fix that so it matches your datasource. You will need to select a security domain name. This can be whatever you want, but will be referenced later, so keep track of what you choose.

At this point, you can restart the application server (or start it, if it's not already running).

Next, you need to get the web application to prompt the user for credentials. Basically, once the configuration is set up, the application will prompt the user when they attempt to access something which requires authentication (like an EJB that includes a @RolesAllowed() annotation).
In the web.xml file for the web application, add a <login-config> element, which looks like this:
Add some <security-role> elements for each security role you will use in the application, like the following:
Add a security constraint to force authentication for your application pages. This example will blanket all application pages. You can change the url-pattern element to lock down only specific pages:
And finally, you need to add a jboss-web.xml file to the web application, which looks like this:
Note that you will need to use your security domain name, as chosen in the login-config.xml file.

Now, in the session EJB, add the following annotations to the class:

And add the following annotation to the bean method:

I went through this rather fast, and hope I didn't miss anything. If anyone sees something wrong, please correct me.

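The <application-policy> block for login-config.xml that the walkthrough above refers to, written out here as an added example (it is not Mark's own file, which is not reproduced on this page). It assumes a security domain named my-db-domain and reuses the MySQLDS datasource name from the walkthrough; the table and column names are the DatabaseServerLoginModule defaults, and the two query options show the configuration points the walkthrough mentions (renaming tables/columns, and dropping the RoleGroup requirement).

```xml
<!-- Added example for JBOSS_HOME/server/default/conf/login-config.xml.
     The domain name "my-db-domain" and the datasource name are assumptions. -->
<application-policy name="my-db-domain">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">

      <!-- JNDI name of the datasource from mysql-ds.xml (<jndi-name>MySQLDS</jndi-name>) -->
      <module-option name="dsJndiName">java:/MySQLDS</module-option>

      <!-- Query that returns the stored password for a login name.
           This is the module's default; change it if your table or
           column names differ from Principals(PrincipalID, Password). -->
      <module-option name="principalsQuery">
        select Password from Principals where PrincipalID=?
      </module-option>

      <!-- Query that returns (role, role group) pairs for a login name.
           The default reads the RoleGroup column, which must then hold the
           literal 'Roles'. Returning the constant 'Roles' instead removes
           that requirement, so the Roles table only needs PrincipalID and Role. -->
      <module-option name="rolesQuery">
        select Role, 'Roles' from Roles where PrincipalID=?
      </module-option>

      <!-- Store a digest in the Password column rather than the cleartext
           password: with these two options the module hashes the submitted
           password with SHA-256, base64-encodes it and compares that to the
           stored value, so the database never holds the cleartext. -->
      <module-option name="hashAlgorithm">SHA-256</module-option>
      <module-option name="hashEncoding">base64</module-option>

    </login-module>
  </authentication>
</application-policy>
```

The same domain name is what the rest of the walkthrough ties together: jboss-web.xml refers to it as <security-domain>java:/jaas/my-db-domain</security-domain>, and the session bean's @SecurityDomain annotation takes the bare name "my-db-domain". If you enable hashAlgorithm, the rows you insert into Principals must contain the base64 SHA-256 digest of each password, not the password itself, or every login will fail.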
Chris Kie
Greenhorn

Joined: Nov 30, 2009
Posts: 14
Thank you very much

I'm trying this out tomorrow, hope I get it running

but now is partytime (22:45)

Chris Kie
Greenhorn

Joined: Nov 30, 2009
Posts: 14
Thanks a lot for your help ;)

everything works fine so far ...

Sapna Sharma
Greenhorn

Joined: Dec 30, 2009
Posts: 3
Is there any algorithm that can give a guarantee of data delivery on JBoss or any other server?


Er. Sapna Sharma
BSF , New Delhi
Sapnaloksharma@Yahoo.in
Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 9343
Sapna Sharma wrote:is there any algorithm that can give guarantee of data delivery on jboss or any other server.

Sapna, your question doesn't look related to the topic being discussed in this thread. Please create a separate thread to discuss your question.
