I have a simple JEE application which is deployed to JBoss 5.1.0.GA. The application consists of EJB3 entities, session beans and servlets and later, will include Web Services.
I would like to begin working out how to apply security to the application, but I'm not sure where to start.
I've been pawing over all the documentation available for JBoss (as well as JEE), but I'm not sure what it is I want to look at.
Based on the JEE documentation, I know how to secure the resources in the application to particular roles. I believe I just need to map my runtime users to the application roles.
Do I then just need to build a Login Module (is that the right term?) and configure JBoss AS to use it?
I was not able to find any information on creating a Login Module and configuring JBoss AS. Can you please provide me with a pointer?
Is this JAAS, or is there a newer/better technology available for doing this?
Using this, is it possible to maintain my list of users and roles in my application database, such that it can be updated dynamically?
How you go about it depends on your application's architecture. Let's take a simple architecture - your users access servlets which in turn access EJBs. The entry point into the system is thus the servlet, which means that you have to apply authentication there. This means editing the server/xxx/conf/login-config.xml file to define your login mechanism (add an application-policy entry to the file). Then create a WEB-INF/jboss-web.xml file in your web app (package it with your servlets) and have it reference the application-policy. Then go into the WEB-INF/web.xml file and specify the authentication and access control mechanism (any decent book on JSPs and servlets will tell you how).
Then for access control for your EJBs, use the same roles that you specified in web.xml file.
By the way, JBoss in Action goes into a lot of detail on security.
I don't think you need to resort to JAAS just to add authentication. As long as the users/passwords/roles are in a repository that's compatible with JBoss's servlet security implementation -probably not a high hurdle- you should be good to go. (I'm a bit vague because I don't know much about JBoss, and -although the API you'd use in the servlet code is standardized- the way to set it up is server-specific. The JBoss approach is described at http://docs.jboss.org/jbossas/jboss4guide/r5/html/ch8.chapter.html)