August 21, 2013

Configure UsersRolesLoginModule for JBoss EAP 6

Introduction

In this blog I will show you how to configure a simple JAAS login module that holds usernames, passwords and roles in properties files. The login module for this job is org.jboss.security.auth.spi.UsersRolesLoginModule.

Finding the correct source code and documentation for the JBoss EAP 6 login modules can be a bit tricky. The reason is that their concrete implementations are hosted in the sister project Picketbox. For example, the exact version shipped with JBoss EAP 6.1.0 is 4.0.17.Final-redhat-1, and the jar is located under $JBOSS_HOME/modules/system/layers/base/org/picketbox/main/.

The UsersRolesLoginModule has more to offer than I will show you here, namely storing the password hashed instead of in clear text. But since the UsersRolesLoginModule is merely for test purposes, I will leave that out here.

Configuration

I will use JBoss EAP 6 in standalone mode, which means that the JBoss configuration file is $JBOSS_HOME/standalone/configuration/standalone.xml. Open it and add the below JAAS security-domain.

Create Users and Assign Roles

Creating users and their associated roles is easy, since they are stored in plain text files located under $JBOSS_HOME/standalone/configuration/. Here I will only create one user and one role, but you can create as many as you please.

Configuration

The easiest way to test the security is to either take an existing war project or create a new zip file and add a welcome file (index.html), a web.xml and a jboss-web.xml. Either way, the relevant configuration for the web.xml is below.

And the relevant portion in jboss-web.xml.
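The four pieces of the procedure above, gathered into one added example that is not the blog's own configuration; the domain name blog-domain, the properties file names and the user, password and role values are assumptions:

```xml
<!-- 1. standalone.xml: add this under <security-domains> in the security subsystem -->
<security-domain name="blog-domain" cache-type="default">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <!-- both files are resolved relative to $JBOSS_HOME/standalone/configuration/ -->
            <module-option name="usersProperties" value="${jboss.server.config.dir}/blog-users.properties"/>
            <module-option name="rolesProperties" value="${jboss.server.config.dir}/blog-roles.properties"/>
            <!-- optional: store hashed passwords instead of clear text, e.g.
                 <module-option name="hashAlgorithm" value="MD5"/>
                 <module-option name="hashEncoding" value="base64"/> -->
        </login-module>
    </authentication>
</security-domain>

<!-- 2. the two properties files (constructed sample content, clear-text password, test use only)
     blog-users.properties:   one "username=password" line per user
         magnus=secret
     blog-roles.properties:   one "username=role1,role2" line per user
         magnus=admin
-->

<!-- 3. web.xml: protect the whole context root and require the "admin" role -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Everything</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>blog-domain</realm-name>
</login-config>
<security-role>
    <role-name>admin</role-name>
</security-role>

<!-- 4. jboss-web.xml: bind the deployment to the security domain declared in step 1 -->
<jboss-web>
    <security-domain>blog-domain</security-domain>
</jboss-web>
```

A request for index.html should now be answered with 401 until the browser sends the credentials from blog-users.properties, and a user without the admin role in blog-roles.properties gets 403.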

2 comments:

Andrew Nicholson said...

Thank you for this resource, Magnus. This is by far the best resource I have found on how to set up a security domain. There are a couple of things to note, though. I might be mistaken here, or I might be stating something obvious (shows how much I know!), but I think if you fail to add the picketbox dependency to your pom.xml then you're going to have dependency issues. At the time of writing this is the dependency declaration:
    <dependency>
        <groupId>org.picketbox</groupId>
        <artifactId>picketbox</artifactId>
        <version>4.0.18.Final</version>
    </dependency>

You can check here for the proper dependency by searching "picketbox".

Another thing is that it might be easier and safer to do this configuration using the management console, i.e. localhost:9990. I was having some issues getting this to work, so I started the process over using the management console and I got it to work that way. I don't think it makes any material difference, but I think it's easier to make mistakes if you edit the xml files manually. The management console is pretty intuitive; just go to profile->security->security domains to add/edit the appropriate security domain.

Wenslauw said...

Thank you for this article. I have a question. I see you set up the user and group configuration files under the security domain, while other examples set them up under the security realm. What's the reason for this, and is one option to be preferred over the other? Thank you for any answer in advance.