Database backed declarative security in JBoss

This had me looking through the docs for a while to find, so I thought I would share.

If you need to secure a Java EE app, be it a web or EJB module, and want to use container-based security instead of coding it yourself, JBoss provides a nice convenience model for pulling out Principals (users) and Roles (permissions) from a table in your database.

What you have to do is edit the file <jboss_home>/server/login-config.xml and add an entry using the org.jboss.security.auth.spi.DatabaseServerLoginModule. Here’s the one I’m using:


    
        
            
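    <application-policy name="CaptchaUserDB">
        <authentication>
            <!-- flag is assumed to be "required", the usual setting when this is the only module -->
            <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                <!-- JNDI name of the datasource holding the user and role tables -->
                <module-option name="dsJndiName">java:/AdminPanelDS</module-option>
                <!-- Returns the stored (hashed) password for the principal -->
                <module-option name="principalsQuery">
                    select password from entry_user where username=?
                </module-option>
                <!-- Returns role name and role group; 'Roles' is the group used for permission checks -->
                <module-option name="rolesQuery">
                    select role, 'Roles' from entry_user_roles where username=?
                </module-option>
                <!-- The presented password is hashed with this algorithm before comparison -->
                <module-option name="hashAlgorithm">SHA-1</module-option>
            </login-module>
        </authentication>
    </application-policy>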
            
        
    

After that, add the name of your policy to your application's WEB-INF/jboss-web.xml if it’s a webapp, or to META-INF/jboss.xml if it’s an EJB jar:

jboss-web.xml:


    <jboss-web>
        <security-domain>java:/jaas/CaptchaUserDB</security-domain>
    </jboss-web>

jboss.xml:

    <jboss>
        <security-domain>java:/jaas/CaptchaUserDB</security-domain>
    </jboss>

After that, obviously, configure security using the @RolesAllowed annotation on the methods or class of your EJBs, or the security elements in web.xml of your webapp.
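How the DatabaseServerLoginModule entry above uses its two queries at login, as an added Python simulation (not JBoss code and not from the original post). It assumes hashEncoding is left at its base64 default and that passwords are UTF-8; the table layout, user and roles are constructed sample data.

```python
import base64
import hashlib
import hmac
import sqlite3

# The two queries from the login-config.xml entry on this page.
PRINCIPALS_QUERY = "select password from entry_user where username=?"
ROLES_QUERY = "select role, 'Roles' from entry_user_roles where username=?"


def stored_hash(password: str) -> str:
    """Value to store in entry_user.password: Base64(SHA-1(password)).

    Assumes hashEncoding=base64 (the default) and UTF-8 passwords.
    """
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data; column types are assumptions."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        create table entry_user (username text primary key, password text not null);
        create table entry_user_roles (username text not null, role text not null);
        """
    )
    db.execute("insert into entry_user values (?, ?)", ("alice", stored_hash("s3cret")))
    db.executemany("insert into entry_user_roles values (?, ?)",
                   [("alice", "admin"), ("alice", "editor")])
    return db


def authenticate(db, username, password):
    """Return the caller's 'Roles' group as a set, or None if login fails."""
    row = db.execute(PRINCIPALS_QUERY, (username,)).fetchone()
    if row is None:
        return None  # unknown principal
    # Hash the presented password and compare it with the stored column value.
    if not hmac.compare_digest(stored_hash(password), row[0]):
        return None
    # Column 1 is the role name, column 2 the role group it belongs to.
    return {role for role, group in db.execute(ROLES_QUERY, (username,))
            if group == "Roles"}
```

The role names returned here are what @RolesAllowed and the web.xml security elements are matched against. The stored value is an unsalted SHA-1 digest, so two users with the same password end up with identical password columns.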

 

Further detail can be found at the JBoss Documentation.
