Database backed declarative security in JBoss

This had me looking through the docs for a while to find, so I thought I would share.

If you need to secure a Java EE app, be it a web or EJB module, and want to use container-based security instead of coding it yourself, JBoss provides a nice convenience model for pulling out Principals (users) and Roles (permissions) from a table in your database.

What you have to do is edit the file <jboss_home>/server/login-config.xml and add an entry using the Here’s the one I’m using:

                 select password from entry_user where username=?
                select role, 'Roles' from entry_user_roles where username=?

After that, add the name of your policy to your application's WEB-INF/jboss-web.xml if it's a webapp, or META-INF/jboss.xml if it's an EJB jar:





After that, configure security using the @RolesAllowed annotation on the methods or class of your EJBs, or the security elements in web.xml of your webapp.
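
As an added illustration (not the original post's own configuration), the files described above could look like this, assuming the entry uses JBoss's DatabaseServerLoginModule. The policy name `example-policy`, the datasource `java:/ExampleDS` and the two hashing options are assumptions; the two queries are the ones from the post.

```xml
<!-- login-config.xml: one <application-policy> inside the existing <policy> element -->
<application-policy name="example-policy">  <!-- hypothetical policy name -->
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <!-- Assumed JNDI name of the datasource that holds the user tables -->
      <module-option name="dsJndiName">java:/ExampleDS</module-option>
      <!-- First column of the result is taken as the stored credential -->
      <module-option name="principalsQuery">select password from entry_user where username=?</module-option>
      <!-- Column 1 = role name, column 2 = role group ('Roles' is the group used for authorization) -->
      <module-option name="rolesQuery">select role, 'Roles' from entry_user_roles where username=?</module-option>
      <!-- Assumption: entry_user.password holds Base64-encoded SHA-256 digests.
           Without hashAlgorithm the module compares the submitted password
           against the column value as plain text. -->
      <module-option name="hashAlgorithm">SHA-256</module-option>
      <module-option name="hashEncoding">base64</module-option>
    </login-module>
  </authentication>
</application-policy>

<!-- WEB-INF/jboss-web.xml: bind the webapp to the policy above -->
<jboss-web>
  <security-domain>java:/jaas/example-policy</security-domain>
</jboss-web>

<!-- META-INF/jboss.xml: the same binding for an EJB jar -->
<jboss>
  <security-domain>java:/jaas/example-policy</security-domain>
</jboss>
```

The role names returned by the roles query are the values that @RolesAllowed and the role-name elements in web.xml are matched against, so they need to agree exactly, including case.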


Further detail can be found at the JBoss Documentation.
