1) Set up the logging levels; this will save you some headaches, trust me. Don't forget to change it back once you are set up: trace output from the security subsystem is verbose and records details of every login attempt, so it has no place in a production log. Open jboss-logging.xml under server/default/deploy; inside the 'console-handler' tag there is a 'level' tag, replace 'INFO' with 'TRACE'. Also add the following alongside the other loggers:
2) Add your security domain. To do this create a new XML file, name it something like my-app-name-jaas-jboss-beans.xml and place it in the server/default/deploy folder. Add the following to the file:
IMPORTANT: The role query has to return two columns, the second of which is always the literal 'Roles', exactly as stated. It's a JBoss quirk: the second column is the role group name, and only roles in the 'Roles' group are used for authorization. The three values that go into the login module configuration are: the datasource JNDI name, java:/jdbc/myapp; the principals query, select PASSWORD from USER where USERNAME=?; and the roles query, SELECT r.NAME, 'Roles' FROM ROLE r, USER_ROLE ur, USER u WHERE u.USERNAME=? AND u.USERNAME=ur.USERNAME AND ur.ROLE_NAME=r.NAME. Note that the principals query as written compares the stored PASSWORD column directly with what the user typed, which only works if passwords are stored in clear text; store a hash instead and tell the login module which algorithm and encoding to apply before comparing.
3) You have a security domain, now you have to tell your application to use it. Create or edit jboss-web.xml in your application's WEB-INF folder; it needs the security domain specified, like so (the two values are the context root, /myapp, and the security domain, java:/jaas/myapp-realm; the java:/jaas/ prefix is fixed and the last part must match the name of the application policy you deployed):
4) Your application is set to use the domain now, but you haven't told it what needs securing and when to authenticate. For testing purposes I have used BASIC authentication; in reality you should use FORM based. I will leave you to research the difference, but note that either method sends the password to the server (BASIC resends it base64-encoded on every request), so both need TLS on the secured URLs. To test your security add the following to your web.xml: a security-constraint with display name "Secure Pages", web resource name "secure-pages", URL pattern /test/* and the role names MANAGER and USER; a login-config with auth method BASIC and realm name myapp-realm; and a security-role declaration for each of MANAGER and USER.
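The three files from steps 2 to 4, reconstructed as one added example from the values quoted above; this is not the post's own listing. It assumes JBoss 5.x (the urn:jboss:bean-deployer:2.0 and urn:jboss:security-beans:1.0 schemas) and the DatabaseServerLoginModule. Two things go beyond the post and are marked as such: the hashAlgorithm/hashEncoding options, so the PASSWORD column can hold a base64-encoded SHA-256 digest instead of clear text, and the CONFIDENTIAL transport guarantee, which forces the secured pages onto HTTPS. The table and column names (USER, ROLE, USER_ROLE, USERNAME, PASSWORD, NAME, ROLE_NAME) are taken from the post's queries.

```xml
<!-- File 1 (added example): server/default/deploy/myapp-jaas-jboss-beans.xml -->
<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="urn:jboss:bean-deployer:2.0">
  <!-- The policy name becomes java:/jaas/myapp-realm for jboss-web.xml -->
  <application-policy xmlns="urn:jboss:security-beans:1.0" name="myapp-realm">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                    flag="required">
        <module-option name="dsJndiName">java:/jdbc/myapp</module-option>
        <!-- One column: the stored credential for the user name bound to ? -->
        <module-option name="principalsQuery">select PASSWORD from USER where USERNAME=?</module-option>
        <!-- Two columns: role name, then the role group; it must be 'Roles'
             for the role to count towards authorization -->
        <module-option name="rolesQuery">SELECT r.NAME, 'Roles' FROM ROLE r, USER_ROLE ur, USER u WHERE u.USERNAME=? AND u.USERNAME=ur.USERNAME AND ur.ROLE_NAME=r.NAME</module-option>
        <!-- Added here, not in the post: hash the supplied password before
             comparing so that PASSWORD holds a base64 SHA-256 digest -->
        <module-option name="hashAlgorithm">SHA-256</module-option>
        <module-option name="hashEncoding">base64</module-option>
      </login-module>
    </authentication>
  </application-policy>
</deployment>

<!-- File 2 (added example): WEB-INF/jboss-web.xml -->
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
  <context-root>/myapp</context-root>
  <!-- java:/jaas/ + the application-policy name above -->
  <security-domain>java:/jaas/myapp-realm</security-domain>
</jboss-web>

<!-- File 3 (added example): the security section of WEB-INF/web.xml -->
<security-constraint>
  <display-name>Secure Pages</display-name>
  <web-resource-collection>
    <web-resource-name>secure-pages</web-resource-name>
    <url-pattern>/test/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>MANAGER</role-name>
    <role-name>USER</role-name>
  </auth-constraint>
  <!-- Added here, not in the post: require HTTPS so BASIC credentials are
       never sent in the clear -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <!-- BASIC is fine for testing; switch to FORM for a real deployment -->
  <auth-method>BASIC</auth-method>
  <realm-name>myapp-realm</realm-name>
</login-config>
<security-role><role-name>MANAGER</role-name></security-role>
<security-role><role-name>USER</role-name></security-role>
```

To check the wiring, hit /myapp/test/ with no credentials and expect a 401 with a WWW-Authenticate: Basic header; a user whose rolesQuery returns no row in the 'Roles' group should authenticate but get a 403, which is the quickest way to spot the two-column quirk. With TRACE enabled for org.jboss.security the console shows which query ran and whether the role lookup returned anything.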
So I have covered authentication, and EJB 3.1 / JEE authorization is covered extensively elsewhere. One thing lacking in the JEE world is full identity management, i.e. something where you say identity.createUser("bob") and it will create a user in any abstracted back end user store, LDAP, database or whatever. This tool does exist, and it is PicketLink. I haven't had a chance to play with it, but it looks promising. I would dare say it is overkill for most applications though, at least until it becomes more mainstream and simple to use.
1 comment:
Your blog is a good one.