Friday, July 01, 2011

JEE 6 Security - Part Two (the implementation)

Alright, I have set up authentication in JBoss AS 6 using JAAS database (JDBC) authentication. The steps:

1) Set up the logging levels; this will save you some headaches, trust me. Open jboss-logging.xml under server/default/deploy. Under the 'console-handler' tag there is a 'level' tag: replace 'INFO' with 'TRACE'. Also add, beside the other loggers, the following. Don't forget to change it back once you are set up: TRACE output from the security layer is very verbose and writes the details of every login attempt into the server log.

      
   

2) Add your security domain. To do this, create a new XML file, name it something like my-app-name-jaas-jboss-beans.xml and place it in the server/default/deploy folder. The name you give the policy here (myapp-realm below) is the name your application references in step 3. Add the following to the file:

<?xml version="1.0" encoding="UTF-8"?>
<!-- The element names, the login-module class and flag="required" are reconstructed
     here; the tags were lost from this copy of the post and only the values survived. -->
<deployment xmlns="urn:jboss:bean-deployer:2.0">
  <application-policy xmlns="urn:jboss:security-beans:1.0" name="myapp-realm">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
        <module-option name="dsJndiName">java:/jdbc/myapp</module-option>
        <module-option name="principalsQuery">
          select PASSWORD from USER where USERNAME=?
        </module-option>
        <module-option name="rolesQuery">
          SELECT r.NAME, 'Roles' FROM ROLE r, USER_ROLE ur, USER u WHERE
          u.USERNAME=? AND u.USERNAME=ur.USERNAME AND ur.ROLE_NAME=r.NAME
        </module-option>
      </login-module>
    </authentication>
  </application-policy>
</deployment>

IMPORTANT: The role query has to return two columns. The first is the role name; the second is the role group, and it must be the literal string 'Roles' for the rows to be treated as authorization roles (the only other group JBoss recognises is 'CallerPrincipal', which substitutes a different principal name rather than granting roles). Also be aware that principalsQuery as written compares the submitted password with the stored column verbatim, so the USER table holds plaintext passwords; for anything beyond a test setup store a hash instead and set the login module's hashAlgorithm and hashEncoding module options so it hashes the submitted password before comparing.
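To make the two queries concrete, here is a small model of what the login module does with them, written for this post rather than taken from JBoss: it runs the page's principalsQuery and rolesQuery against an in-memory SQLite database, checks the password, and keeps only rows whose second column is 'Roles'. The USER/ROLE/USER_ROLE schema, the sample accounts, and the hashed-password mode (modelled on the hashAlgorithm=SHA-256 / hashEncoding=base64 module options, which the post does not set) are assumptions.

```python
"""Model of what the DatabaseServerLoginModule does with the two queries from
step 2. Added example, not JBoss code: the USER/ROLE/USER_ROLE schema, the
sample accounts, and the hashed-password mode (JBoss's hashAlgorithm /
hashEncoding module options, which the post does not set) are assumptions."""
import base64
import hashlib
import hmac
import sqlite3

# The two queries exactly as they appear in the security-domain file.
PRINCIPALS_QUERY = "select PASSWORD from USER where USERNAME=?"
ROLES_QUERY = ("SELECT r.NAME, 'Roles' FROM ROLE r, USER_ROLE ur, USER u WHERE "
               "u.USERNAME=? AND u.USERNAME=ur.USERNAME AND ur.ROLE_NAME=r.NAME")


def hash_password(password: str) -> str:
    """base64(SHA-256(password)): the stored form the login module compares
    against when configured with hashAlgorithm=SHA-256, hashEncoding=base64."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_db(hashed: bool) -> sqlite3.Connection:
    """Constructed sample data shaped like the tables the queries reference."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE USER (USERNAME TEXT PRIMARY KEY, PASSWORD TEXT NOT NULL);
        CREATE TABLE ROLE (NAME TEXT PRIMARY KEY);
        CREATE TABLE USER_ROLE (USERNAME TEXT NOT NULL, ROLE_NAME TEXT NOT NULL);
    """)
    store = hash_password if hashed else (lambda p: p)   # plaintext = the post's setup
    db.executemany("INSERT INTO USER VALUES (?, ?)",
                   [("alice", store("s3cret")), ("bob", store("hunter2"))])
    db.executemany("INSERT INTO ROLE VALUES (?)", [("MANAGER",), ("USER",)])
    db.executemany("INSERT INTO USER_ROLE VALUES (?, ?)",
                   [("alice", "MANAGER"), ("alice", "USER"), ("bob", "USER")])
    return db


def role_rows(db: sqlite3.Connection, username: str) -> list:
    """Raw result of rolesQuery: (role name, role group) pairs."""
    return sorted(db.execute(ROLES_QUERY, (username,)).fetchall())


def login(db: sqlite3.Connection, username: str, password: str, hashed: bool):
    """Return the user's authorization roles on success, None on any failure."""
    row = db.execute(PRINCIPALS_QUERY, (username,)).fetchone()
    if row is None:
        return None                      # unknown user: same outcome as a bad password
    submitted = hash_password(password) if hashed else password
    if not hmac.compare_digest(submitted.encode("utf-8"), row[0].encode("utf-8")):
        return None
    # The second column names the role *group*. Only rows in the 'Roles' group
    # become authorization roles; the other group JBoss recognises is
    # 'CallerPrincipal', which swaps in a different principal name instead.
    return {name for name, group in role_rows(db, username) if group == "Roles"}
```

Note the last case the model covers: once the module is switched to hashed mode, a table that still holds plaintext passwords fails every login, so migrate the stored values and the module options together.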

3) You have a security domain; now you have to tell your application to use it. Create or edit jboss-web.xml in your application's WEB-INF folder. It needs the security domain specified like so:

<!-- Element names reconstructed; the tags were lost from this copy of the post. -->
<jboss-web>
    <context-root>/myapp</context-root>
    <security-domain>java:/jaas/myapp-realm</security-domain>
</jboss-web>


4) Your application is set to use the domain now, but you haven't told it what needs securing and when to authenticate. For testing purposes I have used BASIC authentication; in reality you should use FORM-based. I will leave you to research the difference. Either way, note that the constraint below has no user-data-constraint, so the credentials travel unprotected over plain HTTP; before using this outside a test environment add a transport-guarantee of CONFIDENTIAL and configure an HTTPS connector. To test your security add the following to your web.xml:

    <!-- Element names reconstructed; the tags were lost from this copy of the post. -->
    <security-constraint>
        <display-name>Secure Pages</display-name>
        <web-resource-collection>
            <web-resource-name>secure-pages</web-resource-name>
            <url-pattern>/test/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>MANAGER</role-name>
            <role-name>USER</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>myapp-realm</realm-name>
    </login-config>
    <security-role>
        <role-name>MANAGER</role-name>
    </security-role>
    <security-role>
        <role-name>USER</role-name>
    </security-role>

So I have covered authentication, and EJB 3.1 JEE authorization is covered extensively elsewhere. One thing lacking in the JEE world is full identity management, i.e. something where you say identity.createUser("bob") and it creates a user in whatever abstracted back-end user store you have: LDAP, a database or whatever. This tool does exist, and it is PicketLink. I haven't had a chance to play with it, but it looks promising. I would dare say it is overkill for most applications though, at least until it becomes more mainstream and simple to use.

1 comment:

Laurie Sanders said...

Your blog is a good one.