Alright, I have set up authentication in JBoss AS 6 using JAAS database (JDBC) authentication. The steps:
1) Set up the logging levels; this will save you some headaches, trust me. Don't forget to change it back once you are set up. Open jboss-logging.xml under server/default/deploy; under the 'console-handler' tag there is a 'level' tag, replace 'INFO' with 'TRACE'. Also, add the following next to the other loggers:
2) Add your security domain. To do this, create a new XML file, name it something like my-app-name-jaas-jboss-beans.xml and place it in the server/default/deploy folder. Add the following to the file:
java:/jdbc/myapp
select PASSWORD from USER where USERNAME=?
SELECT r.NAME, 'Roles' FROM ROLE r, USER_ROLE ur, USER u WHERE
u.USERNAME=? AND u.USERNAME=ur.USERNAME AND ur.ROLE_NAME=r.NAME
IMPORTANT: The role query has to return two columns, the second of which must always be the literal 'Roles', exactly as stated. It's a JBoss quirk.
3) You have a security domain; now you have to tell your application to use it. Create or edit jboss-web.xml in your application's WEB-INF folder. It needs the security domain specified like so:
/myapp
java:/jaas/myapp-realm
4) Your application is set to use the domain now, but you haven't told it what needs securing and when to authenticate. For testing purposes I have used BASIC authentication; in reality you should use FORM-based. I will leave you to research the difference. To test your security, add the following to your web.xml:
Secure Pages
secure-pages
/test/*
MANAGER
USER
BASIC
myapp-realm
MANAGER
USER
So I have covered authentication, and EJB 3.1 JEE authorization is covered extensively everywhere. One thing lacking in the JEE world is full identity management, i.e. something where you say identity.createUser("bob") and it will create a user in any abstracted back-end user store: LDAP, database or whatever. This tool does exist, and it is PicketLink. I haven't had a chance to play with it, but it looks promising. I would dare say it is overkill for most applications though, at least until it becomes more mainstream and simple to use.