Sunday, January 31, 2010

JBoss container managed basic authentication

These days I am working on an ACS (Automatic Configuration System) that runs on a JBoss application server, and yesterday I configured the server for container-managed authentication. Here is a straightforward tutorial that shows how to protect applications hosted in JBoss with the BASIC authentication method. Container-managed authentication controls how a user's credentials are verified when a protected resource of a web application is accessed. JBoss protects the resources with a simple role-based mechanism: on receiving a request for a protected resource it asks the browser for a username and password. With this method every password travels across the network merely base64-encoded, not encrypted, so anyone who can observe the traffic can read it; in production BASIC authentication should be combined with HTTPS (a transport-guarantee of CONFIDENTIAL rather than the NONE used below). The commented-out parts of the JBoss configuration files are worth reviewing if you need further options.

First step, web.xml modifications
Find the web.xml in the WEB-INF folder of the web module of your deployed EAR application; its exact location depends on your OS and deployment directory. Add the lines below at the bottom of web.xml, just before the closing </web-app> tag.

<!-- Everything under the context root requires an authenticated user in the ossmanager role -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>ossmanager</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>ossmanager</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- NONE permits plain HTTP; CONFIDENTIAL would force HTTPS, which BASIC auth needs in production -->
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- BASIC auth: the browser shows a username/password prompt labelled with the realm name -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>OSS Security</realm-name>
</login-config>

<!-- Every role referenced by an auth-constraint must be declared as a security-role -->
<security-role>
  <description>ossmanager is the role required to access under oss</description>
  <role-name>ossmanager</role-name>
</security-role>

<!-- cpeowner is declared here and assigned in acs-roles.properties, but no constraint above requires it yet -->
<security-role>
  <description>cpeowner is the role required to access under cpeowner</description>
  <role-name>cpeowner</role-name>
</security-role>

Second step, jboss-web.xml modifications
Right beside web.xml in the WEB-INF folder you will find jboss-web.xml; add the lines below to it. Note that datak-oss is the context root of the application and acs-security-policy is the name you choose for your security policy (it must match the application-policy defined in the next step).

<jboss-web>
  <context-root>datak-oss</context-root>
  <!-- java:/jaas/ prefix plus the application-policy name from login-config.xml -->
  <security-domain>java:/jaas/acs-security-policy</security-domain>
</jboss-web>

Third step, login-config.xml modifications
Find login-config.xml in the server/default/conf folder and add the lines below alongside the existing application-policy entries. The policy name must match the last part of the security-domain value in jboss-web.xml.

<application-policy name="acs-security-policy">
  <authentication>
    <!-- UsersRolesLoginModule reads users and roles from two properties files on the classpath -->
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="usersProperties">acs-users.properties</module-option>
      <module-option name="rolesProperties">acs-roles.properties</module-option>
      <!-- passwords are stored in clear text as configured here; the module also supports
           hashed passwords through its hashAlgorithm and hashEncoding options -->
    </login-module>
  </authentication>
</application-policy>

Create acs-users.properties and acs-roles.properties as text files in WEB-INF/classes/ (the login module loads them from the classpath) with the following contents:

acs-users.properties:
amir=takeiteasy
kamran=mamooshi

acs-roles.properties:
amir=ossmanager,cpeowner
kamran=cpeowner

Exclude a URL by adding a blank security-constraint
I added this part two days later, because the project manager asked me to exclude a certain URL (/cpe) from the secured zone. I did it simply by adding a new security-constraint without an auth-constraint. The code below carves an unprotected path out of the secured zone, which any anonymous user can access. Add the security-constraint below to web.xml next to the one you added before. The container applies the constraint whose url-pattern matches the request most specifically, so /cpe/* takes precedence over /* for requests under /cpe. Note that the pattern matches /cpe and everything below it, but not, for example, /cpeowner.

<!-- No auth-constraint: anything under /cpe is reachable without logging in -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>CPE</web-resource-name>
    <url-pattern>/cpe/*</url-pattern>
  </web-resource-collection>
</security-constraint>
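The decision the container makes once the constraints from step one, the security domain and the two properties files are in place, together with the effect of the /cpe/* carve-out, can be exercised offline with the following Python model. It is an added illustration, not JBoss's own code: the properties contents are copied from the two files above, the constraint table and the longest-prefix matching are a simplification of the servlet matching rules, and decode_basic shows concretely that the base64 encoding of the credentials gives no protection.

```python
"""Model of the container's BASIC-auth and role decision for this tutorial's config.

Added illustration, not JBoss code: it reproduces the decision the web.xml and
login-config.xml above describe so the rules can be exercised offline. The
property-file contents below are constructed copies of the two files in the post.
"""
import base64
import hmac

# Constructed copies of WEB-INF/classes/acs-users.properties and acs-roles.properties.
USERS_PROPERTIES = "amir=takeiteasy\nkamran=mamooshi\n"
ROLES_PROPERTIES = "amir=ossmanager,cpeowner\nkamran=cpeowner\n"

# The security-constraints from web.xml as url-pattern -> roles allowed by the
# auth-constraint. None stands for a constraint with no auth-constraint, i.e. the
# anonymous carve-out for /cpe/*. Paths are relative to the context root (/datak-oss).
CONSTRAINTS = {
    "/*": {"ossmanager"},
    "/cpe/*": None,
}


def parse_properties(text):
    """Parse the key=value subset of Java .properties; skips blank lines and #/! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def load_roles(text):
    """acs-roles.properties maps each user to a comma-separated list of roles."""
    return {user: {r.strip() for r in roles.split(",") if r.strip()}
            for user, roles in parse_properties(text).items()}


USERS = parse_properties(USERS_PROPERTIES)   # user -> clear-text password
USER_ROLES = load_roles(ROLES_PROPERTIES)    # user -> set of roles


def basic_header(user, password):
    """Build the Authorization value a browser sends after answering the BASIC prompt."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header):
    """Recover (user, password) from an Authorization header value, or None if malformed.

    base64 is an encoding, not encryption: anyone who sees the header (a proxy, a
    packet capture of plain HTTP) recovers the password exactly like this.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def match_pattern(pattern, path):
    """Servlet path-prefix matching: /cpe/* matches /cpe and /cpe/x but not /cpeowner."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


def required_roles(path):
    """Roles allowed for a path, or None when no auth-constraint applies.

    Simplification of the spec: among matching prefix patterns the longest (most
    specific) one wins, which is why /cpe/* overrides /* for requests under /cpe.
    """
    matches = [p for p in CONSTRAINTS if match_pattern(p, path)]
    if not matches:
        return None  # no security-constraint covers the path: unrestricted
    return CONSTRAINTS[max(matches, key=len)]


def authorize(path, authorization=None):
    """Return the status the container would answer with: 200, 401 or 403."""
    roles = required_roles(path)
    if roles is None:
        return 200  # anonymous access (the /cpe/* carve-out, or an uncovered path)
    creds = decode_basic(authorization or "")
    if creds is None:
        return 401  # challenge: WWW-Authenticate: Basic realm="OSS Security"
    user, password = creds
    stored = USERS.get(user)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return 401  # unknown user or wrong password: challenge again
    if USER_ROLES.get(user, set()) & roles:
        return 200
    return 403  # authenticated, but not in a role the auth-constraint allows


if __name__ == "__main__":
    for path, auth in [("/", None), ("/", basic_header("amir", "takeiteasy")),
                       ("/", basic_header("kamran", "mamooshi")), ("/cpe/status", None)]:
        print(path, auth, "->", authorize(path, auth))
```

Running the module prints the four cases the tutorial cares about: an anonymous request to the root is challenged (401), amir gets in (200), kamran is authenticated but lacks ossmanager (403), and /cpe/status is served without credentials (200).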
