Hi,

Usually in production environments we don’t want to use the “$PROFILE/conf/props/jmx-console-users.properties” file to hold the user names and passwords of different users. In that case we have several options to tell JBoss EAP how to authenticate and authorize users, and where to store the username and password information in a more secure fashion.

In this example we are going to see how to use Database Authentication to secure the jmx-console or any other deployed web application. This is achieved using “org.jboss.security.auth.spi.DatabaseServerLoginModule”.

Step1). Add the following inside your “$PROFILE/conf/login-config.xml” file.

  <application-policy name="DBAuthTest">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
        <module-option name="dsJndiName">java:/TestDS</module-option>
        <module-option name="principalsQuery">select password from PRINCIPLES where principal_id=?</module-option>
        <module-option name="rolesQuery">select user_role, 'Roles' from ROLES where principal_id=?</module-option>
      </login-module>

      <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
        <module-option name="rolesProperties">props/test-roles.properties</module-option>
        <module-option name="replaceRole">false</module-option>
      </login-module>
    </authentication>
  </application-policy>

Step2). Create a file “$PROFILE/conf/props/test-roles.properties” with the following line:

TestUserOneGroup=TestRoleOne

Step3). Now set up the database by creating the following tables and inserting the following records:

CREATE TABLE PRINCIPLES (principal_id VARCHAR(64) PRIMARY KEY, password VARCHAR(64));
CREATE TABLE ROLES (principal_id VARCHAR(64), user_role VARCHAR(64), role_group VARCHAR(64));

INSERT INTO PRINCIPLES VALUES ('TestUserOne', 'PasswordOne');
INSERT INTO PRINCIPLES VALUES ('TestUserTwo', 'PasswordTwo');

INSERT INTO ROLES VALUES ('TestUserOne', 'TestRoleOne', 'TestUserOneGroup');
INSERT INTO ROLES VALUES ('TestUserTwo', 'TestRoleTwo', 'TestUserTwoGroup');

Step4). Now create a DataSource file like “oracle-ds.xml” and then place it inside your “$PROFILE/deploy” directory:

<?xml version="1.0" encoding="UTF-8"?>
<datasources>
  <local-tx-datasource>
    <jndi-name>TestDS</jndi-name>
    <connection-url>jdbc:oracle:thin:@10.10.10.10:1521:xe</connection-url>
    <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
    <user-name>dbuser</user-name>
    <password>dbpassword</password>
    <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter</exception-sorter-class-name>
    <metadata>
      <type-mapping>Oracle9i</type-mapping>
    </metadata>
  </local-tx-datasource>
</datasources>

Step5). Now place the “oracle6.jar” (Oracle driver) inside your “$PROFILE/lib” directory. (You can choose whatever database and database driver you want, based on your requirements.)

Step6). Make sure that your application has the following kind of tags inside its “WEB-INF/web.xml” file:

   <security-constraint>
      <web-resource-collection>
         <web-resource-name>HtmlAdaptor</web-resource-name>
         <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>TestRoleOne</role-name>
      </auth-constraint>
   </security-constraint>
   <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>TestRealm</realm-name>
   </login-config>
   <security-role>
      <role-name>TestRoleOne</role-name>
   </security-role>

Step7). Make sure that your application has a “jboss-web.xml” like the following:

<!DOCTYPE jboss-web PUBLIC
   "-//JBoss//DTD Web Application 5.0//EN"
   "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
<jboss-web>
      <security-domain>java:/jaas/DBAuthTest</security-domain>
</jboss-web>

Step8). Restart your server and then access the application. You can enter the username “TestUserOne” and the password “PasswordOne”.
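To make the flow of Step1 to Step7 concrete, here is an added Python example (not code from this post or from JBoss) that replays what the two login modules and the web.xml constraint do, using the post's own queries, rows and role-mapping line against an in-memory SQLite database standing in for the Oracle TestDS. The function names, the SQLite stand-in and my reading of the 'Roles' group and replaceRole semantics are assumptions of this example.

```python
import sqlite3
import hmac

# Queries and role-mapping line copied from the post's login-config.xml and
# test-roles.properties; the SQLite database below is a constructed stand-in
# for the Oracle TestDS datasource, loaded with the Step3 rows.
PRINCIPALS_QUERY = "select password from PRINCIPLES where principal_id=?"
ROLES_QUERY = "select user_role, 'Roles' from ROLES where principal_id=?"
ROLE_MAPPING = {"TestUserOneGroup": ["TestRoleOne"]}  # TestUserOneGroup=TestRoleOne
REPLACE_ROLE = False  # <module-option name="replaceRole">false</module-option>


def build_db():
    """In-memory SQLite database with the tables and rows from Step3 (constructed)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE PRINCIPLES (principal_id VARCHAR(64) PRIMARY KEY, password VARCHAR(64));
        CREATE TABLE ROLES (principal_id VARCHAR(64), user_role VARCHAR(64), role_group VARCHAR(64));
        INSERT INTO PRINCIPLES VALUES ('TestUserOne', 'PasswordOne');
        INSERT INTO PRINCIPLES VALUES ('TestUserTwo', 'PasswordTwo');
        INSERT INTO ROLES VALUES ('TestUserOne', 'TestRoleOne', 'TestUserOneGroup');
        INSERT INTO ROLES VALUES ('TestUserTwo', 'TestRoleTwo', 'TestUserTwoGroup');
    """)
    return db


def apply_role_mapping(roles):
    """RoleMappingLoginModule step: every key of test-roles.properties that names a
    role the user already holds contributes its mapped roles. With replaceRole=false
    the mapped roles are added to the existing ones instead of replacing them."""
    mapped = {r for key, targets in ROLE_MAPPING.items() if key in roles for r in targets}
    return mapped if REPLACE_ROLE else roles | mapped


def authenticate(db, username, password):
    """DatabaseServerLoginModule step. The '?' is bound as a prepared-statement
    parameter, so the user name never becomes part of the SQL text. The stored
    password is compared as-is, exactly as the plaintext rows from Step3 require.
    Returns the user's role set, or None when the login fails."""
    row = db.execute(PRINCIPALS_QUERY, (username,)).fetchone()
    if row is None or not hmac.compare_digest(row[0].encode(), password.encode()):
        return None
    # Column 2 of rolesQuery is the group name; only the 'Roles' group is used
    # for authorization decisions.
    roles = {role for role, group in db.execute(ROLES_QUERY, (username,)) if group == "Roles"}
    return apply_role_mapping(roles)


def is_authorized(roles, required=("TestRoleOne",)):
    """web.xml <auth-constraint> check: holding any listed role grants access to /*."""
    return roles is not None and any(r in roles for r in required)
```

Running it shows that TestUserOne reaches the application while TestUserTwo authenticates but is refused by the TestRoleOne constraint, which is the same split the BASIC login in Step8 produces.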

NOTE: If you are facing any issue or authentication failure, enable the following category in your “$PROFILE/conf/jboss-log4j.xml” file to get TRACE level information related to security, then check the “server.log” to find out why the authentication is failing:

   <category name="org.jboss.security">
      <priority value="TRACE"/>
   </category>

Thanks
Middleware Magic Team
