Author: Sherif F. Makary, Pedro Igor Level: Intermediate Technologies: Servlet, Security Summary: Demonstrates how to use Java EE declarative security to control access to Servlet 3 Target Product: EAP
This example demonstrates the use of Java EE declarative security to control access to Servlets and Security in JBoss Enterprise Application Platform 6 and JBoss AS7.
When you deploy this example, two users are automatically created for you: user quickstartUser
with password quickstartPwd1!
and user guest
with password guest
. This data is located in the src/main/resources/import.sql
file.
This quickstart takes the following steps to implement Servlet security:
standalone.xml
configuration file using the Database JAAS LoginModule.Add an application user with access rights to the application
User Name: quickstartUser
Password: quickstartPwd1!
Role: quickstarts
Add another user with no access rights to the application.
User Name: guest
Password: guestPwd1!
Role: notauthorized
Add a security domain reference to WEB-INF/jboss-web.xml
.
Add a security constraint to the WEB-INF/web.xml
.
Add a security annotation to the EJB declaration.
Please note the allowed user role quickstarts
in the annotation -@RolesAllowed
- is the same as the user role defined in step 2.
All you need to build this project is Java 6.0 (Java SDK 1.6) or better, Maven 3.0 or better.
The application this project produces is designed to be run on JBoss Enterprise Application Platform 6 or JBoss AS 7.
If you have not yet done so, you must Configure Maven before testing the quickstarts.
Using the add-user utility script, you must add the following users to the ApplicationRealm
:
UserName | Realm | Password | Roles |
---|---|---|---|
quickstartUser | ApplicationRealm | quickstartPwd1! | quickstarts |
guest | ApplicationRealm | guestPwd1! | notauthorized |
The first application user has access rights to the application. The second application user is not authorized.
For an example of how to use the add-user utility, see instructions in the root README file located here: Add User.
This quickstart authenticates users using a simple database setup. The datasource configuration is located in the /src/main/webapp/WEB-INF/servlet-security-quickstart-ds.xml
file. You can configure the security domain using the JBoss CLI or by manually editing the configuration file.
Start the JBoss Enterprise Application Platform 6 or JBoss AS 7 Server with the web profile by typing the following:
For Linux: JBOSS_HOME/bin/standalone.sh
For Windows: JBOSS_HOME\bin\standalone.bat
To start the JBoss CLI tool, open a new command line, navigate to the JBOSS_HOME directory, and type the following:
For Linux: bin/jboss-cli.sh --connect
For Windows: bin\jboss-cli.bat --connect
At the prompt, type each of the following commands. After each one, you should see a response with the first line "outcome" => "success"
.
/subsystem=security/security-domain=servlet-security-quickstart/:add(cache-type=default)
/subsystem=security/security-domain=servlet-security-quickstart/authentication=classic:add(login-modules=[{"code"=>"Database", "flag"=>"required", "module-options"=>[("dsJndiName"=>"java:jboss/datasources/ServletSecurityDS"),("principalsQuery"=>"SELECT PASSWORD FROM USERS WHERE USERNAME = ?"), ("rolesQuery"=>"SELECT R.NAME, 'Roles' FROM USERS_ROLES UR INNER JOIN ROLES R ON R.ID = UR.ROLE_ID INNER JOIN USERS U ON U.ID = UR.USER_ID WHERE U.USERNAME = ?")]}])
/:reload
JBOSS_HOME/standalone/configuration/standalone.xml
JBOSS_HOME/standalone/configuration/standalone.xml
file in an editor and locate the subsystem urn:jboss:domain:security
. Add the following XML to the :
<security-domain name="servlet-security-quickstart" cache-type="default">
<authentication>
<login-module code="Database" flag="required">
<module-option name="dsJndiName" value="java:jboss/datasources/ServletSecurityDS"/>
<module-option name="principalsQuery" value="SELECT PASSWORD FROM USERS WHERE USERNAME = ?"/>
<module-option name="rolesQuery" value="SELECT R.NAME, 'Roles' FROM USERS_ROLES UR INNER JOIN ROLES R ON R.ID = UR.ROLE_ID INNER JOIN USERS U ON U.ID = UR.USER_ID WHERE U.USERNAME = ?"/>
</login-module>
</authentication>
</security-domain>
Please note that the security domain name servlet-security-quickstart
must match the one defined in the /src/main/webapp/WEB-INF/jboss-web.xml
file.
The following shows the command line to start the server with the web profile:
For Linux: JBOSS_HOME/bin/standalone.sh
For Windows: JBOSS_HOME\bin\standalone.bat
NOTE: The following build command assumes you have configured your Maven user settings. If you have not, you must include Maven setting arguments on the command line. See Build and Deploy the Quickstarts for complete instructions and additional options.
Type this command to build and deploy the archive:
mvn clean package jboss-as:deploy
This will deploy target/jboss-as-servlet-security.war
to the running instance of the server.
The application will be running at the following URL http://localhost:8080/jboss-as-servlet-security/.
When you access the application, you should get a browser login challenge.
Log in using the username quickstartUser
and password quickstartPwd1!
. The browser will display the following security info:
Successfully called Secured Servlet
Principal : quickstartUser
Remote User : quickstartUser
Authentication Type : BASIC
Now close the browser. Open a new browser and log in with username guest
and password guestPwd1!
. The browser will display the following error:
HTTP Status 403 - Access to the requested resource has been denied
type Status report
message Access to the requested resource has been denied
description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
When you are finished testing, type this command to undeploy the archive:
mvn jboss-as:undeploy
You can also start the server and deploy the quickstarts from Eclipse using JBoss tools. For more information, see Use JBoss Developer Studio or Eclipse to Run the Quickstarts
If you want to debug the source code or look at the Javadocs of any library in the project, run either of the following commands to pull them into your local repository. The IDE should then detect them.
mvn dependency:sources
mvn dependency:resolve -Dclassifier=javadoc