Set authorization policies for specific EJB and Web components
Setting authorization for specific EJB and Web components

If applications require more granular security policies, you can declare multiple authorization security policies for each application policy. New security domains can inherit base settings from another security domain and override specific settings, such as the authorization policy module.

Procedure 8.2. Set authorization policies for specific security domains

You can override authorization for a particular component. This procedure describes how to inherit settings from other security domain definitions and specify different authorization policies per security domain.

In this procedure, two security domains are defined. The test-domain security domain uses the UsersRolesLoginModule login module and JACC authorization. The test-domain-inherited security domain inherits the login module information from test-domain, and specifies that XACML authorization must be used.

1. Open the security policy
   You can specify the security domain settings in the jboss-as/server/$PROFILE/conf/login-config.xml file, or create a deployment descriptor file containing the settings. Choose the deployment descriptor if you want to package the security domain settings with your application.

   - Locate and open login-config.xml
     Navigate to the login-config.xml file for the server profile you are using and open the file for editing.
     $JBOSS_HOME/jboss-as/server/$PROFILE/conf/login-config.xml

   - Create a jboss-beans.xml descriptor
     Create a [prefix]-jboss-beans.xml descriptor, replacing [prefix] with a meaningful name (for example, test-war-jboss-beans.xml). Save this file in the /deploy directory of the server profile you are configuring.
     jboss-as/server/$PROFILE/deploy/[prefix]-jboss-beans.xml

2. Specify the test-domain security domain
   In the target file chosen in step 1, specify the test-domain security domain. This domain contains the authentication information, including the definition, and the JACC authorization policy module definition.

   [Listing: test-domain application policy; surviving values: anonymous, u.properties, r.properties]

3. Append the test-domain-inherited security domain
   Append the test-domain-inherited application policy definition after the test-domain application policy. Set the extends attribute to other, so the login module information is inherited. Specify the XACML authorization module in the element.

   [Listing: test-domain-inherited application policy; surviving values: anonymous, u.properties, r.properties]

4. Restart server
   You have now configured the target file with two security domains that use different authorization methods. Restart the server to ensure the new security policy takes effect.
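
The two application policies this procedure describes, written out as a [prefix]-jboss-beans.xml descriptor. This is an added example, not the listing from the original page: the namespaces, module class names and module-option names are the stock JBoss Security ones and are assumptions here; only the values anonymous, u.properties and r.properties come from the page.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: e.g. test-war-jboss-beans.xml in server/$PROFILE/deploy/ -->
<deployment xmlns="urn:jboss:bean-deployer:2.0">

  <!-- Step 2: base domain. Authentication plus JACC authorization. -->
  <application-policy xmlns="urn:jboss:security-beans:1.0" name="test-domain">
    <authentication>
      <!-- Assumed class name for the UsersRolesLoginModule named in the procedure -->
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag="required">
        <!-- Callers with no credentials are mapped to this identity;
             review which roles r.properties grants it -->
        <module-option name="unauthenticatedIdentity">anonymous</module-option>
        <module-option name="usersProperties">u.properties</module-option>
        <module-option name="rolesProperties">r.properties</module-option>
      </login-module>
    </authentication>
    <authorization>
      <!-- Assumed class name for the JACC policy module -->
      <policy-module
          code="org.jboss.security.authorization.modules.JACCAuthorizationModule"
          flag="required"/>
    </authorization>
  </application-policy>

  <!-- Step 3: inheriting domain. No <authentication> block of its own;
       only the authorization module is overridden.
       The extends attribute names the application policy whose settings
       are inherited; the value "other" is the one the procedure gives. -->
  <application-policy xmlns="urn:jboss:security-beans:1.0"
                      name="test-domain-inherited" extends="other">
    <authorization>
      <!-- Assumed class name for the XACML policy module -->
      <policy-module
          code="org.jboss.security.authorization.modules.XACMLAuthorizationModule"
          flag="required"/>
    </authorization>
  </application-policy>

</deployment>
```

After the restart in the final step, confirm that each component is bound to the intended domain, since a component left on the base domain is authorized by JACC rather than XACML.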