Configuring JAAS in JBoss 6.1 and Eclipse RCP: Part 1

In this post I explain how to set up Java Authentication and Authorization Service (JAAS) using JBoss AS 6.1 and an Eclipse RCP client that will be making calls on an EJB 3 Session Bean.

Part 1 will cover JBoss configuration and Part 2 will cover the code required in the Eclipse RCP client.


Steps
Setting up JBoss for JAAS will involve the following steps:

  • Set up a datasource to validate user IDs and passwords.
  • Add an application policy.
  • Deploy a login config service.
  • Deploy an ear with a security domain that matches the application policy.


Setting up a Datasource to Validate User IDs and Passwords

Setting up a datasource involves deploying an XML file using the -ds.xml naming convention, such as myAppJaas-ds.xml. This file should be saved in the deploy directory of your JBoss server.

Assuming you have a local MySQL database jaas and that you’ve already granted access to user JBossAS, the content of your file will read as follows:


<?xml version="1.0" encoding="UTF-8"?>
<datasources>
	<local-tx-datasource>
		<jndi-name>jaas-ds</jndi-name>
		<connection-url>jdbc:mysql://localhost:3306/jaas</connection-url>
		<connection-property name="useUnicode">true</connection-property>
		<connection-property name="characterEncoding">utf8</connection-property>
		<driver-class>com.mysql.jdbc.Driver</driver-class>
		<user-name>jbossAS</user-name>
		<password>secretPw</password>
	</local-tx-datasource>
</datasources>

JBoss will need access to the JDBC driver for MySQL. The jar file containing the driver should be copied to the directory [jboss-6.1.0.Final]/server/default/lib. In this case, I’m using the default server configuration.


Add an Application Policy
The application policy is defined through a -config.xml file saved in your server conf directory. The content of the file will be similar to the following myApp-config.xml file:


<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
      "-//JBoss//DTD JBOSS Security Config 3.0//EN"
      "http://www.jboss.org/j2ee/dtd/security_config.dtd">
<policy>
    <application-policy name = "myApp">
       <authentication>
          <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
             flag = "required">
             <module-option name = "dsJndiName">java:jaas-ds</module-option>
             <module-option name = "principalsQuery">SELECT password FROM contact WHERE userId=?</module-option>
             <module-option name = "rolesQuery">SELECT role, 'Roles' FROM contact a JOIN roleset b on a.roleSet_id = b.id JOIN roleset_role c on b.id = c.roleset WHERE a.userId=?</module-option>
          </login-module>
       </authentication>
    </application-policy>
</policy>

As you can see, this file makes reference to the datasource that we defined in the prior step. This application policy entry assumes you have already created the tables contact, roleset, and roleset_role. Your table structures can be whatever makes sense for your application. The important thing here is that you need a query that returns a password for a user id and another query that returns a result set with role name as the first column and the string Roles as the second column.

Another thing to keep in mind is that your application policy name will be used as the security domain in your ear file below.
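
One way to check the two queries against the contract described above before deploying the policy. This is an added example, not code from the original post: the schema and sample rows are assumed, SQLite stands in for MySQL so it runs offline, and only the two query strings are taken from the policy file.

```python
import sqlite3

# Queries copied verbatim from the principalsQuery and rolesQuery module options.
PRINCIPALS_QUERY = "SELECT password FROM contact WHERE userId=?"
ROLES_QUERY = ("SELECT role, 'Roles' FROM contact a "
               "JOIN roleset b on a.roleSet_id = b.id "
               "JOIN roleset_role c on b.id = c.roleset WHERE a.userId=?")

# Assumed schema: only the table and column names used by the queries come from the post.
SCHEMA = """
CREATE TABLE roleset (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE roleset_role (roleset INTEGER NOT NULL REFERENCES roleset(id),
                           role TEXT NOT NULL, PRIMARY KEY (roleset, role));
CREATE TABLE contact (userId TEXT PRIMARY KEY, password TEXT NOT NULL,
                      roleSet_id INTEGER NOT NULL REFERENCES roleset(id));
-- Constructed sample rows.
INSERT INTO roleset VALUES (1, 'staff'), (2, 'admins');
INSERT INTO roleset_role VALUES (1, 'user'), (2, 'user'), (2, 'admin');
INSERT INTO contact VALUES ('alice', 'constructed-pw-1', 2),
                           ('bob', 'constructed-pw-2', 1);
"""

def open_sample_db():
    """Build the assumed schema and sample rows in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def check_contract(db, user_id):
    """Run both queries for one user; return (sorted role names, list of problems)."""
    problems = []
    # The password is read from column 1; a user that should log in needs one row.
    pw_rows = db.execute(PRINCIPALS_QUERY, (user_id,)).fetchall()
    if len(pw_rows) != 1:
        problems.append("principalsQuery returned %d rows, expected 1" % len(pw_rows))
    # Every role row must be (role name, 'Roles'), as the post describes.
    role_rows = db.execute(ROLES_QUERY, (user_id,)).fetchall()
    for row in role_rows:
        if len(row) != 2 or row[1] != "Roles":
            problems.append("rolesQuery row %r is not (role, 'Roles')" % (row,))
    return sorted(r[0] for r in role_rows), problems

if __name__ == "__main__":
    conn = open_sample_db()
    for uid in ("alice", "bob", "mallory"):  # mallory has no row in contact
        print(uid, check_contract(conn, uid))
```
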


Deploy a Login Config Service
The step above defined how passwords and roles should be checked. In this step we tell the application server to start a JAAS service that makes use of the application policy defined in the previous step. Here we will deploy a file myApp-login-config-service.xml. The file name must end in -service.xml and the content will be as follows:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE server>

<server>
   <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
      name="jboss:service=DynamicLoginConfig">
      <attribute name="AuthConfig">myApp-config.xml</attribute>
      <depends optional-attribute-name="LoginConfigService">
         jboss.security:service=XMLLoginConfig
      </depends>
      <depends optional-attribute-name="SecurityManagerService">
         jboss.security:service=JaasSecurityManager
      </depends>
   </mbean>
</server>

Notice that this file makes reference to the application policy file from the previous step.


Deploy an ear with a Security Domain that Matches the Application Policy
Your session beans should be deployed through an ear file with the following structure:

yourEJB3.jar
META-INF/application.xml
META-INF/jboss-app.xml

The jboss-app.xml file will set the security domain with the following content. The security domain should match the application policy name created above.


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss-app PUBLIC "-//JBoss//DTD Java EE Application 5.0//EN" "http://www.jboss.org/j2ee/dtd/jboss-app_5_0.dtd"> 

<jboss-app>
<security-domain>myApp</security-domain>
</jboss-app>


References
You should read the post JBoss 6: Client authentication, security domain by Andrej.
