Java cooking stories

May 11, 2009

Getting started with Jboss and Jaas

Filed under: Uncategorized — grigoresculiviu @ 5:34 pm
Tags: , , ,

When designing a web application one of the first things to consider is the security architecture. There are two major parts that need our attention – authenticating and authorising user’s actions. While jboss supports both configurations this article will primarily deal with authentication leaving other topics open for future articles.

My choise for how to present this was to start with a simple web application whose single purpose is to authenticate the user and if successfull show the main page. Jboss 4.2.3 and 5.0.0 were used to host the app but other versions should work without a glitch as what I’ve done is pretty standard.

Warm up

Before doing any real work it should be told that the whole security model is configured in three places.

Jboss security

Jboss security

Wonder what security domains and login modules are?

To sumarize, a security domain tells Jboss how to authenticate the user. It receives a username and a password and decides whether they are correct or not. This doesn’t mean it is limited only to usernames/passwords. It may work with digital certificates as well or any other object that may be used to authenticate a user. Anyway, we’ll stick with username/password below.

So what are login modules used for? Well, the security domain will ask each login module whether the username/password combination is correct and if all of them say yes the user is considered authenticated. Another way to do it wold be to consider a user logged it if at least a login module successfully authenticated the user. All those scenarios are possible by login module configuration parameters.

For this article we’ll use a builtin login module entitled UsersRolesLoginModule which happens to read the information about how to authenticate and authorise the users from a text file that resides inside web application’s classpath.

Just another word before getting to practical facts. What we’re going to do here is to secure the application using declarative security. This meaning most security aspects of the application are controlled using configuration files. Another way to do this would be to do it programmatically but this is way outside the scope of this article.

Configure Jboss

Consider JBOSS_SERVER_HOME as the path to jboss. In my case it is /devel/jboss-4.2.3.GA/server/default/.

Edit JBOSS_SERVER_HOME/conf/login-config.xml and add a security domain .

  <application-policy name = "jaas1SD">
      <login-module code="" flag = "required">
        <module-option name="unauthenticatedIdentity">guest</module-option>
        <module-option name="usersProperties"></module-option>
        <module-option name="rolesProperties"></module-option>

We will later associate this security domain with Jaas1 application.

Configure web app

You could do it in a number of ways. The way I’ve done it was to build a dynamic web project using Eclipse. This creates a standard J2ee web framework that we’ll use to add useful stuff. I named it ‘Jaas1’.

For reference you can download the source code using this link.

Follows the structure of the application.

  • Jaas1
    • src
    • WebContent
      • WEB-INF
        • login
          • login.jsp
        • jboss-web.xml
        • web.xml
      • index.jsp
      • logout.jsp

Here’s what happens – when the user accesses index.jsp for the first time the login page (login.jsp) is shown. After a successful login the contents of index.jsp becomes available.

As I said earlier the users of this application will be configured inside a file that sits in the classpath of the application. For this reason there is file within src directory.


This means three users are available to login each of them having the password ‘pass’.

Although I said we will only authenticate the user we will also have to specify authorisation informationbecause this is what UsersRolesLoginModule requires in order to work correctly. This happens inside file.


This says that all users belong to the same role. Roles are normally used to provide authorisation but we will use only one dummy role here.

It is time now to associate Jaas1 application with the security domain defined earlier. This is configured inside jboss-web.xml.

<?xml version="1.0" encoding="UTF-8"?>

The last thing before testing our little app is to decide what pages should trigger the authentication mechanism. This is easily done using web.xml. I’ll show here only the parts that specify our security.

		<description />
		<description />



The above is pretty obvious.

<url-pattern> specifies what parts of the application are protected. ‘/*’ means every page of the application starting at root is protected by configured security domain. To protect a single resource ‘/index.jsp’ would be used instead.

<auth-constraint> indicates the role the user will be into when accessing the pages protected by this security constraint.

By using </transport-guarantee> we could for example ensure that some pages are available only by using SSL and the others are available with or without SSL. Our application doesn’t care about SSL and as a consequence we used ‘NONE’.

<login-config> defines the way the user is authenticated. There are four possibilities for authentication method: BASIC, FORM, DIGEST and CLIENT_CERT. FORM tells that authentication information (username and password) are
gathered using a web page present on the server.

That was it.

Restart your Jboss server, deploy the application and feel free to use the comment section below just in case there is something not working.

And because I don’t want to letft some important things untouched I present them below.

  1. Servlet 2.x specification defines the way login.jsp is supposed to send the user/password information.
  2. As login.jsp doesn’t need to be directly available to the user it may sit within WEB-INF as in our example. However it may reside anywhere else inside the application.
  3. In order to logout it is enough to invalidate the session or to let it expire. An example where we programatically invalidate the session is shown inside logout.jsp.
  4. Whatever role is used inside <auth-constraint> it must be defined inside <security-role>
  5. If keeping usernames/passwords in a file bothers you have a look at DatabaseServerLoginModule
  6. Hashing passwords may enhance your security. Applying this is just a matter of configuration. Found more details inside this Password Hashing article.
  7. If you want to get the username from inside your servlet/jsp just use request.getUserPrincipal()

Some links you may found usefull.



Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at

%d bloggers like this: