How to Secure a Stand-Alone Web Application in JBoss EAP

SampleServlet.java

import java.io.IOException;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

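@SuppressWarnings("serial")
@WebServlet(name = "SampleServlet", value = "/")
// Every HTTP method on this servlet requires an authenticated caller holding
// SampleRole (the role declared in web.xml; user/role resolution comes from the
// security domain bound in jboss-web.xml). web.xml selects BASIC authentication,
// which sends the credentials base64-encoded (not encrypted) on every request,
// so the constraint also demands a confidential (TLS) transport: requests over
// plain HTTP are redirected to HTTPS instead of being served. This needs an
// HTTPS connector on the server; drop transportGuarantee only for throw-away
// local experiments, never for a deployment that keeps BASIC.
@ServletSecurity(
    @HttpConstraint(
        rolesAllowed = "SampleRole",
        transportGuarantee = ServletSecurity.TransportGuarantee.CONFIDENTIAL))
public final class SampleServlet extends HttpServlet {

  /**
   * Handles GET by forwarding to the JSP stored under WEB-INF.
   *
   * <p>Resources under WEB-INF cannot be requested directly by clients, so the JSP is reachable
   * only through this servlet and therefore only after the security constraint above has been
   * satisfied. No other HTTP method is overridden; they keep HttpServlet's default handling.
   *
   * @param req the current request; the JSP reads its authenticated principal and role
   * @param resp the response the JSP renders into
   * @throws IOException if the forward fails on I/O
   * @throws ServletException if the JSP cannot be dispatched
   */
  @Override
  protected void doGet(final HttpServletRequest req, final HttpServletResponse resp)
      throws IOException, ServletException {
    final RequestDispatcher dispatcher = req.getRequestDispatcher("/WEB-INF/jsp/index.jsp");
    dispatcher.forward(req, resp);
  }

}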

index.jsp


<html>
<head>
  <title>Sample Application</title>
</head>
<body>
  <%-- Reached only by forward from SampleServlet, so the caller has already
       passed the SampleRole constraint. getRemoteUser() is the authenticated
       principal name; isUserInRole() checks the role declared in web.xml and
       resolved through the security domain configured in jboss-web.xml. --%>
  <%-- NOTE(review): both values are written to the page unescaped. The user
       name is an authenticated principal rather than raw request input, but if
       the user store accepts arbitrary characters in user names it should still
       be HTML-escaped before output (e.g. JSTL <c:out> / fn:escapeXml). --%>
  <p><%=request.getRemoteUser()%></p>
  <p><%=request.isUserInRole("SampleRole")%></p>
</body>
</html>

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
  <!-- Authentication method for the whole application. BASIC sends the user
       name and password base64-encoded (not encrypted) in the Authorization
       header of every request, so it must only be used over TLS. realm-name is
       only the label shown in the WWW-Authenticate challenge; the user store is
       selected by the security-domain element in jboss-web.xml, not by this
       value, even though the same name is used here. -->
  <login-config>
    <auth-method>BASIC</auth-method> <!-- for HTTP basic authentication -->
    <realm-name>SampleSecurityDomain</realm-name>
  </login-config>
  <!-- Declares the role referenced by rolesAllowed in SampleServlet and by
       isUserInRole() in index.jsp. Which users hold it is decided by the
       security domain, not here. -->
  <security-role>
    <role-name>SampleRole</role-name>
  </security-role>
</web-app>

jboss-web.xml

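<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
  <!-- Binds the application to the security domain of the same name defined in
       the security subsystem of standalone.xml. This element, not realm-name in
       web.xml, is what selects the login, authorization and audit modules. -->
  <security-domain>SampleSecurityDomain</security-domain>
  <!-- Let the domain's policy modules (its <authorization> section) take part
       in role decisions in addition to the container's role check.
       Default is false. -->
  <use-jboss-authorization>true</use-jboss-authorization>
  <!-- Enable the domain's <audit> provider modules. Default is true (audit
       off). The original listing had mismatched tags here
       (<disabled-audit>false</disable-audit>), which is not well-formed XML
       and makes the deployment fail; the element is disable-audit. -->
  <disable-audit>false</disable-audit>
</jboss-web>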

standalone.xml

<?xml version='1.0' encoding='UTF-8'?>
<server xmlns="urn:jboss:domain:1.3">
  ...
  <profile>
    ...
    <subsystem xmlns="urn:jboss:domain:security:1.2">
      ...
      <security-domains>
        ...
        <!-- The name must match <security-domain> in jboss-web.xml. The "..."
             placeholders are deployment-specific: fill in the concrete module
             classes (code) and their module options. NOTE(review): cache-type
             caches successful logins; with a cache enabled, a password change
             or account lock may not take effect until the entry expires or the
             cache is flushed. Confirm against the login module you pick. -->
        <security-domain name="SampleSecurityDomain" cache-type="...">
          <!-- Optional principal/role mapping applied after a successful login. -->
          <mapping>
            <mapping-module code="..." type="..."/>
          </mapping>
          <!-- JAAS login modules that verify the BASIC credentials; flag is the
               JAAS control flag (required, requisite, sufficient, optional). -->
          <authentication>
            <login-module code="..." flag="..."/>
          </authentication>
          <!-- Consulted for role decisions when use-jboss-authorization is true
               in jboss-web.xml. -->
          <authorization>
            <policy-module code="..." flag="..."/>
          </authorization>
          <!-- Security audit providers; only active when disable-audit is false
               in jboss-web.xml (it defaults to true). -->
          <audit>
            <provider-module code="..."/>
          </audit>
        </security-domain>
      </security-domains>
    </subsystem>
    ...
  </profile>
  ...
</server>

A sample is available here.
