1

I know this question is not a good question because it's open to a gazillion of answers but here it is:

I am new to Java EE 6 (on JBoss AS 7), I am coming from a Tomcat + spring world. My first real web application is something like a simple crud with jsf jpa hibernate and ejb. Now I need to secure a URL (/admin/*) with the most trivial login form. I already have two tables (hibernate entities) named "User" (username, password, role_id and other data) and "Role" (code,name and little more). I could make my own LoginController, session scoped which manage the login related issues but I don't know how to say "hey, it's only for /admin path!" So.... I began reading about web.xml configuration: security constraints, jdbc realms, and so on. However, sorry, but I still can't reach a good knowledge point, I am too addicted to tutorials and learning-by-doing.

Can you help me find an example project with a simple login form? Or at least some tutorial or a few advice on how to bind my login form to my db tables? I don't need 500 pages of accurate documentation. Just trying to make "standard" authentication work.

Arjan Tijms
  • 37,782
  • 12
  • 108
  • 140
Fabio B.
  • 9,138
  • 25
  • 105
  • 177
  • Have a look at [this question and answer](http://stackoverflow.com/q/10483132/620338). The OP has put some interesting links there for you. The answer shows my own (working) example configuration. – Matt Handy May 10 '12 at 05:59

1 Answers1

1

Ok. First of all authentication mechanism is not provided by Java EE standard. Only role-based authentication is a part of specification. So every application server must have its custom authentication mechanism, which enables us to use database, LDAP, etc to store user credentials.

In case of JBoss it looks as follows.

(1) You need to define security-constraint in your web.xml (there are tons of tutorials how to do this). It tells which URLs are need login. You need to define login-config element in order to choose how the user will log-in - using browser popup window or custom form.

(2) You need to define on JBoss side security-domain in configuration/standalone.xml. See this example for instance.

(3) You need to join (1) and (2). This is done in jboss-web.xml file withing WEB-INF of your application. It looks more or less

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
          <security-domain>NAME-OF-DOMAIN-DEFINED-IN-STEP-2</security-domain>
          <context-root>ROOT-OF-YOUR-APP</context-root>
</jboss-web>

I am not sure how it is in case of JBoss 7, but in previous versions you needed to add java:/jaas/ prefix, so security-domain content would be java:/jaas/NAME-OF-DOMAIN-DEFINED-IN-STEP-2.

Besides, if you know Spring Framework you may consider usage of Spring Security, bypassing Java EE mechanisms.

Piotr Kochański
  • 21,862
  • 7
  • 70
  • 77
  • Thank you Piotr, it's a good answer, I'll accept it if I succeed. The first thing that takes my attention is: what about a jboss with 100 webapps deployed? In step2= many ? – Fabio B. May 10 '12 at 07:58
  • 1
    >First of all authentication mechanism is not provided by Java EE standard. - This is not true. Java EE 6 has a standard for this called JASPIC (JASPI/JSR 196). – Arjan Tijms Mar 03 '13 at 11:40