Basic HTTP Authentication in JBoss AS 7

February 17th, 2012 FighterHayabusa

I’ve started playing around with the new and improved JBoss AS 7 lately. It’s really quite nice. I haven’t had a great deal of experience with the older versions, but as I understand it, it’s quite different from before. It’s rich in great features and very snappy. I’d recommend that anyone who does Java EE development check it out.

That it’s new and different might also explain why it was so frackin’ hard to find the proper way to set up Basic HTTP Authentication for a web application in JBoss AS 7. Not even the official documentation seems entirely updated (or maybe I just didn’t have the patience to read the docs thoroughly...), so I spent a great deal of time searching the web and piecing together little bits here and there before I finally reached a solution.

First I had to add a security domain to the configuration file standalone.xml, like this:

<?xml version='1.0' encoding='UTF-8'?>
<server name="myserver" xmlns="urn:jboss:domain:1.0">
    ...
    <subsystem xmlns="urn:jboss:domain:security:1.0">
        <security-domains>
            <security-domain name="mysecuritydomain">
                <authentication>
                    <login-module code="UsersRoles" flag="required">
                        <module-option name="usersProperties"
                                       value="${jboss.server.config.dir}/users.properties"/>
                        <module-option name="rolesProperties"
                                       value="${jboss.server.config.dir}/roles.properties"/>
                    </login-module>
                </authentication>
            </security-domain>
        </security-domains>
    </subsystem>
    ...
</server>

Then I had to create the files referenced in the module-options above and place them in the appropriate directory – in my case the same directory as the standalone.xml file. The contents of these files should look something like this:

users.properties:

myuser1=mypass1
myuser2=mypass2

roles.properties:

myuser1=user,admin
myuser2=user

The next step was specifying my security domain in the file jboss-web.xml and putting it in the WEB-INF directory of my web app:

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain>mysecuritydomain</security-domain>
</jboss-web>

Finally, the following was added to my web.xml (also in the WEB-INF directory):

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    ...
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>MyResourceName</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <!-- Must be a role that roles.properties grants to at least one user -->
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>My kinda secure web application</realm-name>
    </login-config>
    <security-role>
        <description>Role for simple users</description>
        <role-name>user</role-name>
    </security-role>
    <security-role>
        <description>Role for administrators</description>
        <role-name>admin</role-name>
    </security-role>
    ...
</web-app>

Now when I access my web app I’m prompted with the very familiar type of window asking me for a username and a password. All done!
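
The three files in this setup have to agree on role names, and BASIC credentials are only base64-encoded on the wire. The following consistency check is an added example, not part of the original post or of JBoss; the function names `granted_roles` and `check` are hypothetical, and the embedded inputs are constructed samples, trimmed from the files above, with a deliberately mismatched role (`qvuser`) and no transport guarantee.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the files in this post (not real config).
WEB_XML = """<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>qvuser</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>user</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""
ROLES_PROPERTIES = "myuser1=user,admin\nmyuser2=user\n"


def granted_roles(properties_text):
    """Roles that roles.properties assigns to at least one user."""
    roles = set()
    for line in properties_text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            roles.update(r.strip() for r in line.split("=", 1)[1].split(",") if r.strip())
    return roles


def check(web_xml, roles_properties):
    """Return a list of findings; an empty list means the files are consistent."""
    root = ET.fromstring(web_xml)
    for el in root.iter():                      # drop the javaee namespace prefix
        el.tag = el.tag.rsplit("}", 1)[-1]
    declared = {(r.text or "").strip() for r in root.findall("security-role/role-name")}
    granted = granted_roles(roles_properties)
    basic = (root.findtext("login-config/auth-method") or "").strip() == "BASIC"
    findings = []
    for sc in root.findall("security-constraint"):
        for r in sc.findall("auth-constraint/role-name"):
            role = (r.text or "").strip()
            if role == "*":                     # "*" means every declared role
                continue
            if role not in declared:
                findings.append(f"role '{role}' has no <security-role> declaration")
            if role not in granted:
                findings.append(f"role '{role}' is granted to no user: every login gets 403")
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "").strip()
        if basic and guarantee != "CONFIDENTIAL":
            findings.append("BASIC auth without CONFIDENTIAL transport guarantee")
    return findings


if __name__ == "__main__":
    for finding in check(WEB_XML, ROLES_PROPERTIES):
        print("-", finding)
```

Adding `<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>` inside the `<security-constraint>` clears the last finding, provided the server has an HTTPS connector configured.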