4.2 Configuring Applications on the JBoss Server

4.2.1 Configuring a Security Domain

JBoss needs to know that your Web application belongs to the security domain that uses the Identity Server JAAS login module. You do this by specifying your application's security domain in the <jboss-web> element of the jboss-web.xml file in your application's WEB-INF directory. If your application does not already have this file, create it.

The J2EE Agent installation program modifies the login-config.xml file in the ${JBOSS_HOME}/server/default/conf directory and sets the name attribute of the <application-policy> element to novell-idp.

You need to set the <security-domain> element in the jboss-web.xml file to this value. Add the following lines to this file:

<jboss-web>
    <security-domain>java:jaas/novell-idp</security-domain>
</jboss-web>

The jboss-web.xml file of the sample application (PayrollApp.ear) has these modifications. (For the location of this application, see Section 2.1, Prerequisites.)

4.2.2 Configuring Security Constraints

If you specify a security constraint similar to the following in the web.xml file of an application, the users are redirected for authentication as soon as they access any URL of the application:

<security-constraint>
   <web-resource-collection>
      <web-resource-name>All web resources</web-resource-name>
      <url-pattern>/*</url-pattern>
   </web-resource-collection>
   <auth-constraint>
      <role-name>Manager</role-name>
   </auth-constraint>
</security-constraint>

After authenticating to the Identity Server, all users receive an error:

  • If the user has the Manager role, the user sees a 404 error stating that j_security_check is not available.

  • If the user does not have the Manager role, the user sees a 403 Access Denied error to the login servlet.

When using the J2EE Agent with a JBoss server, you cannot give the <url-pattern> element a value of /* or / in a security constraint that requires authentication, because that pattern also covers the form login page. The JACC provider in the JBoss server is not informed that the login servlet must remain accessible. For example, suppose that the login page for the application has a configuration similar to the following:

<login-config>
   <auth-method>FORM</auth-method>
   <form-login-config>
      <form-login-page>/login</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
   </form-login-config>
</login-config>

You need to add a security constraint for the /login path that has no <auth-constraint>. A constraint without an <auth-constraint> permits access to all users, so the login page stays reachable before authentication. For example:

<security-constraint>
   <web-resource-collection>
      <web-resource-name>Allow Form Login page</web-resource-name>
      <url-pattern>/login</url-pattern>
   </web-resource-collection>
</security-constraint>

4.2.3 Configuring for Roles

For the J2EE Agent to enforce authentication for a .war file, the web.xml file of that .war must contain a security constraint whose URL pattern carries a role restriction. You can use the generic authenticated role for this URL. This constraint triggers authentication, and the J2EE Agent policies then determine authorization. The following is a sample security constraint for a web.xml file that triggers authentication for any path below the protected directory:

<security-constraint>
   <web-resource-collection>
      <web-resource-name>Protected Content</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
   </web-resource-collection>
   <auth-constraint>
      <role-name>authenticated</role-name>
   </auth-constraint>
</security-constraint>

<security-role>
    <description></description>
    <role-name>authenticated</role-name>
</security-role>

Any role named inside an <auth-constraint> must also be declared with the <security-role> element; the container rejects or ignores an undeclared role, and the constraint then does not behave as intended.
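The two web.xml mistakes described in Section 4.2.2 and Section 4.2.3 (a form login page covered by an authenticating constraint, and a role used in an <auth-constraint> but never declared in a <security-role>) are easy to catch before deployment. The following is an added example, not code from the original page or from the J2EE Agent: a small Python linter that applies the servlet best-match rule for url-patterns (exact match, then longest path prefix, then extension, then the default /) to the <form-login-page> path and reports both problems. The two embedded descriptors are constructed samples that mirror the fragments above; the deployment, paths and role names are assumptions for illustration.

```python
"""Lint a web.xml for two JBoss / J2EE Agent pitfalls (added example, not vendor code):
  1. the FORM login page is covered by a security constraint that requires a role;
  2. a role used in <auth-constraint> is not declared in <security-role>.
"""
import xml.etree.ElementTree as ET

# Constructed sample: /* is protected, so the /login servlet is unreachable, and
# 'Manager' is never declared with <security-role>.
BROKEN_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All web resources</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Manager</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

# Constructed sample: same descriptor with an unconstrained /login exemption and
# the role declared.
FIXED_WEB_XML = BROKEN_WEB_XML.replace("</web-app>", """  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Allow Form Login page</web-resource-name>
      <url-pattern>/login</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <security-role><role-name>Manager</role-name></security-role>
</web-app>""")


def parse_web_xml(text):
    """Parse web.xml and strip XML namespaces so tags can be matched by local name."""
    root = ET.fromstring(text)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root


def pattern_specificity(pattern, path):
    """Servlet url-pattern matching. Returns a comparable score (higher wins) or None."""
    if pattern == path:
        return (3, len(pattern))                 # exact match beats everything
    if pattern.endswith("/*"):
        prefix = pattern[:-2]                    # "/*" has an empty prefix: matches all
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))              # longest prefix wins among prefixes
        return None
    if pattern.startswith("*."):
        return (1, 0) if path.rsplit("/", 1)[-1].endswith(pattern[1:]) else None
    if pattern == "/":
        return (0, 0)                            # default pattern: matches anything
    return None


def effective_constraints(root, path):
    """Constraints whose url-pattern best matches `path`; ties share the best pattern."""
    best, matched = None, []
    for sc in root.findall("security-constraint"):
        for up in sc.findall("web-resource-collection/url-pattern"):
            score = pattern_specificity(up.text.strip(), path)
            if score is None:
                continue
            if best is None or score > best:
                best, matched = score, [sc]
            elif score == best and sc not in matched:
                matched.append(sc)
    return matched


def login_page_is_reachable(root):
    """True if an unauthenticated user can reach the <form-login-page>.
    A constraint with no <auth-constraint> permits everyone and, for the same
    pattern, overrides constraints that name roles."""
    page = root.find("login-config/form-login-config/form-login-page")
    if page is None:
        return True                              # no FORM login page to protect
    scs = effective_constraints(root, page.text.strip())
    return not scs or any(sc.find("auth-constraint") is None for sc in scs)


def undeclared_roles(root):
    """Roles used in <auth-constraint> but missing from <security-role> ('*' is built in)."""
    declared = {r.text.strip() for r in root.findall("security-role/role-name")}
    used = {r.text.strip() for r in root.findall("security-constraint/auth-constraint/role-name")}
    return sorted(used - declared - {"*"})


def lint(text):
    """Return a list of human-readable findings; an empty list means the descriptor is clean."""
    root = parse_web_xml(text)
    findings = []
    if not login_page_is_reachable(root):
        findings.append("form-login-page is covered by an auth-constraint; "
                        "add a <security-constraint> for it with no <auth-constraint>")
    for role in undeclared_roles(root):
        findings.append(f"role {role!r} is used in <auth-constraint> but not declared in <security-role>")
    return findings


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(name, lint(text) or "OK")
```

Run it against a real descriptor with `lint(open("WEB-INF/web.xml").read())`. The exemption works only because the exact pattern /login is more specific than /* under the best-match rule; putting the login page under a protected prefix such as /protected/login would need its own exemption constraint as well.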