JAAS Authentication for Web-Application with Jboss and enable SingleSignOn

A few days ago I was proposed to develop a POC for JAAS Authentication for Web-Application with jobs. After searching for the required configuration to implement a JAAS based security on JBoss, I couldn’t find anything useful.

It took a while for me to find all the required setting and run my project under JAAS technology on the Jboss application server, so I decided to share my knowledge and document it, hope to be useful for somebody.

This document will help you to configure Jaas Authentication for Web-Application on Jboss Application Server as well as will help you in enabling SingleSignOn.

Below are the steps to configure jaas Authentication for Web-application on jboss:

Step-1: Define a new application policy in login-config.xml (C:\Software\jboss-4.2.3.GA\server\default\conf\login-config.xml)

To define an application policy, you need to modify login-config.xml to add the application policy: Below is the example policy.

<application-policy name = “web-console”>

<authentication>

<login-module code=”org.jboss.security.auth.spi.UsersRolesLoginModule”

flag = “required”>

<module-option name=”usersProperties”>props/web-console-users.properties</module-option>

<module-option name=”rolesProperties”>props/web-console-roles.properties</module-option>

</login-module>

</authentication>

</application-policy>

Add web-console-user.properties file in props folder (C:\Software\jboss-4.2.3.GA\server\default\conf\props) containing user and password information. Below is the example content in this file:

admin=admin

kumar=kumar

Add web-console-roles.properties file in props folder (C:\Software\jboss-4.2.3.GA\server\default\conf\props) containing user and role information. Below is the example content in this file:

admin=Administrator,user

kumar=user

Step-2: Create Security Domain

To define a security domain, you need to create a file named jboss‐web.xml in the

WEB‐INF directory of your web application.

Example of jboss‐web.xml:

<?xml version=”1.0″ encoding=”UTF-8″?>

<jboss-web>

<security-domain>java:/jaas/web-console</security-domain>

<context-root>/jaasTest</context-root>

</jboss-web>

web-console in the above example is the name of the defined application policy in the first

step.

Step-3: Secure the Application

In this step we secure the web application. For this we need to modify the web.xml file in the WEB‐INF directory.

These are changes need to apply to the web.xml file:

1. Authentication: We should tell JBoss to authenticate users before allowing them to enter the application. This is done by adding <login‐config> element to the web.xml.

<login-config>

<auth-method>FORM</auth-method>

<realm-name>web-console</realm-name>

<form-login-config>

<form-login-page>/login.jsp</form-login-page>

<form-error-page>/login.jsp?error=yes</form-error-page>

</form-login-config>

</login-config>

In this example we tell JBoss that we need a form‐based authentication (redirects users to our own login form). login.jsp is the designed login page and if the authentication fails, users are redirected to loginfail.jsp.

1. Create Login Page: Login page is a very simple JSP page with a form where the action of the form is set to j_security_check and a text box, j_username for username and apassword box, j_password for Password. For Example

<form method=”POST” action=”j_security_check”>

Login: <input type=”text” name=”j_username”><br/>

Passwort: <input type=”password” name=”j_password”><br/>

<input type=”submit” value=”Login”/>

</form>

1. Secure Web Resources: Now we define our secured resources and required roles to access them. This is done by adding <security‐constraint> element to web.xml

<security-constraint>

<web-resource-collection>

<web-resource-name>CSF</web-resource-name>

<url-pattern>/*</url-pattern>

</web-resource-collection>

<auth-constraint>

<role-name>Administrator</role-name>

<role-name>user</role-name>

</auth-constraint>

</security-constraint>

In this example we are securing the entire pages of web-application.

Enable SingleSignOn on Jboss

SingleSignOn will help you in sharing user credential of one authenticated application to other applications that are deployed on same jboss server.

To enable SingleSignOn on jboss uncomment the following valve from server.xml (C:\Software\jboss-4.2.3.GA\server\default\deploy\jboss-web.deployer\server.xml)

<Valve className=”org.apache.catalina.authenticator.SingleSignOn” />

Thanks,

~Kumar