TicketMonster

Introduction

This example shows you how to configure the TicketMonster application provided by the JBoss Developer Framework to use the PicketBox Security layer.

What is this example about?

Basically, we'll use PicketBox to provide the following features:

  • Authentication using the HTTP FORM method

  • Properties-based Identity Store for user credentials

  • Authorization using the PicketBox Drools module

  • Logout

The TicketMonster users can be categorized in two types:

  • Users

  • Administrators

This example will show you how to configure:

  • A login page to let users authenticate

  • A simple authorization rule using Drools to restrict access for the Administration UIs

Before you start

Before you start, it is important that you understand some key concepts like:

If you like, you can also clone a TicketMonster version already configured with PicketBox from here (a temporary repository).

Configure and Deploy TicketMonster

Before continuing, please follow the TicketMonster Tutorial about how to configure your environment, build and run the application.

Make sure you have configured the Administration UI as described in the TicketMonster tutorial.

PicketBox Configuration

PicketBox can be easily enabled in the TicketMonster application by using the PicketBox Solder module. This module provides an integration layer for CDI applications to create a security layer that provides all PicketBox Security capabilities.

What are the steps?

After having your TicketMonster application properly configured and running (with the administration UIs), you need to:

  • Configure the PicketBox Solder and PicketBox Drools Maven dependencies

  • Create a JBoss AS7 Module for Drools (org.drools)

  • Configure the org.drools module as dependency for your application

  • Create a Solder Configuration file with the PicketBox configuration

  • Create a properties file from which user credentials will be retrieved

  • Create a login page

  • Create the Authorization rules

  • Configure logout

Maven Dependencies

If you are using Maven, please configure your pom.xml with the following dependencies:

<!-- PicketBox dependencies -->
<dependency>
    <groupId>org.picketbox</groupId>
    <artifactId>picketbox-solder</artifactId>
    <version>${picketbox.version}</version>
</dependency>
<dependency>
    <groupId>org.picketbox</groupId>
    <artifactId>picketbox-drools</artifactId>
    <version>${picketbox.version}</version>
    <exclusions>
        <exclusion>
            <groupId>antlr</groupId>
            <artifactId>antlr</artifactId>
        </exclusion>
    </exclusions>
</dependency>

Drools Module Configuration

Download the Drools distribution.

Create the following directory structure in your JBoss Application Server v7 installation:

jboss-as-7.1.1.Final/modules/org/drools/main

Create a file named module.xml inside the main directory:

<module xmlns="urn:jboss:module:1.1" name="org.drools">

    <resources>
        <resource-root path="drools-core-5.4.0.Final.jar"/>
        <resource-root path="drools-compiler-5.4.0.Final.jar"/>
        <resource-root path="knowledge-internal-api-5.4.0.Final.jar"/>
        <resource-root path="knowledge-api-5.4.0.Final.jar"/>
        <resource-root path="mvel2-2.1.0.drools16.jar"/>
        <resource-root path="antlr-runtime-3.3.jar"/>
        <resource-root path="antlr-3.3.jar"/>
        <resource-root path="ecj-3.5.1.jar"/>
    </resources>

    <dependencies>
        <module name="javax.api" />
    </dependencies>
</module>

Extract the Drools distribution package and copy all files referenced above to the same directory where the module.xml file was created.

Configure the org.drools module as a dependency

Edit the WEB-INF/jboss-deployment-structure.xml file and add the org.drools module dependency:

<jboss-deployment-structure>
    <deployment>
        <exclusions>
        </exclusions>
        <!-- This allows you to define additional dependencies; it is the same
             as using the Dependencies: manifest attribute -->
        <dependencies>
            <module name="org.jboss.as.naming" />
            <module name="org.jboss.as.server" />
            <module name="org.jboss.msc" />

            <!-- Drools module dependency -->            
            <module name="org.drools" />
        </dependencies>
    </deployment>
</jboss-deployment-structure>

PicketBox Solder Configuration

Create a Solder XML Configuration file in the classpath: META-INF/seam-beans.xml. If you are using Maven this file is usually located at the src/main/resources directory. 

<beans
    xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:s="urn:java:ee"
    xmlns:mail="urn:java:org.jboss.seam.mail.core"
    xmlns:pbhttpauth="urn:java:org.picketbox.http.authentication"
    xmlns:pbhttpr="urn:java:org.picketbox.http.resource"
    xmlns:pbr="urn:java:org.picketbox.http.resource"
    xmlns:pbauthmgr="urn:java:org.picketbox.core.authentication.manager"
    xmlns:pbs="urn:java:org.picketbox.solder.authentication"
    xmlns:pbauthzd="urn:java:org.picketbox.drools.authorization"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://docs.jboss.org/cdi/beans_1_0.xsd">

    <!-- Configures a HTTPFormAuthentication bean -->
    <pbhttpauth:HTTPFormAuthentication>
        <s:replaces/>
        <pbs:AuthenticationScheme/>
        <pbhttpauth:formAuthPage>
            <s:value>/login.html</s:value>
        </pbhttpauth:formAuthPage>
    </pbhttpauth:HTTPFormAuthentication>

    <!-- Configures a properties-based Authentication Manager -->
    <pbauthmgr:PropertiesFileBasedAuthenticationManager/>

    <!-- Configures the PicketBox Drools Authorization Manager -->
    <pbauthzd:PicketBoxDroolsAuthorizationManager/>

    <!-- Configures which resources should be protected. By default all are protected. -->
    <pbhttpr:HTTPProtectedResourceManager>
        <s:replaces/>
        <pbhttpr:resources>
            <s:value>
                <pbr:ProtectedResource pattern="/resources/*" constraint="NOT_PROTECTED" />
            </s:value>
            <s:value>
                <pbr:ProtectedResource pattern="/admin/*" constraint="ALL">
                    <pbr:roles>
                        <s:value>admin</s:value>
                    </pbr:roles>
                </pbr:ProtectedResource>
            </s:value>
        </pbhttpr:resources>
    </pbhttpr:HTTPProtectedResourceManager>
</beans>

The configuration above defines HTTP FORM authentication using the <pbhttpauth:HTTPFormAuthentication> element. We also define properties-file-based authentication (you can always use other authentication stores such as LDAP or JDBC/JPA) using the <pbauthmgr:PropertiesFileBasedAuthenticationManager/> element.

For authorization, the configuration defines Drools-based authorization with the <pbauthzd:PicketBoxDroolsAuthorizationManager/> element, and URL security with the <pbhttpr:HTTPProtectedResourceManager> element: static content under /resources/* is left unprotected, /admin/* requires the admin role, and every other URL is protected by default (authentication required).
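To make the URL-security semantics of the configuration above concrete, here is an added example (not PicketBox code) that models the decision the <pbhttpr:HTTPProtectedResourceManager> expresses for a few sample requests. It assumes Servlet-style glob patterns, first-match-wins ordering and a protected-by-default fallback; the exact matching rules of PicketBox itself are not confirmed here.

```python
# Added example: a small model of the URL-security decision expressed by the
# seam-beans.xml above. Assumptions (not verified against PicketBox internals):
# patterns are glob-style, the first matching pattern wins, and any URI that
# matches no pattern is protected ("by default all are protected").
from dataclasses import dataclass
from fnmatch import fnmatchcase
from posixpath import normpath
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ProtectedResource:
    pattern: str
    constraint: str                         # "NOT_PROTECTED" or "ALL", as in seam-beans.xml
    roles: frozenset = frozenset()          # roles required when constraint is "ALL"


# The two resources declared on the page, in declaration order.
RESOURCES = [
    ProtectedResource("/resources/*", "NOT_PROTECTED"),
    ProtectedResource("/admin/*", "ALL", frozenset({"admin"})),
]


def normalize(path: str) -> str:
    """Drop query/fragment and collapse '..' and '//' before matching, so that
    an unusual spelling of an /admin/ URL is still judged by the /admin/* rule."""
    return normpath(urlsplit(path).path or "/")


def decide(path: str, authenticated: bool, roles: set) -> tuple:
    """Return (allowed, reason) for one request."""
    uri = normalize(path)
    for res in RESOURCES:
        if fnmatchcase(uri, res.pattern):
            if res.constraint == "NOT_PROTECTED":
                return True, f"{res.pattern}: not protected"
            if not authenticated:
                return False, f"{res.pattern}: authentication required"
            if res.roles and not (res.roles & roles):
                return False, f"{res.pattern}: needs one of {sorted(res.roles)}"
            return True, f"{res.pattern}: role check passed"
    # No explicit pattern matched: protected by default, any authenticated user may pass.
    return authenticated, "default: authentication required"


if __name__ == "__main__":
    for req in [("/resources/css/app.css", False, set()), ("/booking", False, set()),
                ("/admin/sectionAllocation", True, {"user"}), ("/admin/sectionAllocation", True, {"admin"})]:
        print(req[0], "->", decide(*req))
```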

User Credentials Properties File

In this example we will use a properties file to retrieve user credentials. Just create a properties file called users.properties in your classpath. If you are using Maven, this file is usually located in your src/main/resources directory.

admin=admin
user=user

This example uses a Properties File Based Authentication Manager, which reads user names and passwords from the file above in plain text, so it is suitable for a demonstration rather than a production deployment. If you need other forms of authentication, such as a database or LDAP, take a look at https://docs.jboss.org/author/display/SECURITY/Authentication+Manager

Login Page

As we are using FORM authentication as described in the previous sections, we need to create a login page for users to provide their credentials. By default, PicketBox uses a file named login.jsp located at your application's root path; the seam-beans.xml above overrides this with the formAuthPage element, which points at /login.html.

This page must define a Java EE-compliant authentication HTML form (POST to j_security_check with the j_username and j_password fields) like the one below:

<form id="authenticationForm" name="authenticationForm" method="POST" action="j_security_check" enctype="application/x-www-form-urlencoded">
    <div style="margin-left: 15px;">
        <p>
            <label for="username">Username</label><br />
            <input id="username" type="text" name="j_username" size="20" />
        </p>
        <p>
            <label for="password">Password</label><br />
            <input id="password" type="password" name="j_password" value="" size="20" />
        </p>
        <center>
            <input id="submit" type="submit" name="submit" value="Login" />
        </center>
    </div>
</form>

Authorization Rules

As we are using the PicketBox Drools Authorization Manager, you now need to create a file named authorization.drl in your classpath. If you are using Maven, this file is usually located in your src/main/resources directory.

package org.picketbox.drools.authorization;

import java.security.Principal;
import org.picketbox.http.authorization.resource.WebResource;

dialect "mvel"

rule "Simple example rule that disables the section allocation"
dialect "java"
no-loop
when
    // condition: the authenticated principal is the admin user ...
    $principal : Principal( name == "admin" )
    // ... and the request targets the Section Allocation UI
    $resource : WebResource(getRequest().getRequestURI().contains("/admin/sectionAllocation"))
then
    // consequence: deny the request
    modify ($resource) {
        setAuthorized(false)
    };
end

The rule above is just a simple example: it denies the admin user access to the "Section Allocation" functionality under /admin/sectionAllocation, even though the HTTPProtectedResourceManager would otherwise grant it based on the admin role.

Logout

To log a user out, you just need to send them to the following path:

<li><a href="#{request.contextPath}/picketbox_logout">Logout</a></li>

To Be Done

  • Remember-me

JBoss.org Content Archive (Read Only), exported from JBoss Community Documentation Editor at 2020-03-11 12:16:35 UTC, last content change 2012-08-24 16:44:42 UTC.