JBoss.org Community Documentation

Chapter 8. Security on JBoss

J2EE Security Configuration and Architecture

8.1. J2EE Declarative Security Overview
8.1.1. Security References
8.1.2. Security Identity
8.1.3. Security roles
8.1.4. EJB method permissions
8.1.5. Web Content Security Constraints
8.1.6. Enabling Declarative Security in JBoss
8.2. An Introduction to JAAS
8.2.1. What is JAAS?
8.3. The JBoss Security Model
8.3.1. Enabling Declarative Security in JBoss Revisited
8.4. The JBoss Security Extension Architecture
8.4.1. How the JaasSecurityManager Uses JAAS
8.4.2. The JaasSecurityManagerService MBean
8.4.3. The JaasSecurityDomain MBean
8.5. Defining Security Domains
8.5.1. Loading Security Domains
8.5.2. The DynamicLoginConfig service
8.5.3. Using JBoss Login Modules
8.5.4. Writing Custom Login Modules
8.6. The Secure Remote Password (SRP) Protocol
8.6.1. Providing Password Information for SRP
8.6.2. Inside of the SRP algorithm
8.7. Running JBoss with a Java 2 security manager
8.8. Using SSL with JBoss using JSSE
8.9. Configuring JBoss for use Behind a Firewall
8.10. How to Secure the JBoss Server
8.10.1. The JMX Console
8.10.2. The Web Console
8.10.3. The HTTP Invokers
8.10.4. The JMX Invoker

Security is a fundamental part of any enterprise application. You need to be able to restrict who is allowed to access your applications and to control what operations application users may perform. The J2EE specifications define a simple role-based security model for EJBs and web components. The JBoss component framework that handles security is the JBossSX extension framework. The JBossSX security extension provides support both for the role-based declarative J2EE security model and for the integration of custom security via a security proxy layer. The default implementation of the declarative security model is based on Java Authentication and Authorization Service (JAAS) login modules and subjects. The security proxy layer allows custom security that cannot be described using the declarative model to be added to an EJB in a way that is independent of the EJB business object. Before getting into the JBoss security implementation details, we will review the EJB and servlet specification security models, as well as JAAS, to establish the foundation for these details.