JBoss.org Community Documentation

Chapter 7. Dynamic Security Domains

Historically, the Enterprise Application Platform used the static $JBOSS_HOME/server/$PROFILE/conf/login-config.xml file to configure the security domain. Dynamic configuration was provided with the introduction of the DynamicLoginConfig security service. This functionality allowed you to specify a Java Authentication and Authorization Service (JAAS) configuration as part of an application deployment, rather than having to include the configuration information in login-config.xml.

JBoss AS 6 now provides an additional, simplified mechanism to configure security domains.

In JBoss AS, the security domain configuration is important for the authentication, authorization, auditing, and mapping functionality associated with Java EE components such as Web applications or EJBs.

The latest security implementation allows you to create a logically-named deployment descriptor file and specify the security domains within the file. The deployment descriptor can be deployed directly in the deploy folder, or packaged as part of the application JAR or WAR file.

Procedure 7.1. Security Domain Deployment Descriptor

Follow this procedure to configure a security domain deployment descriptor with two domains named web-test and ejb-test.

  1. Create deployment descriptor

    You must create a deployment descriptor file to contain the security domain configuration.

    The filename takes the format [domain_name]-jboss-beans.xml. The domain_name is arbitrary; however, you should choose a name that is meaningful to the application.

    The file must contain the standard XML declaration, and a correctly configured <deployment> element.

    
    <?xml version="1.0" encoding="UTF-8"?>

    <deployment xmlns="urn:jboss:bean-deployer:2.0">


    </deployment>
                
  2. Define application policies

    Within the <deployment> element, the individual application policies are defined. Each policy specifies the login module to use, and any required options.

    In the example below, two application policies are specified. Each policy uses the same login module and the same module parameters.

    
    <?xml version="1.0" encoding="UTF-8"?>

    <deployment xmlns="urn:jboss:bean-deployer:2.0">

      <application-policy xmlns="urn:jboss:security-beans:1.0" name="web-test">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="unauthenticatedIdentity">anonymous</module-option>
            <module-option name="usersProperties">u.properties</module-option>
            <module-option name="rolesProperties">r.properties</module-option>
          </login-module>
        </authentication>
      </application-policy>

      <application-policy xmlns="urn:jboss:security-beans:1.0" name="ejb-test">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="unauthenticatedIdentity">anonymous</module-option>
            <module-option name="usersProperties">u.properties</module-option>
            <module-option name="rolesProperties">r.properties</module-option>
          </login-module>
        </authentication>
      </application-policy>

    </deployment>

                
  3. Deploy or package the deployment descriptor

    Move the deployment descriptor file to the deploy directory of the required server profile in your installation.

    Alternatively, package the deployment descriptor in the META-INF directory of the EJB Jar, or the WEB-INF directory of your web application (WAR).
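
Before the descriptor is deployed or packaged, it can be checked for the domains it defines and for options that affect who is let in; the Python script below is an added example, not part of the JBoss documentation or code base, and reports policies that set unauthenticatedIdentity, use a flag outside the four JAAS control flags, or repeat a domain name. The function name audit_descriptor, the file name test-jboss-beans.xml and the deliberately faulty second policy in the sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET

BEANS_NS = "urn:jboss:bean-deployer:2.0"
SEC_NS = "urn:jboss:security-beans:1.0"
JAAS_FLAGS = {"required", "requisite", "sufficient", "optional"}

# Constructed sample: the web-test policy from step 2, then a faulty duplicate.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="urn:jboss:bean-deployer:2.0">
  <application-policy xmlns="urn:jboss:security-beans:1.0" name="web-test">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="unauthenticatedIdentity">anonymous</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <application-policy xmlns="urn:jboss:security-beans:1.0" name="web-test">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="mandatory"/>
    </authentication>
  </application-policy>
</deployment>
"""

def audit_descriptor(filename, xml_text):
    """Return (domain names, findings) for a security domain descriptor."""
    findings = []
    if not filename.endswith("-jboss-beans.xml"):
        findings.append(f"{filename}: name does not end in -jboss-beans.xml")
    root = ET.fromstring(xml_text.encode("utf-8"))  # descriptor is a trusted local file
    if root.tag != f"{{{BEANS_NS}}}deployment":
        findings.append(f"root element is {root.tag}, expected bean-deployer deployment")
    domains = []
    for policy in root.iter(f"{{{SEC_NS}}}application-policy"):
        name = policy.get("name")
        if name in domains:
            findings.append(f"{name}: security domain defined more than once")
        domains.append(name)
        for module in policy.iter(f"{{{SEC_NS}}}login-module"):
            if module.get("flag") not in JAAS_FLAGS:
                findings.append(f"{name}: unknown JAAS flag {module.get('flag')!r}")
            for opt in module.iter(f"{{{SEC_NS}}}module-option"):
                if opt.get("name") == "unauthenticatedIdentity":
                    findings.append(f"{name}: unauthenticated callers become {opt.text!r}")
    return domains, findings

if __name__ == "__main__":
    domains, findings = audit_descriptor("test-jboss-beans.xml", SAMPLE)
    print(domains, *findings, sep="\n")
```

A finding for unauthenticatedIdentity is not necessarily an error; it marks a domain where requests without credentials are assigned an identity and therefore deserves a look at which roles that identity holds.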