JBoss.org Community Documentation

Part I. Security Overview

Security is a fundamental part of any enterprise application. You need to be able to restrict who is allowed to access your applications and control what operations application users may perform.

The Java Enterprise Edition (J2EE) specification defines a simple role-based security model for Enterprise JavaBeans (EJBs) and web components. The JBoss Security Extension (JBossSX) framework handles platform security and supports both the role-based declarative J2EE security model and the integration of custom security through a security proxy layer.

The default implementation of the declarative security model is based on Java Authentication and Authorization Service (JAAS) login modules and subjects. The security proxy layer allows custom security that cannot be described using the declarative model to be added to an EJB in a way that is independent of the EJB business object.