Introduction
This article continues the J2EE Security Series from the past few months. Here we expand the Simple J2EE Web Application that was introduced in an earlier article to use J2EE Security.
User Repository
The User Repository used in this example is described in this article.
The Users
InetPerson objects defined in the LDAP Tree described here make up the user population. There are 5000 users defined. The cn values of the users are 1, 2, ..., 5000.
The Groups
In an attempt to demonstrate a real-world use, this example makes use of LDAP Groups as described here. The group used in this example is called Group1.
The J2EE Roles
All protected Web Resources are mapped to the same J2EE Role, tm1.
The Resources
There are two Web Resources defined in web.xml:
- /UnprotectedSubjectServlet
- /ProtectedSubjectServlet
Only /ProtectedSubjectServlet is protected by J2EE Security; /UnprotectedSubjectServlet can be requested without authenticating.
Authentication Mechanism
This example will use Form-based authentication. More information can be found here.
Form-based authentication requires two pages to be declared in the login-config of web.xml: a login page and an error page.
login.jsp
In this example, the login page is login.jsp, which is kept in the document root directory of the WAR file.
error.jsp
In this example, the error page is error.jsp, which is also kept in the document root directory of the WAR file.
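The form on the login page has to follow the Servlet specification's contract for FORM authentication: it posts to the special action j_security_check, and the fields are named j_username and j_password. The container, not the application, consumes that request. The following login.jsp is an added example, not the page's own file, and assumes nothing beyond the paths named above:

```jsp
<%-- login.jsp (added example): served from the WAR document root, which is not
     covered by the security-constraint, so the container can show it to an
     unauthenticated caller. --%>
<html>
<head><title>Login</title></head>
<body>
  <%-- action and field names are fixed by the Servlet spec for FORM auth --%>
  <form method="POST" action="j_security_check">
    Userid:   <input type="text"     name="j_username" autocomplete="off"><br>
    Password: <input type="password" name="j_password" autocomplete="off"><br>
    <input type="submit" value="Submit">
  </form>
</body>
</html>
```

Use method="POST" so the credentials travel in the body rather than the query string (where they would land in access logs and browser history). error.jsp needs no logic at all; a static page that says the login failed and links back to login.jsp is enough. On a failed login the container renders error.jsp directly, so the original protected URL is not retried automatically.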
web.xml
The web.xml from the Simple Web Application tutorial has been enhanced to use J2EE Security. The web.xml file can be found here.
application.xml
The application.xml from the Simple Web Application tutorial has been enhanced to set up J2EE Security. The new application.xml can be found here.
jboss-web.xml
A jboss-web.xml file has been added to the Web Application to map the application to a Security Domain.
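The whole file is a single element. This is an added example, not the page's own jboss-web.xml; the domain name ldap-domain is assumed and must match the name of an application-policy configured in the server's login-config.xml, which this page does not show:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- jboss-web.xml (added example): WEB-INF/jboss-web.xml -->
<jboss-web>
  <!-- JBoss looks the security manager up in JNDI under java:/jaas/<name>.
       The name after the prefix must match an <application-policy name="...">
       entry in login-config.xml; "ldap-domain" is assumed here. -->
  <security-domain>java:/jaas/ldap-domain</security-domain>
</jboss-web>
```

The check a practitioner wants: if the name does not match any configured policy, JBoss does not fail the deployment but silently applies its default "other" policy, so a typo here can quietly authenticate users against a different store than the LDAP tree this example intends.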
Ant Build.xml
The build.xml for this example is here.
Screen Shots
Hitting the initial URL will redirect to the login page.
Enter a valid userid and password (2/secret).
Click Submit.
JAAS Subject Contents
The information shown in the Subject Servlet screenshot is as follows:
Full dump of JAAS Subject
JAAS Subject: Subject: Principal: 2 Principal: Roles(members:tm1,Group1)
Principals
Principal: 2
Principal Classname: org.jboss.security.SimplePrincipal
Principal: Roles
Principal Classname: org.jboss.security.SimpleGroup
Member: tm1
Member: Group1
Public Credentials:
Private Credentials:
The JAAS Subject contains two principal objects: a SimplePrincipal and a SimpleGroup. The SimplePrincipal holds the "username" that was entered in the form field userid. The SimpleGroup principal, named Roles, contains two members: tm1 and Group1. "tm1" is the J2EE Role. "Group1" is the LDAP Group that the user "2" belongs to (it is a member of only one LDAP Group).
There are no Public Credential objects.
There are no Private Credential objects.
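The dump above is what you get by walking the Subject's principal and credential sets. The servlet below is an added example of how to produce that output on JBoss; it is not the tutorial's own Subject Servlet. It uses the JBoss-specific org.jboss.security.SecurityAssociation to obtain the Subject (the principal classes in the dump are from the same package); the package name example is assumed:

```java
package example;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import java.security.acl.Group;
import java.util.Enumeration;
import java.util.Iterator;

import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.jboss.security.SecurityAssociation;

/** Added example: dumps the caller's JAAS Subject in the format shown above. */
public class SubjectServlet extends HttpServlet {

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // Container-level view first: these are what J2EE authorization uses.
        out.println("request.getUserPrincipal(): " + req.getUserPrincipal());
        out.println("request.isUserInRole(\"tm1\"): " + req.isUserInRole("tm1"));

        // JBoss associates the authenticated Subject with the calling thread.
        // On /UnprotectedSubjectServlet with no prior login this is null.
        Subject subject = SecurityAssociation.getSubject();
        if (subject == null) {
            out.println("No JAAS Subject: request was not authenticated");
            return;
        }
        dump(subject, out);
    }

    private void dump(Subject subject, PrintWriter out) {
        out.println("Full dump of JAAS Subject");
        out.println("JAAS Subject: " + subject);

        out.println("Principals");
        for (Iterator it = subject.getPrincipals().iterator(); it.hasNext();) {
            Principal p = (Principal) it.next();
            out.println("Principal: " + p.getName());
            out.println("Principal Classname: " + p.getClass().getName());
            // A Group principal (SimpleGroup named "Roles") carries the role set.
            if (p instanceof Group) {
                for (Enumeration e = ((Group) p).members(); e.hasMoreElements();) {
                    Principal member = (Principal) e.nextElement();
                    out.println("Member: " + member.getName());
                }
            }
        }

        out.println("Public Credentials:");
        for (Iterator it = subject.getPublicCredentials().iterator(); it.hasNext();) {
            out.println("Credential: " + it.next());
        }

        // Reading private credentials requires a PrivateCredentialPermission
        // when a SecurityManager is installed; the tutorial runs without one.
        out.println("Private Credentials:");
        for (Iterator it = subject.getPrivateCredentials().iterator(); it.hasNext();) {
            out.println("Credential: " + it.next().getClass().getName());
        }
    }
}
```

Note that the container's role check looks at the members of the Roles group, so for user 2 isUserInRole returns true for both "tm1" and "Group1". That is convenient for this demo, but it also means an auth-constraint that named an LDAP group directly would be honoured, so keep the role names in web.xml deliberately distinct from the directory's group names unless that mapping is intended. The private-credential loop prints only class names on purpose: whatever the login module stores there (a password or a token, depending on the module) should never be echoed to a browser.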
Download
The full source, Deployment Descriptors, and Ant build.xml can be downloaded here.