Securing The JBoss JAAS Subject Reader Application with J2EE Security


This article continues the J2EE Security Series from the past few months. Here we expand the Simple J2EE Web Application that was introduced in this article to use J2EE Security.

User Repository

The User Repository used in this example is described in this article.

The Users

inetOrgPerson entries in the LDAP tree described here make up the user population. There are 5000 users defined; their cn values are 1, 2, ..., 5000.

The Groups

In an attempt to demonstrate a real-world use, this example makes use of LDAP Groups as described here. The group used in this example is called Group1.

The J2EE Roles

All protected Web Resources are mapped to the same J2EE Role, tm1.

The Resources

There are two Web Resources defined in web.xml:

  • /UnprotectedSubjectServlet
  • /ProtectedSubjectServlet

Only /ProtectedSubjectServlet is protected by J2EE Security; /UnprotectedSubjectServlet can be reached without logging in.

Authentication Mechanism

This example will use Form-based authentication. More information can be found here.

Form-based authentication requires two paths to be defined: a login path and an error path.


In this example, the login path is login.jsp, which is kept in the document root directory of the WAR file.


In this example, the error path is error.jsp, which is also kept in the document root directory of the WAR file.


The web.xml from the Simple Web Application tutorial has been enhanced to use J2EE Security. The web.xml file can be found here.


The application.xml from the Simple Web Application tutorial has been enhanced to set up J2EE Security. The new application.xml can be found here.


A jboss-web.xml file has been added to the Web Application to map the application to a Security Domain. The security domain name selects the application-policy in JBoss's login-config.xml, which is where the LDAP login module that authenticates the user and loads the Roles group is configured; without this mapping the container falls back to its default security domain rather than the LDAP repository.
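The relevant parts of the two descriptors are reproduced here as an added illustration; this is not the article's own web.xml or jboss-web.xml (those are linked above). The security-domain name subject-reader and the servlet class names are assumptions. The user-data-constraint element is also an addition the article does not mention: form-based login posts the password in clear text, so requiring a CONFIDENTIAL transport forces the login and the protected resource onto TLS.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- web.xml: Servlet 2.4 form, the spec version is an assumption -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

    <servlet>
        <servlet-name>UnprotectedSubjectServlet</servlet-name>
        <servlet-class>example.UnprotectedSubjectServlet</servlet-class> <!-- assumed class -->
    </servlet>
    <servlet>
        <servlet-name>ProtectedSubjectServlet</servlet-name>
        <servlet-class>example.ProtectedSubjectServlet</servlet-class>   <!-- assumed class -->
    </servlet>
    <servlet-mapping>
        <servlet-name>UnprotectedSubjectServlet</servlet-name>
        <url-pattern>/UnprotectedSubjectServlet</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>ProtectedSubjectServlet</servlet-name>
        <url-pattern>/ProtectedSubjectServlet</url-pattern>
    </servlet-mapping>

    <!-- Only the protected servlet is constrained; the other URL is open. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Subject Servlet</web-resource-name>
            <url-pattern>/ProtectedSubjectServlet</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <!-- the single J2EE role every protected resource maps to -->
            <role-name>tm1</role-name>
        </auth-constraint>
        <!-- Added hardening, not in the article: the form posts the password,
             so require TLS for the constrained URL. -->
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- Form-based authentication: login page and error page in the WAR root.
         login.jsp must POST to j_security_check with fields j_username and
         j_password; the article's "userid" is the on-screen label. -->
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>tm1</role-name>
    </security-role>
</web-app>
```

jboss-web.xml then binds the WAR to the JAAS security domain (the name is an assumption; it must match an application-policy in login-config.xml):

```xml
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain>java:/jaas/subject-reader</security-domain>
</jboss-web>
```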

Ant Build.xml

The build.xml for this example is here.

Screen Shots

Requesting the protected URL redirects to the login page.


Enter a valid userid and password (2/secret).


Click Submit.


JAAS Subject Contents

The output shown in the Subject Servlet screenshot is as follows:

Full dump of JAAS Subject

JAAS Subject: Subject: Principal: 2 Principal: Roles(members:tm1,Group1)


Principal: 2

Principal Classname:

Principal: Roles

Principal Classname:

Member: tm1

Member: Group1

Public Credentials:

Private Credentials:

The JAAS Subject contains two Principal objects: a SimplePrincipal and a SimpleGroup. The SimplePrincipal holds the username "2" that was typed into the userid field of the login form. The SimpleGroup principal, named Roles, has two members: tm1 and Group1. tm1 is the J2EE Role; Group1 is the LDAP group that user 2 belongs to (the user is a member of only one LDAP group). Note that JBoss checks the role-name in a security-constraint against the members of this Roles group, so the LDAP group name Group1 is usable as a J2EE role name exactly like tm1: a constraint naming Group1 would admit this user as well. Role names and LDAP group names share one namespace unless an explicit role mapping is configured.

There are no Public Credential objects.

There are no Private Credential objects.
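The following servlet is an added example of how such a dump is produced; it is not the article's ProtectedSubjectServlet. It obtains the caller's Subject through the JACC PolicyContext key that JBoss (4.x and later) publishes, walks the Principals and the members of any Group principal such as JBoss's Roles SimpleGroup, and places the container's own answer from isUserInRole beside the raw Subject so the two views can be compared. The class name SubjectDumpServlet is an assumption. It deliberately prints only the count of private credentials, since a login module may keep the password there.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import java.security.acl.Group;          // SimpleGroup implements this (pre-Java 9 API)
import java.util.Enumeration;

import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not the article's servlet): dumps the JAAS Subject that the
 * container attached to the current request.
 */
public class SubjectDumpServlet extends HttpServlet {

    // JACC-standard key under which the container exposes the caller Subject.
    private static final String SUBJECT_KEY = "javax.security.auth.Subject.container";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        Subject subject;
        try {
            subject = (Subject) PolicyContext.getContext(SUBJECT_KEY);
        } catch (PolicyContextException e) {
            throw new ServletException("cannot obtain caller Subject", e);
        }
        // An unprotected URL can be reached with no authenticated caller at all.
        if (subject == null) {
            out.println("No JAAS Subject (anonymous request)");
            return;
        }

        out.println("Full dump of JAAS Subject");
        out.println("JAAS Subject: " + subject);
        for (Principal p : subject.getPrincipals()) {
            out.println("Principal: " + p.getName());
            out.println("Principal Classname: " + p.getClass().getName());
            // JBoss stores roles as members of a Group principal named "Roles".
            if (p instanceof Group) {
                Enumeration<? extends Principal> members = ((Group) p).members();
                while (members.hasMoreElements()) {
                    out.println("  Member: " + members.nextElement().getName());
                }
            }
        }
        out.println("Public Credentials: " + subject.getPublicCredentials().size());
        // Never echo private credentials (they may hold the password); count only.
        out.println("Private Credentials: " + subject.getPrivateCredentials().size());

        // The container's view, for comparison with the raw Roles group above.
        Principal caller = req.getUserPrincipal();
        out.println("Caller principal: " + (caller == null ? "none" : caller.getName()));
        out.println("isUserInRole(\"tm1\"): " + req.isUserInRole("tm1"));
        out.println("isUserInRole(\"Group1\"): " + req.isUserInRole("Group1"));
    }
}
```

Deploy it behind the same security-constraint as /ProtectedSubjectServlet; for user 2 the Roles group lists tm1 and Group1, and both isUserInRole calls return true, which is the direct consequence of LDAP group names being exposed as J2EE roles. Reading getPrivateCredentials() requires an AuthPermission when the server runs under a Java SecurityManager.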


The full source, Deployment Descriptors, and Ant build.xml can be downloaded here.