Securing The JBoss JAAS Subject Reader Application with J2EE Security

Introduction

This article continues the J2EE Security Series from the past few months. Here we expand the Simple J2EE Web Application that was introduced in this article to use J2EE Security.

User Repository

The User Repository used in this example is described in this article.

The Users

InetPerson objects defined in the LDAP tree described here make up the user population. There are 5000 users defined; their cn values are 1, 2, ..., 5000.

The Groups

In an attempt to demonstrate a real-world use, this example makes use of LDAP Groups as described here. The group used in this example is called Group1.

The J2EE Roles

All protected Web Resources are mapped to the same J2EE Role, tm1.

The Resources

There are two Web Resources defined in web.xml:

  • /UnprotectedSubjectServlet
  • /ProtectedSubjectServlet

Only /ProtectedSubjectServlet is protected by J2EE Security; /UnprotectedSubjectServlet can be requested without logging in.

Authentication Mechanism

This example will use Form-based authentication. More information can be found here.

Form-based authentication requires two pages to be declared in web.xml: a login page (form-login-page), to which the container forwards an unauthenticated request for a protected resource, and an error page (form-error-page), which is shown when the submitted credentials are rejected.

login.jsp

In this example, the login path is login.jsp, which is kept in the document root directory of the WAR file.

error.jsp

In this example, the error path is error.jsp, which is also kept in the document root directory of the WAR file.
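The following login page is an added example, not the article's own login.jsp (which is in the download). The only things the container cares about are the form action j_security_check and the field names j_username and j_password; the container intercepts that POST itself, so the application never sees the password. The autocomplete attribute is an added hardening choice that the article does not mention.

```jsp
<%-- login.jsp: kept in the WAR document root and named in web.xml as
     <form-login-page>/login.jsp</form-login-page>.
     The action and field names are fixed by the Servlet specification;
     the container, not the application, processes this POST. --%>
<html>
<head><title>Subject Reader Login</title></head>
<body>
<form method="POST" action="j_security_check">
  <%-- autocomplete="off" is an added hardening choice, not from the article --%>
  Userid:   <input type="text"     name="j_username" autocomplete="off"><br>
  Password: <input type="password" name="j_password" autocomplete="off"><br>
  <input type="submit" value="Submit">
</form>
</body>
</html>
```

The relative action j_security_check resolves against the URL of the protected resource the user originally requested, which is what the container expects. error.jsp, also in the document root, needs no form at all; it should say only that the login failed, not whether the userid or the password was the part that was wrong, and should link back to the protected URL so the user can try again.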

web.xml

The web.xml from the Simple Web Application tutorial has been enhanced to use J2EE Security. The web.xml file can be found here.

application.xml

The application.xml from the Simple Web Application tutorial has been enhanced to set up J2EE Security. The new application.xml can be found here.

jboss-web.xml

A jboss-web.xml file has been added to the Web Application to map the application to a Security Domain.
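Added example of the mapping and of the security domain it points at; these are assumed configurations, not the article's files. The domain name subject-reader is made up, and every DN, filter and host in the application-policy is a placeholder for the LDAP layout described in the user-repository article. The defaultRole option is used here as one way of reproducing the tm1 entry that the article's Subject dump shows; the article itself does not say how tm1 got into the Subject.

```xml
<!-- WEB-INF/jboss-web.xml: binds the WAR to a JBoss security domain.
     "subject-reader" is an assumed name. The java:/jaas/ prefix is the
     JNDI location under which JBoss publishes each application-policy. -->
<jboss-web>
  <security-domain>java:/jaas/subject-reader</security-domain>
</jboss-web>

<!-- conf/login-config.xml: the application-policy the domain name refers to.
     Assumed LdapExtLoginModule configuration; all values are placeholders. -->
<application-policy name="subject-reader">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule"
                  flag="required">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://ldap.example.com:389</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <!-- Service account used only to find the user DN and the groups;
           the user's own password is verified by binding as the user. -->
      <module-option name="bindDN">cn=jboss-bind,ou=Services,dc=example,dc=com</module-option>
      <module-option name="bindCredential">changeme</module-option>
      <!-- Where the 5000 InetPerson entries live; the form userid is matched
           against cn, so userid "2" resolves to the entry with cn=2. -->
      <module-option name="baseCtxDN">ou=People,dc=example,dc=com</module-option>
      <module-option name="baseFilter">(cn={0})</module-option>
      <!-- Groups whose member attribute holds the user's DN ({1}) become
           entries in the Subject's Roles group, named by the group's cn. -->
      <module-option name="rolesCtxDN">ou=Groups,dc=example,dc=com</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <!-- Assumption: grants tm1 to every authenticated user, which is one
           way to obtain Roles(members:tm1,Group1) as in the article's dump. -->
      <module-option name="defaultRole">tm1</module-option>
    </login-module>
  </authentication>
</application-policy>
```

Two checks worth making on a real deployment: the bindDN account should be able to read cn and member attributes and nothing more, since its password sits in clear text in login-config.xml; and the security-domain name in jboss-web.xml must match the application-policy name exactly, because a mismatch silently falls back to the "other" policy and every login fails.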

Ant Build.xml

The build.xml for this example is here.

Screen Shots

Hitting the initial URL redirects to the login page.

[screenshot: login page]

Enter a valid userid and password (2/secret).

[screenshot: login form with credentials entered]

Click Submit.

[screenshot: Subject Servlet output]

JAAS Subject Contents

The information shown in the Subject Servlet screenshot is as follows:

  Full dump of JAAS Subject

  JAAS Subject: Subject: Principal: 2 Principal: Roles(members:tm1,Group1)

  Principals
    Principal: 2
    Principal Classname: org.jboss.security.SimplePrincipal
    Principal: Roles
    Principal Classname: org.jboss.security.SimpleGroup
      Member: tm1
      Member: Group1

  Public Credentials:

  Private Credentials:

The JAAS Subject contains two Principal objects, a SimplePrincipal and a SimpleGroup. The SimplePrincipal holds the username that was entered in the form's userid field, "2". The SimpleGroup named Roles holds two entries, tm1 and Group1: tm1 is the J2EE role, and Group1 is the LDAP group that user "2" belongs to (it is a member of only one LDAP group). JBoss authorizes the request to /ProtectedSubjectServlet by checking that the role named in the auth-constraint, tm1, appears in this Roles group, so the login module configured for the security domain must supply it.

There are no Public Credential objects.

There are no Private Credential objects.
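A small stand-alone Java program, added here and not the article's servlet code, that walks a Subject the way the dump above does: plain Principals first, then any Principal that is also a java.security.acl.Group, listing its members, and finally a role check that mirrors what the container does with the Roles group. In the article's deployment the Subject is the one JBoss attaches to the request, holding a SimplePrincipal("2") and a SimpleGroup("Roles"); since those classes are JBoss-specific, the example constructs a Subject with two small stand-ins that behave the same way. The class and method names are assumptions.

```java
// SubjectDump.java: added example; not part of the article's download.
import java.security.Principal;
import java.security.acl.Group;          // SimpleGroup implements this interface
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;

public class SubjectDump {

    /** Render a Subject in the layout of the article's "Full dump" output. */
    public static String describe(Subject subject) {
        StringBuilder out = new StringBuilder("Principals\n");
        for (Principal p : subject.getPrincipals()) {
            out.append("  Principal: ").append(p.getName()).append('\n');
            out.append("  Principal Classname: ").append(p.getClass().getName()).append('\n');
            if (p instanceof Group) {            // the Roles group
                Enumeration<? extends Principal> members = ((Group) p).members();
                while (members.hasMoreElements()) {
                    out.append("    Member: ").append(members.nextElement().getName()).append('\n');
                }
            }
        }
        out.append("Public Credentials: ").append(subject.getPublicCredentials().size()).append('\n');
        out.append("Private Credentials: ").append(subject.getPrivateCredentials().size()).append('\n');
        return out.toString();
    }

    /** True if the Group principal named groupName has a member named role.
     *  This is the check the container performs against <role-name> in web.xml. */
    public static boolean hasRole(Subject subject, String groupName, String role) {
        for (Group g : subject.getPrincipals(Group.class)) {
            if (g.getName().equals(groupName)) {
                return g.isMember(new NamedPrincipal(role));   // compares by name
            }
        }
        return false;
    }

    // Stand-in for org.jboss.security.SimplePrincipal: equality is by name.
    static class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof Principal && name.equals(((Principal) o).getName());
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return name; }
    }

    // Stand-in for org.jboss.security.SimpleGroup: a named set of principals.
    static class NamedGroup extends NamedPrincipal implements Group {
        private final Set<Principal> members = new HashSet<Principal>();
        NamedGroup(String name) { super(name); }
        public boolean addMember(Principal p) { return members.add(p); }
        public boolean removeMember(Principal p) { return members.remove(p); }
        public boolean isMember(Principal p) { return members.contains(p); }
        public Enumeration<? extends Principal> members() {
            return Collections.enumeration(members);
        }
    }

    public static void main(String[] args) {
        // Constructed Subject mirroring the article's dump for user "2".
        // Inside a servlet on JBoss 4 the container's Subject can be fetched with
        // org.jboss.security.SecurityAssociation.getSubject() (JBoss-specific,
        // deprecated in later releases); request.isUserInRole("tm1") is the
        // portable equivalent of hasRole() below.
        Subject s = new Subject();
        s.getPrincipals().add(new NamedPrincipal("2"));
        NamedGroup roles = new NamedGroup("Roles");
        roles.addMember(new NamedPrincipal("tm1"));
        roles.addMember(new NamedPrincipal("Group1"));
        s.getPrincipals().add(roles);

        System.out.print(describe(s));
        System.out.println("tm1 granted? " + hasRole(s, "Roles", "tm1"));
        System.out.println("tm2 granted? " + hasRole(s, "Roles", "tm2"));
    }
}
```

When the same walk is done inside the real servlet, remember that the SimplePrincipal name is whatever string was typed into the userid field; it was accepted by LDAP, but nothing guarantees it is safe to write into an HTML page, so HTML-escape every principal and member name before echoing it, as the article's screenshot output does not show doing. java.security.acl.Group is the type JBoss of this era used for SimpleGroup; it is deprecated in modern JDKs, which is fine for reading this article's Subject but not something to build new code on.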

Download

The full source, Deployment Descriptors, and Ant build.xml can be downloaded here.