jboss-eap-6

JAAS Authorization for Web Application on Jboss EAP 6.3


Currently, I am migrating my web application from JBoss EAP 5.2 to EAP 6.3. The application is using customized Realm for Authorization. However, Realm is no longer supported in 6.3 and people suggest using customized LoginModule. I did some research and found the LoginModule is only for Authentication. Am I correct? If LoginModule also provides Authorization service, how do I do it? If not, what are the alternative ways to do Authorization?

Thank you. David


Solution

  • Your LoginModule should override one of the descendants of org.jboss.security.auth.spi.AbstractServerLoginModule. If you implement or override the getRoleSets() method you can add roles to the authenticated user for authorization.

    The getRoleSets() method returns an array of Groups that correspond to the Role sets assigned to the user. You should return a Group called "Roles" that contains the roles assigned to the user. For example:

    // Called by the container after a successful login(); the "Roles" group
    // is what the container consults for @RolesAllowed and <auth-constraint>.
    @Override
    protected Group[] getRoleSets() throws LoginException {
        Group group = new SimpleGroup("Roles");
        try {
            // createIdentity() is inherited from AbstractServerLoginModule
            Principal p = createIdentity("ADMIN_ROLE");
            group.addMember(p);
        } catch (Exception e) {
            LOGGER.error("Failed to create principal on login", e);
        }
        return new Group[] { group };
    }
    

    Then add @RolesAllowed annotations to your exposed methods, specifying the roles allowed. For example:

    @RequestScoped
    @DenyAll            // default for the whole class: nobody may call these methods
    @Path("admin")
    public class AdminServices {
    
        @POST
        @Path("/myAdminUri")
        @Produces(MediaType.TEXT_PLAIN)
        @RolesAllowed({ "ADMIN_ROLE" })   // only the "ADMIN_ROLE" role overrides the class-level @DenyAll
        public String administerMethod(@Context HttpServletRequest req, @Context HttpServletResponse resp)
                throws SomeException {
            // .... method body ....
            return "done";
        }
    }
    

    If the user is not logged in with the required role they are denied access to the method.

    EDIT: The web.xml file can also list security restrictions in a <security-constraint> stanza. The role name should match the role allocated by the getRoleSets() method.

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Secure resources</web-resource-name>
            <url-pattern>/admin*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ADMIN_ROLE</role-name>
        </auth-constraint>
    </security-constraint>
    
    <security-role>
        <role-name>ADMIN_ROLE</role-name>
    </security-role>
    
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>SecureRealm</realm-name>
    </login-config>
    

    There is a Security Reference Guide available on the Red Hat site (support subscription required).
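The following is an added, complete example (not code from the answer above or from JBoss/PicketBox) that puts the two pieces of the answer together: a custom LoginModule that extends `UsernamePasswordLoginModule` (itself a descendant of `AbstractServerLoginModule`) does authentication in `getUsersPassword()` and authorization in `getRoleSets()`, returning the `"Roles"` group that `@RolesAllowed` and `<auth-constraint>` are checked against. The class name, package and the in-memory user/role table are constructed for illustration; a real module would look users up in a database or directory, and the class would still have to be registered as a login-module in a security domain in `standalone.xml` and referenced from the application's `jboss-web.xml` via `<security-domain>`.

```java
package com.example.security; // hypothetical package

import java.security.Principal;
import java.security.acl.Group;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.login.LoginException;

import org.jboss.security.SimpleGroup;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

/**
 * Custom login module: authenticates against an in-memory table and
 * supplies the "Roles" group that the container uses for authorization.
 * Constructed example; the user table is not real data.
 */
public class InMemoryRolesLoginModule extends UsernamePasswordLoginModule {

    // Constructed sample data: user -> password and user -> roles.
    // Plaintext passwords are for illustration only; PicketBox can compare
    // hashed passwords when the module's hashAlgorithm option is set.
    private static final Map<String, String> PASSWORDS = new HashMap<String, String>();
    private static final Map<String, String[]> ROLES = new HashMap<String, String[]>();
    static {
        PASSWORDS.put("alice", "alice-secret");
        ROLES.put("alice", new String[] { "ADMIN_ROLE", "USER_ROLE" });
        PASSWORDS.put("bob", "bob-secret");
        ROLES.put("bob", new String[] { "USER_ROLE" });
    }

    /**
     * Authentication step: the superclass compares the value returned here
     * with the password supplied by the caller.
     */
    @Override
    protected String getUsersPassword() throws LoginException {
        String password = PASSWORDS.get(getUsername());
        if (password == null) {
            // Unknown user: fail with a generic message so the response does
            // not reveal whether the account exists.
            throw new LoginException("Authentication failed");
        }
        return password;
    }

    /**
     * Authorization step: build the "Roles" group from the roles assigned to
     * the authenticated user. A user with no roles gets an empty group and is
     * therefore denied by every @RolesAllowed and <auth-constraint>.
     */
    @Override
    protected Group[] getRoleSets() throws LoginException {
        Group roles = new SimpleGroup("Roles");
        String[] assigned = ROLES.get(getUsername());
        if (assigned != null) {
            for (String role : assigned) {
                try {
                    // createIdentity() is inherited from AbstractServerLoginModule
                    Principal p = createIdentity(role);
                    roles.addMember(p);
                } catch (Exception e) {
                    // Fail closed: a role we cannot represent must not silently vanish.
                    throw new LoginException("Failed to create role principal " + role
                            + ": " + e.getMessage());
                }
            }
        }
        return new Group[] { roles };
    }
}
```

With this module, "alice" satisfies `@RolesAllowed({ "ADMIN_ROLE" })` and the `<auth-constraint>` for `/admin*`, while "bob" authenticates successfully but is refused access to the admin resources because his "Roles" group lacks `ADMIN_ROLE`. Note that `getRoleSets()` throwing on an internal error (rather than logging and returning a partial group) is a deliberate fail-closed choice for an authorization path.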