Java Authentication and Authorization Service, Form based Authentication
JAAS helps with the authentication and authorization of a person, system or automated process. It reduces security concerns, because it is the first layer a user has to pass through before interacting with the actual method, interface or page.
JAAS makes security pluggable into your project: it can be replaced by any other security mechanism while your main application remains intact.
user/system/process -->| JAAS -->| Application
JAAS also lets you configure multiple login modules for different sections of your project.
How it works.
When a user tries to access secure content, JAAS is activated and asks for a username and password, depending on the “login configuration” (authentication method: form based or simple).
Form based security shows a user-defined form to take the inputs; simple pops up a window for the username and password. This tutorial concentrates on FORM based authentication. (Please note that authorization is not included in this tutorial.)
For more detail on JAAS, please read the following links:
JavaRanch.com
Java Authentication and Authorization Service
A simple and very easy JBOSS JAAS authentication and authorization tutorial.

Here is the directory structure of my project:

    [mazhar] (my web project)
    +- [WebContent]
       +- [admin] (this is our secure folder)
          + salary.jsp
       +- [WEB-INF]
          +- jboss-web.xml
          +- web.xml
       +- login.jsp
       +- loginfail.jsp

1) First we need to define the application authentication policy at JBoss

D:\jboss-4.2.3.GA\server\mmazharhassan.com\conf\login-config.xml

Here we define an application policy named "mazhar_policy" and the JNDI name "mazhards", which corresponds to "jboss/.../deploy/mazhar-ds.xml".

    <application-policy name="mazhar_policy">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
          <module-option name="unauthenticatedIdentity">guest</module-option>
          <!-- datasource defined in mazhar-ds.xml (step 4) -->
          <module-option name="dsJndiName">java:/mazhards</module-option>
          <!-- returns the stored password for the submitted username -->
          <module-option name="principalsQuery">SELECT password FROM myuser WHERE username=?</module-option>
          <!-- returns the roles of the authenticated username -->
          <module-option name="rolesQuery">SELECT role, 'Roles' FROM myuser_roles WHERE username=?</module-option>
        </login-module>
      </authentication>
    </application-policy>

2nd) Create Security Domain

Create a jboss-web.xml file in the WEB-INF directory of your web application.

    <?xml version="1.0" encoding="UTF-8"?>
    <jboss-web>
      <security-domain>java:/jaas/mazhar_policy</security-domain>
    </jboss-web>

3rd) Secure the Application

Modify web.xml in the WEB-INF directory and add the following configuration.

3.1 web.xml

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Admin Pages</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description>Only allow users from following roles</description>
        <role-name>administrator</role-name>
        <role-name>superuser</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/loginfail.jsp</form-error-page>
      </form-login-config>
    </login-config>

3.2 Create login.jsp in "WebContent"

    <form method="post" action="j_security_check">
      <input type="text" name="j_username" /><br/>
      <input type="password" name="j_password" /><br/>
      <input type="submit" value="Login" />
    </form>

4th) Datasource at JBoss

D:\jboss-4.2.3.GA\server\mmazharhassan.com\deploy\mazhar-ds.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <datasources>
      <local-tx-datasource>
        <jndi-name>mazhards</jndi-name>
        <!-- the ampersand in the URL must be escaped as &amp; inside XML -->
        <connection-url>jdbc:mysql://localhost:3306/mazhar_db?useUnicode=true&amp;characterEncoding=UTF-8</connection-url>
        <driver-class>com.mysql.jdbc.Driver</driver-class>
        <user-name>umazhar</user-name>
        <password>mazhar</password>
        <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.MySQLExceptionSorter</exception-sorter-class-name>
        <valid-connection-checker-class-name>org.jboss.resource.adapter.jdbc.vendor.MySQLValidConnectionChecker</valid-connection-checker-class-name>
        <new-connection-sql>some arbitrary sql</new-connection-sql>
        <check-valid-connection-sql>some arbitrary sql</check-valid-connection-sql>
        <metadata>
          <type-mapping>mySQL</type-mapping>
        </metadata>
      </local-tx-datasource>
    </datasources>

5th) Database structure

Table1 : myuser

    iduser  username  password
    1       mazhar    123
    2       fahad     123

Table2 : myuser_roles

    role       username
    superuser  mazhar
    guest      fahad
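The constraint in step 3.1 names POST and GET in <http-method>, and a security-constraint that lists methods applies only to the listed ones; it also declares no transport guarantee for the login. The Python check below is an added example, not part of the original tutorial: the function name audit_web_xml and the hardened variant are constructed here for illustration.

```python
import re
import xml.etree.ElementTree as ET

# The tutorial's step 3.1 constraint, wrapped in a <web-app> root so it parses.
TUTORIAL = """<web-app>
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>Admin Pages</web-resource-name>
   <url-pattern>/admin/*</url-pattern>
   <http-method>POST</http-method>
   <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>administrator</role-name><role-name>superuser</role-name></auth-constraint>
 </security-constraint>
</web-app>"""

# Constructed variant: no <http-method> list (every method is covered), TLS required.
HARDENED = """<web-app>
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>Admin Pages</web-resource-name>
   <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>administrator</role-name><role-name>superuser</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
 </security-constraint>
</web-app>"""

def audit_web_xml(text):
    """Return (resource name, finding) pairs for each security-constraint."""
    # Drop a default namespace declaration so plain tag names match any servlet version.
    root = ET.fromstring(re.sub(r'\sxmlns="[^"]*"', "", text, count=1))
    findings = []
    for sc in root.iter("security-constraint"):
        name = sc.findtext("web-resource-collection/web-resource-name", "?").strip()
        methods = sorted(m.text.strip().upper() for m in sc.iter("http-method") if m.text)
        if methods:
            # A method list narrows the constraint to exactly these methods.
            findings.append((name, "only " + ",".join(methods) + " constrained"))
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", "NONE").strip()
        if guarantee != "CONFIDENTIAL":
            findings.append((name, "transport-guarantee is not CONFIDENTIAL"))
    return findings

if __name__ == "__main__":
    for label, doc in (("tutorial", TUTORIAL), ("hardened", HARDENED)):
        print(label, audit_web_xml(doc))
```

Run it against a deployed WEB-INF/web.xml by passing the file's text to audit_web_xml; an empty list means neither condition was found.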
Dude why are you using Jboss 4?
You may say that it's a requirement to use jboss 4