JAAS – Authentication with JBOSS, FORM-BASED tutorial PART1

Posted: May 2, 2011 in Computers and Internet, Configuration, Java, JBOSS, Security, Tutorials, Web Development

Java Authentication and Authorization Service, Form based Authentication

JAAS helps in authentication and authorization of a person, system or an automated process. It decreases the concerns for individuals about security, as this will be the first layer user has to go through before going to interact with actual method, interface or a page.
JAAS enables security to be plug able into you project, and it can be replaced by any criteria of security while your main application remain intact.

user/system/process —–>| JAAS ->| Application

JAAS also enables you to configure multiple login module for different section of you project.
How it works.

when user try to access secure content, JAAS get activated and ask for username and password depending upon the “login configuration” (Authentication method Form based or simple)

Form based security will show a user defined form to take inputs, simple will popup a window for username and password. in this tutorial we will concentrate on FORM based authetication.(Please note authorization is not included in this tutorial)

for more detail on JAAS please read following links
Java Authentication and Authorization Service

A simple and very easy JBOSS JAAS authentication and authorization tutorial.
Here is directory struture of my project
	[mazhar] (my web project)
		+- [WebContent]
			+- [admin] (this is our secure folder)
				  + salary.jsp 

			+- [WEB-INF]
				+- jboss-web.xml
				+- web.xml

			+- login.jsp
			+- loginfail.jsp

1) First we need to define application authetication policy at jboss


Here we define application policy named as "mazhar_policy"
and jndi name as "mazhards" which will correspond to "jboss/.../deploy/mazhar-ds.xml"

<application-policy name = "mazhar_policy">
          <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
             <module-option name = "unauthenticatedIdentity">guest</module-option>
			 <module-option name = "dsJndiName">java:/mazhards</module-option>
             <module-option name = "principalsQuery">SELECT password FROM myuser WHERE username=?</module-option>
             <module-option name = "rolesQuery">SELECT role, 'Roles' FROM myuser_roles WHERE username=?</module-option>

2nd) Create Security Domain

create jboss-web.xml file in you WEB-INF directory of your web application

<?xml version="1.0" encoding="UTF-8"?>

3rd) Secure the Application

modify web.xml in WEB-INF directory
and add following configuration

3.1 web.xml

		<web-resource-name>Admin Pages</web-resource-name>
		<description>Only allow users from following roles</description>

carate login.jsp in "webContent"
<form method="post" action="j_security_check">
	<input type="text" name="j_username" /><br/>
	<input type="password" name="j_password" /><br/>
	<input type="submit" value="Login" />

4th) Datasource at jboss

<?xml version="1.0" encoding="UTF-8"?>
    <new-connection-sql>some arbitrary sql</new-connection-sql>
    <check-valid-connection-sql>some arbitrary sql</check-valid-connection-sql>

5th) Database structure
Table1 : myuser
iduser username password
1	mazhar	123
2	fahad	123
Table2 : myuser_roles
role username
superuser mazhar guest fahad 
  1. […] JAAS JBOSS authentication and authorization simple and easy tutorial […]

  2. […] JAAS JBOSS authentication and authorization simple and easy tutorial […]

  3. […] JAAS JBOSS authentication and authorization simple and easy tutorial […]

  4. […] JAAS – Authentication with JBOSS, FORM-BASED tutorial PART1 […]

  5. gabriel says:

    Dude why are you using Jboss 4?

  6. JavaPins says:

    JAAS – Authentication with JBOSS, FORM-BASED tutorial PART1 « Development Code Bank…

    Thank you for submitting this cool story – Trackback from JavaPins…

  7. Pramod Thakur says:

    How can I get the Loginexception thrown while authentication

    • You actually cannot using this tutorial, In case of failure it will take you to loginfail.jsp, What is the usecase? I will recommend using Spring Security for the reason 1 – It is simple, 2 – It runs everywhere on all servers (tomcat, glassfish, JBoss). Otherwise you have to write custom login module.

  8. Adel Salah says:

    How to apply the same tutorial in JBOSS 5.0.1 GA ?

    Thanks in advance

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s