Securing JBoss applications using the ApplicationRealm

JBoss AS 7 and the EAP 6 provide out of the box a Security Domain which can be used for securing your applications. Let’s see how to use it in a few simple steps.

What is JBoss Application Realm?

When applications are deployed to the application server they are associated with a security domain within the security subsystem. The “other” security domain is provided to work with the ApplicationRealm, this domain is defined with a pair of login modules named respectively: “Remoting” and “RealmDirect” (“RealmUsersRoles” for AS7 ).

  • The Remoting login module is used to check if the request currently being authenticated is a request received over a Remoting connection, if so the identity that was created during the authentication process is used and associated with the current request.
  • The RealmDirect when the request did not arrive over a Remoting connection, the application server makes use of this login module and then use the realm to load the users roles.

The advantage of this approach is that all of the backing store configuration can be left within the realm with the security domain just delegating to the realm.

Differences between JBoss AS 7.1.1 and EAP 6.1

The main difference between AS7 and the EAP 6 is that JBoss AS 7 uses the RealmUsersRoles as basic mechanism for the Application/Management realm and contains the user/roles file definitions as options:

<security-domain name="other" cache-type="default">

   . . . . .
    <login-module code="RealmUsersRoles" flag="required">
       <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
       <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
       <module-option name="unauthenticatedIdentity" value="guest"/>
       <module-option name="password-stacking" value="useFirstPass"/>
    </login-module>

</security-domain>

On the other hand, the EAP 6 uses the RealmDirect which delegates the file definitions to the ApplicationRealm:

<security-domain name="other" cache-type="default">

   . . . . . 
   <login-module code="RealmDirect" flag="required">
       <module-option name="password-stacking" value="useFirstPass"/>
   </login-module>

</security-domain>

That being said, let’s see how to secure a simple Web application using the ApplicationRealm. Start by creating an user using the add-user script:

What type of user do you wish to add?
 a) Management User (mgmt-users.properties)
 b) Application User (application-users.properties)
(a): b
Enter the details of the new user to add.
Realm (ApplicationRealm) :
Username : admin1234
Password :
Re-enter Password :
What roles do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[  ]: Manager
About to add user 'admin1234' for realm 'ApplicationRealm'
Is this correct yes/no? yes
Added user 'admin1234' to file 'C:\jboss\jboss-eap-6.1\standalone\configuration\application-users.properties'
Added user 'admin1234' with roles Manager to file 'C:\jboss\jboss-eap-6.1\standalone\configuration\application-roles.properties'

As you can see, we have added an user named admin1234 as part of the Manager group. This information has been stored into the files application-user.properties and application-roles.properties.

Let’s configure a web application to use this security domain. Let’s start with web.xml:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>HtmlAuth</web-resource-name>
            <description>application security constraints
       </description>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Manager</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>ApplicationRealm</realm-name>
    </login-config>

    <security-role>
        <role-name>Manager</role-name>
    </security-role>

And here’s the jboss-web.xml section, which binds the application to the Security domain named “other”:

<jboss-web> 
      <security-domain>java:/jaas/other</security-domain>
</jboss-web>

As it is, the Web application will issue a BASIC authentication window once you try to access your Web application.

Found the article helpful? if so please follow us on Socials