Template for secured Java web applications

A simple Java web application template with secured content.

Get it

Get a released version or build the app yourself.

How to build it

Use git to get it:

git clone git://github.com/kwart/secured-webapp-template.git

or download the current sources as a zip file.

You need Maven installed; then build it:

cd secured-webapp-template
mvn clean install

Configure the application server

The vendor-specific deployment descriptors (WEB-INF/jboss-web.xml and WEB-INF/jboss-ejb3.xml) refer to a web-tests security domain, which you have to add to your server configuration. Define the new security domain using the JBoss CLI (jboss-cli.sh / jboss-cli.bat), following one of the two variants below:

Use Elytron security

Elytron is the new security framework in WildFly 11+ and EAP 7.1+.

Unlike legacy security, Elytron's properties-realm cannot load property files from the deployment classpath, so we use a filesystem-realm to create the test user population.

bin/jboss-cli.sh << EOT
embed-server

# create realm with users
/subsystem=elytron/filesystem-realm=web-tests:add(path=web-tests,relative-to=jboss.server.config.dir)

/subsystem=elytron/filesystem-realm=web-tests:add-identity(identity=user)
/subsystem=elytron/filesystem-realm=web-tests:set-password(identity=user, clear={password="user"})
/subsystem=elytron/filesystem-realm=web-tests:add-identity-attribute(identity=user, name=groups, value=["Users"])

/subsystem=elytron/filesystem-realm=web-tests:add-identity(identity=admin)
/subsystem=elytron/filesystem-realm=web-tests:set-password(identity=admin, clear={password="admin"})
/subsystem=elytron/filesystem-realm=web-tests:add-identity-attribute(identity=admin, name=groups, value=["Users", "Admin"])

# create security domain and other necessary config objects
/subsystem=elytron/simple-role-decoder=web-tests:add(attribute=groups)
/subsystem=elytron/constant-permission-mapper=web-tests:add(permissions=[{class-name="org.wildfly.security.auth.permission.LoginPermission"}])
/subsystem=elytron/security-domain=web-tests:add(default-realm=web-tests, permission-mapper=web-tests, realms=[{role-decoder=web-tests, realm=web-tests}])

# add Elytron security domain mapping from Undertow and EJB subsystems
/subsystem=elytron/provider-http-server-mechanism-factory=web-tests:add()
/subsystem=elytron/http-authentication-factory=web-tests:add(security-domain=web-tests, \
  http-server-mechanism-factory=web-tests, \
  mechanism-configurations=[ \
    {mechanism-name=DIGEST,mechanism-realm-configurations=[{realm-name=web-tests}]}, \
    {mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=web-tests}]}, \
    {mechanism-name=FORM}])
/subsystem=undertow/application-security-domain=web-tests:add(http-authentication-factory=web-tests)
/subsystem=ejb3/application-security-domain=web-tests:add(security-domain=web-tests)

EOT

Use Legacy security (JBoss AS 7 / EAP 6+ / WildFly 8+)

Use the UsersRoles JAAS login module, which ships with the application server; it reads the users.properties and roles.properties files from the deployment classpath (WEB-INF/classes):

/subsystem=security/security-domain=web-tests:add(cache-type=default)
/subsystem=security/security-domain=web-tests/authentication=classic:add( \
  login-modules=[{"code"=>"UsersRoles", "flag"=>"required"}]) {allow-resource-service-restart=true}

How to use DIGEST authentication with Legacy security

If you want to enable DIGEST authentication in the web.xml deployment descriptor, you also need to configure the web-tests security domain to hash the passwords stored in the users.properties file.

The CLI commands to do it:

/subsystem=security/security-domain=web-tests:add(cache-type=default)
/subsystem=security/security-domain=web-tests/authentication=classic:add( \
  login-modules=[{"code"=>"UsersRoles", "flag"=>"required", \
    "module-options" => { \
      "hashAlgorithm" => "MD5", \
      "hashEncoding" => "RFC2617", \
      "hashUserPassword" => "false", \
      "hashStorePassword" => "true", \
      "passwordIsA1Hash" => "false", \
      "storeDigestCallback" => "org.jboss.security.auth.callback.RFC2617Digest" \
    }}]) {allow-resource-service-restart=true}

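As an added illustration (not code from this template) of what the RFC2617 options above make the UsersRoles login module do: users.properties keeps clear-text passwords (passwordIsA1Hash=false), the server derives the RFC 2617 A1 hash MD5(user:realm:password) from them at check time (hashStorePassword=true) and compares it with the digest response the browser computed. The users.properties content and the request values are constructed samples; the realm name is the web-tests domain from this page.

```python
import hashlib
import hmac

# Constructed sample of WEB-INF/classes/users.properties: clear-text passwords,
# which is what passwordIsA1Hash=false / hashStorePassword=true expects.
USERS_PROPERTIES = """\
# users.properties (constructed sample)
user=user
admin=admin
"""

REALM = "web-tests"  # realm name the server sends in its DIGEST challenge


def parse_users(text):
    """Parse users.properties into {username: clear_text_password}."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, password = line.partition("=")
        users[name.strip()] = password.strip()
    return users


def md5_hex(data):
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def a1_hash(username, realm, password):
    """RFC 2617 HA1 = MD5(username:realm:password). hashStorePassword=true with
    hashEncoding=RFC2617 derives this from the stored clear-text password;
    with passwordIsA1Hash=true this value would be stored in its place."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client 'response' for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify(users, username, realm, method, uri, nonce, nc, cnonce, response):
    """Server check: recompute the expected response from the stored password
    and compare in constant time. Unknown users fail closed."""
    if username not in users:
        return False
    expected = digest_response(a1_hash(username, realm, users[username]),
                               method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)
```

Because A1 binds the realm name, a stored A1 hash (passwordIsA1Hash=true) only matches while the realm-name in the server's challenge stays the same.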
Deploy and use application

Copy the produced secured-webapp.war from the target folder to the deployment folder of your container.

Open the application URL in a browser, e.g. http://localhost:8080/secured-webapp/

License