JAAS Authentication
Java Authentication and Authorization Service (JAAS) is the Java implementation of the standard Pluggable Authentication Module (PAM) for authentication.
When a user tries to access the Web UI:
1 A prompt requests credentials to validate the user using JAAS. The security policy defined in JBoss determines which users JAAS accepts.
2 If the user is authorized, the login implementation sends the JAAS credentials to the appropriate authentication provider.
3 The authentication provider checks if the user is a valid Web UI user and validates the credentials that the user provided.
Enabling JAAS Authentication
1 Define the login method and the authorization fail URL.
a Locate the precision.properties file. The path is usually:
C:\PRECISION\WebUI
b In the precision.properties file, set:
precision.login.method=jaas
precision.login.authfail-url=/htm/alt-logout.xj
2 Add a JBoss application policy to define which users JAAS accepts.
a Locate the file ${jboss_home}\server\default\conf\login-conf.xml
b Add an application policy. Ensure that the name of this policy matches the -DjaasSecurityDomain parameter set up in step 5.
Define the login module based on user needs:
<application-policy name="JAAS">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="usersProperties">props/user.properties</module-option>
      <module-option name="rolesProperties">props/roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>
Example: An entry in user.properties for the UsersRolesLoginModule:
#user=password
QCONFIG=Precision
Example: An entry in roles.properties for the UsersRolesLoginModule:
#user=role
QCONFIG=webUI
Note: The role webUI is defined in step 3 but also in the web.xml file within the application EAR file; these definitions must be consistent. If you assign an incorrect role to a user, the user passes JAAS authentication but an access denied screen is displayed.
Note: UsersRolesLoginModule is just one of the login modules that JBoss provides. You can configure this application policy using a different login module that meets your needs.
3 Add the authentication method to JBoss.
a Locate the file ${jboss_home}\server\default\deploy\jboss-web.deployer\conf\web.xml
b Add the following code to the file:
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>BASIC Auth</realm-name>
</login-config>
4 If you are using autologin when JBoss starts up, then complete these JBoss scheduler changes:
a Locate the file ${jboss_home}\server\default\deploy\scheduler-service.xml and make the following changes:
Replace htm/autologin.htm with htm/autologin.xj
Replace option=CNTRLR with option=CNTRLJ
Replace servlet/controller with servlet/jaas/controller
Replace htm/command-controller.htm with htm/command-controller.xj
5 Include two groups of JBoss server arguments:
a If you are running the Web UI as a local JBoss application from a developer environment, add the following properties to the JBoss Server arguments:
-DjaasHttpMethod1=GET -DjaasHttpMethod2=POST -DjaasHttpMethod3=PUT -DjaasHttpMethod4=DELETE -DjaasHttpMethod5=HEAD -DjaasHttpMethod6=OPTIONS -DjaasHttpMethod7=TRACE -DjaasRoleName=webUI -DjaasSecurityDomain=JAAS
Note: To access the JBoss Server arguments, go to Launch Configurations|Arguments tab|VM arguments.
b If you are running the Web UI as a service, locate the ${webUI_home}\service\WrapperJBossService.conf file and, below the last wrapper.app.parameter line, add these new parameters:
wrapper.app.parameter.<x>=-DjaasHttpMethod1=GET
wrapper.app.parameter.<x>=-DjaasHttpMethod2=POST
wrapper.app.parameter.<x>=-DjaasHttpMethod3=PUT
wrapper.app.parameter.<x>=-DjaasHttpMethod4=DELETE
wrapper.app.parameter.<x>=-DjaasHttpMethod5=HEAD
wrapper.app.parameter.<x>=-DjaasHttpMethod6=OPTIONS
wrapper.app.parameter.<x>=-DjaasHttpMethod7=TRACE
wrapper.app.parameter.<x>=-DjaasRoleName=webUI
wrapper.app.parameter.<x>=-DjaasSecurityDomain=JAAS
where <x> is the last sequence number incremented by 1.
6 Optionally, you can configure your log4j to print DEBUG information in the following packages:
com.precisionsoftware.providers.AbstractAuthenticationProvider
com.precisionsoftware.trax.app.controller.login.JaasLoginController
The resulting DEBUG information may help you to investigate configuration problems.
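Added example (not part of the product or its documentation): a small Python check for the two consistency requirements in the procedure above, namely that the application policy name matches -DjaasSecurityDomain and that each user holds the role named by -DjaasRoleName. The function names, the OPERATOR user, and the sample file contents are constructed for illustration; roles are assumed to be comma-separated and compared as exact strings.

```python
import re
import xml.etree.ElementTree as ET

def parse_props(text):
    """Parse name=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_jaas_config(login_conf, users, roles, server_args):
    """Return a list of inconsistencies between the files edited in steps 2 and 5."""
    problems = []
    # Works on a VM-arguments line and on wrapper.app.parameter.<x>= lines alike.
    args = dict(re.findall(r"-D(\w+)=(\S+)", server_args))
    domain, role = args.get("jaasSecurityDomain"), args.get("jaasRoleName")
    if not domain or not role:
        return ["-DjaasSecurityDomain or -DjaasRoleName is not set"]
    policies = [p.get("name") for p in ET.fromstring(login_conf).iter("application-policy")]
    if domain not in policies:
        problems.append(f"no application-policy named {domain!r} (found {policies})")
    user_roles = parse_props(roles)
    for user in parse_props(users):
        granted = [r.strip() for r in user_roles.get(user, "").split(",")]
        if role not in granted:
            # Such a user authenticates but then gets the access denied screen.
            problems.append(f"user {user!r} lacks role {role!r}")
    return problems

# Constructed sample input mirroring the values shown in the steps above.
LOGIN_CONF = """<policy><application-policy name="JAAS"><authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
</authentication></application-policy></policy>"""
USERS = "#user=password\nQCONFIG=Precision\nOPERATOR=changeme\n"
ROLES = "#user=role\nQCONFIG=webUI\nOPERATOR=webui\n"  # wrong case for OPERATOR
ARGS = "-DjaasHttpMethod1=GET -DjaasRoleName=webUI -DjaasSecurityDomain=JAAS"

if __name__ == "__main__":
    for problem in check_jaas_config(LOGIN_CONF, USERS, ROLES, ARGS):
        print("MISMATCH:", problem)
```

To check a real installation, pass the contents of login-conf.xml, the two properties files, and either the VM arguments line or WrapperJBossService.conf as the four strings.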