<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<body link="#355491" alink="#4262a1" vlink="#355491" style="background: #e2e2e2; margin: 0; padding: 20px;">
<div>
        <table cellpadding="0" bgcolor="#FFFFFF" border="0" cellspacing="0" style="border: 1px solid #dadada; margin-bottom: 30px; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
                <tbody>
                        <tr>
                                <td>
                                        <table border="0" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF" style="border: solid 2px #ccc; background: #dadada; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
                                                <tbody>
                                                        <tr>
                                                                <td bgcolor="#000000" valign="middle" height="58px" style="border-bottom: 1px solid #ccc; padding: 20px; -moz-border-radius-topleft: 3px; -moz-border-radius-topright: 3px; -webkit-border-top-right-radius: 5px; -webkit-border-top-left-radius: 5px;">
                                                                        <h1 style="color: #333333; font: bold 22px Arial, Helvetica, sans-serif; margin: 0; display: block !important;">
                                                                        <a href="https://community.jboss.org/index.jspa" style="text-decoration: none; color: #E1E1E1">JBoss Community</a></h1>
                                                                </td>
                                                        </tr>
                                                        <tr>
                                                                <td bgcolor="#FFFFFF" style="font: normal 12px Arial, Helvetica, sans-serif; color:#333333; padding: 20px; -moz-border-radius-bottomleft: 4px; -moz-border-radius-bottomright: 4px; -webkit-border-bottom-right-radius: 5px; -webkit-border-bottom-left-radius: 5px;"><h3 style="margin: 10px 0 5px; font-size: 17px; font-weight: normal;">
JBoss AS7: securing subsystem web applications
</h3>
<span style="margin-bottom: 10px;">
modified by <a href="https://community.jboss.org/people/NadirX">Tristan Tarrant</a> in <i>PicketBox Development</i> - <a href="https://community.jboss.org/docs/DOC-18274">View the full document</a>
</span>
<hr style="margin: 20px 0; border: none; background-color: #dadada; height: 1px;">
<div class="jive-rendered-content"><p>In JBoss AS7 it is possible for extension subsystems to publish web applications programmatically (i.e. without going through the deployer). This, for example, is how the default "welcome" web app in AS7 works (look at <span style="font-family: courier new,courier;">web/src/main/java/org/jboss/as/web/WelcomeContextService.java</span> and <span style="font-family: courier new,courier;">web/src/main/java/org/jboss/as/web/WelcomeContextConsoleServlet.java</span> in the AS7 source to see how it is done). </p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>Using the <span style="font-family: courier new,courier;">org.apache.catalina.core.StandardContext</span> API it is possible to configure all the aspects that are accessible via the usual web.xml declarative configuration, including security constraints and roles. The class that wires all that configuration into the container is <span style="font-family: courier new,courier;">org.apache.catalina.startup.ContextConfig</span>, which needs to be added to the context as a lifecycle listener. Unfortunately, in JBossWeb, that class has been changed so that it does not hook up the authenticators. Instead, a specialized <span style="font-family: courier new,courier;">org.jboss.as.web.deployment.JBossContextConfig</span> has to be used.
JBossContextConfig however requires a DeploymentUnit, a container for metadata collected from web.xml, jboss-web.xml and annotations, and setting it up is non-trivial (look at the webservices subsystem for an example of a dynamically generated DeploymentUnit based on JAXWS annotations).</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>An alternative solution is to use the following subclass of the default ContextConfig:</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><pre class="jive-pre"><code class="jive-code jive-java"><font color="navy"><b>import</b></font> org.apache.catalina.startup.ContextConfig;
<font color="navy"><b>import</b></font> org.jboss.as.web.WebLogger;
 
<font color="navy"><b>public</b></font> <font color="navy"><b>class</b></font> SecureContextConfig <font color="navy"><b>extends</b></font> ContextConfig <font color="navy">{</font>
   @Override
   <font color="navy"><b>protected</b></font> <font color="navy"><b>void</b></font> completeConfig() <font color="navy">{</font>
      <font color="navy"><b>if</b></font> (ok) <font color="navy">{</font>
         resolveServletSecurity();
      <font color="navy">}</font>
      <font color="navy"><b>if</b></font> (ok) <font color="navy">{</font>
         validateSecurityRoles();
      <font color="navy">}</font>
      <font color="darkgreen">// Configure an authenticator if we need one</font>
      <font color="navy"><b>if</b></font> (ok) <font color="navy">{</font>
         authenticatorConfig();
      <font color="navy">}</font>
      <font color="darkgreen">// Make our application unavailable if problems were encountered</font>
      <font color="navy"><b>if</b></font> (!ok) <font color="navy">{</font>
         WebLogger.WEB_LOGGER.unavailable(context.getName());
         context.setConfigured(<font color="navy"><b>false</b></font>);
      <font color="navy">}</font>
   <font color="navy">}</font>
<font color="navy">}</font>
</code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>Together with the attached SecurityContext custom valve you can then set up your context's security as follows (I'm skipping all context configuration related to docbase, servlets, etc. and focusing only on the security bits):</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><pre class="jive-pre"><code class="jive-code jive-java">      StandardContext context = <font color="navy"><b>new</b></font> StandardContext();
      context.addLifecycleListener(<font color="navy"><b>new</b></font> SecureContextConfig());
 
      SecurityConstraint constraint = <font color="navy"><b>new</b></font> SecurityConstraint();
      SecurityCollection webCollection = <font color="navy"><b>new</b></font> SecurityCollection();
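      webCollection.addPattern(<font color="red">"/*"</font>);
      <font color="darkgreen">// Listing a method limits the constraint to that method only; omit addMethod() to cover every HTTP method</font>
      webCollection.addMethod(<font color="red">"GET"</font>);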
      constraint.addCollection(webCollection);
      constraint.setAuthConstraint(<font color="navy"><b>true</b></font>);
      constraint.addAuthRole(<font color="red">"MyRole"</font>);
      context.addConstraint(constraint);
      LoginConfig login = <font color="navy"><b>new</b></font> LoginConfig();
      login.setAuthMethod(<font color="red">"BASIC"</font>);
      login.setRealmName(<font color="red">"ApplicationRealm"</font>);
      context.setLoginConfig(login);
      JBossWebRealm realm = <font color="navy"><b>new</b></font> JBossWebRealm();
      SecurityDomainContext securityDomainContext = securityDomainContextInjector.getValue();
      realm.setAuthenticationManager(securityDomainContext.getAuthenticationManager());
      realm.setAuthorizationManager(securityDomainContext.getAuthorizationManager());
      realm.setMappingManager(securityDomainContext.getMappingManager());
      realm.setAuditManager(securityDomainContext.getAuditManager());
      context.setRealm(realm);
      context.addValve(<font color="navy"><b>new</b></font> SecurityContext(<font color="red">"/contextPath"</font>, securityDomain));
</code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>Don't forget to add the required security domain as a dependency to your service when constructing your ServiceBuilder:</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><pre class="jive-pre"><code class="jive-code jive-java">builder.addDependency(
               SecurityDomainService.SERVICE_NAME.append(securityDomain),
               SecurityDomainContext.class,
               service.getSecurityDomainContextInjector()
);
</code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>Out of the box, the authenticator will automatically support BASIC, FORM, DIGEST and CLIENT-CERT. If you need SPNEGO, add the following valve:</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><pre class="jive-pre"><code class="jive-code jive-java"><font color="navy"><b>if</b></font> (<font color="red">"SPNEGO"</font>.equals(authMethod)) <font color="navy">{</font>
         context.addValve(<font color="navy"><b>new</b></font> NegotiationAuthenticator());
<font color="navy">}</font>
</code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p></div>
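<p>An added example, not part of the original document or of AS7: a small audit helper that reviews a programmatically built context for two things a web.xml review would normally catch, namely collections restricted to specific HTTP methods and password-based login without a CONFIDENTIAL transport guarantee. The class name ConstraintAudit is hypothetical, and the JBossWeb (Catalina) classes are assumed to be on the classpath.</p>

```java
import java.util.Arrays;

import org.apache.catalina.core.StandardContext;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.deploy.SecurityCollection;
import org.apache.catalina.deploy.SecurityConstraint;

// Hypothetical helper, not part of AS7 or JBossWeb: reviews constraints built in code.
public final class ConstraintAudit {

   private ConstraintAudit() {
   }

   /** Returns one line per finding; an empty string means nothing was flagged. */
   public static String audit(StandardContext context) {
      StringBuilder findings = new StringBuilder();
      SecurityConstraint[] constraints = context.findConstraints();
      if (constraints == null || constraints.length == 0) {
         return "no security constraints: the context is served without authentication\n";
      }
      LoginConfig login = context.getLoginConfig();
      String authMethod = (login == null) ? null : login.getAuthMethod();
      if (authMethod == null) {
         findings.append("constraints are present but no auth method is configured\n");
      }
      // BASIC and FORM put the password itself on the wire
      boolean sendsPassword = "BASIC".equals(authMethod) || "FORM".equals(authMethod);

      for (SecurityConstraint constraint : constraints) {
         for (SecurityCollection collection : constraint.findCollections()) {
            // A collection that names methods constrains only those methods;
            // requests using any other method are not covered by it.
            if (collection.findMethods().length != 0) {
               findings.append("patterns ").append(Arrays.toString(collection.findPatterns()))
                     .append(" are constrained only for ")
                     .append(Arrays.toString(collection.findMethods())).append('\n');
            }
         }
         boolean encrypted = "CONFIDENTIAL".equals(constraint.getUserConstraint());
         if (constraint.getAuthConstraint() && sendsPassword && !encrypted) {
            findings.append(authMethod)
                  .append(" login without a CONFIDENTIAL transport guarantee\n");
         }
      }
      return findings.toString();
   }
}
```

<p>Calling ConstraintAudit.audit(context) after the configuration shown in this document reports both findings: the collection is limited to GET, and BASIC is used with the default transport guarantee.</p>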
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</body>
</html>