<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<body link="#355491" alink="#4262a1" vlink="#355491" style="background: #e2e2e2; margin: 0; padding: 20px;">
<div>
        <table cellpadding="0" bgcolor="#FFFFFF" border="0" cellspacing="0" style="border: 1px solid #dadada; margin-bottom: 30px; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
                <tbody>
                        <tr>
                                <td>
                                        <table border="0" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF" style="border: solid 2px #ccc; background: #dadada; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
                                                <tbody>
                                                        <tr>
                                                                <td bgcolor="#000000" valign="middle" height="58px" style="border-bottom: 1px solid #ccc; padding: 20px; -moz-border-radius-topleft: 3px; -moz-border-radius-topright: 3px; -webkit-border-top-right-radius: 5px; -webkit-border-top-left-radius: 5px;">
                                                                        <h1 style="color: #333333; font: bold 22px Arial, Helvetica, sans-serif; margin: 0; display: block !important;">
                                                                        <a href="https://community.jboss.org/index.jspa" style="text-decoration: none; color: #E1E1E1">JBoss Community</a></h1>
                                                                </td>
                                                        </tr>
                                                        <tr>
                                                                <td bgcolor="#FFFFFF" style="font: normal 12px Arial, Helvetica, sans-serif; color:#333333; padding: 20px; -moz-border-radius-bottomleft: 4px; -moz-border-radius-bottomright: 4px; -webkit-border-bottom-right-radius: 5px; -webkit-border-bottom-left-radius: 5px;"><h3 style="margin: 10px 0 5px; font-size: 17px; font-weight: normal;">
JBoss AS7: Enabling JASPI Authentication for Web Applications
</h3>
<span style="margin-bottom: 10px;">
modified by <a href="https://community.jboss.org/people/jcacek">Josef Cacek</a> in <i>PicketBox Development</i> - <a href="https://community.jboss.org/docs/DOC-17782">View the full document</a>
</span>
<hr style="margin: 20px 0; border: none; background-color: #dadada; height: 1px;">
<div class="jive-rendered-content"><p>This document describes the steps needed to enable JASPI authentication for Web applications on JBoss AS7.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><h2>Application Server Configuration</h2><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>The first step to enable JASPI is to configure a security domain that installs the JASPI login modules. So, in your standalone.xml (or domain.xml if using domain mode), add the JASPI configuration in the security subsystem:</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><pre class="jive-pre"><code class="jive-code jive-xml">                <span class="jive-xml-comment"><!-- security domain configuration for the jaspi web basic test --></span>
                <span class="jive-xml-tag"><security-domain name="jaspi-test" cache-type="default"></span>
                    <span class="jive-xml-tag"><authentication-jaspi></span>
                        <span class="jive-xml-tag"><login-module-stack name="lm-stack"></span>
                            <span class="jive-xml-tag"><login-module code="UsersRoles" flag="required"></span>
                                <span class="jive-xml-tag"><module-option name="usersProperties" value="../standalone/configuration/jaspi-users.properties"/></span>
                                <span class="jive-xml-tag"><module-option name="rolesProperties" value="../standalone/configuration/jaspi-roles.properties"/></span>
                            <span class="jive-xml-tag"></login-module></span>
                        <span class="jive-xml-tag"></login-module-stack></span>
                        <span class="jive-xml-tag"><auth-module code="org.jboss.as.web.security.jaspi.modules.HTTPBasicServerAuthModule" login-module-stack-ref="lm-stack" flag="required"/></span>
                    <span class="jive-xml-tag"></authentication-jaspi></span>
                <span class="jive-xml-tag"></security-domain></span>
</code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>In this example we are configuring the <span style="font-family: courier new,courier;"><strong>HTTPBasicServerAuthModule</strong></span>, which will perform the <strong>BASIC</strong> authentication of a Web application. If <strong>FORM</strong> authentication is desired, just change the auth-module to <span style="font-family: courier new,courier;"><strong>org.jboss.as.web.security.jaspi.modules.HTTPFormServerAuthModule</strong></span>. Notice the configuration style is very similar to what is found in previous JBoss AS versions. The configured JASPI module can delegate the authentication and role mapping processes to a login module stack. In this case, we're using a simple UsersRoles module to authenticate and obtain roles for the users.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>The sample security-domain can also be configured by using the CLI management tool with the following commands:</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><pre class="jive-pre"><code class="jive-code">/subsystem=security/security-domain=jaspi-test:add(cache-type=default)
/subsystem=security/security-domain=jaspi-test/authentication=jaspi:add(auth-modules=[{"code"=>"org.jboss.as.web.security.jaspi.modules.HTTPBasicServerAuthModule", "login-module-stack-ref"=>"lm-stack", "flag"=>"required"}])
/subsystem=security/security-domain=jaspi-test/authentication=jaspi/login-module-stack=lm-stack:add(login-modules=[{"code"=>"UsersRoles", "flag"=>"required", "module-options"=>{"usersProperties"=>"../standalone/configuration/jaspi-users.properties", "rolesProperties"=>"../standalone/configuration/jaspi-roles.properties"}}], operation-headers={"allow-resource-service-restart"=>"true"})
</code></pre><h2>Web Application Configuration</h2><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>The next step is to configure the Web application. First, we specify the type of authentication that is to be performed. For example, an application that requires <span style="font-family: courier new,courier;"><strong>BASIC</strong></span> authentication must specify that in the <span style="font-family: courier new,courier;"><strong>WEB-INF/web.xml</strong></span> file:</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><pre class="jive-pre"><code class="jive-code jive-xml"><span class="jive-xml-tag"><?xml version="1.0" encoding="UTF-8"?></span>
<span class="jive-xml-tag"><web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/j2ee/web-app_2_5.xsd"></span>
  <span class="jive-xml-tag"><security-constraint></span>
    <span class="jive-xml-tag"><web-resource-collection></span>
      <span class="jive-xml-tag"><web-resource-name></span>Home<span class="jive-xml-tag"></web-resource-name></span>
      <span class="jive-xml-tag"><url-pattern></span>/*<span class="jive-xml-tag"></url-pattern></span>
    <span class="jive-xml-tag"></web-resource-collection></span>
    <span class="jive-xml-tag"><auth-constraint></span>
      <span class="jive-xml-tag"><role-name></span>architect<span class="jive-xml-tag"></role-name></span>
    <span class="jive-xml-tag"></auth-constraint></span>
  <span class="jive-xml-tag"></security-constraint></span>
  <span class="jive-xml-tag"><login-config></span>
    <span class="jive-xml-tag"><auth-method></span>BASIC<span class="jive-xml-tag"></auth-method></span>
    <span class="jive-xml-tag"><realm-name></span>JASPI<span class="jive-xml-tag"></realm-name></span>
  <span class="jive-xml-tag"></login-config></span>
  <span class="jive-xml-tag"><security-role></span>
    <span class="jive-xml-tag"><role-name></span>architect<span class="jive-xml-tag"></role-name></span>
  <span class="jive-xml-tag"></security-role></span>
<span class="jive-xml-tag"></web-app></span>
</code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>Finally, we need to link the Web application to the security domain that will perform the authentication and configure the valve that will enable the JASPI authentication. Both things are done in the <span style="font-family: courier new,courier;"><strong>WEB-INF/jboss-web.xml</strong></span> file:</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><pre class="jive-pre"><code class="jive-code jive-xml"><span class="jive-xml-tag"><?xml version="1.0"?></span>
<span class="jive-xml-tag"><jboss-web></span>
   <span class="jive-xml-tag"><security-domain></span>jaspi-test<span class="jive-xml-tag"></security-domain></span>
   <span class="jive-xml-tag"><valve></span>
      <span class="jive-xml-tag"><class-name></span>org.jboss.as.web.security.jaspi.WebJASPIAuthenticator<span class="jive-xml-tag"></class-name></span>
   <span class="jive-xml-tag"></valve></span>
<span class="jive-xml-tag"></jboss-web></span>
</code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>The specified <span style="font-family: courier new,courier;"><strong><security-domain></strong></span> must match the name of the security domain that has been configured in the application server. It is also important that the <span style="font-family: courier new,courier;"><strong>WebJASPIAuthenticator</strong></span> valve is configured, as this valve replaces the Web container authenticator in order to perform the JASPI authentication.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p><strong>NOTE:</strong> the <span style="font-family: courier new,courier;"><strong>WebJASPIAuthenticator</strong></span> replaces the previous <span style="font-family: courier new,courier;"><strong>org.jboss.web.tomcat.security.jaspi.TomcatJASPIAuthenticator</strong></span> and <strong>MUST</strong> be configured in the <span style="font-family: courier new,courier;"><strong>jboss-web.xml</strong></span> file. JBoss AS7 doesn't allow for the configuration of authenticator valves in the JBossWeb subsystem as previous versions did.</p></div>
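<p>The wiring above spans three files that must agree: the security subsystem in standalone.xml, the application's web.xml and its jboss-web.xml. The following is an added example, not part of the original document or of JBoss AS7: a Python check that parses the three and reports the mismatches that would leave JASPI silently unused (unknown or non-JASPI security domain, dangling login-module-stack-ref, auth-module that does not match the declared auth-method, missing WebJASPIAuthenticator valve). The sample XML is constructed inline from the page's configuration.</p>

```python
import xml.etree.ElementTree as ET

VALVE = "org.jboss.as.web.security.jaspi.WebJASPIAuthenticator"
MODULE_FOR = {"BASIC": "org.jboss.as.web.security.jaspi.modules.HTTPBasicServerAuthModule",
              "FORM": "org.jboss.as.web.security.jaspi.modules.HTTPFormServerAuthModule"}

def find_all(elem, name):
    # Namespace-agnostic lookup: standalone.xml carries urn:jboss:domain:* namespaces
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def text_of(elem, name):
    hits = find_all(elem, name)
    return (hits[0].text or "").strip() if hits else ""

def check_jaspi_wiring(standalone_xml, web_xml, jboss_web_xml):
    """Return a list of findings; an empty list means the three files agree."""
    server, web, jweb = (ET.fromstring(x) for x in (standalone_xml, web_xml, jboss_web_xml))
    findings = []
    name = text_of(jweb, "security-domain")
    domain = next((d for d in find_all(server, "security-domain") if d.get("name") == name), None)
    if domain is None:
        return [f"jboss-web.xml names security domain '{name}', which the server does not define"]
    jaspi = find_all(domain, "authentication-jaspi")
    if not jaspi:
        return [f"security domain '{name}' has <authentication>, not <authentication-jaspi>"]
    stacks = {s.get("name") for s in find_all(jaspi[0], "login-module-stack")}
    modules = find_all(jaspi[0], "auth-module")
    for m in modules:  # a dangling stack-ref leaves the module nothing to delegate to
        ref = m.get("login-module-stack-ref")
        if ref and ref not in stacks:
            findings.append(f"auth-module {m.get('code')} references undefined stack '{ref}'")
    method = text_of(web, "auth-method").upper()
    wanted = MODULE_FOR.get(method)
    if wanted and wanted not in {m.get("code") for m in modules}:
        findings.append(f"web.xml declares {method} auth but {wanted} is not configured")
    if VALVE not in {(c.text or "").strip() for c in find_all(jweb, "class-name")}:
        findings.append(f"jboss-web.xml lacks the {VALVE} valve; the stock authenticator would run")
    return findings

# Constructed sample: the page's configuration, except that the valve was forgotten
STANDALONE = """<subsystem xmlns="urn:jboss:domain:security:1.1"><security-domains>
<security-domain name="jaspi-test" cache-type="default"><authentication-jaspi>
<login-module-stack name="lm-stack"><login-module code="UsersRoles" flag="required"/></login-module-stack>
<auth-module code="org.jboss.as.web.security.jaspi.modules.HTTPBasicServerAuthModule" login-module-stack-ref="lm-stack" flag="required"/>
</authentication-jaspi></security-domain></security-domains></subsystem>"""
WEB_XML = "<web-app><login-config><auth-method>BASIC</auth-method></login-config></web-app>"
JBOSS_WEB_NO_VALVE = "<jboss-web><security-domain>jaspi-test</security-domain></jboss-web>"
JBOSS_WEB_OK = JBOSS_WEB_NO_VALVE.replace(
    "</jboss-web>", f"<valve><class-name>{VALVE}</class-name></valve></jboss-web>")
```

Run it against a real standalone.xml by passing the whole file; the namespace-agnostic lookup finds the security subsystem wherever it sits.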
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</body>
</html>