[jboss-user] [Security & JAAS/JBoss] - securing a web project on jboss using https(SSL)

GajananM do-not-reply at jboss.com
Tue Jun 9 03:40:26 EDT 2009 

Hi 
I facing some problems while securing a web application on jboss...
below are the steps which i  followed.....
I have created a web application in eclipse 3.2.2 on jboss 4.2.2GA .
I want to secure my webappllication using SSL
 for this i have 
    1.generated certificate by using "%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA" command line 
2.I have changed jboss/server/default/deploy/jboss-web.deployer/server.xml file .in this file i replaced <connector port=8080..../> TO
	  

3.Modified web.xml of the web application:
     Added security mappings to web.xml file:

 <servlet-mapping>
    <servlet-name>testsecurity</servlet-name>
    <url-pattern>/testsecurity</url-pattern>
   </servlet-mapping>
   
  <security-constraint>
 <web-resource-collection>
<web-resource-name>All resources</web-resource-name>
Protects all resources
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>WebAppUser</role-name>
</auth-constraint>
</security-constraint>
	
<security-role>
<role-name>WebAppUser</role-name>
</security-role>
<login-config>
	
<auth-method>BASIC</auth-method>
<realm-name>Test Realm</realm-name>
</login-config>

4. created a jboss-web.xml file in side web-inf and made an entry  of 
<jboss-web>
<security-domain>java:/jaas/myweb-console</security-domain>
</jboss-web>

5. when iam trying to deploy and run the applocation on jboss it is prompting for user name and password.

6.i have changed the boss-4.2.0.GA\server\default\conf\login-config.xml file . added :
    <application-policy name = "myweb-console">
       
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required">
             <module-option name="usersProperties">web-console-users.properties</module-option>
             <module-option name="rolesProperties">web-console-roles.properties</module-option>
          </login-module>
       
    </application-policy>

when i specify the username and password i am not able to see my index.jsp page it isgi=ving me status 401 error  authentication.
 my dout is  do i need to specify username password of the certificate in any one of the property file of jboss if so ... please let me know the formate to spaecify....
tel me weather my approach to secure the webapplication on jboss is correct or not 

I am anle to access the jboss console using 
https://localhost:8443/

when iam trying to access https://localhost:8443/testsecurity
 it is giving error asaying status 401 authentication...
it should display index.jsp page ....
looking forward for ur replies .......Please help if any one has idea about ssl security for jboss
  

  

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4236262#4236262

Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4236262

More information about the jboss-user mailing list