
SecurityInJBoss5

VERSION 4

Created on: Dec 18, 2007 11:55 AM by ANIL SALDHANA - Last Modified:  Dec 18, 2007 11:56 AM by ANIL SALDHANA

Security in JBoss 5.x

 

This wiki page describes the changes that affect security in JBoss 5.x.

 

Web Layer

Previously, the server.xml of the Tomcat service contained either the JaasSecurityMgrRealm or the JaccAuthorizationRealm (for JACC).

 

Starting with JBoss 5, we have consolidated the realms into one: "org.jboss.web.tomcat.security.JBossWebRealm". The Authorization Framework is used to plug in the default, JACC or XACML authorization modes.

 

General Configuration

 

We are making an effort to move away from the previous JaasSecurityManagerService MBean service configuration in conf/jboss-service.xml. We are trying to introduce POJO beans such as the ones defined in deployers/security-deployer-beans.xml:

 


   <!-- JNDI Object Factory to establish SecurityDomainContext objects -->
   <bean name="SecurityDomainObjectFactory" class="org.jboss.security.integration.SecurityDomainObjectFactory" ></bean>

   <!-- JNDI Context legacy establishment of java:/jaas/securityDomain -->
   <bean name="JBossSecurityJNDIContextEstablishment" class="org.jboss.security.integration.JNDIContextEstablishment"></bean>

   <!-- JNDI Based Security Management -->
   <bean name="JNDIBasedSecurityManagement" class="org.jboss.security.integration.JNDIBasedSecurityManagement">
   </bean>

 

Security Context

  • We have the concept of a SecurityContext to replace the legacy SecurityAssociation. It is now possible to inject custom SecurityContext objects by providing the fully qualified class name (FQN) in the EJB2/web deployers.

 


In the file:  deployers/ejb-deployer-beans.xml

   <bean name="EJB2xDeployer" class="org.jboss.ejb.deployers.EjbDeployer">
       ...
       <!-- Specify an unauthenticated identity -->
       <property name="unauthenticatedIdentity">anonymous</property>

       <!-- Specify a SecurityManagement Wrapper -->
       <property name="securityManagement">
         <inject bean="JNDIBasedSecurityManagement"></inject>
       </property>

       <!-- Specify a SecurityContext FQN class name -->
       <property name="securityContextClassName">org.jboss.security.plugins.JBossSecurityContext</property>

       <!-- Specify a SecurityDomain as fallback -->
       <property name="defaultSecurityDomain">jboss-ejb-policy</property>
   </bean>

 

For the web deployer,


In the file:  deployers/jbossweb.deployer/META-INF/war-deployer-beans.xml

   <!-- The WebMetaData to service mbean deployer -->
   <bean name="WarDeployer" class="org.jboss.web.tomcat.service.deployers.TomcatDeployer">
      ...
      <!-- The JAAS security domain to use in the absence of an explicit
      security-domain specification in the war WEB-INF/jboss-web.xml
      -->
      <property name="defaultSecurityDomain">java:/jaas/jboss-web-policy</property>
      <property name="securityManagerService">
         <inject bean="jboss.security:service=JaasSecurityManager"></inject>
      </property>

      <!-- Specify a SecurityManagement Wrapper -->
      <property name="securityManagement">
         <inject bean="JNDIBasedSecurityManagement"></inject>
      </property>

      <!-- Specify a SecurityContext FQN class name -->
      <property name="securityContextClassName">org.jboss.security.plugins.JBossSecurityContext</property>
   </bean>

 

Default Security Domains for the EJB and WEB deployments.

 

  • We have defined the application policies "jboss-ejb-policy" and "jboss-web-policy" as the fallback security domains for the EJB and web layers. These are defined in deploy/security-policies-service.xml
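
The deployer properties described above decide which identity, SecurityContext class and fallback domain a deployment gets when it declares nothing itself. The following Python audit is an added example, not part of the original wiki page or of JBoss: it reads a deployer beans file and lists those settings for review. The sample XML is constructed from this page's snippets, and the class com.example.CustomSecurityContext is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample built from this page's snippets; com.example.CustomSecurityContext is hypothetical.
SAMPLE = """<deployment xmlns="urn:jboss:bean-deployer:2.0">
  <bean name="EJB2xDeployer" class="org.jboss.ejb.deployers.EjbDeployer">
    <property name="unauthenticatedIdentity">anonymous</property>
    <property name="securityManagement"><inject bean="JNDIBasedSecurityManagement"/></property>
    <property name="securityContextClassName">org.jboss.security.plugins.JBossSecurityContext</property>
    <property name="defaultSecurityDomain">jboss-ejb-policy</property>
  </bean>
  <bean name="WarDeployer" class="org.jboss.web.tomcat.service.deployers.TomcatDeployer">
    <property name="defaultSecurityDomain">java:/jaas/jboss-web-policy</property>
    <property name="securityContextClassName">com.example.CustomSecurityContext</property>
  </bean>
</deployment>"""

WATCHED = ("unauthenticatedIdentity", "securityManagement",
           "securityContextClassName", "defaultSecurityDomain")
STOCK_CONTEXT = "org.jboss.security.plugins.JBossSecurityContext"

def local(tag):  # drop a '{namespace}' prefix so xmlns does not matter
    return tag.rsplit("}", 1)[-1]

def security_settings(xml_text):
    """Map bean name -> {property: value} for the watched security properties."""
    out = {}
    for bean in (e for e in ET.fromstring(xml_text).iter() if local(e.tag) == "bean"):
        props = {}
        for prop in (c for c in bean if local(c.tag) == "property" and c.get("name") in WATCHED):
            inject = next((c for c in prop if local(c.tag) == "inject"), None)
            props[prop.get("name")] = (inject.get("bean") if inject is not None
                                       else (prop.text or "").strip())
        out[bean.get("name")] = props
    return out

def review_notes(settings):
    """Settings a reviewer should confirm are intentional, per deployer bean."""
    notes = []
    for bean, p in sorted(settings.items()):
        if p.get("unauthenticatedIdentity"):
            notes.append(f"{bean}: unauthenticated identity set to '{p['unauthenticatedIdentity']}'")
        if "securityManagement" not in p:
            notes.append(f"{bean}: no securityManagement bean injected")
        if p.get("securityContextClassName", STOCK_CONTEXT) != STOCK_CONTEXT:
            notes.append(f"{bean}: custom SecurityContext {p['securityContextClassName']}")
        if p.get("defaultSecurityDomain"):
            notes.append(f"{bean}: fallback security domain '{p['defaultSecurityDomain']}'")
    return notes

if __name__ == "__main__":
    print("\n".join(review_notes(security_settings(SAMPLE))))
```

To audit a real server, pass the text of deployers/ejb-deployer-beans.xml or war-deployer-beans.xml to security_settings() instead of SAMPLE.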

 

 

 

 
