I am currently migrating a web application from JBoss EAP 5.2 to EAP 6.3. The application is using a customized Realm for authorization. However, Realm is no longer supported in 6.3, and people suggest using a customized LoginModule. I did some research and found that LoginModule is for authentication. Is that correct? If LoginModule provides an authorization service, how do I do it? If not, what are the alternative ways to do authorization?

Thank you. David
Your LoginModule should override one of the descendants of org.jboss.security.auth.spi.AbstractServerLoginModule. If you implement or override the getRoleSets() method, you can add roles to the authenticated user for authorization.

The getRoleSets() method returns an array of Groups that correspond to the role sets assigned to the user. It should return a Group called "Roles" that contains the roles assigned to the user. Example:
```java
@Override
protected Group[] getRoleSets() throws LoginException {
    // The group named "Roles" carries the role principals the container checks.
    Group group = new SimpleGroup("Roles");
    try {
        Principal p = createIdentity("admin_role");
        group.addMember(p);
    } catch (Exception e) {
        logger.error("Failed to create principal on login", e);
    }
    return new Group[] { group };
}
```
Then add @RolesAllowed annotations to the exposed methods, specifying the roles that are allowed. Example:
```java
@RequestScoped
@DenyAll
@Path("admin")
public class AdminServices {
    @POST
    @Path("/myadminuri")
    @Produces(MediaType.TEXT_PLAIN)
    @RolesAllowed({ "admin_role" })
    public String administerMethod(@Context HttpServletRequest req,
                                   @Context HttpServletResponse resp) throws SomeException {
        // ....
    }
}
```
If the user is not logged in with the required role, they are denied access to the method.
Edit: the web.xml file can list security restrictions in a <security-constraint> stanza. The role name should match the role allocated in the getRoleSets() method.
```xml
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secure resources</web-resource-name>
        <url-pattern>/admin*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin_role</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <role-name>admin_role</role-name>
</security-role>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>SecureRealm</realm-name>
</login-config>
```
There is a Security Reference Guide available on the Red Hat site (support subscription required).
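A fuller custom login module along the lines of the answer above, as an added example that is not the answerer's code or part of JBoss itself: it extends UsernamePasswordLoginModule so the base class handles the callbacks and password check, supplies the stored credential from getUsersPassword(), and returns the "Roles" group from getRoleSets(). The package and class names and the in-memory user store are assumptions (a real module would look users up in a database or LDAP), and the password-hashing behaviour relies on the hashAlgorithm/hashEncoding module options of the security domain.

```java
package com.example.security; // hypothetical package name

import java.security.acl.Group;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

// Registered as a <login-module> of the security domain that jboss-web.xml's
// <security-domain> element points at. With the hashAlgorithm/hashEncoding
// module options set, the base class hashes the submitted password before
// comparing it with the value getUsersPassword() returns.
public class ExampleLoginModule extends UsernamePasswordLoginModule {

    // Constructed sample store: username -> { stored password hash, roles... }.
    // Hash values are placeholders; a real module would query a database or LDAP.
    private static final Map<String, String[]> USERS = new HashMap<>();
    static {
        USERS.put("alice", new String[] { "<hash-placeholder>", "admin_role", "user_role" });
        USERS.put("bob",   new String[] { "<hash-placeholder>", "user_role" });
    }

    // Authentication: return the stored credential for the login name, or fail
    // the login outright for an unknown user.
    @Override
    protected String getUsersPassword() throws LoginException {
        String[] entry = USERS.get(getUsername());
        if (entry == null) throw new FailedLoginException("Unknown user");
        return entry[0];
    }

    // Authorization: the group named "Roles" is what @RolesAllowed and the
    // <auth-constraint> role names are checked against, so every role the user
    // holds is added here as a principal.
    @Override
    protected Group[] getRoleSets() throws LoginException {
        Group roles = new SimpleGroup("Roles");
        String[] entry = USERS.get(getUsername());
        for (int i = 1; entry != null && i < entry.length; i++) {
            try {
                roles.addMember(createIdentity(entry[i]));
            } catch (Exception e) {
                throw new LoginException("Cannot create role principal " + entry[i]);
            }
        }
        return new Group[] { roles };
    }
}
```

The role strings placed in the "Roles" group must match the <role-name> values in web.xml and the @RolesAllowed annotations exactly, since the comparison is case-sensitive.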