Skip to content

kwart/secured-webapp-template

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

70 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Template for secured Java web applications

Simple Java web application template with the secured content.

Get it

Get a released version or build the app yourself.

How to build it

Use git to get it

git clone git://github.com/kwart/secured-webapp-template.git

or download current sources as a zip file

You need to have Maven installed

cd secured-webapp-template
mvn clean install

Configure the application server

The vendor specific deployment descriptors (WEB-INF/jboss-web.xml and WEB-INF/jboss-ejb3.xml) refers to a web-tests security domain. You have to add it to your configuration. Define the new security domain, either by using JBoss CLI (jboss-cli.sh / jboss-cli.bat):

Use Elytron security

Elytron is the new security framework in WildFly 11+ and EAP 7.1+.

Compared to legacy security, Elytron doesn't allow to load property files from classpath in properties-realm implementation. We'll use a FileSystemRealm to introduce test users population.

bin/jboss-cli.sh << EOT
embed-server

# create realm with users
/subsystem=elytron/filesystem-realm=web-tests:add(path=web-tests,relative-to=jboss.server.config.dir)

/subsystem=elytron/filesystem-realm=web-tests:add-identity(identity=user)
/subsystem=elytron/filesystem-realm=web-tests:set-password(identity=user, clear={password="user"})
/subsystem=elytron/filesystem-realm=web-tests:add-identity-attribute(identity=user, name=groups, value=["Users"])

/subsystem=elytron/filesystem-realm=web-tests:add-identity(identity=admin)
/subsystem=elytron/filesystem-realm=web-tests:set-password(identity=admin, clear={password="admin"})
/subsystem=elytron/filesystem-realm=web-tests:add-identity-attribute(identity=admin, name=groups, value=["Users", "Admin"])

# create security domain and other necessary config objects
/subsystem=elytron/simple-role-decoder=web-tests:add(attribute=groups)
/subsystem=elytron/constant-permission-mapper=web-tests:add(permissions=[{class-name="org.wildfly.security.auth.permission.LoginPermission"}])
/subsystem=elytron/security-domain=web-tests:add(default-realm=web-tests, permission-mapper=web-tests, realms=[{role-decoder=web-tests, realm=web-tests}]

# add Elytron security domain mapping from Undertow and EJB subsystems 
/subsystem=elytron/provider-http-server-mechanism-factory=web-tests:add()
/subsystem=elytron/http-authentication-factory=web-tests:add(security-domain=web-tests, \
  http-server-mechanism-factory=web-tests, \
  mechanism-configurations=[ \
    {mechanism-name=DIGEST,mechanism-realm-configurations=[{realm-name=web-tests}]}, \
    {mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=web-tests}]}, \
    {mechanism-name=FORM}])
/subsystem=undertow/application-security-domain=web-tests:add(http-authentication-factory=web-tests)
/subsystem=ejb3/application-security-domain=web-tests:add(security-domain=web-tests)

EOT

Use Legacy security (JBoss AS 7 / EAP 6+ / WildFly 8+)

Just use UsersRoles JAAS login module which is available in the application server and it will read users.properties and roles.properties files from deployment classpath (WEB-INF/classes)

/subsystem=security/security-domain=web-tests:add(cache-type=default)
/subsystem=security/security-domain=web-tests/authentication=classic:add( \
  login-modules=[{"code"=>"UsersRoles", "flag"=>"required"}]) {allow-resource-service-restart=true}

How to use DIGEST authentication with Legacy security

If you want to enable the DIGEST authentication in web.xml deployment descriptor, you also need to configure the web-tests security to hash passwords stored in the user.properties files.

The CLI commands to do it:

/subsystem=security/security-domain=web-tests:add(cache-type=default)
/subsystem=security/security-domain=web-tests/authentication=classic:add(login-modules=[{"code"=>"UsersRoles", "flag"=>"required", "module-options" => {"hashAlgorithm" => "MD5", "hashEncoding" => "RFC2617","hashUserPassword" => "false", "hashStorePassword" => "true","passwordIsA1Hash" => "false", "storeDigestCallback" => "org.jboss.security.auth.callback.RFC2617Digest" }}]) {allow-resource-service-restart=true}

Deploy and use application

Copy the produced secured-webapp.war from the target folder to the deployment folder of your container.

Open the application URL in the browser. E.g. http://localhost:8080/secured-webapp/

License

About

Simple Java web application template with secured content.

Resources

Stars

Watchers

Forks

Packages

No packages published

Languages