Defining Users


Security is the one exception to the rule that JBoss provides useful defaults. JBoss needs to know how to check the usernames and passwords required to access the application. At first glance it might seem that JBoss could provide a global repository of names and passwords. That would work fine if all that were required were a username and password, but J2EE applications have a notion of role-based authorization. A username needs not only to be valid, but also to be assigned to a specific role named in the deployment descriptor. There's no generic way to map users onto arbitrary roles, so it is necessary to provide that configuration with the application.

How do I do that?


Note: The role name has meaning only to the application. JBoss has no notion of users, administrators, or other such roles.

The default security domain in JBoss looks for user information in properties files inside the application. The first of the properties files is users.properties. It provides usernames and passwords. You can find the file in the web/WEB-INF/classes/ directory:

     pinky=duh
     brain=conquest

The property name (on the lefthand side of the equals sign) is the username, and the property value is the password. Go ahead and add your own user to the file.

The other important file is roles.properties, which maps users onto roles. We declared the application to require the User role in the web-security.xml merge file. We need to make sure that the application users have that role:

     pinky=User
     brain=User

The property name is the username, and the property value is the role assigned to the user. The ToDo application uses only one role, but if we had more than one, we would separate them with commas:


     brain=User,Admin

Note: We will configure application security in Chapter 5.

You can assign your new user the User role by adding the appropriate line to the roles.properties file.
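Because authentication and authorization live in two separate files, a user added to users.properties but not to roles.properties can log in and still be refused. The following consistency check is an added example, not code from the book or from JBoss; the users snowball and larry are hypothetical, and the parser assumes the plain name=value lines shown above.

```python
# Added example: cross-check users.properties against roles.properties.
REQUIRED_ROLE = "User"  # the role the ToDo application requires, per the text

def parse_properties(text):
    """Parse name=value lines, skipping blank lines and #/! comment lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:  # ignore lines without '=' (assumption: only '=' is used)
            entries[key.strip()] = value.strip()
    return entries

def audit(users_text, roles_text, required_role=REQUIRED_ROLE):
    """Return (username, problem) pairs for inconsistent entries."""
    users = parse_properties(users_text)
    roles = {name: [r.strip() for r in value.split(",") if r.strip()]
             for name, value in parse_properties(roles_text).items()}
    findings = []
    for name in sorted(users):
        if not users[name]:
            findings.append((name, "empty password"))
        # Role names are matched exactly, including case.
        if required_role not in roles.get(name, []):
            findings.append((name, "missing role " + required_role))
    for name in sorted(set(roles) - set(users)):
        findings.append((name, "role entry without a users.properties entry"))
    return findings

# Constructed sample input: the page's entries plus two hypothetical users.
USERS = """pinky=duh
brain=conquest
snowball=
"""
ROLES = """pinky=User
brain=User,Admin
snowball=Admin
larry=User
"""

if __name__ == "__main__":
    for name, problem in audit(USERS, ROLES):
        print(f"{name}: {problem}")
```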

What just happened?

You just added a user to the ToDo application using the default properties file-based authentication mechanism. Although JBoss doesn't provide a configuration-free way to add security to an application, we didn't have to change JBoss in any way to make use of the default mechanism.



JBoss. A Developer's Notebook
ISBN: 0596100078
Year: 2003
Pages: 106
