Security is the one exception to the rule that JBoss provides useful defaults. JBoss needs to know how to check the usernames and passwords required to access the application. At first glance it might seem that JBoss could provide a global repository of names and passwords. That would work fine if all that were required were a username and password, but J2EE applications have a notion of role-based authorization. A username needs not only to be valid, but also to be assigned to a specific role named in the deployment descriptor. There is no generic way to map users onto arbitrary roles, so that configuration has to be provided with the application.

How do I do that?

Note: The role name has meaning only to the application. JBoss has no notion of users, administrators, or other such roles.

The default security domain in JBoss looks for user information in properties files inside the application. The first of the properties files is users.properties. It provides usernames and passwords. You can find the file in the web/WEB-INF/classes/ directory:

pinky=duh
brain=conquest

The property name (on the lefthand side of the equals sign) is the username, and the property value is the password. Go ahead and add your own user to the file.

The other important file is roles.properties, which maps users onto roles. We declared the application to require the User role in the web-security.xml merge file. We need to make sure that the application users have that role:

pinky=User
brain=User

The property name is the username, and the property value is the role assigned to the user. The ToDo application uses only one role, but if we had more than one, we would separate them with commas:

brain=User,Admin

Note: We will configure application security in Chapter 5.

You can assign your new user the User role by adding the appropriate line to the roles.properties file.
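The following is an added example, not JBoss code, that emulates the check the properties-based security domain described above performs: look the username up in users.properties, compare the password, then confirm that roles.properties assigns the user the role the deployment descriptor names. The two file contents are constructed from the entries shown above; the function and file names are the example's own.

```python
"""Emulation (not JBoss's own code) of a properties-file login check:
users.properties supplies passwords, roles.properties supplies roles."""
import hmac

# Constructed sample contents of the two files described above.
USERS_PROPERTIES = """\
# users.properties: username=password
pinky=duh
brain=conquest
"""

ROLES_PROPERTIES = """\
# roles.properties: username=role[,role...]
pinky=User
brain=User,Admin
"""


def parse_properties(text):
    """Parse the key=value subset of the Java .properties format: blank lines
    and '#'/'!' comment lines are skipped, whitespace around keys and values
    is trimmed, and ':' is accepted as a separator just like '='."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            props[line] = ""          # a key with no value
        else:
            sep = min(seps)
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def roles_for(user, roles_props):
    """Split the comma-separated role list for a user (empty set if unknown)."""
    return {r.strip() for r in roles_props.get(user, "").split(",") if r.strip()}


def check_access(user, password, required_role,
                 users_text=USERS_PROPERTIES, roles_text=ROLES_PROPERTIES):
    """True only if the password matches the users.properties entry AND
    roles.properties assigns the user the role the descriptor requires."""
    expected = parse_properties(users_text).get(user)
    if expected is None:
        return False                  # unknown user: authentication fails
    # compare_digest avoids leaking the match length through timing
    if not hmac.compare_digest(expected.encode(), password.encode()):
        return False
    return required_role in roles_for(user, parse_properties(roles_text))
```

With these files, pinky can reach a resource that requires User but not one that requires Admin, while brain can reach both.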
What just happened?

You just added a user to the ToDo application using the default properties file-based authentication mechanism. Although JBoss doesn't provide a configuration-free way to add security to an application, we didn't have to change JBoss in any way to make use of the default mechanism.