Sunday, October 31, 2010

Creating file realm users in JBoss

As promised in an earlier post, I'll show you how to create file realm users in the JBoss application server. A realm is a database that contains user, password, and role information. The application server can use this information to identify users in order to provide container managed security to applications. Realm information can be stored and retrieved in various ways:

  • JDBC
  • Datasource
  • JNDI
  • File (JBoss calls this MemoryRealm)
  • JAAS

We'll only discuss the File realm in this blog post. When you use a File realm, the information is stored in a plain text file.

1. Create a realm
The first step is to create a realm by editing server.xml in your deployment directory of your server. For this example, we'll use the default server configuration in the directory: <JBOSS_DIR>/server/default/deploy/jbossweb.sar. Decide if the realm is shared by applications. You can share it at three different levels:

  • Shared across all applications on all virtual hosts (<Engine>)
  • Shared across all applications on a particular host (<Host>)
  • Not shared, only used by one application (<Context>)

Create and place the <Realm> element nested in one of the elements mentioned above. Example: if you want the realm to be shared by all applications on a host, nest the <Realm> element in <Host>. Note that Tomcat element names are case-sensitive, so it must be written <Realm>, not <realm>.
<Realm className="org.apache.catalina.realm.MemoryRealm"
       digest=""
       pathname="conf/users.xml" />

It is recommended to specify a digest algorithm so that the file stores password hashes; otherwise the passwords are stored in clear text. If the pathname attribute is not specified, the default file conf/tomcat-users.xml is used.

2. Create file with users
Create the file specified in the realm configuration, and add users to the file in the following format:

<tomcat-users>
  <user name="john"  password="secret" roles="user" />
  <user name="peter" password="secret" roles="admin" />
  <user name="carol" password="secret" roles="role,role2" />
</tomcat-users>

3. Restart JBoss
The realm becomes active when JBoss is restarted.
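As an added example that is not part of the original post, the following Python script builds a user file in the format shown in step 2 with digested instead of clear-text passwords (the form you would use together with digest="SHA" on the Realm), checks a submitted credential against it, and flags entries that still hold clear-text passwords. It assumes the realm stores a digest as the lowercase hex encoding of the MessageDigest output, which is what the Tomcat RealmBase class that MemoryRealm extends produces; the user names, passwords and roles are constructed sample data, and the function names are my own.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# java.security.MessageDigest names accepted by the Realm "digest" attribute,
# mapped onto the equivalent hashlib names (assumed mapping).
JAVA_TO_HASHLIB = {"MD5": "md5", "SHA": "sha1", "SHA-1": "sha1", "SHA-256": "sha256"}

# Constructed sample data mirroring the users file from step 2.
SAMPLE_USERS = [
    ("john", "secret", ["user"]),
    ("peter", "secret", ["admin"]),
    ("carol", "secret", ["role", "role2"]),
]

# Constructed users file with a clear-text password, for the audit check below.
CLEARTEXT_USERS_XML = """<tomcat-users>
  <user name="john" password="secret" roles="user" />
</tomcat-users>"""


def digest_password(password, algorithm="SHA"):
    """Return the stored form of a password: lowercase hex of the digest (assumed RealmBase format)."""
    h = hashlib.new(JAVA_TO_HASHLIB[algorithm])
    h.update(password.encode("utf-8"))
    return h.hexdigest()


def build_users_xml(users, algorithm="SHA"):
    """Serialise (name, password, roles) triples into a tomcat-users document with digested passwords."""
    root = ET.Element("tomcat-users")
    for name, password, roles in users:
        ET.SubElement(root, "user", name=name,
                      password=digest_password(password, algorithm),
                      roles=",".join(roles))
    return ET.tostring(root, encoding="unicode")


def load_users(xml_text):
    """Parse a tomcat-users document into {name: (stored_password, [roles])}."""
    root = ET.fromstring(xml_text)
    users = {}
    for user in root.findall("user"):
        # Older files use name=, newer ones username=; accept both.
        name = user.get("name") or user.get("username")
        roles = [r for r in user.get("roles", "").split(",") if r]
        users[name] = (user.get("password", ""), roles)
    return users


def verify(users, name, password, algorithm="SHA"):
    """Check a credential the way the realm does: digest the input and compare with the stored value."""
    entry = users.get(name)
    candidate = digest_password(password, algorithm)  # computed even for unknown users, so timing is uniform
    if entry is None:
        return False
    return hmac.compare_digest(entry[0], candidate)


def find_cleartext_entries(users, algorithm="SHA"):
    """Audit check: users whose stored password is not a hex digest of the configured algorithm's length."""
    expected_len = hashlib.new(JAVA_TO_HASHLIB[algorithm]).digest_size * 2
    flagged = []
    for name, (stored, _roles) in users.items():
        looks_digested = (len(stored) == expected_len
                          and all(c in "0123456789abcdef" for c in stored.lower()))
        if not looks_digested:
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    xml_text = build_users_xml(SAMPLE_USERS, "SHA")
    print(xml_text)
    users = load_users(xml_text)
    print("john/secret ->", verify(users, "john", "secret"))
    print("john/wrong  ->", verify(users, "john", "wrong"))
    print("clear-text entries in sample file:", find_cleartext_entries(load_users(CLEARTEXT_USERS_XML)))
```

The audit function is the check worth running after a migration: if the Realm is configured with digest="SHA" but an entry still holds a clear-text password, that user can no longer log in (the realm digests the submitted password and compares it with the stored string), and the file still leaks the password to anyone who can read it. Note that this digest format is an unsalted single-round hash, so the file must still be protected by file-system permissions as if it held clear-text passwords.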
