Chapter 11. Deploying Security Domains

Modular Security Domain
A security domain deployment method, where the security domain declaration is included in a deployment descriptor . A modular security domain takes the form *-jboss-beans.xml. It is included in the META-INF directory of EJB Jars, or the WEB-INF directory of web application (WAR).
Deployment Descriptor
A declarative XML configuration file that describes the deployment settings of an application. The way an application is deployed can be changed within this file, eliminating the need to make changes to the underlying code of the application.
There are two ways of deploying a security domain in JBoss Enterprise Application Platform:
  1. Declare the security domain in the jboss-as/server/$PROFILE/conf/login-config.xml file.
  2. Create and deploy a modular security domain.

Procedure 11.1. Modular Security Domain configuration

Follow this procedure to configure a basic modular security domain deployment descriptor with two domains for EJB and web applications.
Each domain uses the UsersRolesLoginModule for the authorization policy, however you are not limited to this login module when creating a modular security domain. Refer to Section 12.1, “Using Modules” for additional login modules shipped with JBoss Enterprise Application Platform.

  1. Create deployment descriptor

    You must create a deployment descriptor file to contain the security domain configuration.
    If you have already created a deployment descriptor for your application, you can skip this step and proceed to step 2.
    The file name takes the format [domain_name]-jboss-beans.xml. While the domain_name is arbitrary, you should choose a name that is meaningful to the application ensure the name of the deployment descriptor is unique across the server profile.
    The file must contain the standard XML declaration, and a correctly configured <deployment> element. 
    <?xml version="1.0" encoding="UTF-8"?>

<deployment xmlns="urn:jboss:bean-deployer:2.0">


</deployment>

  2. Define application policies

    Individual security domains are defined within the <deployment> element.
    In the example below, two security domains are specified. Each authentication policy uses the same login module, and module parameters.

    Note

    Other login modules are available for use with the Enterprise Application Platform. For more information about the available login modules, refer to Section 12.1, “Using Modules” 
    <?xml version="1.0" encoding="UTF-8"?>

<deployment xmlns="urn:jboss:bean-deployer:2.0">

  <application-policy xmlns="urn:jboss:security-beans:1.0" name="web-test">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="unauthenticatedIdentity">anonymous</module-option>
        <module-option name="usersProperties">u.properties</module-option>
        <module-option name="rolesProperties">r.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <application-policy xmlns="urn:jboss:security-beans:1.0" name="ejb-test">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="unauthenticatedIdentity">anonymous</module-option>
        <module-option name="usersProperties">u.properties</module-option>
        <module-option name="rolesProperties">r.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>

</deployment>

  3. Deploy or package the deployment descriptor

    Move the deployment descriptor file to the jboss-as/server/$PROFILE/deploy directory of the required server profile in your installation.
    If you are distributing your application to a wider audience, package the deployment descriptor in the META-INF directory of the EJB Jar, or the WEB-INF directory of your web application (WAR).