17.3.3. Configuring a Datasource to Use Login Modules

Procedure 17.1. Configuring a Datasource to Use Login Modules

  1. Add the <security-domain-parameter> to the XML file for the datasource.

  2. Add an application policy to the login-config.xml file.

    The authentication section needs to include the configuration for your login-module. For example, to encrypt the database password, use the SecureIdentityLoginModule login module.
    <application-policy name="MyDomain">
          <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
             <module-option name="username">scott</module-option>
             <module-option name="password">-170dd0fbd8c13748</module-option>
             <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=OracleDSJAAS</module-option>
  3. If you plan to fetch the data source connection from a web application, authentication must be enabled for the web application, so that the Subject is populated.
  4. If users need the ability to connect anonymously, add an additional login module to the application-policy, to populate the security credentials.
  5. Add the UsersRolesLoginModule module to the beginning of the chain. The usersProperties and rolesProperties parameters can be directed to dummy files.
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
       <module-option name="unauthenticatedIdentity">nobody</module-option>
       <module-option name="usersProperties">props/users.properties</module-option>
       <module-option name="rolesProperties">props/roles.properties</module-option>