10.6.11. Use a Security Domain in Your Application


To use a security domain in your application, first you must configure the domain in either the server's configuration file or the application's descriptor file. Then you must add the required annotations to the EJB that uses it. This topic covers the steps required to use a security domain in your application.


If an application is part of a security domain that uses an authentication cache, user authentications for that application will also be available to other applications in that security domain.

Procedure 10.6. Configure Your Application to Use a Security Domain

  1. Define the Security Domain

    You can define the security domain either in the server's configuration file or the application's descriptor file.
    • Configure the security domain in the server's configuration file

      The security domain is configured in the security subsystem of the server's configuration file. If the JBoss EAP 6 instance is running in a managed domain, this is the domain/configuration/domain.xml file. If the JBoss EAP 6 instance is running as a standalone server, this is the standalone/configuration/standalone.xml file.
      The other, jboss-web-policy, and jboss-ejb-policy security domains are provided by default in JBoss EAP 6. The following XML example was copied from the security subsystem in the server's configuration file.
      <subsystem xmlns="urn:jboss:domain:security:1.2">
              <security-domain name="other" cache-type="default">
                      <login-module code="Remoting" flag="optional">
                          <module-option name="password-stacking" value="useFirstPass"/>
                      <login-module code="RealmDirect" flag="required">
                          <module-option name="password-stacking" value="useFirstPass"/>
              <security-domain name="jboss-web-policy" cache-type="default">
                      <policy-module code="Delegating" flag="required"/>
              <security-domain name="jboss-ejb-policy" cache-type="default">
                      <policy-module code="Delegating" flag="required"/>
      You can configure additional security domains as needed using the Management Console or CLI.
    • Configure the security domain in the application's descriptor file

      The security domain is specified in the <security-domain> child element of the <jboss-web> element in the application's WEB-INF/jboss-web.xml file. The following example configures a security domain named my-domain.
      This is only one of many settings which you can specify in the WEB-INF/jboss-web.xml descriptor.
  2. Add the Required Annotation to the EJB

    You configure security in the EJB using the @SecurityDomain and @RolesAllowed annotations. The following EJB code example limits access to the other security domain by users in the guest role.
    package example.ejb3;
    import java.security.Principal;
    import javax.annotation.Resource;
    import javax.annotation.security.RolesAllowed;
    import javax.ejb.SessionContext;
    import javax.ejb.Stateless;
    import org.jboss.ejb3.annotation.SecurityDomain;
     * Simple secured EJB using EJB security annotations
     * Allow access to "other" security domain by users in a "guest" role.
    @RolesAllowed({ "guest" })
    public class SecuredEJB {
       // Inject the Session Context
       private SessionContext ctx;
        * Secured EJB method using security annotations
       public String getSecurityInfo() {
          // Session context injected using the resource annotation
          Principal principal = ctx.getCallerPrincipal();
          return principal.toString();
    For more code examples, see the ejb-security quickstart in the JBoss EAP 6 Quickstarts bundle, which is available from the Red Hat Customer Portal.