Procedure 14.1. Configure Your Application to Use a Security Domain

1. Define the Security Domain

   You can define the security domain either in the server's configuration file or the application's descriptor file.

   • Configure the security domain in the server's configuration file

     The security domain is configured in the security subsystem of the server's configuration file. If the JBoss EAP 6 instance is running in a managed domain, this is the domain/configuration/domain.xml file. If the JBoss EAP 6 instance is running as a standalone server, this is the standalone/configuration/standalone.xml file.
     The other, jboss-web-policy, and jboss-ejb-policy security domains are provided by default in JBoss EAP 6. The following XML example was copied from the security subsystem in the server's configuration file.

     <subsystem xmlns="urn:jboss:domain:security:1.2">
         <security-domains>
             <security-domain name="other" cache-type="default">
                 <authentication>
                     <login-module code="Remoting" flag="optional">
                         <module-option name="password-stacking" value="useFirstPass"/>
                     </login-module>
                     <login-module code="RealmDirect" flag="required">
                         <module-option name="password-stacking" value="useFirstPass"/>
                     </login-module>
                 </authentication>
             </security-domain>
             <security-domain name="jboss-web-policy" cache-type="default">
                 <authorization>
                     <policy-module code="Delegating" flag="required"/>
                 </authorization>
             </security-domain>
             <security-domain name="jboss-ejb-policy" cache-type="default">
                 <authorization>
                     <policy-module code="Delegating" flag="required"/>
                 </authorization>
             </security-domain>
         </security-domains>
     </subsystem>
     

     You can configure additional security domains as needed using the Management Console or CLI.

   • Configure the security domain in the application's descriptor file

     The security domain is specified in the <security-domain> child element of the <jboss-web> element in the application's WEB-INF/jboss-web.xml file. The following example configures a security domain named my-domain.

     <jboss-web>
         <security-domain>my-domain</security-domain>
     </jboss-web>
     

     This is only one of many settings which you can specify in the WEB-INF/jboss-web.xml descriptor.

2. Add the Required Annotation to the EJB

   You configure security in the EJB using the @SecurityDomain and @RolesAllowed annotations. The following EJB code example limits access to the other security domain by users in the guest role.

   package example.ejb3;
   
   import java.security.Principal;
   
   import javax.annotation.Resource;
   import javax.annotation.security.RolesAllowed;
   import javax.ejb.SessionContext;
   import javax.ejb.Stateless;
   
   import org.jboss.ejb3.annotation.SecurityDomain;
   
   /**
    * Simple secured EJB using EJB security annotations
    * Allow access to "other" security domain by users in a "guest" role.
    */
   @Stateless
   @RolesAllowed({ "guest" })
   @SecurityDomain("other")
   public class SecuredEJB {
   
      // Inject the Session Context
      @Resource
      private SessionContext ctx;
   
      /**
       * Secured EJB method using security annotations
       */
      public String getSecurityInfo() {
         // Session context injected using the resource annotation
         Principal principal = ctx.getCallerPrincipal();
         return principal.toString();
      }
   }

   For more code examples, see the ejb-security quickstart in the JBoss EAP 6 Quickstarts bundle, which is available from the Red Hat Customer Portal.