Show Table of Contents
Chapter 7. Configuring User Accounts
7.1. User Accounts
A user needs an account to be able to log in and use the JBoss Enterprise SOA Platform's various web-based consoles. The default security system reads plain text files (namely
soa-users.properties and soa-roles.properties) to check a user's password and determine their level of access. SOA uses the Java Authentication and Authorization Service (JAAS) to authenticate user accounts.
Warning
Red Hat does not recommend that you run production servers configured with user passwords in clear text files as it compromises security.
7.2. Create User Accounts
Procedure 7.1. Add a New User
- Open the
soa-users.propertiesfile in a text editor:vi SOA_ROOT/jboss-as/server/PROFILE/conf/props/soa-users.properties. Add the user's name and password on a new line, using this syntax:username=password.Here is an example for a user with the login name "Harold":harold=@dm1nU53r
Note
Any line in this file that begins with a hash (#) is ignored. (You can use this convention to temporarily disable a user account.) - Save the changes to the file and exit the text editor.
- Open the
soa-roles.propertiesfile in a text editor:vi SOA_ROOT/jboss-as/server/PROFILE/conf/props/soa-roles.properties. Add the user and the roles you wish to assign to them on a new line, using this syntax:username=role1,role2,role3.harold=JBossAdmin,HttpInvoker,user,admin
Note
You can assign any number of roles. Note that a user must be assigned theJBossAdmin,HttpInvoker,userandadminroles in order to be able to log into the server consoles.Any line in this file that begins with a hash (#) is ignored. You can use this convention to temporarily disable user roles. - Save the changes to the file and exit the text editor.
Result
The user will now be able to log in to the server console at http://localhost:8080. You do not have to restart the server.
7.3. Security Roles
Table 7.1. List of Security Permissions for JBoss Enterprise SOA Platform Console Users
| Role | Description |
|---|---|
| JBossAdmin | The JBossAdmin role is required to log into the various management components of SOA. It is the primary role so all system administrators should be assigned this role. |
| HttpInvoker | The HttpInvoker role is used by the Http Invoker to access JNDIs and EJBs from remote locations. |
| user | This is used to grant user access to services deployed in SOA if they are configured to utilize the JAAS security domains. The jBPM Console relies on this one role only. |
| admin | This is used to grant administrative access to services deployed in SOA if they are configured to utilize the JAAS security domains. |
7.4. Java Authentication and Authorization Service (JAAS)
The JAAS 1.0 API consists of a set of Java packages designed for user authentication and authorization. The API implements a Java version of the standard Pluggable Authentication Modules (PAM) framework and extends the Java 2 Platform access control architecture to support user-based authorization.
JAAS was first released as an extension package for JDK 1.3 and is bundled with JDK 1.6.
7.5. Disable a User's Account
Procedure 7.2. Disable a User's Account
- Open the
soa-users.propertiesfile in a text editor:vi SOA_ROOT/jboss-as/server/PROFILE/conf/props/soa-users.properties. Either delete the entire line containing the user's name and password or simply put a hash (#) in front of it to "comment it out."Here is an example for a user with the login name "Harold":#harold=@dm1nU53r
- Save the changes to the file and exit the text editor.
Result
The user will no longer be able to log in to the server console. You do not have to restart the server.
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.