Red Hat Training

A Red Hat training course is available for JBoss Enterprise SOA Platform

Chapter 7. Configuring User Accounts

7.1. User Accounts

A user needs an account to be able to log in and use the JBoss Enterprise SOA Platform's various web-based consoles. The default security system reads plain text files (namely soa-users.properties and soa-roles.properties) to check a user's password and determine their level of access. SOA uses the Java Authentication and Authorization Service (JAAS) to authenticate user accounts.

Warning

Red Hat does not recommend that you run production servers configured with user passwords in clear text files as it compromises security.

7.2. Create User Accounts

Procedure 7.1. Add a New User

  1. Open the soa-users.properties file in a text editor: vi SOA_ROOT/jboss-as/server/PROFILE/conf/props/soa-users.properties. Add the user's name and password on a new line, using this syntax: username=password.
    Here is an example for a user with the login name "Harold":
    harold=@dm1nU53r
    

    Note

    Any line in this file that begins with a hash (#) is ignored. (You can use this convention to temporarily disable a user account.)
  2. Save the changes to the file and exit the text editor.
  3. Open the soa-roles.properties file in a text editor: vi SOA_ROOT/jboss-as/server/PROFILE/conf/props/soa-roles.properties. Add the user and the roles you wish to assign to them on a new line, using this syntax: username=role1,role2,role3.
    harold=JBossAdmin,HttpInvoker,user,admin
    

    Note

    You can assign any number of roles. Note that a user must be assigned the JBossAdmin, HttpInvoker, user and admin roles in order to be able to log into the server consoles.
    Any line in this file that begins with a hash (#) is ignored. You can use this convention to temporarily disable user roles.
  4. Save the changes to the file and exit the text editor.
Result

The user will now be able to log in to the server console at http://localhost:8080. You do not have to restart the server.

7.3. Security Roles

Table 7.1. List of Security Permissions for JBoss Enterprise SOA Platform Console Users

Role Description
JBossAdmin The JBossAdmin role is required to log into the various management components of SOA. It is the primary role so all system administrators should be assigned this role.
HttpInvoker The HttpInvoker role is used by the Http Invoker to access JNDIs and EJBs from remote locations.
user This is used to grant user access to services deployed in SOA if they are configured to utilize the JAAS security domains. The jBPM Console relies on this one role only.
admin This is used to grant administrative access to services deployed in SOA if they are configured to utilize the JAAS security domains.

7.4. Java Authentication and Authorization Service (JAAS)

The JAAS 1.0 API consists of a set of Java packages designed for user authentication and authorization. The API implements a Java version of the standard Pluggable Authentication Modules (PAM) framework and extends the Java 2 Platform access control architecture to support user-based authorization.
JAAS was first released as an extension package for JDK 1.3 and is bundled with JDK 1.6.

7.5. Disable a User's Account

Procedure 7.2. Disable a User's Account

  1. Open the soa-users.properties file in a text editor: vi SOA_ROOT/jboss-as/server/PROFILE/conf/props/soa-users.properties. Either delete the entire line containing the user's name and password or simply put a hash (#) in front of it to "comment it out."
    Here is an example for a user with the login name "Harold":
    #harold=@dm1nU53r
    
  2. Save the changes to the file and exit the text editor.
Result

The user will no longer be able to log in to the server console. You do not have to restart the server.