Red Hat Training

A Red Hat training course is available for Red Hat JBoss Data Virtualization

14.4. JAAS Configuration

Each JAAS implementation will be configured differently. In the case of the PicketBox implementation, configuration is done via a jaas.conf.xml file on the classpath. There are quite a few modules to choose from, including LDAP, database, XACML, and even a simple file-based option. Here is an example of a jaas.conf.xml file that uses the users and roles defined in local files: 
<?xml version='1.0'?>
<policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:jboss:security-config:5.0" xmlns="urn:jboss:security-config:5.0">
        <application-policy name="modeshape-jcr">
                <authentication>
                        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
                <module-option name="usersProperties">security/users.properties</module-option>
                <module-option name="rolesProperties">security/roles.properties</module-option>
                        </login-module>
                </authentication>
        </application-policy>
</policy>
This file sets up a JAAS policy named modeshape-jcr that uses the User-Roles Login Module, and defines the users and passwords in the security/users.properties file and the roles in the security/roles.properties file.
The users file contains a line for each user, of the form username=password. The roles file also contains a line for each user, but this format is a little more complicated: 
{{<username>=<role>\[,<role>,...\]}}
where:
  • <username> is the name of the user,
  • <role> is an expression describing a role for the user and which adheres to the format <role>=<roleName>[.<workspaceName], where:
    • <roleName> is one of admin, readonly, readwrite, or (for WebDAV and RESTful access) connect
    • <workspaceName> is the name of the repository workspace to which the role is granted; if absent, the role will be granted for all workspaces in the repository
For example, the following line provides all roles to user 'jsmith' for all workspaces in the configured repository: 
jsmith=admin,connect,readonly,readwrite
while 
jsmith=connect,readonly,readwrite.ws1
provides connect and read access to all workspaces, but only write access to the ws1 workspace.