EAP 6: How to configure DatabaseServerLoginModule


Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • Version 6

Issue

  • How to configure the DatabaseServerLoginModule for authentication in a Java EE application.
  • In EAP 4.3 the following configuration was used. How can the same be achieved in EAP 6?
<application-policy name="someName">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:/DefaultDS</module-option>
      <module-option name="principalsQuery">select Password from Principals where PrincipalID=?</module-option>
      <module-option name="rolesQuery">select Role, RoleGroup from Roles where PrincipalID=?</module-option>
    </login-module>
  </authentication>
</application-policy>

Resolution

An overview of this and other login modules can be found in the documentation.

As an example, the following tables are in the database:

Table_Name   Column 1             Column 2
Principals   PrincipalID (text)   Password (text)
Roles        PrincipalID (text)   RoleGroup (text)

The corresponding configuration for the security subsystem is then:

<security-domain name="DatabaseRealm" cache-type="default">
  <authentication>
    <login-module code="Database" flag="required">
      <module-option name="dsJndiName" value="java:jboss/datasources/database"/>
      <module-option name="principalsQuery" value="select Password from Principals where PrincipalID=?"/>
      <module-option name="rolesQuery" value="select Role, RoleGroup from Roles where PrincipalID=?"/>
    </login-module>
  </authentication>
</security-domain>

where "java:jboss/datasources/database" is the JNDI name of the datasource defined in the datasources subsystem, e.g.:

<datasource jndi-name="java:jboss/datasources/database" pool-name="database" enabled="true" use-ccm="true">
  <connection-url>jdbc:oracle:thin:@dbhost:1521/service_name</connection-url>
  <driver>oracle</driver>
  <pool>
    <min-pool-size>2</min-pool-size>
    <max-pool-size>10</max-pool-size>
    <prefill>true</prefill>
    <use-strict-min>true</use-strict-min>
  </pool>
  <security>
    <user-name>username</user-name>
    <password>password</password>
  </security>
  <validation>
    <valid-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleValidConnectionChecker"/>
    <validate-on-match>true</validate-on-match>
    <stale-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleStaleConnectionChecker"/>
    <exception-sorter class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleExceptionSorter"/>
  </validation>
</datasource>

Note: The table names, column names and select statements can be changed as required. Whatever the names, principalsQuery must return the stored password as its single column, and rolesQuery must return two columns, the role name and its role group; only roles in the group "Roles" are checked against the <role-name> entries in web.xml.
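To make the query-to-table mapping concrete, the following added example (not part of the original article) replays the two queries from the security domain above against an in-memory SQLite copy of the Principals and Roles tables and reproduces what the login module decides: whether the password matches and which roles end up usable for authorization. The user names, passwords and the extra "Other" role group are constructed sample data.

```python
import hmac
import sqlite3

# Constructed sample schema mirroring the article's Principals and Roles tables.
# The Roles table needs a Role column as well as RoleGroup, because rolesQuery reads both.
SCHEMA = """
CREATE TABLE Principals (PrincipalID TEXT PRIMARY KEY, Password TEXT NOT NULL);
CREATE TABLE Roles (PrincipalID TEXT NOT NULL, Role TEXT NOT NULL, RoleGroup TEXT NOT NULL);
INSERT INTO Principals VALUES ('alice', 'secret');
INSERT INTO Principals VALUES ('bob', 'hunter2');
INSERT INTO Roles VALUES ('alice', 'JBossUsers', 'Roles');
INSERT INTO Roles VALUES ('alice', 'auditor', 'Other');  -- not in the 'Roles' group
INSERT INTO Roles VALUES ('bob', 'guest', 'Roles');
"""

# The exact module-option values from the security-domain configuration.
PRINCIPALS_QUERY = "select Password from Principals where PrincipalID=?"
ROLES_QUERY = "select Role, RoleGroup from Roles where PrincipalID=?"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def authenticate(conn, username, password):
    """Replay principalsQuery; the '?' is bound, never concatenated into the SQL."""
    row = conn.execute(PRINCIPALS_QUERY, (username,)).fetchone()
    if row is None:
        return False  # unknown PrincipalID: no row, so the login fails
    # Constant-time comparison of the stored value against the supplied password.
    return hmac.compare_digest(row[0].encode(), password.encode())


def roles_for(conn, username):
    """Replay rolesQuery and keep only the 'Roles' group, which the container checks role-name against."""
    rows = conn.execute(ROLES_QUERY, (username,))
    return sorted(role for role, group in rows if group == "Roles")


def login(conn, username, password):
    """Return the authorization roles on success, or None when authentication fails."""
    if not authenticate(conn, username, password):
        return None
    return roles_for(conn, username)


def may_access(roles, required_role="JBossUsers"):
    """Mirror the web.xml auth-constraint: access needs one of the constraint's roles."""
    return roles is not None and required_role in roles
```

Run against the sample data, alice logs in with the single usable role JBossUsers (her "auditor" role is outside the "Roles" group), bob authenticates but lacks JBossUsers and is rejected by the constraint, and a wrong password or unknown user fails outright.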

To use this login module in the application, include the following in web.xml (this assumes the role JBossUsers exists in the database):

<security-constraint>
  <display-name>Constraint1</display-name>
  <web-resource-collection>
    <web-resource-name>all</web-resource-name>
    <description/>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description/>
    <role-name>JBossUsers</role-name>
  </auth-constraint>
</security-constraint>
...
</login-config>
<security-role>
  <description/>
  <role-name>JBossUsers</role-name>
</security-role>

Then add a jboss-web.xml with the following content:

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
  <context-root>/testApp</context-root>
  <security-domain>DatabaseRealm</security-domain>
</jboss-web>

After the application has been deployed to JBoss, any user who has the role JBossUsers should be able to log into the application.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
