17.3. Use a Security Domain in Your Application

Procedure 17.1. Configure Your Application to Use a Security Domain

1. Define the Security Domain

   You need to define the security domain in the server's configuration file, and then enable it for an application in the application's descriptor file.

   1. Configure the security domain in the server's configuration file

      The security domain is configured in the security subsystem of the server's configuration file. If the JBoss EAP 6 instance is running in a managed domain, this is the domain/configuration/domain.xml file. If the JBoss EAP 6 instance is running as a standalone server, this is the standalone/configuration/standalone.xml file.
      The other, jboss-web-policy, and jboss-ejb-policy security domains are provided by default in JBoss EAP 6. The following XML example was copied from the security subsystem in the server's configuration file.

      <subsystem xmlns="urn:jboss:domain:security:1.2">
          <security-domains>
              <security-domain name="other" cache-type="default">
                  <authentication>
                      <login-module code="Remoting" flag="optional">
                          <module-option name="password-stacking" value="useFirstPass"/>
                      </login-module>
                      <login-module code="RealmDirect" flag="required">
                          <module-option name="password-stacking" value="useFirstPass"/>
                      </login-module>
                  </authentication>
              </security-domain>
              <security-domain name="jboss-web-policy" cache-type="default">
                  <authorization>
                      <policy-module code="Delegating" flag="required"/>
                  </authorization>
              </security-domain>
              <security-domain name="jboss-ejb-policy" cache-type="default">
                  <authorization>
                      <policy-module code="Delegating" flag="required"/>
                  </authorization>
              </security-domain>
          </security-domains>
      </subsystem>

      Copy to Clipboard Toggle word wrap
      You can configure additional security domains as needed using the Management Console or CLI.

   2. Enable the security domain in the application's descriptor file

      The security domain is specified in the <security-domain> child element of the <jboss-web> element in the application's WEB-INF/jboss-web.xml file. The following example configures a security domain named my-domain.

      <jboss-web>
          <security-domain>my-domain</security-domain>
      </jboss-web>

      Copy to Clipboard Toggle word wrap
      This is only one of many settings which you can specify in the WEB-INF/jboss-web.xml descriptor.

2. Add the Required Annotation to the EJB

   You configure security in the EJB using the @SecurityDomain and @RolesAllowed annotations. The following EJB code example limits access to the other security domain by users in the guest role.

   package example.ejb3;
   
   import java.security.Principal;
   
   import javax.annotation.Resource;
   import javax.annotation.security.RolesAllowed;
   import javax.ejb.SessionContext;
   import javax.ejb.Stateless;
   
   import org.jboss.ejb3.annotation.SecurityDomain;
   
   /**
    * Simple secured EJB using EJB security annotations
    * Allow access to "other" security domain by users in a "guest" role.
    */
   @Stateless
   @RolesAllowed({ "guest" })
   @SecurityDomain("other")
   public class SecuredEJB {
   
      // Inject the Session Context
      @Resource
      private SessionContext ctx;
   
      /**
       * Secured EJB method using security annotations
       */
      public String getSecurityInfo() {
         // Session context injected using the resource annotation
         Principal principal = ctx.getCallerPrincipal();
         return principal.toString();
      }
   }

   Copy to Clipboard Toggle word wrap
   For more code examples, see the ejb-security quickstart in the JBoss EAP 6 Quickstarts bundle, which is available from the Red Hat Customer Portal.