Role-based security
In JBoss 7, a logged-in administrator has unlimited power over every configuration aspect
of a running server. This could be a problem in a production environment when multiple
users have access to the server to do different tasks. One user could only be interested in
deploying new applications, another should only be able to restart the server, and there
could be one who should not be able to change anything (for example, a monitoring agent
sending data about the execution of an application).
To support these kinds of requirements, WildFly brings two access control strategies:
• Simple, which is the all-or-nothing approach known from JBoss AS 7 and EAP in
versions earlier than 6.2 (every authenticated administrator has full access to the
application server). This is the default strategy.
• Role-based access control (RBAC), which allows you to assign administrative
users to specific management roles.
Let's navigate to http://localhost:8080/console and log in with our administrator
password. The upper menu contains a tab named Administration. This is used to
configure the access control mechanism. Once you click on it (you should see a message
box informing you that RBAC is not yet enabled), three subtabs appear: Users,
Groups, and Roles. Let's take a closer look at each of these objects.
Users are defined using the add-user.bat (.sh) scripts in the JBOSS_HOME/bin
directory. We have already defined one before the first time we accessed the JBoss console.
The created user, however, requires some additional information in order to determine his
or her security level. The easiest way to achieve this is to organize users into groups. The
assignment can be done via the user creation scripts or by editing the
mgmt-groups.properties files in WildFly's configuration directory. Another way to do
this is to define a security realm connected to an external source (an LDAP server, for
instance). We will talk more about security realms in the next chapter. For now, you can
create a user assigned to a group named TestGroup.
A group is mapped to a set of security roles to provide specific permissions. For example,
we can create user groups for developers and junior administrators and map them to a
subset of the desired roles. A user can be part of multiple groups, so it is also possible to
exclude a role for a specific group so that no other group can grant it.
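To make the include/exclude rule concrete, here is an added example (illustrative Python, not WildFly's own code) that parses a constructed mgmt-groups.properties file and resolves each user's effective roles, with an exclude entry always winning over an include entry. The group names other than TestGroup and the role assignments are assumptions made for the sample.

```python
def parse_mgmt_groups(text):
    """Parse the user=group1,group2 lines of a mgmt-groups.properties file."""
    groups = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, value = line.partition("=")
        groups[user.strip()] = {g.strip() for g in value.split(",") if g.strip()}
    return groups

def effective_roles(user, user_groups, role_mapping):
    """Resolve the roles a user ends up with (illustrative, not WildFly's code).

    role_mapping maps a role to {"include": [...], "exclude": [...]}, where each
    entry is ("user", name) or ("group", name). An exclude entry always wins
    over an include entry, so a group can block a role for its members even
    when another of their groups would grant it.
    """
    groups = user_groups.get(user, set())

    def matches(entries):
        return any((kind == "user" and name == user)
                   or (kind == "group" and name in groups)
                   for kind, name in entries)

    return {role for role, rule in role_mapping.items()
            if matches(rule.get("include", []))
            and not matches(rule.get("exclude", []))}

# Constructed sample data, not taken from the page or any real server.
MGMT_GROUPS = """
# user=group1,group2
alice=TestGroup
bob=TestGroup,Contractors
carol=Monitoring
"""

ROLE_MAPPING = {
    "Deployer": {"include": [("group", "TestGroup")], "exclude": [("group", "Contractors")]},
    "Monitor": {"include": [("group", "Monitoring"), ("group", "TestGroup")]},
    "SuperUser": {"include": [("user", "admin")]},
}

if __name__ == "__main__":
    groups = parse_mgmt_groups(MGMT_GROUPS)
    for user in ("alice", "bob", "carol", "admin"):
        print(user, sorted(effective_roles(user, groups, ROLE_MAPPING)))
```

Note how bob is in TestGroup, which would grant Deployer, but membership in the excluded Contractors group blocks that role regardless.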