Java Reference
In-Depth Information
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Manager</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-role>
    <role-name>Manager</role-name>
  </security-role>
</web-app>
This configuration adds a security constraint on any JSP/servlet of the web application,
restricting access to users authenticated with the role Manager. All login modules
shown in the earlier section define this role, so you can just use the login module that suits
your needs best.
From Java EE 7, there are two more ways to express your security constraints. First,
you can use a new container-provided role: **. It refers to any authenticated user,
without taking the user's roles into account.
The second one is the deny-uncovered-http-methods tag, which can be used in a
web.xml file to forbid access to every HTTP method that is not covered by a separate
security constraint.
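The following web.xml is an added example, not taken from the original text, that combines the Manager constraint shown earlier with both Java EE 7 features. The URL patterns and resource names are assumptions chosen for illustration; the element is written deny-uncovered-http-methods, as the Servlet 3.1 schema names it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example. URL patterns and web-resource-name values are
     assumptions for illustration, not part of the original application. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- The constraints below name only GET and POST. Without this element,
       any other HTTP method on the same URLs is not covered by them;
       with it, the container rejects every uncovered method. -->
  <deny-uncovered-http-methods/>

  <!-- Role-restricted area: GET and POST require the Manager role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Manager area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Manager</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- "**" admits any authenticated user, whatever roles they hold. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Member area</web-resource-name>
      <url-pattern>/account/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>**</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>

  <!-- Only application roles are declared; "**" is provided by the container. -->
  <security-role>
    <role-name>Manager</role-name>
  </security-role>
</web-app>
```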
The next configuration tweak needs to be performed on the JBoss web deployment
descriptor, WEB-INF/jboss-web.xml. You need to declare the security domain here,
which will be used to authenticate the users. Since we are using RealmDirect, which is
part of the other built-in login module, we will need to include the java:/jaas/other
context information:
<jboss-web>
  <security-domain>java:/jaas/other</security-domain>
</jboss-web>