Java Reference
In-Depth Information
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Manager</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>Manager</role-name>
</security-role>
</web-app>
This configuration adds a security constraint to the JSPs and servlets matched by the url-pattern of the web-resource-collection above, restricting access to users authenticated with the role Manager. Note that the constraint lists only the GET and POST methods: a request using any other verb (HEAD, PUT, DELETE, OPTIONS, or an arbitrary method name) is not covered by it and therefore bypasses the role check entirely, which is the classic HTTP verb-tampering problem. Also keep in mind that BASIC authentication sends the credentials base64-encoded, not encrypted, on every request, so it should only be exposed over HTTPS (a user-data-constraint with transport-guarantee CONFIDENTIAL). All login modules shown in the earlier section define the Manager role, so you can use whichever login module suits your needs best.
Java EE 7 (Servlet 3.1) adds two more ways to express your security constraints. The first is the container-provided special role name **. Used in an auth-constraint, it refers to any authenticated user, without taking the user's roles into account; it must not be declared in a security-role element, otherwise the container treats it as an ordinary application role that happens to be named **. The second is the deny-uncovered-http-methods element of web.xml, which tells the container to reject (HTTP 403) every HTTP method that is not explicitly covered by a security constraint on a constrained URL pattern, instead of letting such requests through unauthenticated.
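The following web.xml, added here as an illustration rather than taken from the book, shows both Servlet 3.1 additions next to the Manager constraint above. The URL patterns /admin/* and /app/* and the resource names are assumptions chosen for the example:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original page): a Servlet 3.1 / Java EE 7
     web.xml combining a role-based constraint, the ** special role and
     deny-uncovered-http-methods. URL patterns and resource names are
     hypothetical. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

    <!-- Any HTTP method on a constrained URL pattern that is not listed in
         a security-constraint is rejected with 403. Without this element a
         PUT, DELETE or HEAD to /admin/... would skip the Manager check,
         because the constraint below names only GET and POST. -->
    <deny-uncovered-http-methods/>

    <!-- Management pages: GET and POST only, role Manager, HTTPS required -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Management pages</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Manager</role-name>
        </auth-constraint>
        <user-data-constraint>
            <!-- BASIC auth carries the password base64-encoded in every
                 request; CONFIDENTIAL makes the container require TLS. -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- Everything under /app/* needs a login but no particular role:
         ** means "any authenticated user". No http-method is listed, so
         every method is covered by this constraint. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Authenticated area</web-resource-name>
            <url-pattern>/app/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>**</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>

    <!-- Manager must be declared; ** must NOT be, or it stops meaning
         "any authenticated user" and becomes a literal role name. -->
    <security-role>
        <role-name>Manager</role-name>
    </security-role>
</web-app>
```

A quick way to confirm that deny-uncovered-http-methods is doing its job after deployment is to send an unauthenticated request with a verb the constraint does not list (for example a HEAD or a made-up method) to a URL under /admin/: with the element present the container answers 403, without it the request reaches the servlet.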
The next configuration tweak goes in the JBoss web deployment descriptor, WEB-INF/jboss-web.xml, where you declare the security domain that will be used to authenticate the users. Since we are using the RealmDirect login module, which is configured in the built-in security domain named other, we need to reference the java:/jaas/other JNDI name:
<jboss-web>
<security-domain>java:/jaas/other</security-domain>
</jboss-web>