9 min read

(For more resources related to this topic, see here.)

The deployment descriptor is the main configuration file of all the web applications. The container first looks out for the deployment descriptor before starting any application.

The deployment descriptor is an XML file, web.xml, inside the WEB-INF folder. If you look at the XSD of the web.xml file, you can see the security-related schema.

The schema can be accessed using the following URL: http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd.

The following is the schema element available in the XSD:


Getting ready

You will need the following to demonstrate authentication and authorization:

  • JBoss 7
  • Eclipse Indigo 3.7
  • Create a dynamic web project and name it Security Demo
  • Create a package, com.servlets
  • Create an XML file in the WebContent folder, jboss-web.xml
  • Create two JSP pages, login.jsp and logoff.jsp

How to do it…

Perform the following steps to achieve JAAS-based security for JSPs:

  1. Edit the login.jsp file with the input fields j_username, j_password, and submit it to SecurityCheckerServlet:

    PACKT Login Form

    The j_username and j_password are the indicators of using form-based authentication.

  2. Let’s modify the web.xml file to protect all the files that end with .jsp. If you are trying to access any JSP file, you would be given a login form, which in turn calls a SecurityCheckerServlet file to authenticate the user. You can also see role information is displayed. Update the web.xml file as shown in the following code snippet. We have used 2.5 xsd. The following code needs to be placed in between the webapp tag in the web.xml file:

    jaas-jbossindex.htmlindex.htmindex.jspdefault.htmldefault.htmdefault.jspsomethingDeclarative security tests*.jspHEADGETPOSTPUTDELETErole1no descriptionNONEFORM/login.jsp/logoff.jspsome rolerole1packt managersmanagerSecurityCheckerServletSecurityCheckerServletcom.servlets.SecurityCheckerServlet SecurityCheckerServlet/SecurityCheckerServlet

  3. JAAS Security Checker and Credential Handler: Servlet is a security checker. Since we are using JAAS, the standard framework for authentication, in order to execute the following program you need to import org.jboss.security.SimplePrincipal and org.jboss.security.auth.callback.SecurityAssociationHandle and add all the necessary imports. In the following SecurityCheckerServlet, we are getting the input from the JSP file and passing it to the CallbackHandler.

    We are then passing the Handler object to the LoginContext class which has the login() method to do the authentication. On successful authentication, it will create Subject and Principal for the user, with user details. We are using iterator interface to iterate the LoginContext object to get the user details retrieved for authentication.

    In the SecurityCheckerServlet Class:

    package com.servlets; public class SecurityCheckerServlet extends HttpServlet { private static final long serialVersionUID = 1L; public SecurityCheckerServlet() { super(); } protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { char[] password = null; PrintWriter out=response.getWriter(); try { SecurityAssociationHandler handler = new SecurityAssociationHandler(); SimplePrincipal user = new SimplePrincipal(request.getParameter ("j_username")); password=request.getParameter("j_password"). toCharArray(); handler.setSecurityInfo(user, password); System.out.println("password"+password); CallbackHandler myHandler = new UserCredentialHandler(request.getParameter ("j_username"),request.getParameter ("j_password")); LoginContext lc = new LoginContext("other", handler); lc.login(); Subject subject = lc.getSubject(); Set principals = subject.getPrincipals(); List l=new ArrayList(); Iterator it = lc.getSubject().getPrincipals(). iterator(); while (it.hasNext()) { System.out.println("Authenticated: " + it.next().toString() + "
    "); out.println("Authenticated: " + request.getParameter("j_username")+"
    "+it.next().toString() + "
    "); } it = lc.getSubject().getPublicCredentials (Properties.class).iterator(); while (it.hasNext()) System.out.println(it.next().toString()); lc.logout(); } catch (Exception e) { out.println("failed authenticatation.-"+e); } } protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { } }

    Create the UserCredentialHandler file:

    package com.servlets; class UserCredentialHandler implements CallbackHandler { private String user, pass; UserCredentialHandler(String user, String pass) { super(); this.user = user; this.pass = pass; } @Override public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { for (int i = 0; i

    In the jboss-web.xml file:


    Other is the name of the application policy defined in the login-config.xml file. All these will be packed in as a .war file.

  4. Configuring the JBoss Application Server. Go to jboss-5.1.0.GAserver defaultconflogin-config.xml in JBoss. If you look at the file, you can see various configurations for database LDAP and a simple one using the properties file, which I have used in the following code snippet:

    users.properties roles.properties nobody

  5. Create the users.properties file in the same folder. The following is the Users. properties file with username mapped with role.





  6. Restart the server.
  7. How it works…

    JAAS consists of a set of interfaces to handle the authentication process. They are:

    • The CallbackHandler and Callback interfaces
    • The LoginModule interface
    • LoginContext

    The CallbackHandler interface gets the user credentials. It processes the credentials and passes them to LoginModule, which authenticates the user.

    JAAS is container specific. Each container will have its own implementation, here we are using JBoss application server to demonstrate JAAS.

    In my previous example, I have explicitly called JASS interfaces.

    UserCredentialHandler implements the CallbackHandler interfaces.

    So, CallbackHandlers are storage spaces for the user credentials and the LoginModule authenticates the user.

    LoginContext bridges the CallbackHandler interface with LoginModule. It passes the user credentials to LoginModule interfaces for authentication:

    CallbackHandler myHandler = new UserCredentialHandler(request. getParameter("j_username"),request.getParameter("j_password")); LoginContext lc = new LoginContext("other", handler); lc.login()

    The web.xml file defines the security mechanisms and also points us to the protected resources in our application.

    The following screenshot shows a failed authentication window:

    The following screenshot shows a successful authentication window:


    We introduced the JAAs-based mechanism of applying security to authenticate and authorize the users to the application

    Resources for Article:

    Further resources on this subject:

Subscribe to the weekly Packt Hub newsletter. We'll send you the results of our AI Now Survey, featuring data and insights from across the tech landscape.


Please enter your comment!
Please enter your name here