Authentication in JBoss portal builds on the JEE security provided by the JBoss server. The JEE specification defines the roles and constraints under which certain URLs and components are protected. However, this might not always be sufficient for building enterprise applications or portals. Application server providers such as JBoss supplement the authentication and authorization features provided by the JEE specification with additional features such as role-to-group mapping and session logout.
Authentication in JBoss portal can be divided into configuration files and portal server configuration.
The jboss-portal.sar/portal-server.war file is the portal deployment on the JBoss application server. Assuming that the portal server is like any JEE application deployed on an application server, all user authentication configurations go into the WEB-INF/web.xml and the WEB-INF/jboss-web.xml files.
Within the jboss-portal.sar/portal-server.war application, all portal requests are routed through a single servlet called org.jboss.portal.server.servlet.PortalServlet. This servlet is defined twice, as follows, in the configuration file WEB-INF/web.xml to ensure that all possible request sources are covered:
The servlet is mapped four times with variations to address a combination of secure SSL access and authenticated URLs, as follows:
The following snippet from web.xml shows the entries:
<!-- Provide access to unauthenticated users -->
<servlet-mapping>
    <servlet-name>PortalServletWithPathMapping</servlet-name>
    <url-pattern>/*</url-pattern>
</servlet-mapping>
<!-- Provide secure access to unauthenticated users -->
<servlet-mapping>
    <servlet-name>PortalServletWithPathMapping</servlet-name>
    <url-pattern>/sec/*</url-pattern>
</servlet-mapping>
<!-- Provide access to authenticated users -->
<servlet-mapping>
    <servlet-name>PortalServletWithPathMapping</servlet-name>
    <url-pattern>/auth/*</url-pattern>
</servlet-mapping>
<!-- Provide secure access to authenticated users -->
<servlet-mapping>
    <servlet-name>PortalServletWithPathMapping</servlet-name>
    <url-pattern>/authsec/*</url-pattern>
</servlet-mapping>
The URL patterns can be changed based on personal preference.
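The servlet-mapping entries above only route requests to the PortalServlet; by themselves they protect nothing. What makes /auth/* and /authsec/* require a login, and /sec/* and /authsec/* require TLS, is a set of security-constraint elements in the same web.xml, together with a security-domain in WEB-INF/jboss-web.xml that points the container at the JAAS login configuration. The fragment below is an added illustration written for this page, not the portal's shipped configuration: the role name *, the login and error page paths, the realm name, and the java:/jaas/portal security-domain value are assumptions chosen for the example, and it assumes that "secure" in the mapping comments means TLS-only transport.

```xml
<!-- WEB-INF/web.xml (illustrative, assumed values): constraints that give the
     four PortalServlet mappings their security meaning -->

<!-- Anything under /auth/* or /authsec/* needs an authenticated caller.
     role-name "*" means "any role declared in a security-role element". -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Authenticated portal access</web-resource-name>
        <url-pattern>/auth/*</url-pattern>
        <url-pattern>/authsec/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>

<!-- Anything under /sec/* or /authsec/* must travel over TLS; the container
     redirects plain HTTP requests to the HTTPS connector. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>TLS-only portal access</web-resource-name>
        <url-pattern>/sec/*</url-pattern>
        <url-pattern>/authsec/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- Form-based login; page paths are placeholders for this example -->
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>portal</realm-name>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
</login-config>

<!-- Roles must be declared here before the container will honour them -->
<security-role>
    <role-name>User</role-name>
</security-role>
<security-role>
    <role-name>SPECIAL_USER</role-name>
</security-role>

<!-- WEB-INF/jboss-web.xml (illustrative): binds the web application to a
     JAAS security domain; the value is an assumption for this example -->
<jboss-web>
    <security-domain>java:/jaas/portal</security-domain>
</jboss-web>
```

Two points worth checking on a real deployment follow from this fragment. First, a url-pattern that appears in a servlet-mapping but in no security-constraint is reachable by anyone, whatever its name suggests, so the /auth/* and /authsec/* patterns should be verified against the constraints actually present in the deployed web.xml. Second, CONFIDENTIAL only forces TLS for the matched patterns; a page served under /auth/* without a matching user-data-constraint will carry the session cookie over plain HTTP.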
Authorization is the process of determining whether an authenticated user has access to a particular resource. Similar to authentication, JBoss portal provides in-built support for authorization through the Java Authorization Contract for Containers (JACC). JACC is the JSR-115 specification for the authorization models of the Java 2 and JEE enterprise platforms. In the next few sections, we will look at how JBoss portal facilitates authorization using JACC. However, before we go into the details of access controls and authorization configurations, let’s quickly look at how roles are configured in JBoss Portal.
A role is an authorization construct that denotes the group that a user of the portal belongs to. Typically, roles are used to determine the access rights, and the extent of those rights, for a given resource. We saw in an earlier section how to configure portal assets such as portals, pages, and portlet instances to restrict certain actions to specific roles. We used a role called SPECIAL_USER for our examples. However, we never really defined what this role means to JBoss portal.
Let’s use the JBoss portal server console to register this role with the server.
Log in as admin, and then click on the Members tab. This takes us to the User Management and Role Management tabs.
The User Management tab is used for creating new users. We will come back to this shortly, but for now, let’s switch over to the Role Management tab and click on the Create role link on the bottom right of the page. We can now add our SPECIAL_USER role and provide a display name for it. Once we submit it, the role will be registered with the portal server.
As we will see later, every attempt by an authenticated user to access a resource that has security constraints through a specific role will be matched by the portal before granting or denying access to the resource.
Users can be added to a role by using the User Management tab. Each user has a role property assigned, and this can be edited to check all of the roles that we want the user to belong to. We can see that for the user User, we now have an option to add the user to the Special User role.
A permission object carries the relevant permission for a given entity. The org.jboss.portal.security.PortalPermission object is used to describe permission for the portal. Like all the other entity-specific permission classes, it extends the java.security.Permission class, and any permission checked in the portal should extend the PortalPermission as well. Two additional fields of significance are as follows:
The authorization provider is a generic interface of the type org.jboss.portal.security.spi.provider.AuthorizationDomain, and provides access to several services.
public interface AuthorizationDomain
{
    String getType();
    DomainConfigurator getConfigurator();
    PermissionRepository getPermissionRepository();
    PermissionFactory getPermissionFactory();
}
Let us look into these classes a bit more in detail: