S E C U R I T Y  

Chapter  

8 

8. Security 

Controlling J2EE Component Access by Scott Stark 

JBoss provides a JAAS based security manager that supports the J2EE declarative security 

model defined in the EJB and servlet specifications. This chapter will introduce the security 

services configuration and the steps needed to secure EJBs and web applications. 

Security Services Configuration 

There are three MBean services that control the security layer configuration, 

SecurityConfig, XMLLoginConfig and JaasSecurityManagerService. They are configured in 

the server//conf/jboss service.xml core services descriptor. 

org.jboss.security.plugins.SecurityConfig 

The SecurityConfig service MBean manages the active JAAS login configuration 

implementation. It support replacing the default JAAS configuration as well as chaining 

configurations together. Its sole attribute is: 

LoginConfig, the ObjectName string of the mbean that provides the default JAAS 

login configuration. This name is used to lookup the MBean which provides the 

javax.security.auth.login.Configuration implementation to install as the default. The 

named MBean must implement an operation with this signature: 

javax.security.auth.login.Configuration 

getConfiguration(javax.security.auth.login.Configuration parent) 

org.jboss.security.auth.login.XMLLoginConfig 

The XMLLoginConfig service MBean provides an implementation of 

javax.security.auth.login.Configuration that uses an XML configuration file. The 

configurable attributes of the XMLLoginConfig service include: 

ConfigURL, Set the URL of the XML login configuration file that should be loaded 

by this mbean on startup. 

63