By default few of the security features are turned off in OpenShift JBoss 7.1 cartridge.
If you want to use the Java EE security features first you need to define your security roles and constraints in
your deployment descriptor, e.g. web.xml
:
<?xml version="1.0" encoding="UTF-8"?>
<web-app>
// ...
<security-role>
<role-name>admin</role-name>
</security-role>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/admin/login.xhtml</form-login-page>
<form-error-page>/admin/login.xhtml?error=1</form-error-page>
</form-login-config>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>Modify questions section</web-resource-name>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
</web-app>
(I’ve omitted the logging form source code as it’s not the main point here.)
If you’ve downloaded your local JBoss archive the default standalone.xml
has already preconfigured security
module, so you don’t need to care about it.
However, in OpenShift some of the security features are disabled and you need to enable them explicitly.
In the above case you’d need to fiddle with your $YOUR_OPENSHIFT_REPO/.openshift/config/standalone.xml
file and
configure your security module similar to this:
<subsystem xmlns="urn:jboss:domain:security:1.1">
<security-domains>
<!-- other security domains defined here -->
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="RealmUsersRoles" flag="required">
<module-option name="usersProperties"
value="${jboss.server.config.dir}/application-users.properties"/>
<module-option name="rolesProperties"
value="${jboss.server.config.dir}/application-roles.properties"/>
<module-option name="realm" value="ApplicationRealm"/>
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
The most important options are the usersProperties
and rolesProperties
. They point to the properties files
generated by the JBoss (or manually crafted). Remember to use the server-relative path to define their location!
We still lack appropriate users and their roles entries in those usersProperties
and rolesProperties
files. If
you SSH to your OpenShift application instance, you’ll notice that there is no add-user.sh
script in $JBOSS_HOME/bin
.
The easiest solution I could find was to invoke $JBOSS_HOME/bin/add-user.sh
from your local JBoss AS 7 instance,
and copy the content of updated $JBOSS_HOME/standalone/configuration/application-users.properties
and
$JBOSS_HOME/standalone/configuration/application-roles.properties
to the respective files on your OpenShift box.
Note: The realm name becomes a part of the user’s hash in application-users.properties
, so remember to use the
correct value in your case. In the end – don’t forget to restart your JBoss cartridge.
Many thanks to bdecoste who answered a lot of my OpenShift questions.