
Template for secured Java web applications

Simple Java web application template with secured content.

Get it

Get a released version or build the app yourself.

How to build it

Use git to get it

git clone git://github.com/kwart/secured-webapp-template.git

or download current sources as a zip file

You need to have Maven installed

cd secured-webapp-template
mvn clean install

Configure the application server

The vendor-specific deployment descriptors (WEB-INF/jboss-web.xml and WEB-INF/jboss-ejb3.xml) refer to a web-tests security domain, which you have to add to your configuration. Define the new security domain with the JBoss CLI (jboss-cli.sh / jboss-cli.bat), using whichever of the two variants below matches your server version:

Use Elytron security

Elytron is the new security framework in WildFly 11+ and EAP 7.1+.

Unlike legacy security, Elytron's properties-realm cannot load property files from the deployment classpath, so we use a filesystem-realm to populate the test users.

bin/jboss-cli.sh << EOT
embed-server

# create realm with users
/subsystem=elytron/filesystem-realm=web-tests:add(path=web-tests,relative-to=jboss.server.config.dir)

/subsystem=elytron/filesystem-realm=web-tests:add-identity(identity=user)
/subsystem=elytron/filesystem-realm=web-tests:set-password(identity=user, clear={password="user"})
/subsystem=elytron/filesystem-realm=web-tests:add-identity-attribute(identity=user, name=groups, value=["Users"])

/subsystem=elytron/filesystem-realm=web-tests:add-identity(identity=admin)
/subsystem=elytron/filesystem-realm=web-tests:set-password(identity=admin, clear={password="admin"})
/subsystem=elytron/filesystem-realm=web-tests:add-identity-attribute(identity=admin, name=groups, value=["Users", "Admin"])

# create security domain and other necessary config objects
/subsystem=elytron/simple-role-decoder=web-tests:add(attribute=groups)
/subsystem=elytron/constant-permission-mapper=web-tests:add(permissions=[{class-name="org.wildfly.security.auth.permission.LoginPermission"}])
/subsystem=elytron/security-domain=web-tests:add(default-realm=web-tests, permission-mapper=web-tests, realms=[{role-decoder=web-tests, realm=web-tests}])

# map the Elytron security domain from the Undertow and EJB subsystems
/subsystem=elytron/provider-http-server-mechanism-factory=web-tests:add()
/subsystem=elytron/http-authentication-factory=web-tests:add(security-domain=web-tests, \
  http-server-mechanism-factory=web-tests, \
  mechanism-configurations=[ \
    {mechanism-name=DIGEST,mechanism-realm-configurations=[{realm-name=web-tests}]}, \
    {mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=web-tests}]}, \
    {mechanism-name=FORM}])
/subsystem=undertow/application-security-domain=web-tests:add(http-authentication-factory=web-tests)
/subsystem=ejb3/application-security-domain=web-tests:add(security-domain=web-tests)

EOT

Use Legacy security (JBoss AS 7 / EAP 6+ / WildFly 8+)

Use the UsersRoles JAAS login module, which ships with the application server; it reads the users.properties and roles.properties files from the deployment classpath (WEB-INF/classes).

/subsystem=security/security-domain=web-tests:add(cache-type=default)
/subsystem=security/security-domain=web-tests/authentication=classic:add( \
  login-modules=[{"code"=>"UsersRoles", "flag"=>"required"}]) {allow-resource-service-restart=true}

How to use DIGEST authentication with Legacy security

If you want to enable DIGEST authentication in the web.xml deployment descriptor, you also need to configure the web-tests security domain to hash the passwords stored in the users.properties file.

The CLI commands to do it:

/subsystem=security/security-domain=web-tests:add(cache-type=default)
/subsystem=security/security-domain=web-tests/authentication=classic:add( \
  login-modules=[{"code"=>"UsersRoles", "flag"=>"required", \
    "module-options"=>{"hashAlgorithm"=>"MD5", "hashEncoding"=>"RFC2617", \
      "hashUserPassword"=>"false", "hashStorePassword"=>"true", \
      "passwordIsA1Hash"=>"false", \
      "storeDigestCallback"=>"org.jboss.security.auth.callback.RFC2617Digest"}}]) \
  {allow-resource-service-restart=true}
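Both variants above end up doing the same server-side arithmetic for DIGEST: the Elytron mechanism advertises realm-name=web-tests in its challenge, and the legacy RFC2617Digest callback recomputes the RFC 2617 response from the stored password and compares it with what the client sent. The Python below is an added example, not code from the template; it verifies a constructed Authorization header against the user/user and admin/admin identities the CLI script creates, and the nonce, client nonce and request URI it uses are made up for the test.

```python
import hashlib
import hmac
import re

# Constructed test identities mirroring the CLI script (user/user, admin/admin).
USERS = {"user": "user", "admin": "admin"}
REALM = "web-tests"  # the realm-name from the DIGEST mechanism configuration


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def parse_digest_header(header: str) -> dict:
    """Parse the key=value pairs of an 'Authorization: Digest ...' header."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest header")
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header[len("Digest "):]):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def expected_response(username, password, realm, method, params):
    # RFC 2617: HA1 = MD5(user:realm:password), HA2 = MD5(method:uri)
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{params['uri']}")
    if params.get("qop") == "auth":
        return md5_hex(f"{ha1}:{params['nonce']}:{params['nc']}:{params['cnonce']}:auth:{ha2}")
    return md5_hex(f"{ha1}:{params['nonce']}:{ha2}")  # RFC 2069 form, no qop


def verify(method: str, header: str, issued_nonce: str) -> bool:
    """Server-side check: recompute the response from the stored password and compare."""
    p = parse_digest_header(header)
    if p.get("realm") != REALM or p.get("nonce") != issued_nonce:
        return False  # wrong realm, or a nonce this server never issued
    password = USERS.get(p.get("username", ""))
    if password is None:
        return False
    calc = expected_response(p["username"], password, REALM, method, p)
    return hmac.compare_digest(calc, p.get("response", ""))


def build_client_header(username, password, method, uri, nonce, cnonce="0a4f113b", nc="00000001"):
    """What a browser would send for the challenge; used here only to construct test input."""
    p = {"uri": uri, "nonce": nonce, "cnonce": cnonce, "nc": nc, "qop": "auth"}
    resp = expected_response(username, password, REALM, method, p)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')
```

Because the stored password enters HA1 together with the realm, changing the realm name in the mechanism configuration invalidates any pre-hashed (A1) entries, which is why the legacy variant keeps passwordIsA1Hash=false and hashes at login time.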

Deploy and use application

Copy the produced secured-webapp.war from the target folder to the deployment folder of your container.

Open the application URL in the browser. E.g. http://localhost:8080/secured-webapp/

Contributors

kwart