Optional: Add, edit, or remove module options.

If you need to add options to your module, click its entry in the Login Modules list, and select the Module Options tab in the Details section of the page. Click the Add button, and provide the key and value for the option. To edit an option that already exists, click the key or to change it. Use the Rem ove button to remove an option.

Result

Your authorization policy module is added to the security domain, and is immediately available to applications which use the security domain.

Report a bug

5.12.1. About Java Authorization Contract for Containers (JACC)

Java Authorization Contract for Containers (JACC) is a standard which defines a contract between containers and authorization service providers, which results in the implementation of providers for use by containers. It was defined in JSR-115, which can be found on the Java Community Process website at http://jcp.org/en/jsr/detail?id=115. It has been part of the core Java Enterprise Edition (Java EE)

specification since Java EE version 1.3.

JBoss EAP 6 implements support for JACC within the security functionality of the security subsystem. Report a bug

5.12.2. Configure Java Authorization Contract for Containers (JACC) Security

To configure Java Authorization Contract for Containers (JACC), you need to configure your security domain with the correct module, and then modify your jboss-web.xm l to include the correct parameters.

Add JACC Support to the Security Domain

To add JACC support to the security domain, add the JACC authorization policy to the authorization stack of the security domain, with the required flag set. The following is an example of a security domain with JACC support. However, the security domain is configured in the Management Console or Management CLI, rather than directly in the XML.

<security-domain name="jacc" cache-type="default"> <authentication>

<login-module code="UsersRoles" flag="required"> </login-module>

</authentication> <authorization>

<policy-module code="JACC" flag="required"/> </authorization>

</security-domain>

Configure a Web Application to use JACC

The jboss-web.xm l is located in the MET A-INF/ or WEB-INF/ directory of your deployment, and contains overrides and additional JBoss-specific configuration for the web container. To use your JACC- enabled security domain, you need to include the <security-dom ain> element, and also set the <use-jboss-authorization> element to true. The following application is properly configured to use the JACC security domain above.

<jboss-web>

<security-domain>jacc</security-domain>

<use-jboss-authorization>true</use-jboss-authorization> </jboss-web>

Configure an EJB Application to Use JACC

Configuring EJBs to use a security domain and to use JACC differs from Web Applications. For an EJB, you can declare method permissions on a method or group of methods, in the ejb-jar.xm l

Example 5.20. Example JACC Method Permissions in an EJB

<ejb-jar>

<method-permission>

<description>The employee and temp-employee roles may access any method of the EmployeeService bean </description>

<role-name>employee</role-name> <role-name>temp-employee</role-name> <method>

<ejb-name>EmployeeService</ejb-name> <method-name>*</method-name>

</method>

</method-permission> </ejb-jar>

You can also constrain the authentication and authorization mechanisms for an EJB by using a security domain, just as you can do for a web application. Security domains are declared in the jboss-

ejb3.xm l descriptor, in the <security> child element. In addition to the security domain, you can also specify the run-as principal, which changes the principal the EJB runs as.

Example 5.21. Example Security Domain Declaration in an EJB

<security>

<ejb-name>*</ejb-name>

<security-domain>myDomain</security-domain> <run-as-principal>myPrincipal</run-as-principal> </security>

Report a bug

5.12.3. Fine Grained Authorization Using XACML

5.12.3.1. About Fine Grained Authorization and XACML

Fine Grained Authorization caters to the changing requirements and multiple variables involved in the decision making process, which becomes the basis of providing authorization for accessing a module. Hence, the process of Fine Grained Authorization is complex in itself.

JBoss uses XACML as a medium to achieve Fine Grained Authorization. XACML provides standards based solution to the complex nature of achieving Fine Grained Authorization. XACML defines a policy language and an architecture for decision making. The XACML architecture includes a Policy

Enforcement Point (PEP), which intercepts any requests in a normal program flow, then asks a Policy Decision Point (PDP) to make an access decision based on the policies associated with the PDP. The PDP evaluates the XACML request created by the PEP and runs through the policies to make one of the following access decisions:

PERMIT - The access is approved. DENY - The access is denied.

INDETERMINATE - There is an error at the PDP.

The following are the features of the XACML: Oasis XACML v2.0 library

JAXB v2.0 based object model

ExistDB Integration for storing/retrieving XACML Policies and Attributes Report a bug

5.12.3.2. Configure XACML for Fine Grained Authorization The following is the procedure to configure XACML.

In document JBoss Enterprise Application Platform 6.2 Security Guide (Page 62-65)