Securing AJAX Servlets in JBoss Portal

by Andy Pemberton
Dec. 31, 08

Before the Portlet 2 specification (JSR286), the recommended method for adding AJAX functionality to a JSR168 portlet was to deploy an additional servlet to the portal server (either inside the same WAR as your portlet(s) or in a stand-alone WAR) to handle asynchronous requests. Requests to these servlets are then handled by the servlet container as opposed to being routed through the portlet container, so they don’t automatically inherit the security context from the portal, as your portlets would.

The goal of this article is to describe how to enable security in your AJAX servlets in JBoss Portal 2.6.

JBoss Portal 2.7 supports JSR286, which builds AJAX request handling into portlets themselves. While this technique may be less useful in that environment, nothing precludes the use of AJAX servlets under JSR286, so it may still come in handy.

Securing AJAX servlets in JBoss Portal 2.6 involves four high-level steps.

Step 1: Add the Portal’s Security Application Policy to the Servlet Container

Step 1 is mostly a copy/paste effort. The key point here is that you’re configuring the servlet container to use the same JAAS settings that you’ve configured the Portal to use. You’ll want to look at the Portal’s JAAS settings in: $PS_HOME/server/default/deploy/jboss-portal.sar/conf/login-config.xml

There should be a block that looks something like the one below; copy it into the login-config used by the servlet container at: $PS_HOME/server/default/conf/login-config.xml


<application-policy name="portal">
	<authentication>
		<login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="required">
			<module-option name="unauthenticatedIdentity">guest</module-option>
			<module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
			<module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
			<module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
			<module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
			<module-option name="additionalRole">Authenticated</module-option>
			<module-option name="password-stacking">useFirstPass</module-option>
		</login-module>
	</authentication>
</application-policy>


Step 2: Secure your AJAX Servlet Web Application

This step is standard for securing web applications; just add the appropriate security settings to the web.xml deployed with your AJAX servlet WAR.

For example, these settings may look like:


<security-constraint>
	<web-resource-collection>
		<web-resource-name>Security</web-resource-name>
		<url-pattern>/*</url-pattern>
	</web-resource-collection>
	<auth-constraint>
		<role-name>Authenticated</role-name>
	</auth-constraint>
</security-constraint>
<login-config>
	<auth-method>BASIC</auth-method>
	<realm-name>JBoss Portal</realm-name>
</login-config>
<security-role>
	<role-name>Authenticated</role-name>
</security-role>


Step 3: Configure your Servlet Web App to use the Portal Security Policy

At this point, we need to tell the servlet web app which JAAS security-domain to use, i.e. the one we added in Step 1. To do this, JBoss provides a proprietary extension to the servlet spec: a jboss-web.xml descriptor placed in the same location as your web.xml. Add the following:


<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 4.2//EN"
    "http://www.jboss.org/j2ee/dtd/jboss-web_4_2.dtd">
<jboss-web>
	<security-domain>java:jaas/portal</security-domain>
</jboss-web>

At this point, your servlet web application should be secured and using the same security-domain as the Portal. There’s only one small problem: when you first log in (if you used BASIC as your auth-method, as in my example), you’ll notice that your AJAX calls prompt you to log in again, in addition to logging in to the portal. This is because the Portal and your AJAX servlet application are separate web applications deployed to the application server, and they do not inherently trust each other’s authenticated sessions.

Step 4: Enable Single Sign On between the Portal and your Servlet Web App

Luckily, JBoss uses Tomcat under the covers as the servlet container, and Tomcat has a nice, out-of-the-box feature for enabling single-sign-on (SSO) between web apps. To do so, you simply need to enable the SSO valve in Tomcat’s server configuration at: $PS_HOME/server/default/deploy/jboss-web.deployer/server.xml

See the Portal reference guide for more information on enabling SSO in Tomcat.
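As an added illustration (not from the original article or the JBoss Portal distribution), here is the shape of the server.xml change: the SingleSignOn valve is placed inside the Host element that both the Portal and the AJAX servlet WAR are deployed to. The Engine and Host attributes other than name are omitted and should be kept as they already are in your file; the valve class name is Tomcat's standard one.

```xml
<!-- $PS_HOME/server/default/deploy/jboss-web.deployer/server.xml (excerpt) -->
<Engine name="jboss.web" defaultHost="localhost">

  <!-- The Realm shipped with JBoss stays as is; it delegates to the JAAS
       security-domain each web app names in its jboss-web.xml, which for
       both the Portal and the AJAX servlet WAR is java:jaas/portal. -->

  <Host name="localhost">

    <!-- Tomcat's single sign-on valve. Once a user authenticates to any
         web app on this Host (here: the Portal), the valve issues a
         host-scoped JSESSIONIDSSO cookie and reuses that authenticated
         principal for the other web apps on the same Host, so the AJAX
         servlet WAR no longer raises its own BASIC prompt.
         This only works because (a) both WARs use the same security-domain
         and (b) both are deployed to this same Host. -->
    <Valve className="org.apache.catalina.authenticator.SingleSignOn" />

    <!-- ... remaining Host children unchanged ... -->
  </Host>
</Engine>
```

After restarting the server, a request to the AJAX servlet made from a browser that has already logged in to the Portal should carry the JSESSIONIDSSO cookie and return 200 without a second prompt, while a fresh client with no cookie should still receive the 401 from the security-constraint in Step 2.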

Conclusion

So that does it. Your AJAX servlets are now secured using the same security-domain as your Portal install and are configured for SSO.

Hopefully you found this technique helpful; if you have any comments, questions, or improvements please comment.

From Andy Pemberton's blog