Home/ Questions/Q 3320588
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-17T22:57:40+00:00

How can Seam be configured to use different security-constraints for different web-resource-collections? In web.xml

  • 0

How can Seam be configured to use different security-constraints for different web-resource-collections?

In web.xml I included a sections like 

<security-constraint>
    <web-resource-collection>
        <web-resource-name>AdminPages</web-resource-name>
        <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <role-name>admin</role-name>
</security-role>

If I omit the configuration above (web.xml). The user is authenticated (only password) using JAAS. I would prefer not write code for Authenticatin, I really only need to check that the user has the required role (admin).

In Seam this doesn’t work like expected. I receive HTTP-Errorcode 403 while trying to access the pages in /secure/*

I configured in components.xml This works when web.xml is not changed.

<security:identity jaas-config-name="admins" />

And jboss-web.xml

<jboss-web>
    <security-domain>java:/jaas/admins</security-domain>
</jboss-web>

The question is where do I configure the role.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You have to set up a new security domain on JBoss.

    For instance: 

    <policy>
    <application-policy name="testUsersRoles">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                          flag="required">
                <module-option name="usersProperties">usersb64.properties</module-option>
                <module-option name="hashAlgorithm">MD5</module-option>
                <module-option name="hashEncoding">base64</module-option>
                <module-option name="unauthenticatedIdentity">nobody</module-option>
            </login-module>
        </authentication>
    </application-policy>
</policy>

    (at the conf/login-config.xml file of your JBoss instance).

    You have more information here: Security on JBoss

    UPDATE:

    About the “use different security-constraints for different web-resource-collections” part of your question, you can set it adding a different “security-constraint” for every group of resources to control:

    <security-constraint>
    <web-resource-collection>
        <web-resource-name>AdminPages</web-resource-name>
        <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>


<security-constraint>
    <web-resource-collection>
        <web-resource-name>CommonUserPages</web-resource-name>
        <url-pattern>/common/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
        <role-name>commonUser</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <role-name>admin</role-name>
    <role-name>commonUser</role-name>
</security-role>

    Please, note that both roles will be extracted by the asociated LoginModule at login time. So when your LoginModule authenticates an user, it retrieves the set of roles which this user belongs to.

    • 0