Home/ Questions/Q 7914549
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-03T14:09:22+00:00

I know this question is not a good question because it’s open to a

  • 0

I know this question is not a good question because it’s open to a gazillion of answers but here it is:

I am new to Java EE 6 (on JBoss AS 7), I am coming from a Tomcat + spring world.
My first real web application is something like a simple crud with jsf jpa hibernate and ejb.
Now I need to secure a URL (/admin/*) with the most trivial login form.
I already have two tables (hibernate entities) named “User” (username, password, role_id and other data) and “Role” (code,name and little more).
I could make my own LoginController, session scoped which manage the login related issues but I don’t know how to say “hey, it’s only for /admin path!”
So…. I began reading about web.xml configuration: security constraints, jdbc realms, and so on. However, sorry, but I still can’t reach a good knowledge point, I am too addicted to tutorials and learning-by-doing.

Can you help me find an example project with a simple login form?
Or at least some tutorial or a few advice on how to bind my login form to my db tables? I don’t need 500 pages of accurate documentation. Just trying to make “standard” authentication work.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Ok. First of all authentication mechanism is not provided by Java EE standard. Only role-based authentication is a part of specification. So every application server must have its custom authentication mechanism, which enables us to use database, LDAP, etc to store user credentials.

    In case of JBoss it looks as follows.

    (1) You need to define security-constraint in your web.xml (there are tons of tutorials how to do this). It tells which URLs are need login. You need to define login-config element in order to choose how the user will log-in – using browser popup window or custom form.

    (2) You need to define on JBoss side security-domain in configuration/standalone.xml. See this example for instance.

    (3) You need to join (1) and (2). This is done in jboss-web.xml file withing WEB-INF of your application. It looks more or less

    <?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
          <security-domain>NAME-OF-DOMAIN-DEFINED-IN-STEP-2</security-domain>
          <context-root>ROOT-OF-YOUR-APP</context-root>
</jboss-web>

    I am not sure how it is in case of JBoss 7, but in previous versions you needed to add java:/jaas/ prefix, so security-domain content would be java:/jaas/NAME-OF-DOMAIN-DEFINED-IN-STEP-2.

    Besides, if you know Spring Framework you may consider usage of Spring Security, bypassing Java EE mechanisms.

    • 0