Chapter 8. Security on JBoss

• J2EE Declarative Security Overview

• An Introduction to JAAS

• The JBoss Security Model

• The JBossSX Architecture

• The Secure Remote Password (SRP) Protocol

• Running JBoss with a Java 2 Security Manager

• Using SSL with JBoss Using JSSE

• Configuring JBoss for Use Behind a Firewall

• Securing the JBoss Server

Security is a fundamental part of any enterprise application. You need to be able to restrict who is allowed to access your applications and control what operations application users may perform. The J2EE specifications define a simple role-based security model for EJBs and web components. The JBoss component framework that handles security is the JBossSX extension framework. The JBossSX security extension provides support for both the role-based declarative J2EE security model and integration of custom security via a security proxy layer. The default implementation of the declarative security model is based on Java Authentication and Authorization Service (JAAS) login modules and subjects. The security proxy layer allows custom security that cannot be described using the declarative model to be added to an EJB in a way that is independent of the EJB business object. Before getting into the JBoss security implementation details, we will review EJB and servlet specification security models, as well as JAAS, to establish the foundation for these details.