Enabling Java EE Security in OpenShift Application

By default few of the security features are turned off in OpenShift JBoss 7.1 cartridge.

If you want to use the Java EE security features first you need to define your security roles and constraints in your deployment descriptor, e.g. web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app>
    // ...

    <security-role>
        <role-name>admin</role-name>
    </security-role>

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/admin/login.xhtml</form-login-page>
            <form-error-page>/admin/login.xhtml?error=1</form-error-page>
        </form-login-config>
    </login-config>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Modify questions section</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
</web-app>

(I’ve omitted the logging form source code as it’s not the main point here.)

If you’ve downloaded your local JBoss archive the default standalone.xml has already preconfigured security module, so you don’t need to care about it.

However, in OpenShift some of the security features are disabled and you need to enable them explicitly.

In the above case you’d need to fiddle with your $YOUR_OPENSHIFT_REPO/.openshift/config/standalone.xml file and configure your security module similar to this:

<subsystem xmlns="urn:jboss:domain:security:1.1">
    <security-domains>

        <!-- other security domains defined here -->

        <security-domain name="other" cache-type="default">
           <authentication>
                <login-module code="RealmUsersRoles" flag="required">
                    <module-option name="usersProperties" 
                        value="${jboss.server.config.dir}/application-users.properties"/>
                    <module-option name="rolesProperties" 
                        value="${jboss.server.config.dir}/application-roles.properties"/>
                    <module-option name="realm" value="ApplicationRealm"/>
                    <module-option name="password-stacking" value="useFirstPass"/>
                </login-module>
            </authentication>
        </security-domain>

The most important options are the usersProperties and rolesProperties. They point to the properties files generated by the JBoss (or manually crafted). Remember to use the server-relative path to define their location!

We still lack appropriate users and their roles entries in those usersProperties and rolesProperties files. If you SSH to your OpenShift application instance, you’ll notice that there is no add-user.sh script in $JBOSS_HOME/bin.

The easiest solution I could find was to invoke $JBOSS_HOME/bin/add-user.sh from your local JBoss AS 7 instance, and copy the content of updated $JBOSS_HOME/standalone/configuration/application-users.properties and $JBOSS_HOME/standalone/configuration/application-roles.properties to the respective files on your OpenShift box.

Note: The realm name becomes a part of the user’s hash in application-users.properties, so remember to use the correct value in your case. In the end – don’t forget to restart your JBoss cartridge.

Many thanks to bdecoste who answered a lot of my OpenShift questions.