Security in JBoss
Securing Applications
Filtering clients by source IP addresses
Requiring authentication and authorization
Data transport integrity and confidentiality (SSL)
We will explore each one of these in turn
Filtering Clients by Source
Limit access to web applications by client IP or hostname
Configured through Tomcat Valves
Different levels: <Engine> (global), <Host> (per virtual host), <Context> (per web application)
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.*,127.*" />
<Valve className="org.apache.catalina.valves.RemoteHostValve" deny="spamhost.com" />
Configured through a Servlet Filter
A simple implementation is provided by JBoss, but servlet filters themselves are standard Java EE and therefore application-server independent
To limit client access through Tomcat, add a desired <Valve> in <Engine> or <Host> elements within ${jboss.server.home.url}/deploy/jbossweb.sar/server.xml file
Limiting per web application can still be done through Tomcat by creating a <Context> file ${jboss.server.home.url}/deploy/<app>.war/WEB-INF/context.xml:
<Context>
    <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.*.*" />
</Context>
To limit client access in an application-server-neutral way, configure a servlet filter in the WEB-INF/web.xml file as follows:
<web-app ...>
    ...
    <filter>
        <filter-name>RemoteHostFilter</filter-name>
        <filter-class>org.jboss.remotehostfilter.RemoteHostFilter</filter-class>
        <init-param>
            <param-name>allow</param-name>
            <param-value>192.168.*,127.*</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>RemoteHostFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    ...
</web-app>
A simple implementation of this filter can be found at http://community.jboss.org/wiki/LimitAccessToCertainClients
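As an added example (not the JBoss wiki implementation and not code from these slides), the following servlet filter shows what such an allow/deny filter looks like in practice. It reads the same comma-separated `allow` and `deny` init parameters as the web.xml above, treats each entry as a glob where `*` matches any run of characters (an assumption; Tomcat's own valves interpret the entries as regular expressions), and applies the same precedence as the Tomcat valves: a deny match always wins, then an allow match admits, and once an allow list is present anything unmatched is rejected. The package name `example.filter` is hypothetical. The address checked is the socket peer address from `getRemoteAddr()`, never a client-supplied header such as `X-Forwarded-For`, since a client can set that header to anything; behind a trusted reverse proxy the proxy, not this filter, should enforce the restriction.

```java
package example.filter; // hypothetical package; added example, not the JBoss wiki code

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class RemoteHostFilter implements Filter {

    private List<Pattern> allow = new ArrayList<Pattern>();
    private List<Pattern> deny = new ArrayList<Pattern>();

    // Read "allow" and "deny" from the <init-param> elements in web.xml.
    public void init(FilterConfig config) throws ServletException {
        allow = compile(config.getInitParameter("allow"));
        deny = compile(config.getInitParameter("deny"));
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Socket peer address only. Headers such as X-Forwarded-For are client-controlled
        // and must not be used as the basis for this decision.
        String addr = request.getRemoteAddr();
        if (!isAllowed(addr, allow, deny)) {
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
    }

    // Same precedence as Tomcat's RemoteAddrValve/RemoteHostValve:
    // 1. any deny match rejects; 2. any allow match admits;
    // 3. with no allow list at all, unmatched addresses are admitted;
    // 4. with an allow list present, unmatched addresses are rejected.
    static boolean isAllowed(String addr, List<Pattern> allow, List<Pattern> deny) {
        for (Pattern p : deny) {
            if (p.matcher(addr).matches()) {
                return false;
            }
        }
        for (Pattern p : allow) {
            if (p.matcher(addr).matches()) {
                return true;
            }
        }
        return allow.isEmpty();
    }

    // Turn "192.168.*,127.*" into anchored regexes. Every character other than '*'
    // is quoted, so a '.' in the list matches only a literal dot.
    static List<Pattern> compile(String csv) {
        List<Pattern> patterns = new ArrayList<Pattern>();
        if (csv == null || csv.trim().length() == 0) {
            return patterns;
        }
        for (String entry : csv.split(",")) {
            String glob = entry.trim();
            if (glob.length() == 0) {
                continue;
            }
            StringBuilder regex = new StringBuilder("^");
            for (char c : glob.toCharArray()) {
                regex.append(c == '*' ? ".*" : Pattern.quote(String.valueOf(c)));
            }
            regex.append('$');
            patterns.add(Pattern.compile(regex.toString()));
        }
        return patterns;
    }

    // Stand-alone check with constructed addresses (no container needed).
    public static void main(String[] args) {
        List<Pattern> allow = compile("192.168.*,127.*");
        List<Pattern> deny = compile("192.168.1.99");
        System.out.println(isAllowed("192.168.1.10", allow, deny)); // true
        System.out.println(isAllowed("192.168.1.99", allow, deny)); // false (deny wins)
        System.out.println(isAllowed("10.0.0.5", allow, deny));     // false (allow list present)
        // Note: on a dual-stack JVM the loopback peer may appear as "0:0:0:0:0:0:0:1",
        // which "127.*" does not match; add it to the allow list if loopback is intended.
        System.out.println(isAllowed("0:0:0:0:0:0:0:1", allow, deny)); // false
    }
}
```

The last line of `main` illustrates a common surprise when moving a rule like `127.*` from an IPv4-only test box to a host where the JVM binds dual-stack: the loopback address no longer matches and local monitoring calls start receiving 403 responses.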