Security in JBoss

Securing Applications

Filtering clients by source IP addresses

Requiring authentication and authorization

Data transport integrity and confidentiality (SSL)

We will explore each one of these in turn

Filtering Clients by Source Limit access to web applications by client IP or hostname Configured through Tomcat Valves Different levels: <Engine> (global), <Host> (per virtual host), <Context> (per web application) <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.*,127.*" /> <Valve className="org.apache.catalina.valves.RemoteHostValve" deny="" />

Configured through a Servlet Filter

Simple implementation is provided by JBoss but servlet filters are Java EE AS-independent

To limit client access through Tomcat, add a desired <Valve> in <Engine> or <Host> elements within ${jboss.server.home.url}/deploy/jbossweb.sar/server.xml file

Limiting per web application can be still done through Tomcat by creating a <Context> file ${jboss.server.home.url}/deploy/<app>.war/WEB-INF/context.xml:


<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.*.*" />


To limit client access in a application-server-neutral way, configure a servlet filter in WEB-INF/web.xml file as follows:

<web-app ...>
















A simple implementation of this filter can be found at

For indepth understanding on JBoss click on: