Security in JBoss

Securing Applications

Filtering clients by source IP addresses

Requiring authentication and authorization

Data transport integrity and confidentiality (SSL)

We will explore each one of these in turn

Filtering Clients by Source

Limit access to web applications by client IP or hostname

Configured through Tomcat Valves

Different levels: <Engine> (global), <Host> (per virtual host), <Context> (per web application)

<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.*,127.*" />

<Valve className="org.apache.catalina.valves.RemoteHostValve" deny="" />

Configured through a Servlet Filter

Simple implementation is provided by JBoss but servlet filters are Java EE AS-independent

To limit client access through Tomcat, add a desired <Valve> in <Engine> or <Host> elements within ${jboss.server.home.url}/deploy/jbossweb.sar/server.xml file

Limiting per web application can be still done through Tomcat by creating a <Context> file ${jboss.server.home.url}/deploy/<app>.war/WEB-INF/context.xml:


<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.*.*" />


Inclined to build a profession as JBOSS Developer?

Then here is the blog post on JBOSS Training Program

To limit client access in a application-server-neutral way, configure a servlet filter in WEB-INF/web.xml file as follows:

  • <web-app ...>
  • ...
  • <filter>
  • <filter-name>RemoteHostFilter</filter-name>
  • <filter-class>org.jboss.remotehostfilter.RemoteHostFilter</filter-class>
  • <init-param>
  • <param-name>allow</param-name>
  • <param-value>192.168.*,127.*</param-value>
  • </init-param>
  • </filter>
  • <filter-mapping>
  • <filter-name>RemoteHostFilter</filter-name>
  • <url-pattern>/*</url-pattern>
  • </filter-mapping>
  • ...


A simple implementation of this filter can be found at

For indepth understanding on JBoss click on: