How to define a security role in JBoss 4.2.3.

Document ID : KB000050901
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

For CA Identity Manager releases R12 CR13 onwards/R12.5 SP6 onwards, logging.jsp and ping.jsp are no longer by default. As specified in the readme.txt file located under <IMTOOLS>/samples/admin, it is now required to manually deploy the jsp files and then configure a security role within JBoss in order to protect these pages. This How-to document is to be used as a supplement to the original readme.txt file. Steps 1 and 2 are copied from original readme.txt file for convenience purposes only. This document only adds information when we get to step 3.

Solution:

Before following the below steps make sure the JBoss server is stopped.

  1. Copy the logging.jsp and ping.jsp files from:

    C:\Program Files\CA\Identity Manager\IAM Suite\IdentityManager\tools\samples\Admin\user_console.war
    To:
    C:\jboss-4.2.3.GA\server\default\deploy\IdentityMinder.ear\user_console.war

    Copy the ping.jsp file from:

    C:\Program Files\CA\Identity Manager\IAM Suite\IdentityManager\tools\samples\Admin\user_console.war\app
    To:
    C:\jboss-4.2.3.GA\server\default\deploy\IdentityMinder.ear\user_console.war\app

    Copy the ping.jsp file from:

    C:\Program Files\CA\Identity Manager\IAM Suite\IdentityManager\tools\samples\Admin\user_console.war\ui
    To:
    C:\jboss-4.2.3.GA\server\default\deploy\IdentityMinder.ear\user_console.war\ui

  2. Add following section after last taglib tag in the file user_console.war\WEB-INF\web.xml under IAM application EAR location in order to secure the admin toolkit:
            <security-constraint>        <web-resource-collection>          <web-resource-name>IAMSecureAdminTooles</web-resource-name>          <description>Security constraint for IAM Admin Tools</description>          <url-pattern>/ping.jsp</url-pattern>          <url-pattern>/logging.jsp</url-pattern>          <url-pattern>/app/adapterBLTHTest.jsp</url-pattern>          <url-pattern>/app/objectTest.jsp</url-pattern>          <url-pattern>/app/ping.jsp</url-pattern>          <url-pattern>/app/pluginTest.jsp</url-pattern>          <url-pattern>/ui/ping.jsp</url-pattern>          <http-method>POST</http-method>          <http-method>GET</http-method>        </web-resource-collection>        <auth-constraint>            <description>only let the admin users use secured admin tools</description>            <role-name>IAMAdmin</role-name>        </auth-constraint>        <user-data-constraint>          <description>SSL not required</description>          <transport-guarantee>NONE</transport-guarantee>        </user-data-constraint>    </security-constraint>    <login-config>        <auth-method>BASIC</auth-method>        <realm-name>IAM Realm</realm-name>    </login-config>    <security-role>      <description>The IAM Secure Admin Role</description>      <role-name>IAMAdmin</role-name>    </security-role>
  3. Create security role IAMAdmin and assign at least one admin user to it using application server specific documentation. Below is an example for steps for creating the required security role and assigning admin users to it:

  4. It is assumed step 1 has been performed, and the relevant code was added to C:\jboss-4.2.3.GA\server\default\deploy\IdentityMinder.ear\user_console.war\WEB-INF\web.xml

    Create a new file named jboss-web.xml under

    C:\jboss-4.2.3.GA\server\default\deploy\IdentityMinder.ear\user_console.war\WEB-INF and add the following content:
    <jboss-web>       <context-root></context-root>       <security-domain>java:/jaas/tools</security-domain></jboss-web>
    Note: tools is the name for an application policy name that will be created in the next step.

  5. Edit C:\jboss-4.2.3.GA\server\default\conf\login-config.xml by adding the following lines:
           <!-- start of tools configuration CR13 -->         <application-policy name="tools">           <authentication>           <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">             <module-option name="hashAlgorithm">MD5</module-option>             <module-option name="hashEncoding">base64</module-option>             <module-option name="usersProperties">tools-users.properties</module-option>             <module-option name="rolesProperties">tools-roles.properties</module-option>          </login-module>          </authentication>        </application-policy>       <!-- end of tools configuration CR13 -->
  6. Open command prompt to C:\jboss-4.2.3.GA\server\default\lib and run following command:

    java -cp jbosssx.jar org.jboss.security.Base64Encoder your_password md5

    replace your_password with the password value you would like to encrypt.

  7. Create a file named tools-users.properties under C:\jboss-4.2.3.GA\server\default\conf - each line in this file should contain a username and a password in the following format:

    username=password

    Add the following line to the newly created file:
    imuser=<Password_Generated_In_Previous_Step>

  8. Create a file named tools-roles.properties under C:\jboss-4.2.3.GA\server\default\conf - each line in this file should contain a username and a role in the following format:

    username=rolename

    Add the following line to the newly created file:
    imuser=IAMAdmin

  9. Open command prompt to C:\jboss-4.2.3.GA\bin and run compile_jsp.bat (or compile_jsp.sh on unix/linux)

  10. Start JBoss, and browse to http://<JBOSS_FQDN:PORT>/idm/logging.jsp - you are prompted to enter credentials - use imuser for username and the password created for accessing logging.jsp.

These credentials are valid to all sample jsp files deployed in step 1.