This document describes how to
- Configure Jackrabbit security through JAAS on Jboss.
Feel free to make changes to this document. A seperate document for basic setup is located under JackrabbitOnJBoss
This document is based on Jackrabbit-1.1, and can be used with either the JCA approach above, or the .WAR server approach.
Files that will be modified:
- JBOSS Files
- Alternatively, jboss mbean dynamicloginconfig approach.
- Jackrabbit Files
Configuring Security Authentication Policy
The security authentication policy will tie jackrabbit and the jboss security systems together. The default security policy is called Jackrabbit, but can be changed if necessary (especially if you already have an existing domain configured in jboss login-config.xml that you would like to re-use).
The security policy is repository-wide, regardless of workspace(s). If you need different security/authentication, you will need different repositories (i.e. new repository.xml for each repository). However, if you can use the same authentication but have different authorization requirements, you can use the same repository with a custom AccessManager.
<!-- remove this loginmodule to only use the login-config.xml configured modules.
<param name="anonymousId" value="anonymous"/>
<!-- your security modules for Ldap, Ad, Database, role.properties, etc here -->
Caution: name attribute of application-policy tag in login module definition could be whatever you want, until it matches appName of Security tag in repository.xml.
Configuring Authorization/Jackrabbit AccessManager
Custom access manager when using Jboss for security is referenced at SimpleJbossAccessManager
JBoss Mbean Dynamic Login Config option
This is for deployment of the authentication login modules outside of the login-config.xml. The reasoning is usually company-policy-oriented and/or preference. This is a jboss-specific option not related to Jackrabbit -- all jackrabbit configuration related to login-config.xml will now go into the jackrabbit-login-config.xml below.
Create a $JBOSS_HOME/server/<default>/deploy/jackrabbitsecurity.sar directory (yes, name the directory with .sar at the end).
<attribute name="AuthConfig">jackrabbit-login-config.xml</attribute> <depends optional-attribute-name="LoginConfigService">jboss.security:service=XMLLoginConfig</depends> <depends optional-attribute-name="SecurityManagerService">jboss.security:service=JaasSecurityManager</depends>
Place what would be your normal login-config.xml configuration here.
In addition, if you have custom login module libraries only used for this security authentication configuration, those can also be placed here.