How can Seam be configured to use different security-constraints for different web-resource-collections?

In web.xml I included a section like

<security-constraint>
    <web-resource-collection>
        <web-resource-name>AdminPages</web-resource-name>
        <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <role-name>admin</role-name>
</security-role>

If I omit the configuration above (web.xml), the user is authenticated (password only) using JAAS. I would prefer not to write code for authentication; I really only need to check that the user has the required role (admin).

In Seam this doesn't work as expected. I receive HTTP error code 403 while trying to access the pages in /secure/*.

I configured this in components.xml. It works when web.xml is not changed.

<security:identity jaas-config-name="admins" />

And jboss-web.xml

<jboss-web>
    <security-domain>java:/jaas/admins</security-domain>
</jboss-web>

The question is: where do I configure the role?

+3  A: 

You have to set up a new security domain on JBoss.

For instance:

<policy>
    <application-policy name="testUsersRoles">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                          flag="required">
                <module-option name="usersProperties">usersb64.properties</module-option>
                <module-option name="hashAlgorithm">MD5</module-option>
                <module-option name="hashEncoding">base64</module-option>
                <module-option name="unauthenticatedIdentity">nobody</module-option>
            </login-module>
        </authentication>
    </application-policy>
</policy>

(in the conf/login-config.xml file of your JBoss instance).

You have more information here: Security on JBoss

UPDATE:

About the "use different security-constraints for different web-resource-collections" part of your question, you can set it up by adding a different "security-constraint" for every group of resources to control:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>AdminPages</web-resource-name>
        <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>


<security-constraint>
    <web-resource-collection>
        <web-resource-name>CommonUserPages</web-resource-name>
        <url-pattern>/common/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
        <role-name>commonUser</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <role-name>admin</role-name>
    <role-name>commonUser</role-name>
</security-role>

Please note that both roles will be extracted by the associated LoginModule at login time. So when your LoginModule authenticates a user, it retrieves the set of roles to which this user belongs.

Tomas Narros
@Tomas Narros, thanks for your reply. Yes, I did set up the application-policy; as I noted, it works for authenticating the user. The issue is that I need to check the role as well.
stacker
The login module, aside from authentication, takes care of authorization (it loads the user's profiles into the user identity, in a Principal object linked to the user session). Depending on the implementation selected, it is configured in a different way (groups for LdapLoginModule, roles.properties for the simple UsersRolesLoginModule, etc).
Tomas Narros
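The answer's note that the LoginModule "retrieves the set of roles which this user belongs to" and the comment that the login module also handles authorization describe the two halves of a JAAS login: login() verifies the credential, commit() attaches identity and role Principals to the Subject, and the container's auth-constraint check then only asks whether one of the required roles is present. The following self-contained JAAS example (added here; it is not code from the question, the answer, Seam or JBoss) shows that separation on a plain JDK 11 or newer, with no application server. Everything in it is constructed: the user and role tables stand in for users.properties and roles.properties, the programmatic Configuration stands in for the application-policy block, and hasAnyRole() plays the part of the container evaluating an auth-constraint. JBoss's own login modules publish roles through a Group principal named "Roles"; this example uses a plain RolePrincipal class instead so that it compiles on any JDK.

```java
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import java.security.Principal;
import java.util.*;

public class RoleAwareLoginDemo {

    /** Identity principal: who logged in. */
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Role principal: one per role the user belongs to, added at commit() time. */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Minimal LoginModule backed by constructed in-memory tables (hypothetical, not a JBoss class). */
    public static class TableLoginModule implements LoginModule {
        // Constructed sample data standing in for users.properties and roles.properties.
        // A real module stores and compares password hashes (cf. hashAlgorithm/hashEncoding
        // options) rather than clear-text passwords; the demo keeps it readable.
        private static final Map<String, char[]> PASSWORDS = Map.of(
                "alice", "secret".toCharArray(),
                "bob", "hunter2".toCharArray());
        private static final Map<String, List<String>> ROLES = Map.of(
                "alice", List.of("admin", "commonUser"),
                "bob", List.of("commonUser"));

        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private boolean authenticated;

        @Override public void initialize(Subject subject, CallbackHandler handler,
                                         Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        /** Authentication only: check the password and remember the user; no principals yet. */
        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (java.io.IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e.getMessage());
            }
            char[] expected = PASSWORDS.get(nc.getName());
            char[] given = pc.getPassword();   // returns a copy; wipe it after use
            pc.clearPassword();
            authenticated = expected != null && given != null && Arrays.equals(expected, given);
            if (given != null) Arrays.fill(given, '\0');
            if (!authenticated) throw new FailedLoginException("bad user or password");
            user = nc.getName();
            return true;
        }

        /** Authorization data: attach the identity and every role as Principals on the Subject. */
        @Override public boolean commit() {
            if (!authenticated) return false;
            Set<Principal> principals = subject.getPrincipals();
            principals.add(new UserPrincipal(user));
            for (String role : ROLES.getOrDefault(user, List.of())) {
                principals.add(new RolePrincipal(role));
            }
            return true;
        }

        @Override public boolean abort() { user = null; authenticated = false; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Container-side check equivalent to an auth-constraint: any required role present? */
    public static boolean hasAnyRole(Subject subject, Set<String> requiredRoles) {
        for (RolePrincipal role : subject.getPrincipals(RolePrincipal.class)) {
            if (requiredRoles.contains(role.getName())) return true;
        }
        return false;
    }

    /** Programmatic stand-in for the application-policy entry in login-config.xml. */
    static Configuration jaasConfig() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        TableLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        };
    }

    /** Run a full JAAS login for the given credentials and return the populated Subject. */
    static Subject login(String user, String password) throws LoginException {
        CallbackHandler handler = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("admins", null, handler, jaasConfig());
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) throws LoginException {
        Subject alice = login("alice", "secret");
        Subject bob = login("bob", "hunter2");
        // /secure/* requires admin; /common/* accepts admin or commonUser (as in the web.xml above)
        System.out.println("alice -> /secure/*: " + hasAnyRole(alice, Set.of("admin")));
        System.out.println("alice -> /common/*: " + hasAnyRole(alice, Set.of("admin", "commonUser")));
        System.out.println("bob   -> /secure/*: " + hasAnyRole(bob, Set.of("admin")));
        System.out.println("bob   -> /common/*: " + hasAnyRole(bob, Set.of("admin", "commonUser")));
    }
}
```

Compile and run with javac RoleAwareLoginDemo.java && java RoleAwareLoginDemo. Bob authenticates successfully but holds only commonUser, so the check for /secure/* fails for him while /common/* passes; that is exactly the situation behind the 403 in the question: authentication succeeded, but the login module never put the admin role on the Subject, so the container's auth-constraint had nothing to match. With UsersRolesLoginModule the role table is the roles.properties file the comment mentions, which must list the user under the admin role for the constraint in web.xml to be satisfied.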