58.8 Configuring the Login Module to Secure EJBs

You can configure the Login Module to secure EJBs.

This task involves both server-side and client-side configuration as documented in following sections.


These procedures are not used when Preparing Your Environment for JBoss 6.x Integration.

58.8.1 Configuring the Server to Secure EJBs

On the server side, you must add the security domain annotation to the EJB and add descriptors to jboss.xml. You also add a new entry to the JBoss server configuration file for the Login Module.

Securing EJBs, Web applications or a Web Service based on roles requires additional configuration in login-config.xml as follows:

<module-option name="rolesParam">OAM_GROUPS</module-option>

Here OAM_GROUPS is the response configured when "Creating a Custom Policy for JBoss Resource Protection".

You can use either the agent configured in previous steps or a new agent.


To use a new agent you must copy the ObAccessClient.xml from the /agent directory on the JBoss host to another directory.

  1. Copy ObAccessClient.xml as follows (one or the other):
    • From: $WLS_HOME/middleware/user_projects/domains/base_domain/output/agent_name.

    • To: A directory on the JBoss host.

  2. Add the @SecurityDomain("oamrealm") annotation to the EJB. For example, if the EJB class is DemoEJB the following should be added at the code level:
    import org.jboss.security.annotation.SecurityDomain;
    public class DemoEJB{ ... }

    The application-policy defined as the value of @SecurityDomain (in this example, oamrealm) should have the same value as that defined for the realmname property in oam_config.properties.

  3. Option: Add the following descriptor to the jboss.xml file to define the security domain.

    The application-policy name defined in this descriptor (myother) should have the same value as the realmname property defined in oam_config.properties.


    The name associated with the security domain annotation should be specified in the Login Module to be used, as described in Step 4. See Also: Configuring the JBoss Login Module to Use Access Manager Policies.

  4. JBoss Server Login Configuration: Add an entry for the Login Module class name, which must be part of the login mechanism:


    <application-policy name="oamrealm"> 
        <login-module code="oracle.security.am.agent.common.jaas.login.OAMLoginModule"
          <module-option name="loginType">tokenBased</module-option>
          <module-option name="configPath">D:/agentconfig</module-option>
          <module-option name="rolesParam">OAM_GROUPS</module-option>
          <module-option name="publicAuthnResourceName">/Authen/Basic</module-option>
          <module-option name="publicAuthzResourceName">/Authen/SSOToken</module-option>


    The name value in the application-policy element should match the realmname property value defined in oam_config.properties.

  5. Deploy the application.
  6. Start JBoss using the following command:
    JBoss_install_dir\bin\run –b 

    See Configuring JBoss Server to Access a Host Name (not localhost)

58.8.2 Configuring the Client Side for Login Module to Secure EJBs

You can create a client-login configuration file.

To configure:

  1. Copy ObAccessClient.xml as follows (one or the other):
    • New Agent: From $MW_HOME/middleware/user_projects/domains/base_domain/output/agent_name to a folder on the Agent host.

    • Existing Agent: From its location on the JBoss host to another directory on the Agent host.

  2. On the client host, create a client-login configuration text file as follows:
    oamauth {
       oracle.security.am.agent.common.jaas.login.OAMLoginModule required
       loginType="usernamePassword  "
  3. Add the following to your entry to configure the login module to propagate identity to the EJB Container:
    propagate {
       org.jboss.security.ClientLoginModule required
  4. Save the file.


    Perform Step 5 while invoking EJBs from a Rich Client to ensure that Access Manager performs authentication (using the Pure Java ASDK) and then propagates the credentials to the EJB Application Server.

  5. Rich Client: Add the following to the client code before invoking the EJB from the Client side:
    System.setProperty("java.security.auth.login.config", authFile);
    MyCallbackHandler handler = new MyCallbackHandler(<USERNAME>,<PASSWORD>);
    LoginContext lc = new LoginContext("oamauth", handler);
    //Fetch the private credentials of type String.class
    Set<String> set = lc.getSubject().getPrivateCredentials(String.class);
    //Set the SSO Token in callback handler along with the username
    handler = new MyCallbackHandler(<USERNAME>, set.iterator().next());
    LoginContext lc2 = new LoginContext("propagate", handler);