The Admin Console in JBoss AS 7 is no longer a WAR deployed alongside all the other applications. Therefore you can no longer just edit its web.xml if you want change how users are authorized to access the Admin Console. JBoss AS 7 supports three ways to authorize users for the Admin Console (or remoting): a .properties file, LDAP and a JAAS domain. In our case we already have a JAAS domain for the applicationn and we would like the reuse the same domain for the Admin Console but in addition require a specific role.
This is not supported out of the box but can be implemented with a rather small effort. We create a new domain that delegates to the existing domain and additionally checks for the required role. This can be done using a JAAS login module. The following blog post explains how to implement a login module that delegates to an other one. It requires only small changes to work in our case.
First in the #initialize method we read which role is required
Then in the #login method we check for the role
All that is left is configuring our new module, “acmeDomain” is the default domain for the application and “acmeAdminDomain” is the domain for the Admin Console that requires the role “ADMIN_CONSOLE”.
And finally make the Admin Console use it
That’s it, we’re quite happy with the result, especially since we now no longer need to modify the Admin Console to require a specific role.