Apache Jackrabbit : JackrabbitOnJbossSecurity

This document describes how to

  • Configure Jackrabbit security through JAAS on Jboss.

Feel free to make changes to this document. A seperate document for basic setup is located under JackrabbitOnJBoss

This document is based on Jackrabbit-1.1, and can be used with either the JCA approach above, or the .WAR server approach.

Files that will be modified:

  • JBOSS Files
    • $JBOSS_HOME/server/<default>/conf/login-config.xml
    • Alternatively, jboss mbean dynamicloginconfig approach.
  • Jackrabbit Files
    • repository.xml

Configuring Security Authentication Policy

The security authentication policy will tie jackrabbit and the jboss security systems together. The default security policy is called Jackrabbit, but can be changed if necessary (especially if you already have an existing domain configured in jboss login-config.xml that you would like to re-use).

The security policy is repository-wide, regardless of workspace(s). If you need different security/authentication, you will need different repositories (i.e. new repository.xml for each repository). However, if you can use the same authentication but have different authorization requirements, you can use the same repository with a custom AccessManager.


<Security appName="Jackrabbit">
access manager:
class: FQN of class implementing the AccessManager interface

<AccessManager class="org.apache.jackrabbit.core.security.SimpleAccessManager">
<!-- <param name="config" value="${rep.home}/access.xml"/> -->

<!-- remove this loginmodule to only use the login-config.xml configured modules.
_ <LoginModule class="org.apache.jackrabbit.core.security.SimpleLoginModule">_
_ <param name="anonymousId" value="anonymous"/>_
_ </LoginModule>_ -->


<application-policy name="Jackrabbit">
<!-- your security modules for Ldap, Ad, Database, role.properties, etc here -->


Caution: name attribute of application-policy tag in login module definition could be whatever you want, until it matches appName of Security tag in repository.xml.

Configuring Authorization/Jackrabbit AccessManager


Custom access manager when using Jboss for security is referenced at SimpleJbossAccessManager

JBoss Mbean Dynamic Login Config option

This is for deployment of the authentication login modules outside of the login-config.xml. The reasoning is usually company-policy-oriented and/or preference. This is a jboss-specific option not related to Jackrabbit – all jackrabbit configuration related to login-config.xml will now go into the jackrabbit-login-config.xml below.

See http://wiki.jboss.org/wiki/DynamicLoginConfig .

  • Create a $JBOSS_HOME/server/<default>/deploy/jackrabbitsecurity.sar directory (yes, name the directory with .sar at the end).
  • jackrabbitsecurity.rar/META-INF/jboss-service.xml

<mbean code="org.jboss.security.auth.login.DynamicLoginConfig" name="org.apache.jackrabbit:service=DynamicLoginConfig">
<attribute name="AuthConfig">jackrabbit-login-config.xml</attribute>
<depends optional-attribute-name="LoginConfigService">jboss.security:service=XMLLoginConfig</depends>
<depends optional-attribute-name="SecurityManagerService">jboss.security:service=JaasSecurityManager</depends>

  • jackrabbitsecurity.sar/jackrabbit-login-config.xml

Place what would be your normal login-config.xml configuration here.

In addition, if you have custom login module libraries only used for this security authentication configuration, those can also be placed here.