Integrate security infrastructures with JBossSX
Tutorial Details:
Integrate security infrastructures with JBossSX
Integrate security infrastructures with JBossSX
By: By Scott Stark
JBossSX uses JAAS to integrate application servers and security infrastructures
key aspect of the Java 2 Platform, Enterprise Edition (J2EE) component models is a simple declarative security model. The Enterprise JavaBean (EJB) 2.0 and Servlet 2.2 specifications support a role-based declarative security model that externalizes security from application logic and decouples the application security roles from the deployment environment's security implementation. At the application level, the ejb-jar.xml and web.xml deployment descriptors define security. Although this model allows for an independent, simple specification of the application server's security requirements, mapping the application-defined security onto the deployment environment security's infrastructure is an application-server-specific activity.
Thus, configuring a J2EE application's security requires proprietary application server APIs or tools. One such tool is the Java Authentication and Authorization Service (JAAS). In this article, I describe how the JBoss security extension, JBossSX, uses the standard JAAS to integrate with the deployment environment's security infrastructure. By configuring the JAAS login modules bundled with JBoss, you can complete the integration without custom programming. If the bundled login modules don't work with your security infrastructure, you can simply write a custom login module that does; I'll show you how in this article.
The key topics that I cover here include:
The J2EE declarative security model
The key JAAS classes
Details of how the JBossSX security manager uses JAAS in its implementation of the J2EE declarative security model
Details of how you can write a custom JAAS login module for JBoss
I also include a secure enterprise application example that demonstrates the declarative security model and the configuration of JAAS login modules to integrate the deployment environment's security.
J2EE declarative security overview
The first step to securing a J2EE application is to specify the application security requirements via the standard J2EE deployment descriptors. You secure access to EJBs and Web components in an enterprise application by using the ejb-jar.xml and web.xml deployment descriptors. Figures 1 and 2 illustrate the security-related elements in the EJB 2.0 and Servlet 2.2 deployment descriptors, respectively.
Figure 1. The EJB 2.0 deployment descriptor security elements
Click on thumbnail to view full-size image.
Together, these security elements define the bean author and application assembler's view of an enterprise application's security requirements.
Figure 2. The Servlet 2.2 deployment descriptor security elements
Click on thumbnail to view full-size image.
So that you'll have sufficient background for the example presented later in this article, I'll first review the security elements pictured in Figures 1 and 2.
Enterprise beans security references
As you can see in Figure 1, enterprise beans may declare one or more security-role-ref elements. An EJB can access the caller principal and ask if the caller belongs to a role by name. The caller principal is obtained from the EJBContext.getCallerPrincipal() method as a java.security.Principal instance. Using the EJBContext.isCallerInRole(String) method, an EJB checks if a caller is in a role that has been declared with a security-role-ref element. The role-name element value must link to a security role in the assembly-descriptor section of ejb-jar.xml through the role-link element. You typically use isCallerInRole() to perform a security check that cannot be defined using method permissions. See section 21.2.5 of the EJB 2.0 Specification PFD2 for more details on accessing the caller's security context.
Enterprise beans security identity
Figure 1 also shows that enterprise beans can optionally declare a security-identity element. New to EJB 2.0 is the ability to specify what identity an EJB should use when it invokes methods on other EJBs. The application assembler uses the security-identity element to indicate that the current caller's identity should be propagated by using a use-caller-identity element as security-identity 's value. Alternatively, the application assembler can use the run-as element with the security-identity 's value as role-name to specify that EJB calls are performed with the security role given by the role-name value. Note that this does not change the caller's identity as seen by EJBContext.getCallerPrincipal() . Rather, the caller's security roles are set to the single role specified by the run-as/role-name element value. You can use a run-as identity to keep external clients from accessing internal EJBs. To do that, assign the internal EJB method permissions that restrict access to a role never assigned to an external client, and use the restricted role as the run-as/role-name element value for EJBs that use the internal EJB.
Assembly descriptor security roles
The security role referenced by either security-role-ref or security-identity elements needs to map to one of the application's declared roles. An application assembler defines logical security roles by adding security-role elements to the assembly-descriptor element. In JBoss, a security-role is only used to map an EJB security-role-ref/role-name to the logical role to which the EJB role name refers. The user's assigned roles are a dynamic function of the application's security manager, as you will see when I discuss the JBossSX implementation. JBoss does not require defined security-role s to identify method permissions. Therefore, you should specify a security-role element for every role used in the method-permission element for portability across application servers and for deployment descriptor maintenance.
Assembly descriptor method permissions
An application assembler can set the roles that are allowed to invoke an EJB's home and component interface methods through method-permission elements. Each method-permission element contains one or more role-name elements that define the logical roles allowed access to one or more EJB methods as identified by method elements. With EJB 2.0, you can now specify the unchecked element instead of the role-name element to declare that an authenticated user can access one or more methods. In addition, you can declare that no one should have access to a method with the exclude-list element. For method syntax, see section 21.3.2 of the EJB 2.0 Specification PFD2 .
An example EJB deployment descriptor
The following ejb-jar.xml descriptor illustrates the use of EJB security elements and is the descriptor used in the article example:
SecurityTests
A trivial stateless session echo bean
PublicSession
org.jboss.docs.jaas.howto.SessionHome
org.jboss.docs.jaas.howto.Session
org.jboss.docs.jaas.howto.StatelessSessionBean
Stateless
Container
ejb/PrivateSession
Session
org.jboss.docs.jaas.howto.SessionHome
org.jboss.docs.jaas.howto.Session
PrivateSession
InternalUser
A trivial stateful session echo bean
PrivateSession
org.jboss.docs.jaas.howto.SessionHome
org.jboss.docs.jaas.howto.Session
org.jboss.docs.jaas.howto.StatefulSessionBean
Stateful
Container
Coder
Echo
InternalUser
Echo
PublicSession
*
InternalUser
PrivateSession
*
Coder
PublicSession
create
PublicSession
remove
PublicSession
noop
Methods that cannot be used in this
deployment
PublicSession
restricted
Web application security constraints
In a Web application, security is defined by the roles allowed access to content; a URL pattern identifies the protected content. For example, the web.xml descriptor fragment below indicates that any URL lying under the Web application's /restricted path requires an AuthorizedUser role:
...
Secure Content
/restricted/*
AuthorizedUser
...
The role required to access restricted content
AuthorizedUser
The
Read
Tutorial at: Click here to view the tutorial
Rate Tutorial: Integrate security infrastructures with JBossSX
View Tutorial: Integrate security infrastructures with JBossSX
Related
Tutorials:
 Integrating Databases
Integrating Databases
|
The state of Java middleware, Part II: Enterprise JavaBeans - JavaWorld - April
1999
The state of Java middleware, Part II: Enterprise JavaBeans - JavaWorld - April
1999
|
JMS: An infrastructure for
XML-based business-to-business communication - JavaWorld February
2000
JMS: An infrastructure for
XML-based business-to-business communication - JavaWorld February
2000
|
Java security evolution
and concepts, Part 1: Security nuts and bolts - JavaWorld April
2000
Java security evolution
and concepts, Part 1: Security nuts and bolts - JavaWorld April
2000
|
Integrate security infrastructures with JBossSX
Integrate security infrastructures with JBossSX
|
Java security evolution
and concepts, Part 2
Java security evolution
and concepts, Part 2
|
Use Web services
to integrate Web applications with
EISs
Use Web services
to integrate Web applications with
EISs
|
Customized EJB
security in JBoss
Customized EJB
security in JBoss
|
All that JAAS
All that JAAS
|
Should you go
with JMS?
Should you go
with JMS?
|
Develop state-of-the-art mobile
games
Develop state-of-the-art mobile
games
|
J2EE Connector Architecture
J2EE Connector Architecture
Introduction
If you\'ve ever had to integrate legacy data, data sources, or functionality with a new application, you\'ve no doubt faced a number of challenges: for instance, figuring out how to connect to legacy systems, m
|
Java and Security, Part 1
Java and Security
WebLogic provides a comprehensive suite of security services that can be used to protect all aspects of a domain and its deployments. These security services affect all aspects of your domain: from the lowest level provided by the Jav
|
Java Testing and Design
Java Testing and Java Test and Design is the companion to any book on Java software development practices, techniques, and testing. Software developers, QA analysts and IT managers working in large corporate IT groups, software development companies, and
|
Put JSF to work
Build a real-world Web application with JavaServer Faces, the Spring Framework, and Hibernate
Summary
Building a real-world Web application using JavaServer Faces is not a trivial task. This article shows you how to integrate JSF, the Spring Framewor
|
J2EE security: Container versus custom
Choose the appropriate type of security for your application
Summary
This article covers the factors to consider when choosing between custom J2Esecurity and E standard security, also known as container security. It briefly covers how each type of secu
|
Application Integration: Sun Java System Access Manager 2004Q2 and JDBC Authentication Module
Today, most user authentication solutions for Web applications are ad hoc and are based on proprietary schema definitions in relational databases. So, if you have multiple Web applications, you may have a separate user database for each of your applicatio
|
Solaris OS and Linux for Servers Running x86 or AMD Opteron Processors (pdf)
This white paper from Seal Rock Research compares the Solaris OS and the Linux platform for x86 or AMD Opteron servers. Author David Burns explores the differences in performance and scalability, security, stability, application availability, technical su
|
Using Identity Management to Achieve Security and Compliance: White Paper (pdf)
As described in this white paper, identity management can play a significant role in enabling organizations to meet demands for security and compliance.
|
Integrating Java Open Single Sign-On in Pluto
This article shows how to integrate Java Open Single Sign-On in Apache\'s Pluto portlet container.
|
|
|
|
