ch13s78.html

Describes the configuration of JBoss 3.0 in detail, among other things.
<html><head>
      <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
   <title>JAAS Based Security in JBoss</title><link rel="stylesheet" href="styles.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets Vimages/callouts/"><link rel="home" href="index.html" title="JBoss 3.0 Documentation"><link rel="up" href="ch13.html" title="Chapter 13. HOWTO"><link rel="previous" href="ch13s72.html" title="Deployment on JBoss"><link rel="next" href="ch13s98.html" title="Using JavaMail in JBoss"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="section"><a 
name="howtojaas"></a><div class="titlepage"><div><h2 class="title" style="clear: both"><a name="howtojaas"></a>JAAS Based Security in JBoss</h2></div><div><h2 class="subtitle">Custom Security in JBoss Using the JBossSX Framework</h2></div></div><p>Author:<span class="author">Scott Stark</span>
		<tt>&lt;<a href="mailto:Scott_Stark@displayscape.com">Scott_Stark@displayscape.com</a>&gt;</tt>
	</p><p>
		<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><a name="d0e10751"></a>Note</h3><p>This document applies to JBoss release 2.2.2 and later. If you
are using an earlier version of JBoss, upgrade to the 2.2.2 version.</p></div>
	</p><div class="section"><a name="Introduction"></a><div class="titlepage"><div><h3 class="title"><a name="Introduction"></a>Introduction</h3></div></div><p>This document describes setting up secured access to JBoss-hosted EJBs
and web applications for the standard declarative J2EE security model. It should
be sufficient to allow you to configure a simple security setup for testing and
also give you a good start to being able to integrate your own custom security
infrastructure into JBoss. For a more detailed description of the JBossSX
framework see the JBossSX chapter.</p><div class="itemizedlist"><ul><li><p><a name="d0e10762"></a>
					<a href="ch13s78.html#jaas1" title="Security Model Overview">Security Model Overview</a>
				</p></li><li><p><a name="d0e10768"></a>
					<a href="ch13s78.html#jaas2" title="How to Associate Security With the Container SecurityInterceptor">How to Associate Security With the Component Containers</a>
				</p></li><li><p><a name="d0e10774"></a>
					<a href="ch13s78.html#jaas3" title="Using JaasSecurityManager">Using JaasSecurityManager</a>
				</p></li><li><p><a name="d0e10780"></a>
					<a href="ch13s78.html#jaas4" title="The Beans and Servlet">The Beans and Servlet</a>
				</p></li><li><p><a name="d0e10786"></a>
					<a href="ch13s78.html#jaas5" title="Deploying a Secured J2EE Ear">Deploying a Secure J2EE EAR</a>
				</p></li></ul></div></div><div class="section"><a name="jaas1"></a><div class="titlepage"><div><h3 class="title"><a name="jaas1"></a>Security Model Overview</h3></div></div><p>The security model in JBoss is based on the server container architecture's
pluggable method interceptors and the fact that the container factory always
inserts the security interceptor (org.jboss.ejb.plugins.SecurityInterceptor).
The SecurityInterceptor delegates the tasks of principal authentication
and principal role mapping to two different security interfaces:
org.jboss.security.EJBSecurityManager and org.jboss.security.RealmMapping.
JBoss includes a number of sample implementations of both interfaces which
can be found in the org.jboss.security.plugins.samples package.</p><p>The default security implementation that comes pre-configured consists of a JMX service
bean and a JAAS based implementation of both interfaces. The JMX bean is
org.jboss.security.plugins.JaasSecurityManagerService and the security
interfaces implementation is org.jboss.security.plugins.JaasSecurityManager.
This document will focus on setting up the JaasSecurityManager via the
JaasSecurityManagerService for a trivial stateless session bean. Once you can
perform the steps documented to secure the example bean, you should be able
to introduce your own production ready security using this example as a
template.</p></div><div class="section"><a name="jaas2"></a><div class="titlepage"><div><h3 class="title"><a name="jaas2"></a>How to Associate Security With the Container SecurityInterceptor</h3></div></div><p>Ok, so you know that every EJB container in JBoss includes a SecurityInterceptor
that delegates its security checks to a security manager implementation.
How do you choose which implementations a given container uses?
You specify this information via the JBoss deployment descriptor.</p><div class="section"><a name="d0e10805"></a><div class="titlepage"><div><h4 class="title"><a name="d0e10805"></a>The JBoss Deployment Descriptor (jboss.xml and standardjboss.xml)</h4></div></div><p>The JBoss deployment descriptor is the JBoss application-specific deployment
configuration file. It describes implementation behavior that is outside of the
EJB spec ejb-jar.xml deployment descriptor. The standardjboss.xml version of the
file is located in ${jboss_home}/conf/conf_name where ${jboss_home} is the
directory into which you have installed the JBoss distribution and conf_name is
the specific runtime configuration that you specify to the run.sh or
run.bat script when starting the server. The default value for conf_name is
"default". The standardjboss.xml specifies the global configuration default
values. You can also specify ejb-jar or j2ee-ear specific jboss.xml descriptors
that override some or all configuration properties as appropriate for
your application. There are quite a few configurable properties that can be
set in the file, but all are optional. For all of the possible configuration
elements and their details see the jboss.dtd. We are only concerned with the
three security specific elements: </p><div class="itemizedlist"><ul><li><p><a name="d0e10811"></a>security-domain</p></li><li><p><a name="d0e10814"></a>role-mapping-manager</p></li><li><p><a name="d0e10817"></a>authentication-module</p></li></ul></div><div class="section"><a name="d0e10820"></a><div class="titlepage"><div><h5 class="title"><a name="d0e10820"></a>security-domain</h5></div></div><p>The security-domain element specifies an implementation of both the
org.jboss.security.RealmMapping and org.jboss.security.EJBSecurityManager
interfaces to use for all J2EE deployment units in the ear or ejb-jar.
The value is specified as the JNDI name where the object is located.
Hence, the security-domain is like a JMS TopicConnectionFactory in
that it is accessed via a JNDI name whose setup is a managed process.</p></div><div class="section"><a name="d0e10825"></a><div class="titlepage"><div><h5 class="title"><a name="d0e10825"></a>role-mapping-manager</h5></div></div><p>The role-mapping-manager element specifies the implementation of the
org.jboss.security.RealmMapping interface that is to be used by the container
SecurityInterceptor. The value is specified as the JNDI name where the object is
located.  As far as the container configuration is concerned, an implementation
of org.jboss.security.RealmMapping exists in the JBoss server JNDI namespace
and role-mapping-manager element provides the location.</p></div><div class="section"><a name="d0e10830"></a><div class="titlepage"><div><h5 class="title"><a name="d0e10830"></a>authentication-module</h5></div></div><p>The authentication-module element specifies the implementation of the
org.jboss.security.EJBSecurityManager interface that is to be used by the
container SecurityInterceptor. The value is specified as the JNDI name to where
the object is located, just like the role-mapping-manager.</p></div><div class="section"><a name="d0e10835"></a><div class="titlepage"><div><h5 class="title"><a name="d0e10835"></a>Sample jboss.xml</h5></div></div><p>A sample jboss.xml descriptor is: </p><div class="figure"><p><a name="jboss.xml.sample"></a><b>Figure 13.8. jboss.xml</b></p><pre class="programlisting">&lt;?xml version="1.0"?&gt;
&lt;jboss&gt;
    &lt;!-- All bean containers use this security manager by default --&gt;
    &lt;security-domain&gt;java:/jaas/example1&lt;/security-domain&gt; <a name="jboss.sample.sd"></a><img src="1.png" alt="1" border="0">
    &lt;container-configurations&gt;
        &lt;!-- Override the role mapping function from that of the
        security-domain setting for stateless session beans --&gt;
        &lt;container-configuration&gt;
            &lt;!-- Use the standardjboss.xml container-name so we only have
            to specify the elements we want to override --&gt;
            &lt;container-name&gt;Standard Stateless SessionBean&lt;/container-name&gt;
            &lt;role-mapping-manager&gt;java:/jaas/session-roles&lt;/role-mapping-manager&gt;<a name="jboss.sample.rmm"></a><img src="2.png" alt="2" border="0">
        &lt;/container-configuration&gt;
    &lt;/container-configurations&gt;

&lt;/jboss&gt;
</pre></div><div class="calloutlist"><a name="d0e10849"></a><table border="0" summary="Callout list"><tr><td width="5%" valign="top" align="left"><a name="d0e10850"></a><a href="#jboss.sample.sd"><img src="1.png" alt="1" border="0"></a> </td><td valign="top" align="left"><p>Establishes a global security manager via the <tt>security-domain</tt> element. </p></td></tr><tr><td width="5%" valign="top" align="left"><a name="d0e10856"></a><a href="#jboss.sample.rmm"><img src="2.png" alt="2" border="0"></a> </td><td valign="top" align="left"><p>Overrides the global security manager role mapping function for
stateless session beans.</p></td></tr></table></div><p>Here we are assigning a global security manager for all beans to the
object located at java:/jaas/example1 and we are setting a different
role mapping manager for the &#8220;Standard Stateless SessionBean&#8221; container.
This means that any stateless session beans bundled in the
ear or jar will use the RealmMapping implementation located at java:/jaas/session-roles rather
than the one given by the security-domain element setting.
We will see the reason for choosing JNDI names of the form java:/jaas/XXX
over the next couple of sections.</p></div></div><div class="section"><a name="d0e10865"></a><div class="titlepage"><div><h4 class="title"><a name="d0e10865"></a>The JBoss Web Deployment Descriptor (jboss-web.xml)</h4></div></div><p>The jboss-web.xml deployment descriptor is the JBoss application-specific
deployment descriptor used to set the security manager and JNDI bindings for web applications.
Like jboss.xml, it uses a security-domain element to declare the JNDI name of the
security manager that will perform authentication and authorization of users attempting
to access secured content. An example jboss-web.xml descriptor that uses the same
security manager used to secure EJBs is given in <a href="ch13s78.html#jboss-web.xml.sample" title="Figure 13.9. jboss-web.xml">Figure 13.9</a>.
            </p><div class="figure"><p><a name="jboss-web.xml.sample"></a><b>Figure 13.9. jboss-web.xml</b></p><pre class="programlisting">&lt;?xml version="1.0"?&gt;
&lt;jboss-web&gt;
    &lt;!-- All secured web content uses this security manager --&gt;
    &lt;security-domain&gt;java:/jaas/example1&lt;/security-domain&gt;
&lt;/jboss-web&gt;
</pre></div></div><div class="section"><a name="d0e10877"></a><div class="titlepage"><div><h4 class="title"><a name="d0e10877"></a>Setting Up the Security Manager Implementation in JNDI</h4></div></div><p>So we have set up the container configuration security elements to specify the
JNDI names from which the desired RealmMapping and EJBSecurityManager implementations
are to be obtained. Now the question is how to bind implementations into the
JBoss server JNDI namespace. The answer is to create a JMX MBean that creates and
binds the desired implementations at server startup. The
JaasSecurityManagerService is an MBean written for exactly this purpose, and we will use it to
perform the required setup.</p><p>To configure the JaasSecurityManagerService, open the
${jboss_home}/conf/default/jboss.jcml file and look for an entry like:</p><pre class="programlisting">
  &lt;!-- JAAS security manager and realm mapping --&gt;
  &lt;mbean code="org.jboss.security.plugins.JaasSecurityManagerService" name="Security:name=JaasSecurityManager"&gt;
    &lt;attribute name="SecurityManagerClassName"&gt;org.jboss.security.plugins.JaasSecurityManager&lt;/attribute&gt;
    &lt;attribute name="SecurityProxyFactoryClassName"&gt;org.jboss.security.SubjectSecurityProxyFactory&lt;/attribute&gt;
  &lt;/mbean&gt;
</pre><p>If it is commented out or does not exist, uncomment or add the entry. The
JaasSecurityManagerService creates a reference to a JNDI Context at
java:/jaas that lazily binds instances of org.jboss.security.plugins.JaasSecurityManager
under java:/jaas as they are requested via JNDI. The details of how this happens are
not important (if they are to you, look at the code). All we care about is that with the
JaasSecurityManagerService setup, any lookup on the JBoss server JNDI InitialContext
using a name of the form java:/jaas/xyz results in an object of type
org.jboss.security.plugins.JaasSecurityManager that has the name xyz. Translated to code,
this means:</p><pre class="programlisting">InitialContext ctx = new InitialContext();
JaasSecurityManager jsm1 = (JaasSecurityManager) ctx.lookup("java:/jaas/xyz");
String securityDomain = jsm1.getSecurityDomain();
// securityDomain == "xyz"</pre><p>where <tt>jsm1</tt> is an instance of JaasSecurityManager that was created
using the name "xyz".
We are using this feature to bind a single instance of JaasSecurityManager for
use as both the RealmMapping and EJBSecurityManager implementations in the preceding
jboss.xml descriptor. We can do this because JaasSecurityManager implements both
interfaces. Now we need to know how we can actually authenticate users and specify the
roles/identities they possess with a JaasSecurityManager.</p></div></div><div class="section"><a name="jaas3"></a><div class="titlepage"><div><h3 class="title"><a name="jaas3"></a>Using JaasSecurityManager</h3></div></div><p>As you would expect, the JaasSecurityManager uses JAAS (Java Authentication and
Authorization Service) to implement both the user authentication and role mapping
function of the RealmMapping and EJBSecurityManager interfaces. It does this by creating
a JAAS Subject using the javax.security.auth.login.LoginContext mechanism. When
the JaasSecurityManager needs to authenticate a user, it does a JAAS
login using the following programmatic steps:</p><pre class="programlisting">
Principal principal = ... passed in by SecurityInterceptor;<a name="jaas.principal"></a><img src="1.png" alt="1" border="0">
Object credential = ... passed in by SecurityInterceptor;<a name="jaas.credential"></a><img src="2.png" alt="2" border="0">
/* Access the security domain to which the security manager is bound. This is
the xyz component of java:/jaas/xyz name used when defining the security-domain
or role-mapping-manager config elements. */
String name = getSecurityDomain();
CallbackHandler handler = new org.jboss.security.plugins.SecurityAssociationHandler();
handler.setSecurityInfo(principal, credential);
LoginContext lc = new LoginContext(name, handler);
// Validate principal, credential using the LoginModules configured for 'name'
lc.login();
Subject subject = lc.getSubject();
Set subjectGroups = subject.getPrincipals(Group.class);
// Get the Group whose name is 'Roles'
Group roles = getGroup(subjectGroups, "Roles");

	</pre><div class="calloutlist"><a name="d0e10907"></a><table border="0" summary="Callout list"><tr><td width="5%" valign="top" align="left"><a name="d0e10908"></a><a href="#jaas.principal"><img src="1.png" alt="1" border="0"></a> </td><td valign="top" align="left"><p>A Principal is an identity object. Often it represents the username string,
but it can be an X509 cert, an HTTP cookie, etc. This is ultimately passed to
the LoginModule chain and so the interpretation of what the Principal is
depends on the configured LoginModules for the security domain.</p></td></tr><tr><td width="5%" valign="top" align="left"><a name="d0e10911"></a><a href="#jaas.credential"><img src="2.png" alt="2" border="0"></a> </td><td valign="top" align="left"><p>The credential is the value the principal is attempting to use to
verify his identity. It could be a password string or a one-way hash
of the password, a session key or token, etc.
This is ultimately passed to the LoginModule chain
and so the interpretation of what the credential is depends on the
configured LoginModules for the security domain.</p></td></tr></table></div><p>If you are familiar with JAAS, you'll see that the name that was used in the creation of
the JaasSecurityManager correlates with the LoginContext Configuration
name. The JAAS LoginContext object looks to a configuration object that is made up
of named sections that describe the LoginModules that need to be
executed in order to perform authentication. This abstraction allows the
authentication API to be independent of a particular implementation. The
authentication of users and the assignment of user roles comes down to
implementing a javax.security.auth.spi.LoginModule and creating a login
configuration entry that correlates with the JaasSecurityManager name.
There exist a number of LoginModule implementations in the
org.jboss.security.auth.spi package. We are going to go over the use of the
simple UsersRolesLoginModule as well as the production-ready DatabaseServerLoginModule
to demonstrate how to configure LoginModules to work with the JaasSecurityManager.
You can choose from among the existing LoginModule implementations the one that
best integrates with your security environment, or implement your own and then
configure it using the same steps we will use.</p><div class="section"><a name="d0e10916"></a><div class="titlepage"><div><h4 class="title"><a name="d0e10916"></a>Using UsersRolesLoginModule</h4></div></div><p>The UsersRolesLoginModule class is a simple properties file based
implementation that uses two Java Properties files (users.properties and roles.properties)
to perform authentication and role mapping respectively.</p><div class="section"><a name="d0e10921"></a><div class="titlepage"><div><h5 class="title"><a name="d0e10921"></a>users.properties</h5></div></div><p>The users.properties file is a Java properties-formatted file that specifies the
username to password mapping. Its format is:<pre class="programlisting">username1=password1
username2=password2
...</pre>with one entry per line. </p></div><div class="section"><a name="d0e10929"></a><div class="titlepage"><div><h5 class="title"><a name="d0e10929"></a>roles.properties</h5></div></div><p>The roles.properties file is a java properties formatted file that specifies
the username to role(s) mapping. Its format is:<pre class="programlisting">username1=role1[,role2,...]
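<p>The JAAS login sequence shown under "Using JaasSecurityManager", together with the users.properties/roles.properties lookup of the UsersRolesLoginModule section, carried through as an added example that is not code from the JBoss documentation or the JBoss code base: a LoginModule that authenticates against constructed users.properties content and loads the comma-separated roles from constructed roles.properties content, a login Configuration whose entry name is the security domain, and the LoginContext login that reads the 'Roles' principal back. It assumes JDK 8 or later; the names PropsJaasDemo, PropsLoginModule, RolesPrincipal and hasRole are this example's own, and RolesPrincipal stands in for the java.security.acl.Group that JBoss 3.0 uses (removed from later JDKs).</p>

```java
import java.io.*;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class PropsJaasDemo {
    // Constructed users.properties / roles.properties content (example data, not real credentials)
    static final String USERS = "alice=secret1\nbob=secret2\n", ROLES = "alice=Echo,Manager\nbob=Echo\n";
    // Stand-in for the 'Roles' Group JBoss 3.0 puts in the Subject (java.security.acl.Group, gone from later JDKs)
    public static final class RolesPrincipal implements Principal {
        final Set<String> roles;
        RolesPrincipal(Set<String> r) { roles = Collections.unmodifiableSet(new TreeSet<>(r)); }
        public String getName() { return "Roles"; }
    }
    // Minimal LoginModule in the spirit of UsersRolesLoginModule: users.properties for the password, roles.properties for roles
    public static class PropsLoginModule implements LoginModule {
        Subject subject; CallbackHandler handler; Set<String> roles;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> st, Map<String, ?> o) { subject = s; handler = h; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user");
            PasswordCallback pc = new PasswordCallback("password", false);
            try { handler.handle(new Callback[] {nc, pc}); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
            String expected = load(USERS).getProperty(nc.getName());
            // Unknown user and wrong password fail identically; constant-time compare of the password
            if (expected == null || !MessageDigest.isEqual(expected.getBytes(), new String(pc.getPassword()).getBytes()))
                throw new FailedLoginException("bad user or password");
            roles = new HashSet<>(Arrays.asList(load(ROLES).getProperty(nc.getName(), "").split(",")));
            roles.remove("");   // a user with no roles.properties entry simply has no roles
            return true;
        }
        public boolean commit() { subject.getPrincipals().add(new RolesPrincipal(roles)); return true; }
        public boolean abort() { roles = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
        static Properties load(String text) throws LoginException {
            try { Properties p = new Properties(); p.load(new StringReader(text)); return p; }
            catch (IOException e) { throw new LoginException(e.toString()); }
        }
    }
    // Login Configuration with one entry named for the security domain (the "xyz" in java:/jaas/xyz); other names cannot log in
    static Configuration config(String domain) {
        return new Configuration() { public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return domain.equals(name) ? new AppConfigurationEntry[] {new AppConfigurationEntry(
                PropsLoginModule.class.getName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<>())} : null;
        } };
    }
    // The sequence from the text: LoginContext(name, handler).login(), then read the 'Roles' principal back
    static boolean hasRole(String domain, String user, String password, String role) throws LoginException {
        CallbackHandler handler = cbs -> { for (Callback c : cbs) {
            if (c instanceof NameCallback) ((NameCallback) c).setName(user);
            else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password.toCharArray());
            else throw new UnsupportedCallbackException(c); } };
        LoginContext lc = new LoginContext(domain, new Subject(), handler, config(domain));
        lc.login();   // throws FailedLoginException for a bad user or password
        for (RolesPrincipal rp : lc.getSubject().getPrincipals(RolesPrincipal.class))
            if (rp.roles.contains(role)) return true;
        return false;
    }
    public static void main(String[] args) throws LoginException {
        System.out.println("alice has Manager: " + hasRole("example1", "alice", "secret1", "Manager"));
        try { hasRole("example1", "bob", "wrong", "Echo"); } catch (FailedLoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

<p>Compile with javac and run the class; the second call in main is rejected because "wrong" does not match bob's entry in the constructed users.properties content.</p>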
