ch13s78.html

详细介绍了jboss3.0的配置等

username2=role1
...</pre>with one entry per line. If a user has multiple roles they are specified using a
comma separated list. You can also specify groups of roles using a syntax like:<pre class="programlisting">username1.GroupName1=role1[,role2,...]
username2.GroupName2=role1
...</pre>When no GroupName is specified a group name of 'Roles' is implied.</p></div><div class="section"><a name="d0e10940"></a><div class="titlepage"><div><h5 class="title"><a name="d0e10940"></a>The LoginModule Configuration File</h5></div></div><p>By default JAAS uses a LoginModule configuration file to describe which
LoginModule instances need to be executed during a login. The default
config for the JBoss server is ${jboss_home)/conf/default/auth.conf.
The syntax is:<pre class="synopsis">name {
        login_module_class_name (required|optional|...)
        [options]
        ;
};</pre>See the JAAS documentation for the complete syntax description. An
example auth.conf file with two configurations is given below in <a href="ch13s78.html#server.auth.conf" tppabs="http://www.huihoo.org/jboss/online_manual/3.0/ch13s78.html#server.auth.conf" title="Figure 13.10. The JBoss Server JAAS Login Config File&#xA;					($jboss_home/conf/default/auth.conf)">Figure 13.10</a>.</p><div class="figure"><p><a name="server.auth.conf"></a><b>Figure 13.10. The JBoss Server JAAS Login Config File
					($jboss_home/conf/default/auth.conf)</b></p><pre class="programlisting">example1 {
// A properties file LoginModule that supports CallerPrincipal mapping
    org.jboss.security.auth.spi.UsersRolesLoginModule required
    ;
};

example2 {
/* A JDBC based LoginModule
LoginModule options:
dsJndiName: The name of the DataSource of the database containing the Principals, Roles tables
principalsQuery: The prepared statement query equivalent to:
    "select Password from Principals where PrincipalID=?"
rolesQuery: The prepared statement query equivalent to:
    "select Role, RoleGroup from Roles where PrincipalID=?"
*/
    org.jboss.security.auth.spi.DatabaseServerLoginModule required
    dsJndiName="java:/DefaultDS"
    principalsQuery="select Password from Principals where PrincipalID=?"
    rolesQuery="select Role, RoleGroup from Roles where PrincipalID=?"
    ;
};</pre></div><p>This indicates that the UsersRolesLoginModule we want to use is setup for
the configuration named 'example1'. This name also matches name of the
security domain portion of the JNDI name java:/jaas/example1 used as the
security-domain element in the sample jboss.xml file shown in <a href="ch13s78.html#jboss.xml.sample" tppabs="http://www.huihoo.org/jboss/online_manual/3.0/ch13s78.html#jboss.xml.sample" title="Figure 13.8. jboss.xml">Figure 13.8</a>.
The correlation between the security-domain element value and the login config file
entry determines which LoginModules executed by the JaasSecurityManager to perform
authentication and authorization. When a user attempts to execute methods on EJBs
secured under the java:/jaas/example1 security domain, the user will be authenticated
against the UsersRolesLoginModule since this the the LoginModule configured under the
example1 name in the server auth.conf file.</p><p>There is also a client side version of the auth.conf that is used by the client
connecting to JBoss. It is located in ${jboss_home}/client/auth.conf and the default version contents
are given in <a href="ch13s78.html#client.auth.conf" tppabs="http://www.huihoo.org/jboss/online_manual/3.0/ch13s78.html#client.auth.conf" title="Figure 13.11. The JBoss Client JAAS Login Config File&#xA;						($jboss_home/client/auth.conf)">Figure 13.11</a>. The key entry here is the 'other' entry that contains
the 'org.jboss.security.ClientLoginModule  required;' setting.
            <div class="figure"><p><a name="client.auth.conf"></a><b>Figure 13.11. The JBoss Client JAAS Login Config File
						($jboss_home/client/auth.conf)</b></p><pre class="programlisting">srp {
    // Example client auth.conf for using the SRPLoginModule
    org.jboss.srp.jaas.SRPLoginModule required
        password-stacking="useFirstPass"
        principalClassName="org.jboss.security.SimplePrincipal"
        srpServerJndiName="SRPServerInterface"
        debug=true
        ;

    // jBoss LoginModule
    org.jboss.security.ClientLoginModule  required
        password-stacking="useFirstPass"
        ;

    // Put your login modules that need jBoss here
};

other {
    // Put your login modules that work without jBoss here

    // jBoss LoginModule
    org.jboss.security.ClientLoginModule  required;

    // Put your login modules that need jBoss here
};</pre></div>
					<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><a name="d0e10969"></a>Note</h3><p>The configuration named 'other' is used by JAAS whenever it can't find
an entry matching the name passed to the LoginContext constructor.</p></div>
				</p></div></div></div><div class="section"><a name="jaas4"></a><div class="titlepage"><div><h3 class="title"><a name="jaas4"></a>The Beans and Servlet</h3></div></div><p>We have now touched on all of the JBoss security related elements we need to
configure to secure the deployment of EJBs and web applications.
Let's now put together two simple session beans and a servlet that we will secure to
demonstrate the use what we have gone over.</p><p>The following figures give the code listings for the the home, remote
and bean classes for the simple stateless and stateful session beans we
are going to secure, along with a simple client that accesses instances
of the session beans. Also shown is a simple servlet that accesses one
of the EJBs. The complete source code along with deployment descriptors and
an Ant build script is available <a href="javascript:if(confirm('http://www.jboss.org/doco_files/jaas-howto.zip  \n\nThis file was not retrieved by Teleport Pro, because it did not meet the project\'s file type specifications.  \n\nDo you want to open it from the server?'))window.location='http://www.jboss.org/doco_files/jaas-howto.zip'" tppabs="http://www.jboss.org/doco_files/jaas-howto.zip" target="_top">JAAS-Howto Files</a>.
        </p><div class="figure"><p><a name="Session.java"></a><b>Figure 13.12. The Session Beans Remote Interface</b></p><pre class="programlisting">import javax.ejb.*;
import java.rmi.*;

public interface Session extends EJBObject
{
    public String echo(String arg) throws RemoteException;
    public void noop() throws RemoteException;
}</pre></div><div class="figure"><p><a name="SessionHome.java"></a><b>Figure 13.13. The Session Beans Home Interface</b></p><pre class="programlisting">import javax.ejb.*;
import java.rmi.*;

public interface SessionHome extends EJBHome
{
    public Session create() throws RemoteException, CreateException;
}</pre></div><div class="figure"><p><a name="StatelessSessionBean.java"></a><b>Figure 13.14. The Stateless Session Bean</b></p><pre class="programlisting">import java.rmi.RemoteException;
import java.security.Principal;
import javax.ejb.*;

/**
@ejbHome: SessionHome
@ejbRemote: Session
*/
public class StatelessSessionBean implements SessionBean
{
    private SessionContext sessionContext;

    public void ejbCreate() throws CreateException
    {
        System.out.println("StatelessSessionBean.ejbCreate() called");
    }

    public void ejbActivate()
    {
        System.out.println("StatelessSessionBean.ejbActivate() called");
    }

    public void ejbPassivate()
    {
        System.out.println("StatelessSessionBean.ejbPassivate() called");
    }

    public void ejbRemove()
    {
        System.out.println("StatelessSessionBean.ejbRemove() called");
    }

    public void setSessionContext(SessionContext context)
    {
        sessionContext = context;
    }

    public String echo(String arg)
    {
        System.out.println("StatelessSessionBean.echo, arg="+arg);
        Principal p = sessionContext.getCallerPrincipal();
        System.out.println("StatelessSessionBean.echo, callerPrincipal="+p);
        return arg;
    }
    public void noop()
    {
        System.out.println("StatelessSessionBean.noop");
        Principal p = sessionContext.getCallerPrincipal();
        System.out.println("StatelessSessionBean.noop, callerPrincipal="+p);
    }
}</pre></div><div class="figure"><p><a name="StatefulSessionBean.java"></a><b>Figure 13.15. The Stateful Session Bean</b></p><pre class="programlisting">import java.rmi.RemoteException;
import java.security.Principal;
import javax.ejb.*;

/**
@ejbHome: SessionHome
@ejbRemote: Session
*/
public class StatefulSessionBean implements SessionBean
{
    private SessionContext sessionContext;

    public void ejbCreate() throws CreateException
    {
        System.out.println("StatefulSessionBean.ejbCreate() called");
    }

    public void ejbActivate() 
    {
        System.out.println("StatefulSessionBean.ejbActivate() called");
    }

    public void ejbPassivate() 
    {
        System.out.println("StatefulSessionBean.ejbPassivate() called");
    }

    public void ejbRemove() 
    {
        System.out.println("StatefulSessionBean.ejbRemove() called");
    }

    public void setSessionContext(SessionContext context) 
    {
        sessionContext = context;
    }