						SecurityProxy implementation that delegates the method invocations to the
						object. The org.jboss.security.SubjectSecurityProxy is an example
						implementation used by the JaasSecurityManager class.</p></td></tr></table></div></div></div></div><div class="section"><a name="d0e6299"></a><div class="titlepage"><div><h3 class="title"><a name="d0e6299"></a>JaasSecurityManagerService MBean</h3></div></div><p>The JaasSecurityManagerService is a JMX MBean that handles the configuration of security. This includes the security manager implementation, the security proxy factory and the authentication cache policy.</p><div class="variablelist"><p><b>org.jboss.security.plugins.JaasSecurityManagerService Attributes</b></p><dl><dt><a name="d0e6307"></a><span class="term">SecurityManagerClassName</span></dt><dd><p><a name="d0e6310"></a>This is the name of the class that implements the EJBSecurityMgr and RealmMapping interfaces that will be created on demand to fulfill the authentication and role mapping roles for SecurityInterceptors in a given security domain. If this attribute is not specified it defaults to the org.jboss.security.plugins.JaasSecurityManager.</p></dd><dt><a name="d0e6313"></a><span class="term">SecurityProxyFactoryClassName</span></dt><dd><p><a name="d0e6316"></a>This is the name of the class that implements the SecurityProxyFactory interface which is used to obtain the SecurityProxy interface used by the SecurityInterceptor for the delegation of custom security checks. If this attribute is not set it defaults to org.jboss.security.SubjectSecurityProxyFactory.</p></dd><dt><a name="d0e6319"></a><span class="term">AuthenticationCacheJndiName</span></dt><dd><p><a name="d0e6322"></a>This is the JNDI name of the org.jboss.util.CachePolicy instance that is to be used for caching of authentication information. The cache is made available to the security manager class if it implements a <tt>setCachePolicy(CachePolicy)</tt> method. </p></dd></dl></div><div class="example"><p><a name="d0e6328"></a><b>Example 9.4. Example JaasSecurityManagerService MBean jboss.jcml Entry</b></p><pre class="programlisting">
&lt;mbean code="org.jboss.security.plugins.JaasSecurityManagerService" name="Security:name=JaasSecurityManager"&gt;
    &lt;attribute name="SecurityManagerClassName"&gt;
        org.jboss.security.plugins.JaasSecurityManager
    &lt;/attribute&gt;
    &lt;attribute name="SecurityProxyFactoryClassName"&gt;
        org.jboss.security.SubjectSecurityProxyFactory
    &lt;/attribute&gt;
    &lt;attribute name="AuthenticationCacheJndiName"&gt;
        srp/SRPAuthenticationCache
    &lt;/attribute&gt;
&lt;/mbean&gt;

				</pre></div><p>The JaasSecurityManagerService manages the association of security manager instances to container SecurityInterceptors by implementing the JNDI ObjectFactory interface and binding itself under java:/jaas in the JNDI namespace. This allows one to use a naming convention of the form java:/jaas/XYZ to access the security manager instance for the XYZ security domain. The security manager instance is created on the first lookup by creating an instance of the SecurityManagerClassName using a constructor that takes the name of the security domain. For example, consider the following container security configuration snippet:</p><div class="figure"><p><a name="sx.JaasSecurityManager.container.xmlet"></a><b>Figure 9.5. Example Container Security Configuration Snippet</b></p><pre class="programlisting">
&lt;jboss&gt;
    &lt;!-- Configure all containers to be secured under the "hades" security domain --&gt;
    &lt;security-domain&gt;java:/jaas/hades&lt;/security-domain&gt;
    ...
&lt;/jboss&gt;
</pre></div><p>Any lookup on the JBoss JNDI InitialContext of the name "java:/jaas/hades" will return a security manager instance that has been associated with the security domain named "hades". This security manager will implement the EJBSecurityMgr and RealmMapping security interfaces and will be of type SecurityManagerClassName.</p></div><div class="section"><a name="d0e6342"></a><div class="titlepage"><div><h3 class="title"><a name="d0e6342"></a>Inside the JaasSecurityManager</h3></div></div><p>As mentioned in the previous section, the JaasSecurityManager is the default choice for the security manager implementation class. It uses the Java Authentication and Authorization Service (JAAS) packages to implement its behavior. In particular, the behavior derives from the use of the login modules (javax.security.auth.spi.LoginModule) whose configuration entry name matches that of the security domain to which the JaasSecurityManager has been assigned. The login modules implement the principal authentication and role mapping behavior for the security domain. Hence, the JaasSecurityManager can be used across very different security domains simply by plugging in different login module configurations for the domains.</p><div class="section"><a name="d0e6347"></a><div class="titlepage"><div><h4 class="title"><a name="d0e6347"></a>The Authentication Process</h4></div></div><p>Consider a client that is invoking a method on an EJB that has been configured to use a JaasSecurityManager instance for security. <a href="ch09s09.html#sx.ClientAuthOverview" tppabs="http://www.huihoo.org/jboss/online_manual/3.0/ch09s09.html#sx.ClientAuthOverview" title="Figure 9.6. EJB Access Authentication Process">Figure 9.6</a> gives a diagram of some of the components involved in the access security check process.</p><div class="figure"><p><a name="sx.ClientAuthOverview"></a><b>Figure 9.6. 
EJB Access Authentication Process</b></p><div class="mediaobject"><img src="sx.ClientAuthOverview.jpg" tppabs="http://www.huihoo.org/jboss/online_manual/3.0/sx.ClientAuthOverview.jpg"></div></div><div class="procedure"><p><a name="d0e6360"></a><b>Procedure 9.1. </b></p><ol type="1"><li><a name="d0e6361"></a><p>The client first has to perform a login to establish the principal and credentials that will be used for authentication purposes. This entails creating a LoginContext and passing the name of the configuration to use. In the above figure the configuration name is "beanDomain". This is a one time process that associates the login principal and credentials with all subsequent EJB method invocations. Note that the login process may not actually authenticate the user; this depends on the login module configuration. In <a href="ch09s09.html#sx.ClientAuthOverview" tppabs="http://www.huihoo.org/jboss/online_manual/3.0/ch09s09.html#sx.ClientAuthOverview" title="Figure 9.6. EJB Access Authentication Process">Figure 9.6</a> the beanDomain client side configuration is using the ClientLoginModule (org.jboss.security.ClientLoginModule) and this module does not perform client side authentication. It simply binds the username and password to the JBoss EJB invocation layer for later authentication on the server.</p></li><li><a name="d0e6366"></a><p>The client at some later point obtains the home interface for an EJB and attempts to create a bean. This results in a home interface method invocation that is sent to the JBoss server. The invocation includes the method arguments passed by the client along with the user identity and credentials.</p></li><li><a name="d0e6369"></a><p>The first step of the security check is to authenticate the user invoking the call. As on the client side, this involves invoking the login modules that are configured for the security domain the EJB is secured under. In the figure the EJB security domain is also named "beanDomain". 
If the user is authenticated, a JAAS Subject is created that contains the following in its PrincipalsSet:</p><div class="itemizedlist"><ul><li><p><a name="d0e6373"></a>A Principal that corresponds to the client identity</p></li><li><p><a name="d0e6376"></a>A Group named "Roles" that contains the role names from the application domain that the user has been assigned. The role names are represented by org.jboss.security.SimplePrincipal objects. This is a simple String based implementation of Principal. These roles are used to validate the roles assigned to methods in the ejb-jar.xml descriptor as well as the EJBContext isCallerInRole(String) method.</p></li><li><p><a name="d0e6379"></a>An optional Group named "CallerPrincipal" that contains a single Principal that corresponds to the identity of the caller in the application domain. This is the value returned by the EJBContext getCallerPrincipal() method.</p></li></ul></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><a name="d0e6382"></a>Note</h3><p>This usage pattern of the Subject Principals set is the standard usage that JBossSX expects of server side login modules. To ensure proper conformance to this pattern any custom login module you write should subclass the JBossSX AbstractServerLoginModule class. See <a href="ch09s17.html" tppabs="http://www.huihoo.org/jboss/online_manual/3.0/ch09s17.html" title="Custom LoginModules">the section called &#8220;Custom LoginModules&#8221;</a> for details.</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title"><a name="d0e6387"></a>Note</h3><p>Although the login configuration names used by the client and server in this example happen to be the same, there really is no requirement for this, as the client and server login module configurations are two independent configurations. They are associated with each other only by the values for the principal and credentials that are exchanged. 
The server side login modules have to be able to understand and validate the principal and credentials that the client side login modules set.</p></div></li><li><a name="d0e6390"></a><p>The final step in the security check is the authorization phase, which consists of the following steps.</p><ol type="a"><li><a name="d0e6394"></a><p>Obtain the names of the roles that are allowed to access the EJB method. This is obtained from the EJB container and consists of the ejb-jar.xml descriptor role-name elements of all method-permission elements containing the invoked method.</p></li><li><a name="d0e6397"></a><p>If no roles have been assigned then no access to the method is allowed. Otherwise, the JaasSecurityManager doesUserHaveRole(Principal, Set) method is invoked to see if the caller principal has one of the role names assigned. This check is performed by iterating through the role names and checking to see if the "Roles" group contains a SimplePrincipal with the role name. Access is allowed if any role name is a member of the "Roles" group. Access is denied if none of the role names are members of the "Roles" group.</p></li><li><a name="d0e6400"></a><p>If the EJB was configured with a custom security proxy, the method invocation is delegated to it. If the security proxy wants to deny access to the caller it will throw a SecurityException. If no SecurityException is thrown, access to the EJB method is allowed and the SecurityInterceptor passes the method invocation to the next container interceptor.</p></li></ol></li></ol></div></div></div><div class="section"><a name="sx.SecurityProxies"></a><div class="titlepage"><div><h3 class="title"><a name="sx.SecurityProxies"></a>Using Custom Security Proxies</h3></div></div><p>There are two ways to write a security proxy for handling custom security that is outside the scope of the EJB declarative security model. 
The first is to write an implementation of the org.jboss.security.SecurityProxy interface along with an implementation of the org.jboss.security.SecurityProxyFactory interface and set up your factory class as the SecurityProxyFactoryClassName value for the JaasSecurityManagerService. The other approach is to simply write an object that implements one or more of the EJB home and/or remote interface methods and code your security checks in each method. This section goes over each approach and highlights the advantages and disadvantages of each approach.</p></div></div></body></html>
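<p>The following is an added, stand-alone Java illustration of the server-side sequence described in Procedure 9.1 (the Subject layout a conforming login module leaves behind in step 3, the doesUserHaveRole-style check of step 4, and the SecurityException veto of a custom security proxy from the section above). It is not code from the JBoss manual or from JBoss itself. The classes SimplePrincipal, RoleGroup, DemoSecurityProxy and AuthorizationCheck are assumptions written for this example: RoleGroup stands in for the java.security.acl.Group that JBoss 3.0 used for the "Roles" and "CallerPrincipal" groups, and DemoSecurityProxy stands in for org.jboss.security.SecurityProxy. The sample users, roles and withdrawal limit are constructed.</p>

```java
import java.security.Principal;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.security.auth.Subject;

// Added example of the JBossSX authorization sequence in Procedure 9.1; not JBoss code.
// All types below are stand-ins (assumptions) that mirror the shapes the text describes.

/** Minimal String-based Principal, in the spirit of org.jboss.security.SimplePrincipal. */
final class SimplePrincipal implements Principal {
    private final String name;
    SimplePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    @Override public boolean equals(Object o) {
        return o instanceof SimplePrincipal && ((SimplePrincipal) o).name.equals(name);
    }
    @Override public int hashCode() { return name.hashCode(); }
    @Override public String toString() { return name; }
}

/** Named group of Principals; stands in for the java.security.acl.Group JBoss 3.0 used. */
final class RoleGroup implements Principal {
    private final String name;
    private final Set<Principal> members = new LinkedHashSet<>();
    RoleGroup(String name) { this.name = name; }
    public String getName() { return name; }
    RoleGroup add(Principal p) { members.add(p); return this; }
    boolean isMember(Principal p) { return members.contains(p); }
    Set<Principal> members() { return Collections.unmodifiableSet(members); }
}

/** Custom check outside declarative security; denies by throwing SecurityException. */
interface DemoSecurityProxy {
    void invoke(Principal caller, String method, Object[] args);
}

final class AuthorizationCheck {
    /** Step 3: the Subject a conforming server-side login module builds after authentication. */
    static Subject authenticatedSubject(String user, String... roles) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new SimplePrincipal(user));   // client identity
        RoleGroup rolesGroup = new RoleGroup("Roles");             // application roles
        for (String r : roles) rolesGroup.add(new SimplePrincipal(r));
        subject.getPrincipals().add(rolesGroup);
        subject.getPrincipals().add(                               // optional CallerPrincipal group
            new RoleGroup("CallerPrincipal").add(new SimplePrincipal(user)));
        return subject;
    }

    static RoleGroup findGroup(Subject subject, String groupName) {
        for (RoleGroup g : subject.getPrincipals(RoleGroup.class))
            if (g.getName().equals(groupName)) return g;
        return null;
    }

    /** Step 4b: allowed if any method role is a member of the "Roles" group. */
    static boolean doesUserHaveRole(Subject subject, Set<Principal> methodRoles) {
        RoleGroup roles = findGroup(subject, "Roles");
        if (roles == null) return false;
        for (Principal role : methodRoles)
            if (roles.isMember(role)) return true;
        return false;
    }

    /** Steps 4a to 4c: empty role set denies, then the role check, then the optional proxy. */
    static boolean authorize(Subject subject, Set<Principal> methodRoles,
                             DemoSecurityProxy proxy, String method, Object[] args) {
        if (methodRoles.isEmpty()) return false;                  // no roles assigned: no access
        if (!doesUserHaveRole(subject, methodRoles)) return false;
        if (proxy != null) {
            RoleGroup cp = findGroup(subject, "CallerPrincipal");
            Principal caller = cp != null
                ? cp.members().iterator().next()
                : subject.getPrincipals(SimplePrincipal.class).iterator().next();
            try {
                proxy.invoke(caller, method, args);
            } catch (SecurityException e) {
                return false;                                      // proxy vetoed the call
            }
        }
        return true;  // the SecurityInterceptor would now pass the invocation on
    }

    public static void main(String[] argv) {
        // Constructed sample: "withdraw" is granted to the Teller role in ejb-jar.xml terms.
        Set<Principal> withdrawRoles = new LinkedHashSet<>();
        withdrawRoles.add(new SimplePrincipal("Teller"));
        // Constructed proxy: a business rule declarative security cannot express.
        DemoSecurityProxy limitProxy = (caller, method, args) -> {
            if (method.equals("withdraw") && ((Integer) args[0]) > 1000)
                throw new SecurityException(caller.getName() + " exceeds the withdrawal limit");
        };
        Subject teller = authenticatedSubject("alice", "Teller");
        Subject guest = authenticatedSubject("bob", "Guest");
        System.out.println("teller, 500:  " + authorize(teller, withdrawRoles, limitProxy, "withdraw", new Object[]{500}));
        System.out.println("teller, 5000: " + authorize(teller, withdrawRoles, limitProxy, "withdraw", new Object[]{5000}));
        System.out.println("guest, 500:   " + authorize(guest, withdrawRoles, limitProxy, "withdraw", new Object[]{500}));
        System.out.println("no roles:     " + authorize(teller, Collections.emptySet(), null, "audit", new Object[0]));
    }
}
```

<p>The ordering matters for detection and least privilege: the declarative role check runs first and an empty role set denies outright, so the custom proxy only ever sees callers who already hold a permitted role, and a proxy veto is reported by a SecurityException rather than by a silent return.</p>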
