JAAS Overview and JBoss Security Configuration

I did not write the conceptual material on JAAS myself; most of it is taken from Sun's official "java_security2" documentation. The basic material on JBoss security configuration comes from the JBoss documentation, so that part is reposted in full. Please do not take offense: the advanced applications introduced later require this background first.

Java Authentication and Authorization Service (JAAS)
JAAS (Java Authentication and Authorization Service) provides user authentication on the Java platform, a function nothing else in the platform performs.
Every other core function of Java security is designed to protect the end user from the developer's program: when an end user runs a program a developer has written, that program may need access to local resources, and the user must be protected from it. JAAS works in the other direction. It lets the developer authenticate the user on the basis of credentials and then allow or deny that user access to the program.
JAAS can be downloaded from http://java.sun.com/products/jaas/. It consists of two parts: a Java class library that defines the service interfaces (JAAS proper) and platform-specific modules that perform the authentication (JAAS modules). Sample modules are included that authenticate against a JNDI directory service, the Windows NT login service and the Solaris login service. (Since J2SE 1.4 JAAS has been part of the standard runtime, so on a current JDK no separate download is needed.)
JAAS proper consists of documentation and a lib directory holding a single jar file, jaas.jar. You can install this jar in $JREHOME/lib/ext, or put it on the class path. The JAAS modules' lib directory holds another jar, jaasmod.jar, which is handled the same way.

JBoss Security Configuration
J2EE defines the mechanism by which an application declares its security constraints, but it does not say how a server implements and configures authentication and authorization. JBoss uses JAAS so that different authentication technologies can be plugged in, and uses them for both authentication and authorization. JBoss also ships a standard set of login modules backed by files, databases and LDAP; the file-based module is the simplest. You can use an existing login module or develop one that better suits your needs.
JBoss keeps its security domain definitions in the login-config.xml file, which contains many of them. Each security domain names the JAAS login modules used to authenticate users of that domain. When an application needs security, the JBoss-specific deployment descriptor (jboss.xml or jboss-web.xml) must name the security domain to use. This section walks through protecting the JBoss JMX console and the web console application.
Since the JBoss JMX console can control essentially every aspect of the server, it is important to protect it, at least with a password; otherwise any remote user can take complete control of the JBoss server. To do this we add a security domain to the JMX console application. The file to modify is jboss-web.xml, in the server/default/deploy/jmx-console.war/WEB-INF/ directory. Remove the comment markers around the security-domain element in jboss-web.xml, giving the following:
<jboss-web>
  <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>
This sets the security domain the web application uses, but it does not yet define the web application's security policy: which URLs are protected, and which roles may access them. To configure that, open the web.xml file in the same directory and remove the comment markers around the security-constraint element. The constraint requires the user to have the JBossAdmin role. Note that the shipped constraint names only the GET and POST methods, so any other HTTP method (HEAD, for example) is left unconstrained; this was exploited against the JBoss JMX console (CVE-2010-0738). Leaving out the http-method elements altogether applies the constraint to every method.
<!-- A security constraint that restricts access to the HTML JMX console
to users with the role JBossAdmin. Edit the roles to what you want and
uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
secured access to the HTML JMX console.
-->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the
      role JBossAdmin to access the HTML JMX console web application
    </description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>JBossAdmin</role-name>
  </auth-constraint>
</security-constraint>
Very nice, but where do the user name and password come from? They come from the jmx-console security domain. Look at the conf/login-config.xml file:
<application-policy name="jmx-console">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag="required">
      <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
      <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>
This configuration uses a simple file-based security policy. The user names and passwords for logging in to the JMX console are stored in jmx-console-users.properties, one username=password entry per line. To put a user in the JBossAdmin role, the user-to-role mapping is given in jmx-console-roles.properties in the form username=rolename. The files as shipped define a user named admin with the password admin. Delete this user, or change the password, to make the JMX console more secure. Note that these passwords are kept in clear text, so protect the file accordingly.
When web.xml is updated, JBoss redeploys the JMX console application; you can confirm the redeployment in the JBoss server console output. If each of these steps has been done correctly and the JMX console has been redeployed, JBoss will prompt for a user name and password the next time it is visited.
The JMX console is not the only web-based management interface JBoss provides. JBoss also offers another management application, the web console (see Appendix A). Although the web console is presented as a Java applet, the corresponding web application can be protected in the same way as the JMX console. The web console application lives in default/deploy/management/web-console.war. Note that, unlike the JMX console, which is deployed as an exploded directory, the web console is a packaged WAR file, so editing web-console.war takes a little more effort.
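As an added check that is not part of the original page or of JBoss, the following Java program (Java 8 or later; the class name, the constructed sample descriptors and the method names are the example's own) parses a jboss-web.xml and web.xml pair the way the server would and reports what is still missing. It applies equally to the JMX console and the web console, since both are protected the same way, and it also flags a constraint that names only some HTTP methods.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/*
 * Added example, not part of the page or of JBoss: audits a jboss-web.xml and
 * web.xml pair for what the procedure above requires, an active <security-domain>
 * and an active <security-constraint> with an <auth-constraint> on "/*".
 * Elements still inside an XML comment are invisible to the parser, as to the server.
 */
public class ConsoleProtectionAudit {

    // Constructed sample descriptors. The "unprotected" versions mirror the shipped
    // state, with the relevant elements still commented out.
    static final String JBOSS_WEB_UNPROTECTED =
        "<jboss-web>\n"
      + "  <!-- <security-domain>java:/jaas/jmx-console</security-domain> -->\n"
      + "</jboss-web>\n";
    static final String JBOSS_WEB_PROTECTED =
        JBOSS_WEB_UNPROTECTED.replace("<!-- ", "").replace(" -->", "");

    static final String WEB_XML_UNPROTECTED =
        "<web-app>\n"
      + "  <!--\n"
      + "  <security-constraint>\n"
      + "    <web-resource-collection>\n"
      + "      <web-resource-name>HtmlAdaptor</web-resource-name>\n"
      + "      <url-pattern>/*</url-pattern>\n"
      + "      <http-method>GET</http-method>\n"
      + "      <http-method>POST</http-method>\n"
      + "    </web-resource-collection>\n"
      + "    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>\n"
      + "  </security-constraint>\n"
      + "  -->\n"
      + "</web-app>\n";
    // Comment markers removed, as the page instructs.
    static final String WEB_XML_PROTECTED =
        WEB_XML_UNPROTECTED.replace("  <!--\n", "").replace("  -->\n", "");
    // And with the http-method list dropped, so the constraint covers every method.
    static final String WEB_XML_ALL_METHODS = WEB_XML_PROTECTED
        .replace("      <http-method>GET</http-method>\n", "")
        .replace("      <http-method>POST</http-method>\n", "");

    private static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Real descriptors carry a DOCTYPE; keep it but never fetch the DTD or
        // resolve external entities while parsing.
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** The active security-domain in jboss-web.xml, or null if none is in effect. */
    public static String securityDomain(String jbossWebXml) throws Exception {
        NodeList n = parse(jbossWebXml).getElementsByTagName("security-domain");
        return n.getLength() == 0 ? null : n.item(0).getTextContent().trim();
    }

    private static boolean hasText(Element e, String tag, String value) {
        NodeList n = e.getElementsByTagName(tag);
        for (int i = 0; i < n.getLength(); i++)
            if (value.equals(n.item(i).getTextContent().trim())) return true;
        return false;
    }

    /** Empty list: the application is protected. Otherwise one entry per problem found. */
    public static List<String> findings(String jbossWebXml, String webXml) throws Exception {
        List<String> problems = new ArrayList<>();
        if (securityDomain(jbossWebXml) == null)
            problems.add("jboss-web.xml: no active <security-domain> (still commented out?)");
        NodeList constraints = parse(webXml).getElementsByTagName("security-constraint");
        boolean rootCovered = false;
        for (int i = 0; i < constraints.getLength(); i++) {
            Element c = (Element) constraints.item(i);
            // Only a constraint on /* that carries an <auth-constraint> restricts
            // access; without <auth-constraint> a security-constraint denies nothing.
            if (!hasText(c, "url-pattern", "/*")
                    || c.getElementsByTagName("auth-constraint").getLength() == 0) continue;
            rootCovered = true;
            // Naming http-methods constrains only those; every unlisted method stays open.
            if (c.getElementsByTagName("http-method").getLength() > 0)
                problems.add("web.xml: constraint on /* names http-methods; unlisted methods are unconstrained");
        }
        if (!rootCovered)
            problems.add("web.xml: no active <security-constraint> with <auth-constraint> on /*");
        return problems;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("shipped:     " + findings(JBOSS_WEB_UNPROTECTED, WEB_XML_UNPROTECTED));
        System.out.println("as on page:  " + findings(JBOSS_WEB_PROTECTED, WEB_XML_PROTECTED));
        System.out.println("all methods: " + findings(JBOSS_WEB_PROTECTED, WEB_XML_ALL_METHODS));
    }
}
```

Compile with javac and run with java. To audit a real deployment, read the two files from WEB-INF/ instead of the embedded strings; the parser settings deliberately keep the DOCTYPE that JBoss descriptors carry while refusing to fetch anything external.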

Configuring JBoss security domains. Security is typically needed in the web and EJB tiers, and the standard J2EE security declarations are made in the web.xml and ejb-jar.xml deployment descriptors. To make JBoss enforce that security, however, the developer must also supply the JBoss-specific deployment descriptors.
The JBoss-specific deployment descriptors complete the application's security configuration. To protect a web application, include a security-domain element in jboss-web.xml:
<jboss-web>
  <security-domain>java:/jaas/dukesbank</security-domain>
</jboss-web>
To enforce access control in the EJB tier as well, add the same security-domain element to jboss.xml:
<jboss>
  <security-domain>java:/jaas/dukesbank</security-domain>
  <enterprise-beans>
    ...
  </enterprise-beans>
</jboss>
This means that JBoss binds the security manager instance for the Duke's Bank application under the JNDI name java:/jaas/dukesbank. All security domains are bound under the java:/jaas context, so Duke's Bank is actually using the dukesbank security domain.
Security domains are configured in conf/login-config.xml. If you look there, however, you will not find a dukesbank security domain. When JBoss cannot find the named security domain it falls back to the domain called other, whose configuration is as follows:
<application-policy name="other">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag="required"/>
  </authentication>
</application-policy>
This login module authenticates against properties files in the application's own classpath. JBoss uses two files: the first supplies user names and passwords, the second supplies roles. For example, here is the users.properties file of the Duke's Bank application.
# A users.properties file for use with the UsersRolesLoginModule
# Format is:
# username=password
200=j2ee
The properties file format is very simple: each line is of the form username=password. So this file defines a user named 200 whose password is j2ee; this is the account used to access the Duke's Bank application. If you change the password you must redeploy the web application, because the file is read from the deployment.
Of course, user names and passwords are not the only factor driving J2EE application security. The deployment must also assign roles to users, and the application decides from a user's roles whether the user may access a target resource. Only customers of Duke's Bank, that is users with the bankCustomer role, may use the application. The roles.properties file below assigns that role to user 200.
# A roles.properties file for use with the UsersRolesLoginModule
# Format is:
# username=role1,role2,role3
200=bankCustomer

For the Duke's Bank application to use the dukesbank security domain rather than the server's default, the developer must define that domain by adding the following to conf/login-config.xml:
<application-policy name="dukesbank">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag="required"/>
  </authentication>
</application-policy>
Note that JBoss must be restarted; otherwise the change to login-config.xml does not take effect.
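As an added example that is not from the page or from JBoss (the names DukesBankJaasDemo, PropertiesLoginModule, NamePrincipal and the usersContent / rolesContent options are the example's own; it assumes Java 11 or later, compiled with javac and run with java), the following shows what the application-policy above means in JAAS terms: a Configuration object maps the name dukesbank to one login module with the REQUIRED control flag, a LoginContext drives that module through its two phases, and the module reads the same users.properties and roles.properties format shown above to turn a password into a Subject carrying the user and role principals that the container's role checks consult.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

/*
 * Added example, not from the page or from JBoss: a minimal JAAS LoginModule for the
 * users.properties / roles.properties format, driven through a LoginContext by a
 * programmatic Configuration standing in for the "dukesbank" application-policy.
 */
public class DukesBankJaasDemo {

    // Constructed inputs in the page's file formats (a file-based module would read
    // them from the usersProperties / rolesProperties module options instead).
    static final String USERS = "# username=password\n200=j2ee\n";
    static final String ROLES = "# username=role1,role2,role3\n200=bankCustomer\n";

    /** One Principal type serves for the user name and for each granted role. */
    public static final class NamePrincipal implements Principal {
        private final String name;
        public NamePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public boolean equals(Object o) { return o instanceof NamePrincipal && ((NamePrincipal) o).name.equals(name); }
        public int hashCode() { return name.hashCode(); }
        public String toString() { return name; }
    }

    /** Two-phase JAAS module: login() verifies the password, commit() populates the Subject. */
    public static final class PropertiesLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private final Properties users = new Properties(), roles = new Properties();
        private String user;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
            try {
                users.load(new StringReader((String) options.get("usersContent")));
                roles.load(new StringReader((String) options.get("rolesContent")));
            } catch (IOException e) { throw new IllegalStateException(e); }
        }

        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
            String expected = nc.getName() == null ? null : users.getProperty(nc.getName());
            char[] given = pc.getPassword();
            pc.clearPassword();
            // users.properties holds clear-text passwords. Compare in constant time and
            // fail the same way for an unknown user and for a wrong password.
            if (expected == null || given == null || !MessageDigest.isEqual(
                    expected.getBytes(StandardCharsets.UTF_8), new String(given).getBytes(StandardCharsets.UTF_8)))
                throw new FailedLoginException("invalid user or password");
            user = nc.getName();
            return true;
        }

        public boolean commit() {
            if (user == null) return false;
            subject.getPrincipals().add(new NamePrincipal(user));
            for (String role : roles.getProperty(user, "").split(","))   // user=role1,role2,...
                if (!role.trim().isEmpty()) subject.getPrincipals().add(new NamePrincipal(role.trim()));
            return true;
        }
        public boolean abort() { user = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Stand-in for login-config.xml: only a "dukesbank" policy exists, with no "other" fallback. */
    static final class DukesBankConfiguration extends Configuration {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!"dukesbank".equals(name)) return null;
            Map<String, String> opts = Map.of("usersContent", USERS, "rolesContent", ROLES);
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    PropertiesLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, opts) };
        }
    }

    /** Logs in against the dukesbank domain; returns the populated Subject, or null on failure. */
    public static Subject login(String user, String password) {
        CallbackHandler creds = cbs -> {
            for (Callback cb : cbs)
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb);
        };
        try {
            LoginContext ctx = new LoginContext("dukesbank", new Subject(), creds, new DukesBankConfiguration());
            ctx.login();
            return ctx.getSubject();
        } catch (LoginException e) { return null; }
    }

    public static void main(String[] args) {
        Subject s = login("200", "j2ee");
        System.out.println("200/j2ee -> " + s.getPrincipals()
                + ", bankCustomer=" + s.getPrincipals().contains(new NamePrincipal("bankCustomer")));
        System.out.println("200/wrong -> " + login("200", "wrong"));
    }
}
```

In JBoss the same sequence happens inside the server: the security domain named in jboss-web.xml or jboss.xml selects the application-policy, flag="required" is LoginModuleControlFlag.REQUIRED, and the role principals that commit() adds are what the container compares against the role-name entries of a security-constraint or method-permission. JBoss's own UsersRolesLoginModule also supports hashed passwords through module options; the clear-text comparison here mirrors the shipped configuration above.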

Using an RDBMS. In practice it is common to keep user and role information in a database. JBoss provides a login module called DatabaseServerLoginModule that can be used with only a little configuration. You need to provide the following:

Category: Java   Posted: 2010-09-18   Views: 225

Copyright (C) codeweblog.com, All Rights Reserved.
