JAAS Overview and JBoss Security Configuration

I did not write the conceptual material on JAAS; most of it comes from Sun's official document "java_security2". The basic material on JBoss security configuration comes from the JBoss documentation, so that part is reposted here in full. Please do not take offense: the advanced applications introduced later require this background to be covered first.

Java Authentication and Authorization Service (JAAS)
JAAS (Java Authentication and Authorization Service) provides user authentication on the Java platform, and its role there is unique.
All of the core functions of the Java security design protect the end user from the developer: as end users run programs written by developers, local resources must be accessed only as those users allow, which requires making sure the user is not harmed by the program. JAAS works in the other direction: it lets developers grant (or deny) users access to a program based on the identification of user credentials.
JAAS can be downloaded from http://java.sun.com/products/jaas/. It consists of two parts: a Java class library that defines the service interfaces (the JAAS core), and platform-specific modules that implement the authentication (the JAAS modules). The module package also includes sample modules for authentication against a JNDI directory service, the Windows NT login service, and Solaris login.
JAAS itself contains documentation and a lib directory holding a single jar file (jaas.jar). You can install this jar into $JREHOME/lib/ext, or put its directory on the class path. The JAAS module package's lib directory contains another jar file (jaasmod.jar), which is handled in the same way as jaas.jar.

Jboss Security Configuration
J2EE defines a mechanism for specifying security constraints in an application, but it does not say how a server should implement and configure authentication and access control (translator's note: i.e. authorization). JBoss uses JAAS so that different authentication technologies can be integrated in a uniform way, supplying applications with both authentication and authorization. JBoss also provides a standard set of login modules based on files, databases and LDAP; of these, the file-based approach is the simplest. Users can use the existing authentication modules, or develop modules better suited to their own needs.
JBoss security domain information is stored in the login-config.xml file, which contains the definitions of many security domains. Each security domain specifies a number of JAAS login modules that are used for authentication within that domain. When an application needs to use security, the JBoss-specific deployment descriptor, jboss.xml or jboss-web.xml, must name the security domain to be used. This section quickly walks through how to protect the JBoss JMX console and the web console application.
Since the JMX console can control essentially every aspect of the server, it is important to protect it, at the very least with a password; otherwise any remote user can take complete control of your JBoss server. To do so, this article adds a security domain to the JMX console application. The file to modify is jboss-web.xml, found in server/default/deploy/jmx-console.war/WEB-INF/. Remove the comment around the security-domain element in jboss-web.xml, as follows.
<jboss-web>
    <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>
This sets the security domain the web application will use, but it does not yet establish the security policy the application should apply: which URLs are protected, and which roles may access them? To configure that, find web.xml in the same directory and remove the comment around the security-constraint. This constraint requires that a user hold the JBossAdmin role in order to log in.
<!--
    A security constraint that restricts access to the HTML JMX console
    to users with the role JBossAdmin. Edit the roles to what you want and
    uncomment the WEB-INF/jboss-web.xml/security-domain element to enable
    secured access to the HTML JMX console.
-->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>HtmlAdaptor</web-resource-name>
        <description>An example security config that only allows users with the
            role JBossAdmin to access the HTML JMX console web application
        </description>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>JBossAdmin</role-name>
    </auth-constraint>
</security-constraint>
Very nice, but where do the user names and passwords come from? From the jmx-console security domain. Look at the conf/login-config.xml file.
<application-policy name="jmx-console">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                      flag="required">
            <!-- both paths are resolved relative to the conf/ directory, which is on the class path -->
            <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
            <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
        </login-module>
    </authentication>
</application-policy>
This configuration uses a simple file-based security policy. The user names and passwords used to log in to the JMX console application are stored in jmx-console-users.properties, one per line in the form "username=password". To add a user to the JBossAdmin role, the user-to-role mapping is given in jmx-console-roles.properties in the form "username=rolename". The files as shipped create an admin user whose password is admin. You should delete this user, or change its password, to make the JMX console application more secure.
When web.xml is updated, JBoss redeploys the JMX console application; you can watch the JBoss server console to confirm that the change to web.xml was picked up. If each of these tasks was configured correctly and the JMX console application was redeployed, JBoss will ask for a user name and password on the next visit.
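The four steps above (security-domain in jboss-web.xml, security-constraint in web.xml, the jmx-console application policy in login-config.xml, and replacing the shipped admin/admin account) are easy to get half right, because a commented-out element looks almost identical to an active one. The following audit program is an added example and is not part of the original article or of JBoss; it assumes the JBoss 4.x directory layout (deploy/jmx-console.war/WEB-INF/, conf/login-config.xml and conf/props/jmx-console-users.properties under the server directory), and the class name, the sample directory tree and its file contents are all constructed for the demonstration. It parses the descriptors with external DTD loading disabled (web.xml declares a DOCTYPE), uses namespace-agnostic XPath so it works for both DTD-based and schema-based descriptors, and relies on the fact that a DOM parser drops comments, so a still-commented element simply does not match. It also warns when the constraint lists http-method elements, because under the servlet specification a constraint that names methods covers only those methods; omitting http-method applies it to every method.

```java
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.*;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/** Checks a JBoss 4.x server directory for the JMX console hardening steps described above. */
public class JmxConsoleAudit {

    /** Parses a descriptor without fetching the external DTD that web.xml declares, and without entity expansion. */
    static Document parse(Path file) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(file.toFile());
    }

    /** Text of every node matching an XPath; elements inside comments never match. */
    static List<String> texts(Document doc, String expr) throws Exception {
        NodeList nodes = (NodeList) XPathFactory.newInstance().newXPath().evaluate(expr, doc, XPathConstants.NODESET);
        List<String> out = new ArrayList<>();
        for (int i = 0; i < nodes.getLength(); i++) out.add(nodes.item(i).getTextContent().trim());
        return out;
    }

    /** Namespace-agnostic element step, so DTD-based (2.3) and schema-based (2.4+) descriptors both work. */
    static String el(String name) { return "*[local-name()='" + name + "']"; }

    /** Returns findings; an empty list means every step above has been applied. */
    static List<String> audit(Path serverDir) throws Exception {
        List<String> findings = new ArrayList<>();
        Path webInf = serverDir.resolve("deploy/jmx-console.war/WEB-INF");

        // Step 1: the security-domain element in jboss-web.xml must be uncommented.
        if (texts(parse(webInf.resolve("jboss-web.xml")), "//" + el("security-domain")).isEmpty())
            findings.add("jboss-web.xml: security-domain missing or still commented out");

        // Step 2: web.xml must carry an active security-constraint that names a role.
        Document web = parse(webInf.resolve("web.xml"));
        if (texts(web, "//" + el("auth-constraint") + "/" + el("role-name")).isEmpty())
            findings.add("web.xml: security-constraint missing or still commented out");
        List<String> methods = texts(web, "//" + el("web-resource-collection") + "/" + el("http-method"));
        if (!methods.isEmpty())
            findings.add("web.xml: constraint covers only " + methods + "; omit http-method to cover every method");

        // Step 3: login-config.xml must define the jmx-console domain, otherwise JBoss falls back to "other".
        if (texts(parse(serverDir.resolve("conf/login-config.xml")),
                "//" + el("application-policy") + "[@name='jmx-console']").isEmpty())
            findings.add("login-config.xml: no application-policy named jmx-console");

        // Step 4: the shipped admin/admin account must be removed or given a new password.
        Properties users = new Properties();
        try (Reader r = Files.newBufferedReader(
                serverDir.resolve("conf/props/jmx-console-users.properties"), StandardCharsets.ISO_8859_1)) {
            users.load(r);
        }
        if ("admin".equals(users.getProperty("admin")))
            findings.add("jmx-console-users.properties: default admin/admin credential still present");
        return findings;
    }

    /** Constructed sample tree mirroring an unhardened default install, so the checks fire. */
    static Path sampleServer() throws Exception {
        Path dir = Files.createTempDirectory("jboss-sample");
        Path webInf = Files.createDirectories(dir.resolve("deploy/jmx-console.war/WEB-INF"));
        Files.createDirectories(dir.resolve("conf/props"));
        write(webInf.resolve("jboss-web.xml"),
                "<jboss-web><!-- <security-domain>java:/jaas/jmx-console</security-domain> --></jboss-web>");
        write(webInf.resolve("web.xml"), "<web-app><!-- <security-constraint>...</security-constraint> --></web-app>");
        write(dir.resolve("conf/login-config.xml"), "<policy><application-policy name=\"other\"/></policy>");
        write(dir.resolve("conf/props/jmx-console-users.properties"), "admin=admin\n");
        return dir;
    }

    static void write(Path p, String s) throws Exception { Files.write(p, s.getBytes(StandardCharsets.UTF_8)); }

    /** Usage: java JmxConsoleAudit [path/to/server/default]; with no argument the constructed sample is audited. */
    public static void main(String[] args) throws Exception {
        Path dir = args.length > 0 ? Paths.get(args[0]) : sampleServer();
        List<String> findings = audit(dir);
        System.out.println(findings.isEmpty() ? "OK: JMX console is protected" : String.join("\n", findings));
    }
}
```

Run it against a real server directory after finishing the steps above; the same checks apply unchanged to the web console WAR once it has been unpacked, since it uses the same descriptors.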
The JMX console application is not the only web-based management interface JBoss provides; there is also the web console management application (see Appendix A). Although the web console is presented as a Java applet, its web application can be protected in the same way as the JMX console. The web console application lives in default/deploy/management/web-console.war. Note that this application differs from the JMX console, which is deployed as an exploded directory: the web console is a packaged WAR file, so editing web-console.war takes a little more effort.

Configuring JBoss Security Domains
Security is typically used in the web and EJB tiers, and the standard J2EE security declarations are specified with the help of the web.xml and ejb-jar.xml deployment descriptors. To configure JBoss to enforce that security, however, developers also need to supply the JBoss-proprietary deployment descriptors.
The application's security configuration is completed through the JBoss-specific deployment descriptors. To protect a web application, the security-domain element must be included in jboss-web.xml.
<jboss-web>
    <security-domain>java:/jaas/dukesbank</security-domain>
</jboss-web>
If access control is also needed at the EJB layer, the same security-domain element can be added to jboss.xml.
<jboss>
    <security-domain>java:/jaas/dukesbank</security-domain>
    <enterprise-beans>
        ...
    </enterprise-beans>
</jboss>
This means that the Duke's Bank application is bound to the security manager instance found under the JNDI name java:/jaas/dukesbank. All security domains are configured in the java:/jaas context, so Duke's Bank actually uses the dukesbank security domain.
Security domains are configured in the conf/login-config.xml file. If the Duke's Bank application were accessed now, however, JBoss would not find a dukesbank security domain there. Whenever JBoss cannot find the requested security domain, it falls back to the domain named other, whose configuration is as follows.
<application-policy name="other">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                      flag="required" />
    </authentication>
</application-policy>
Here the login module authenticates the application's users against local properties files. JBoss uses two files: the first supplies user names and passwords, the second supplies roles. For example, here is the users.properties file for the Duke's Bank application.
# A users.properties file for use with the UsersRolesLoginModule
# Format is:
# Username = password
200 = j2ee
The properties file format is very simple: each line has the form username=password. This file therefore defines a user named 200 whose password is j2ee, which is the account used to access the Duke's Bank application. If you change the password, the web application needs to be redeployed.
Of course, user names and passwords are not the only factor driving J2EE application security. The deployment also needs to specify user roles; the application uses a user's role information to decide whether that user may access a target resource. Only Duke's Bank customers, that is, users holding the bankCustomer role, are allowed to access the application. Here is the roles.properties file that assigns a role to user 200.
# A roles.properties file for use with the UsersRolesLoginModule
# Format is
# Username = role1, role2, role3
200 = bankCustomer

For the Duke's Bank application to use the dukesbank security domain instead of the server's default domain, the developer needs to define the dukesbank security domain by adding the following to conf/login-config.xml:
<application-policy name="dukesbank">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                      flag="required" />
    </authentication>
</application-policy>
Note that JBoss must be restarted, otherwise the modified login-config.xml does not take effect.
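To make the mechanics of the last few sections concrete, here is a self-contained JAAS program that plays the same roles as login-config.xml, the two properties files and the "other" fallback. It is an added example, not code from the article or from JBoss: PropsLoginModule is a hypothetical login module that reads the users.properties and roles.properties formats described above from its module options (a stand-in for UsersRolesLoginModule, which additionally places roles in a Group named "Roles"), RolePrincipal and the class name are our own, the two file contents are constructed, and the anonymous Configuration replaces login-config.xml with entries for "dukesbank" and "other". The third call in main asks for a domain that is not configured, and the standard LoginContext falls back to the "other" entry in exactly the way the text describes for JBoss; the second call shows a wrong password being rejected by the required module.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class PropertiesJaasDemo {
    // Constructed sample files in the users.properties / roles.properties format shown above.
    static final String USERS = "# username=password\n200=j2ee\n";
    static final String ROLES = "# username=role1,role2\n200=bankCustomer\n";

    /** Role principal added to the Subject on commit (JBoss itself puts roles in a Group named "Roles"). */
    public static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof RolePrincipal && name.equals(((RolePrincipal) o).name); }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** Hypothetical login module reading both property files from its options; a stand-in for UsersRolesLoginModule. */
    public static final class PropsLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private final Properties users = new Properties(), roles = new Properties();
        private String user;

        public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
            try {
                users.load(new StringReader((String) options.get("usersProperties")));
                roles.load(new StringReader((String) options.get("rolesProperties")));
            } catch (IOException e) { throw new IllegalArgumentException("unreadable properties", e); }
        }

        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException("callback failed: " + e); }
            String expected = users.getProperty(nc.getName());
            char[] given = pc.getPassword();
            pc.clearPassword();
            // Constant-time compare; an unknown user and a wrong password fail identically.
            boolean ok = expected != null && given != null && MessageDigest.isEqual(
                    expected.getBytes(StandardCharsets.UTF_8), new String(given).getBytes(StandardCharsets.UTF_8));
            if (!ok) throw new FailedLoginException("bad user or password");
            user = nc.getName();
            return true;
        }

        /** Commit maps the authenticated user to its roles: "200=bankCustomer" yields one RolePrincipal. */
        public boolean commit() {
            if (user == null) return false;
            for (String role : roles.getProperty(user, "").split(","))
                if (!role.trim().isEmpty()) subject.getPrincipals().add(new RolePrincipal(role.trim()));
            return true;
        }
        public boolean abort() { user = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); user = null; return true; }
    }

    /** In-memory stand-in for login-config.xml: "dukesbank" is defined, and "other" is the fallback domain. */
    static Configuration config() {
        Map<String, String> opts = Map.of("usersProperties", USERS, "rolesProperties", ROLES);
        AppConfigurationEntry entry = new AppConfigurationEntry(PropsLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return "dukesbank".equals(name) || "other".equals(name) ? new AppConfigurationEntry[] { entry } : null;
            }
        };
    }

    /** Logs in against the named domain and returns the granted role names; throws when login fails. */
    static Set<String> authenticate(String domain, String user, String password) throws LoginException {
        CallbackHandler creds = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext lc = new LoginContext(domain, new Subject(), creds, config());
        lc.login(); // LoginContext falls back to the "other" entry when the domain is not configured
        Set<String> names = new TreeSet<>();
        for (RolePrincipal rp : lc.getSubject().getPrincipals(RolePrincipal.class)) names.add(rp.getName());
        return names;
    }

    public static void main(String[] args) throws LoginException {
        System.out.println("dukesbank, 200/j2ee: " + authenticate("dukesbank", "200", "j2ee"));
        try { authenticate("dukesbank", "200", "wrong"); }
        catch (LoginException e) { System.out.println("dukesbank, 200/wrong: rejected (" + e.getMessage() + ")"); }
        System.out.println("undefined domain, 200/j2ee: " + authenticate("nosuchdomain", "200", "j2ee"));
    }
}
```

The fallback in the third call is the reason the text insists on defining the dukesbank policy explicitly: an application that silently lands in "other" is authenticated by whatever that domain happens to be configured with, which on a stock server is the same properties-file module.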

In practice, security backed by an RDBMS, with user and role information stored in a database, is common. JBoss provides a login module called DatabaseServerLoginModule, which can be used with only a little configuration. Users need to provide the following:

Category: Java  Date: 2010-09-18  Views: 234