J2EE Security

1
J2EE Security
2
Topics

• J2EE Security Goals
• JAAS and Application Server Security Setup
• Security Layers
• Web Applications
• Web Service Clients
• EJB Security
• EAR Security
• External EJB Clients

3
J2EE Security Goals

• Lessen burden on application developer
• Container can provide security infrastructure
• Deployer and system administrator define security
  policies
• Avoid hard-coding security policies in component
  implementations
• Portability among servers that use different
  security mechanisms

4
J2EE Roles and Security

• Application Assembler defines security roles for
  an application
• web.xml
• ejb-jar.xml
• Deployer maps principals (or groups of
  principles) in an operational environment to the
  security roles defined by the application
  assembler
• Component implementer may implement security
  policies in code (Avoid if possible)

5
Security Points
Security Infrastructure (App Server may use
JAAS to access)
Business Logic (Vendor A)
Web Tier (Servlets/JSP)
http/https
Rmi/
IIOP
Resource Tier
BASIC, Form, Mutual-SSL
EJBs
rmi/iiop
new InitialContext(props) JAAS
Business Logic (Vendor B)
OMG CSIv2 Level 0 SSL/TLS Security Info in
IOR Security Context in IIOP Message
EJBs
6
Security Infrastructure
7
Security Points
Security Infrastructure (App Server may use
JAAS to access)
Business Logic (Vendor A)
Web Tier (Servlets/JSP)
http/https
Rmi/
IIOP
Resource Tier
BASIC, Form, Mutual-SSL
EJBs
rmi/iiop
new InitialContext(props) JAAS
Business Logic (Vendor B)
OMG CSIv2 Level 0 SSL/TLS Security Info in
IOR Security Context in IIOP Message
EJBs
8
Security Infrastructure

• J2EE specs dictate little concerning actual
  security implementation.
• Many implementations possible
• X.509 Certificates/LDAP/etc.
• Kerberos
• Application server is responsible for adapting
  the security infrastructure in the deployment
  environment to the J2EE applications needs
• Every App server does this differently

9
Weblogic Security Infrastructure

• Server
• Users and Groups configured using console or
  Mbeans
• Defines Service Provider Interface so various
  security implementations can be overridden
• Authentication
• Identity Assertion
• Authorization
• Auditing
• Adjudication
• Role Mapping
• KeyStore
• Credential Mapper

10
WL Security Infrastructure (Cont)

• Contains an embedded LDAP adapter
• Usage similar to old File Realm provider used for
  a default security implementation
• Adapters to most commercial LDAP servers also
• Can define advanced policies for access to
  resources
• times of day, from where, etc.

11
Adding Groups using Console
12
Adding a User from the Console
13
Assigning User to a Group
14
Adding Users/Groups with MBeans
runtime.properties WLS_ADMIN_USERSjim,dan WLS_ADM
IN_GROUPWLSAdminRole corej2ee.bash tools
addUserGroups mysite.propertiesC\cygwin\home\jcs
taff\mysite.properties Buildfile
C\cygwin\home\jcstaff\proj\corej2ee\deploy\bin\an
tfiles\tools.xml _addGroup_ executing
addGroup group WLSAdminRole added _noPassword_ n
o -DuserPasswordltpasswordgt supplied, using
default
15
Adding Users/Groups with MBeans
_addUser_ executing addUser user jim/password
added _noPassword_ no -DuserPasswordltpasswordgt
supplied, using default _addUser_ executing
addUser user dan/password added _addGroupMember_
executing addGroupMember added jim to group
WLSAdminRole _addGroupMember_ executing
addGroupMember added dan to group WLSAdminRole
16
WL Security Setup Summary

• Realms have configured implementations for each
  required security component
• Possible to write custom security implementations
• Default implementation utilizes embedded LDAP
  server, user names/passwords, and certificates
• Realm used is selected in web.xml deployment
  descriptor

17
JBoss Security Infrastructure

• Uses JAAS heavily
• Quick JAAS Overview
• Example Using a Database Login Module
• Keeps users/roles in database tables
• Can develop login modules for any desired
  security implementation
• LDAP and property file implementations provided
  in JBoss distribution

18
Java Authorization and Authentication Service

• JAAS

19
JAAS

• Two purposes
• Authentication Determine WHO is executing the
  code
• Authorization Verify user has permission to
  access the resource
• Part of J2SDK, v 1.4
• Support mandated by J2EE specification
• Weblogic uses JAAS for authentication. A
  proprietary mechanism is used to implement an
  extendable app server security infrastructure
• JBoss uses JAAS for authentication and a
  pluggable application server security
  infrastructure JBossSX

20
JAAS Components
2. Check configuration for Client login module
1. LoginContext lc new LoginContext(Client",
new MyCallbackHandler())
Configuration
Login context
5. lc.login()
4. initialize
Configuration implementation maps the login
context name to a login module implementation
3. new Subject()
6. login
Client
Subject
Client Login Module
8. Populate with principal
Callback Handler
7. Ask for information e.g. password
Note commit() details omitted
21
JBoss JAAS Configuration

• Server (Users/Passwords in Database)
• Define Oracle Data Source (OracleDS)
• deploy/oracle-service.xml
• Copy classes12.jar to lib
• Create/Populate user database tables
• Update login-config.xml

22
Server deploy/oracle-service.xml
.. ltattribute name"JndiName"gtOracleDSlt/a
ttributegt ltattribute name"ManagedConnection
FactoryProperties"gt ltpropertiesgt
ltconfig-property name"ConnectionURL"
type"java.lang.String"gt jdbcoraclethin_at_linux1
1521coredblt/config-propertygt
ltconfig-property name"DriverClass"
type"java.lang.String"gt oracle.jdbc.driver.Oracl
eDriverlt/config-propertygt
ltconfig-property name"UserName"
type"java.lang.String"gtcorelt/confi-propertygt
ltconfig-property name"Password"
type"java.lang.String"gtcorepasswordlt/config-prope
rtygt lt/propertiesgt
lt/attributegt ..
23
Server Database Tables (Principal)
CREATE TABLE principal_Principal ( id
VARCHAR2(32) NOT NULL, password
VARCHAR2(128), principalType CHAR(1),
firstName VARCHAR2(128), lastName
VARCHAR2(128) ) CREATE TABLE principal_Principal
Group ( principalId VARCHAR2(32) NOT NULL,
groupId VARCHAR2(32) NOT NULL,
roleName VARCHAR2(32) )
24
Add Some Users (principal_data.ddl)
INSERT INTO principal_Principal VALUES ('DAN',
'DAN', '1', 'Dan', 'Weimer') INSERT INTO
principal_Principal VALUES ('JIM', 'JIM', '1',
'Jim', 'Stafford') INSERT INTO
principal_Principal VALUES ('GROUP1', 'XXX', '2',
'G', '1') INSERT INTO principal_PrincipalGroup
VALUES ('DAN', 'GROUP1', 'ADMIN') INSERT INTO
principal_PrincipalGroup VALUES ('DAN', 'GROUP1',
'USERS') INSERT INTO principal_PrincipalGroup
VALUES ('JIM', 'GROUP1', 'USERS')
25
Server conf/login-config.xml
ltapplication-policy name"coreDB"gt
ltauthenticationgt ltlogin-module
code"org.jboss.security.auth.spi.DatabaseServerLo
ginModule flag"required"gt
ltmodule-option name"dsJndiName"gtjava/OracleDSlt/m
odule-optiongt ltmodule-option
name"unauthenticatedIdentity"gtguestlt/module-optio
ngt ltmodule-option name"principalsQue
ry"gtselect password from principal_Principal
where id?lt/module-optiongt
ltmodule-option name"rolesQuery"gtselect roleName,
'Roles' from principal_PrincipalGroup where
principalId?lt/module-optiongt
lt/login-modulegt lt/authenticationgt
lt/application-policygt
26
DtD for login-config.xml
27
JBoss Security Setup (Cont.)

• Login Module utilized by the server is configured
  in the jboss proprietary deployment descriptor
  for J2EE components
• Servlet and EJB examples shown later

28
Web Application Security
29
Security Points
Security Infrastructure (App Server may use
JAAS to access)
Business Logic (Vendor A)
Web Tier (Servlets/JSP)
http/https
Rmi/
IIOP
Resource Tier
BASIC, Form, Mutual-SSL
EJBs
rmi/iiop
new InitialContext(props) JAAS
Business Logic (Vendor B)
OMG CSIv2 Level 0 SSL/TLS Security Info in
IOR Security Context in IIOP Message
EJBs
30
Web Tier Security

• Authentication
• BASIC
• Form
• Client X.509 Certificate
• Confidentiality and Message Integrity
• Can require communication to take place over SSL
  with lttransport-guaranteegt element

31
Web Tier Security Configuration (web.xml)
Name a set of pages to protect
ltsecurity-constraintgt ltweb-resource-collect
iongt ltweb-resource-namegtAdmin
Pageslt/web-resource-namegt
lturl-patterngt/admin/lt/url-patterngt
lt/web-resource-collectiongt
ltauth-constraintgt ltdescriptiongtPages for
admin onlylt/descriptiongt
ltrole-namegtadminlt/role-namegt
lt/auth-constraintgt ltuser-data-constraintgt
lttransport-guaranteegtNONElt/transport-guarantee
gt lt/user-data-constraintgt
lt/security-constraintgt
State what roles can access these pages
Do requests for these pages need to be made over
SSL? Not in this example
32
Security Configuration (Cont)
ltsecurity-constraintgt ltweb-resource-collecti
ongt ltweb-resource-namegtAdmin SSL
Pageslt/web-resource-collectiongt
lturl-patterngt/adminssl/lt/url-patterngt
lt/web-resource-collectiongt
ltauth-constraintgt ltdescriptiongtPages for
admin over ssl onlylt/descriptiongt
ltrole-namegtadminlt/role-namegt
lt/auth-constraintgt ltuser-data-constraintgt
lttransport-guaranteegtCONFIDENTIALlt/transport-g
uaranteegt lt/user-data-constraintgt
lt/security-constraintgt
Have to use SSL to access these pages
33
Security Configuration (Cont) (web.xml)
Use HTTP BASIC to collect users name and password
ltlogin-configgt ltauth-methodgtBASIClt/auth-metho
dgt ltrealmgtmyrealmlt/realmgt lt/login-configgt
ltsecurity-rolegt ltrole-namegtadminlt/role-namegt
lt/security-rolegt lt/web-appgt
Have to list all security roles
mentioned previously
34
Setting up Security (weblogic.xml)
lt!DOCTYPE weblogic-web-app PUBLIC "-//BEA
Systems, Inc.//DTD Web Application 7.0//EN
"http//www.bea.com/servers/wls700/dtd/weblogic700
-web-jar.dtd"gt ltweblogic-web-appgt
ltdescriptiongtWebLogic Descriptorlt/descriptiongt
ltsecurity-role-assignmentgt
ltrole-namegtadminlt/role-namegt
ltprincipal-namegtWLSAdminRolelt/principal-namegt
lt/security-role-assignmentgt ltiweblogic-web-appgt
Have to map logical J2EE roles to a group
configured in Weblogic
35
Setting up Security (jboss-web.xml)
lt?xml version"1.0" encoding"UTF-8"?gt lt!DOCTYPE
jboss-web PUBLIC "-//JBoss//DTD Web
Application 2.3//EN" "http//www.jboss.org/j2e
e/dtds/jboss-web_3_0.dtd"gt ltjboss-webgt
ltsecurity-domaingtjava/jaas/coreDBlt/security-domai
ngt lt/jboss-webgt
Matches an application-policy in login-config.xml
36
Web Demo App

• No constraints on the 1st link
• Second link requires login by user in the admin
  role
• Third link will fail because link is not SSL
• Fourth link uses SSL link. If user is not
  already authenticated, challenge box will appear

37
FORM-based authentication

• Allows custom application form to be used to
  collect user credentials
• Can look better than browser pop-up box

38
Web.xml
Changed BASIC to FORM
ltlogin-configgt ltauth-methodgtFORMlt/auth-metho
dgt ltrealm-namegtmyrealmlt/realm-namegt
ltform-login-configgt ltform-login-pagegt/login
.htmllt/form-login-pagegt ltform-error-pagegt/e
rror.htmllt/form-error-pagegt
lt/form-login-configgt lt/login-configgt
Our pages that look more like our application
39
Login.html
ltform action"j_security_check" method"POST"gt
lttable border"0" width"30" cellspacing"3"
cellpadding"2"gt lttrgtlttdgtltbgtUser
Namelt/bgtlt/tdgtlttdgt ltinput
type"text" size"20" name"j_username"gt
lt/tdgtlt/trgt lttrgtlttdgtltbgtPasswordlt/bgtlt/td
gtlttdgt ltinput type"password"
size"10" name"j_password"gt
lt/tdgtlt/trgt lttrgtlttdgtltpgtltinput
type"submit" value"Login"gtlt/tdgtlt/trgt
lt/tablegt lt/formgt
40
Custom Challenge Box
41
Programmatic Security
42
Servlet with Programmatic Security
public class SecureServlet extends HttpServlet
public void doGet(HttpServletRequest
request, HttpServletResponse
response) throws
IOException, ServletException PrintWriter
pwresponse.getWriter() pw.println("ltHTMLgtltH
EADgtltTITLEgtHelloWorldlt/TITLEgtlt/HEADgtltBODYgt")
if(request.isUserInRole("applicationAdmin"))
pw.println("You are an admin user")
else pw.println("You are not an
admin user") pw.println("lt/BODYgtlt/HTML
gt")
43
Web.xml
ltservletgt ltservlet-namegtsecurelt/servlet-name
gt ltservlet-classgtcorej2ee.examples.web.Secure
Servletlt/servlet-classgt ltsecurity-role-refgt
ltdescriptiongtservlet checks for this role
programmaticallylt/descriptiongt
ltrole-namegtapplicationAdminlt/role-namegt
ltrole-linkgtadminlt/role-linkgt
lt/security-role-refgt lt/servletgt
ltsecurity-rolegt ltrole-namegtadminlt/role-namegt
lt/security-rolegt
We did an isUserInRole for this role in our code
App Server please map this to the overall admin
logical role defined for the application
44
Web Services Security
45
Web Services Security (Cont)

• Web Services for J2EE still being defined
• JSR 109 (http//www-3.ibm.com/software/solutions/w
  ebservices/pdf/websvcs-0_3-pd.pdf)
• HTTP Basic Auth and Symmetric SSL
• Access to JAX-RPC web service endpoints is based
  upon the servlet/JSP security model
• Still immature
• No Support for credential propagation within a
  SOAP message i.e. no message-level security
  provisions

46
EJB Security
47
Security Points
Security Infrastructure (App Server may use
JAAS to access)
Business Logic (Vendor A)
Web Tier (Servlets/JSP)
http/https
Rmi/
IIOP
Resource Tier
BASIC, Form, Mutual-SSL
EJBs
rmi/iiop
new InitialContext(props) JAAS
Business Logic (Vendor B)
OMG CSIv2 Level 0 SSL/TLS Security Info in
IOR Security Context in IIOP Message
EJBs
48
EJB Security

• Authentication
• validates the identity of the user
• implemented through username/password logins, ID
  Cards, security certificates, etc.
• Technique used not covered by EJB Specification
• Authorization/Access Control
• controls what a user can and cannot do within the
  system
• Secure Communications
• ensuring the privacy of a communications
• implemented through private communication
  (infrequently) channels or (more commonly)
  encryption
• not covered by EJB Specification

49
Authentication

• EJB external clients
• Specify principal and password properties when
  creating JNDI initial context (deprecated and
  proprietary)
• JAAS with a client-login module
• Web Clients
• Authenticated with FORM, Basic, or certificates

50
Authentication

• EJB Spec requires that every client access be
  associated with a security identity
• user or role
• getCallerPrincipal always returns a valid
  principal
• User logs into EJB System and authenticated
  through an implementation-specific method
• EJB Server passes security identity along with
  method invocation
• EJB objects or EJB homes check access

51
Authorization

• Authorization required to invoke bean methods
• Declarative
• Configure container to perform security checks
• Controlled by deployment descriptor
• Programmatic
• Programmer assumes responsibility for security
  checks

52
Authorization

• Security Identity represented as
  javax.security.Principal
• ejb-jar.xml contains tags that declare the roles
  that can invoke certain methods at runtime
• role are mapped to real-world users/groups in
  server-specific deployment descriptor(s)
  (weblogic-ejb-jar.xml)

53
Authorization role/method specification

• ejb-jar.xml
• ltsecurity-rolegt
• ltdescriptiongtlt/descriptiongt
• ltrole-namegtAdminlt/role-namegt
• lt/security-rolegt
• ltmethod-permissiongt
• ltrole-namegtAdminlt/role-namegt
• ltmethodgt
• ltejb-namegtRegistrarEJBlt/ejb-namegt
• ltmethod-namegtaddPersonlt/method-namegt
• lt/methodgt
• lt/method-permissiongt

Only a user in the Admin role can invoke the
addPerson method on the Registrar EJB
54
Authorization role/principal mapping

• weblogic-ejb-jar.xml
• ltsecurity-role-assignmentgt
• ltrole-namegtAdminlt/role-namegt
• ltprincipal-namegtWLSAdminlt/principal-namegt
• lt/security-role-assignmentgt

We have configured a group named WLSAdmin
in Weblogic/Security Infrastructure. Map the
logical Admin role to this group
55
Authorization role/method specification

• ejb-jar.xml
• ltsecurity-rolegt
• ltdescriptiongtlt/descriptiongt
• ltrole-namegtReadOnlylt/role-namegt
• lt/security-rolegt
• ltmethod-permissiongt
• ltrole-namegtReadOnlylt/role-namegt
• ltmethodgt
• ltejb-namegtRegistrarEJBlt/ejb-namegt
• ltmethod-namegtgetPersonlt/method-namegt
• lt/methodgt
• lt/method-permissiongt

56
Unchecked (Cont)

• Security Permissions are not checked before
  method is invoked.
• Any authenticated client can invoke these methods
• Unchecked overrides any other assigned method
  permissions

57
Authorization Unchecked Methods

• ejb-jar.xml
• ltmethod-permissiongt
• ltunchecked/gt
• ltmethodgt
• ltejb-namegtRegistrarEJBlt/ejb-namegt
• ltmethod-namegtgetPersonlt/method-namegt
• lt/methodgt
• lt/method-permissiongt
• ltmethod-permissiongt
• ltrole-namegtAdminlt/role-name/gt
• ltmethodgt
• ltejb-namegtRegistrarEJBlt/ejb-namegt
• ltmethod-namegtlt/method-namegt
• lt/methodgt
• lt/method-permissiongt

Unchecked specification overrides wildcarded
specifications
58
Exclude List

• Methods that are not callable by a client

ltexclude-listgt ltmethodgt
ltejb-namegtSecureEJBlt/ejb-namegt
ltmethod-namegtspeakExcludedlt/method-namegt
lt/methodgt lt/exclude-listgt
59
Assembly Descriptor Layout

• Security Roles
• Method Permissions
• Container Transaction
• Exclude List

60
ltassembly-descriptorgt ltsecurity-rolegt
ltdescriptiongtAn Admin Userlt/descriptiongt
ltrole-namegtAdminlt/role-namegt
lt/security-rolegt .. ltmethod-permissiongt
ltrole-namegtApplicationlt/role-namegt
ltmethodgt ltejb-namegtSecureEJBlt/ejb-namegt
ltmethod-namegtspeaklt/method-namegt
lt/methodgt lt/method-permissiongt ..
61
ltcontainer-transactiongt ltmethodgt
ltejb-namegtSecureEJBlt/ejb-namegt
ltmethod-namegtlt/method-namegt lt/methodgt
lttrans-attributegtSupportslt/trans-attributegt
lt/container-transactiongt ltexclude-listgt
ltmethodgt ltejb-namegtSecureEJBlt/ejb-namegt
ltmethod-namegtspeakExcludedlt/method-namegt
lt/methodgt lt/exclude-listgt
lt/assembly-descriptorgt
62
Specifying Methods (ltmethod-namegt

• Can use an to signify all methods in the
  beans home and remote interfaces
• No other wildcards defined as of EJB 2.0
• Naming specific methods
• ltmethod-namegtspeaklt/method-namegt
• This is all speak methods taking in any arguments
• Naming a specific method when methods are
  overloaded
• Specify ltmethod-paramsgt

63
Specifying Methods (Cont)

• Methods in home and remote interfaces
• Can pick methods that are in a specific interface
  by using the ltmethod-intfgt element
• Best to keep method names different in your home
  and remote interfaces, though.

64
run-as

• Specifies identity for bean to use when accessing
  resources and methods of other beans
• not necessarily the same identity as caller
• ltsessiongt
• ltsecurity-identitygt
• ltrun-asgt
• ltrole-namegtAdminlt/role-namegt
• lt/run-asgt
• lt/security-identitygt
• lt/sessiongt
• ltsessiongt
• ltsecurity-identitygt
• ltuse-caller-identity/gt
• lt/security-identitygt
• lt/sessiongt

65
run-as (Cont)

• Message-Driven Beans and beans that implement the
  TimedObject interface must use run-as
• They have no client context !

66
Weblogic principal

• Needed when ejb-jar.xml run-as property does not
  map to a single principal (e.g., a group
  specified)
• ltweblogic-enterprise-beangt
• ...
• ltrun-as-identity-principalgt
• dan
• lt/run-as-identity-principalgt

67
EJB Authorization

• Declarative
• Coarse-Grained security
• Container checks identity of caller and test
  against required role to invoke bean method
• Throw RemoteException if not authorized
• Programmatic
• Fine-Grained security
• getCallerPrincipal()
• isCallerInRole()

68
Programmatic Access Control

• Code can check security authorization of caller
• in addition to container checks. May want to do
  bean instance specific security checks
• Query EJBContext to determine identity of caller

69
Identity Deprecated
70
Programmatic Access Control
public class TellerBean public void
closeAccount(int accountID) throws
InvalidAccessException if(
getAccountType(accountID).equals(Special)
if( !ctx.isCallerInRole(managers))
throw new InvalidAccessException(Mgr
Access Required) //
Close the account. Tellers can close all but
special accounts ...
71
Security Declarations

• Bean provider must declare all security role
  names used in bean code
• ltsecurity-role-refgt
• isCallerInRole() used in the code
• Application Assembler
• logical security view of the application
• ltsecurity-rolegt
• method permissions for each security role

72
Linking Programmatic Security Roles

• ltenterprise-beansgt
• ltsessiongt
• ltejb-namegtTellerBeanltejb-namegt
• ltejb-classgtMyTellerBeanImpllt/ejb-classgt
• ltsecurity-role-refgt
• ltdescriptiongt special account maint.
  lt/descriptiongt
• ltrole-namegtmanagerslt/role-namegtlt!--
  used in EJB code --gt
• ltrole-linkgtsupervisorslt/role-linkgt
  lt!-- defined in ejb-jar.xml--gt
• lt/security-role-refgt
• ltsessiongt
• lt/enterprise-beansgt

We used managers in the code
Treat as supervisors
73
Linking Programmatic Security Roles

• ltassembly-descriptorgt
• ltsecurity-rolegt
• ltrole-namegtsupervisorslt/role-namegt
• lt/security-rolegt
• ...
• ltmethod-permissiongt
• ltrole-namegtsupervisorslt/role-namegt
• ltmethodgt
• ltejb-namegtTellerBeanlt/ejb-namegt
• ltmethod-namegtlt/mehtod-namegt
• lt/methodgt
• lt/method-permissiongt

74
EJB Security Summary

• Security is role-based in EJB
• Declarative and Programmatic
• Roles defined for
• bean developer
• application assembler
• deployer

75
EJB Security Examples

• secureDemoApp secureEJB
• Has various speak() methods that can be called
  by
• Someone in an Admin role
• Someone in an Application role
• (corej2ee.bash secureDemoApp addAppUser)
• An unchecked speak method
• An excluded speak method
• secureDemoClient
• corej2ee.bash secureDemoClient javaclient-nouser
• corej2ee.bash secureDemoClient javaclient-admin
• corej2ee.bash secureDemoClient javaclient-applicat
  ion

76
EAR Security
77
EAR Security

• application.xml contains a security-role element

ltsecurity-rolegt  ltdescriptiongtthe gold customer
rolelt/descriptiongt  ltrole-namegtgold_customerlt/rol
e-namegtlt/security-rolegtltsecurity-rolegt  ltdescri
ptiongtthe customer rolelt/descriptiongt  ltrole-name
gtcustomerlt/role-namegtlt/security-rolegt These
roles define security roles global to the
application. Not much else implemented in this
area
78
External Client Authentication
79
Security Points
Security Infrastructure (App Server may use
JAAS to access)
Business Logic (Vendor A)
Web Tier (Servlets/JSP)
http/https
Rmi/
IIOP
Resource Tier
BASIC, Form, Mutual-SSL
EJBs
rmi/iiop
new InitialContext(props) JAAS
Business Logic (Vendor B)
OMG CSIv2 Level 0 SSL/TLS Security Info in
IOR Security Context in IIOP Message
EJBs
80
End-User Authentication

• JAAS (typically)
• InitialContext with user name/password
• Proprietary and Deprecated

81
Using JNDI Properties (WL/Deprecated)
import javax.naming.InitialContext import
javax.naming.Context import java.util.Properties
... String userName ... String password
... Properties properties new
Properties() properties.put(Context.SECURITY_PRIN
CIPAL, userName) properties.put(Context.SECURITY_
CREDENTIALS, password) Context jndi new
InitialContext(properties)
82
Weblogic Client using JAAS
83
JBoss Client Authentication

• Deferred for now uses JAAS

84
JBoss Client Application Notes
The ClientLoginModule is an implementation of
LoginModule for use by JBoss clients for the
establishment of the caller identity and
credentials. This simply sets the
org.jboss.security.SecurityAssociation.principal
to the value of the NameCallback filled in by the
CallbackHandler, and the org.jboss.security.Securi
tyAssociation.credential to the value of the
PasswordCallback filled in by the
CallbackHandler. This is the only supported
mechanism for a client to establish the current
thread's caller. Both stand-alone client
applications and server environments, acting as
JBoss EJB clients where the security environment
has not been configured to use JBossSX
transparently, need to use the ClientLoginModule
85
JAAS Client Login Module
ltpolicygt ltapplication-policy name
"client-login"gt ltauthenticationgt
ltlogin-module code "org.jboss.security.ClientLog
inModule" flag "required"gt
lt/login-modulegt lt/authenticationgt
lt/application-policygt
86
Accessing J2EE Resources
87
Security Points
Security Infrastructure (App Server may use
JAAS to access)
Business Logic (Vendor A)
Web Tier (Servlets/JSP)
http/https
Rmi/
IIOP
Resource Tier
BASIC, Form, Mutual-SSL
EJBs
rmi/iiop
new InitialContext(props) JAAS
Business Logic (Vendor B)
OMG CSIv2 Level 0 SSL/TLS Security Info in
IOR Security Context in IIOP Message
EJBs
88
Resource Manager Factories

• Creates connections to a resource manager
• Factory method is specific to resource type
• Configured in JNDI and made available relative to
  javacomp/env to container components
• Examples
• Data Sources
• JMS Connection Factories
• Java Mail Connection Factories
• URL Connection Factories
• JCA Resources

89
Acquiring a Data Source Connection
public void someMethod() try
dao_ new AccountDAO()
InitialContext jndi new InitialContext()
ds_ (DataSource)jndi.lookup("javacomp/env/j
dbc/mydb") conn_ds_.getConnection()
catch (Exception ex)
throw new EJBException(ex)
Component (EJB) code
ltreference-descriptorgt ltresource-descriptio
ngt ltres-ref-namegtjdbc/mydblt/res-ref-namegt
ltjndi-namegtcorej2ee/jdbc/corej2eeTxDSlt/j
ndi-namegt lt/resource-descriptiongt
lt/reference-descriptorgt
weblogic-ejb-jar.xml
ltresource-refgt ltres-ref-namegtjdbc/m
ydblt/res-ref-namegt ltres-typegtjavax.sql.D
ataSourcelt/res-typegt ltres-authgtContainer
lt/res-authgt lt/resource-refgt
ejb-jar.xml
90
Resource Shareability

• Connections to a resource are shareable across
  components in the same transaction context
• Default
• Optimizes connection usage and transactions
• Usually the desired option
• Can be marked Unshareable in deployment
  descriptor with ltres-sharing-scopegt

91
Associating a principal with resource manager
access

• Deployer
• Can set up principal-mapping or resource manager
  sign-on information
• Component code uses no-argument factory method to
  obtain connection e.g. ds_.getConnection()
• Component
• Signs on in bean code
• ds_.getConnection(user, password)
• ltres-authgt tag specifies Container or
  Application

92
Principals and Resources (Cont)

• It is expected that a J2EE application server
  will provide a mechanism to propagate the
  principal invoking the EJB through to the
  resource automatically
• Details not specified

93
Notes

• Misc. JBoss Issues
• Problem with Struts 1-1b2. Need to download a new
  struts-validator.jar
• http//jboss.org/forums/thread.jsp?forum50thread
  25378
• jsp.directive page import syntax difficulties
• getOutputStream() multiple calls
• Not entirely working yet