Securing Java EE 5.0 Applications with Apache Geronimo
Posted on 16-Jan-2016
Securing Java EE 5.0 Applications with Apache Geronimo
Vamsavardhana Reddy Chillakuru (a.k.a. Vamsi)
vamsic007@apache.org
vamsic007@in.ibm.com
09-Apr-2008 Securing Java EE 5.0 Applications with Geronimo
Who am I?
• Member of Apache Geronimo PMC
• Involved with ASF since 2005
• Over 11 years experience in software development
• Advisory Software Engineer at IBM
• Employed with IBM India since 1996
Geronimo in the making
That’s my son Susanth helping me with Geronimo
Agenda
• Introduction to Geronimo
• Security implementation
• Security Realms – Properties File
• Securing Applications
• Security Realms
• Advanced Features
• Summary
• Q & A
Introduction to Geronimo
• J2EE/Java EE Application Server from the Apache Software Foundation
• Brings together the best-of-breed technologies from open source to support J2EE/Java EE
• Small footprint/Highly customizable
• Ease of use is the foremost guiding principle
• V2.1 Java EE 5 Certified – Feb/2008
Geronimo History and Progress
• August 2003 – Apache Geronimo Project formed
• Oct 2005 – V1.0-M5 released, J2EE 1.4 certification
• Jan 2006 – V1.0 released
• June 2006 – V1.1 released
• Sep 2006 – V1.1.1 released
• Jun 2007 – V2.0-M6 released, Java EE 5 certification
• Aug 2007 – V2.0.1 released
• Oct 2007 – V2.0.2 released
• Feb 2008 – V2.1 released
• In plan – V2.2 release
Geronimo Architecture
• GBeans are the building blocks
  – E.g. Containers, Connectors, Servlets…
• Geronimo Kernel
  – A container for GBeans
  – Based on Inversion-of-Control/Dependency Injection
  – Provides Life Cycle management for GBeans
• Loosely coupled system
  – Start/stop/remove components on the fly
  – Integrate new components on the fly
• Plugins
  – Directory Server, Roller and many others
Geronimo Architecture
*Ref: http://www.ibm.com/developerworks/library/os-ag-deploy/
What does it contain?
• Apache Tomcat
• Jetty (Mort Bay)
• Apache Derby
• Apache OpenEJB
• Apache ActiveMQ
• Apache OpenJPA
• Apache Axis
• Apache Axis2
• Apache CXF
• Apache Yoko
• Apache Commons
• Apache jUDDI
• Apache Log4J
• HOWL
• TRANQL
• Castor
• WADI
• CGLIB
And many more…
What’s new in 2.1?
• Servers assembled out of plugins
• Custom server assemblies– Assemble a server feature
• Flexible admin console
• Monitoring Console
• GShell
• WADI Clustering Support for Tomcat
How to get involved?
• Geronimo project web site
  – http://geronimo.apache.org/
• Mailing lists
  – user@geronimo.apache.org
  – dev@geronimo.apache.org
• Wiki
  – http://cwiki.apache.org/geronimo/
Geronimo Installation
• http://geronimo.apache.org/downloads.html
• Geronimo Tomcat or Geronimo Jetty distributions
• Extract the archive to any directory
  – On Windows, use a short directory name (e.g. C:\ or C:\g) to avoid long-path problems.
Geronimo Startup/Shutdown
• Requires Sun J2SE 5.0 JDK/JRE
• Environment variables
  – JAVA_HOME/JRE_HOME
  – GERONIMO_OPTS
  – JAVA_OPTS
• Run the server
  – <g_home>/bin/geronimo start
  – <g_home>/bin/geronimo jpda run
• Stop the server
  – Control+C in the server console
  – <g_home>/bin/shutdown
Administration Console
• Web-based, convenient, user-friendly
• Based on Apache Pluto (JSR-168)
• Access at http://localhost:8080/console
• Portlets for administration
  – Web Server, JMS Server, JMS Resources, DB Manager, Database Pools
  – Application portlets – Deploy New, Web App WARs, Plan Creator etc.
  – Security Realms, Keystores
• Portlets for monitoring server status
  – Information, Java System Info, Server Logs, Monitoring, etc.
• Don’t forget the Help view in the portlets
Introduction to JAAS
• Java Authentication and Authorization Service
• Pluggable Authentication Modules
• Subject and Principals
• LoginModules composed into a Configuration
  – Control flags for execution control
• Each LoginModule with a successful login adds zero or more Principals to the Subject
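To make the composition rules concrete, here is an added example in plain JDK JAAS; it is not code from the slides or from Geronimo. It builds a programmatic Configuration (the equivalent of a login-config) that chains a REQUIRED module with an OPTIONAL one, runs them through a LoginContext, and returns the Principals the Subject holds afterwards. The module, its in-memory user table and the NamedPrincipal class are all constructed for this example.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Added example (not Geronimo code): two LoginModules composed by control flags in one Configuration. */
public class JaasCompositionDemo {

    /** Minimal Principal; as with Geronimo's user and group principals, the class is part of its identity. */
    public static final class NamedPrincipal implements Principal {
        private final String name;
        public NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "NamedPrincipal[" + name + "]"; }
    }

    /** Hypothetical username/password module over a constructed user table (not PropertiesFileLoginModule). */
    public static class PasswordLoginModule implements LoginModule {
        private static final Map<String, String> USERS = Map.of("user1", "password1", "user3", "pwd3"); // constructed
        private Subject subject;
        private CallbackHandler handler;
        private String user;

        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }

        // Phase 1: authenticate only; nothing is added to the Subject yet.
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user");
            PasswordCallback pc = new PasswordCallback("password", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.getMessage()); }
            String expected = USERS.get(nc.getName());
            boolean ok = expected != null && expected.equals(new String(pc.getPassword()));
            pc.clearPassword();
            if (!ok) throw new FailedLoginException("bad credentials");
            user = nc.getName();
            return true;
        }
        // Phase 2: commit() runs on every module once the overall login succeeded; a module that
        // authenticated adds its zero or more Principals to the Subject here.
        public boolean commit() {
            if (user == null) return false;
            subject.getPrincipals().add(new NamedPrincipal(user));
            return true;
        }
        public boolean abort() { user = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Always fails and adds nothing; flagged OPTIONAL below, so its failure does not fail the login. */
    public static class AlwaysFailModule implements LoginModule {
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { }
        public boolean login() throws LoginException { throw new FailedLoginException("optional module rejects"); }
        public boolean commit() { return false; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    /** Programmatic equivalent of a login-config: REQUIRED password module followed by an OPTIONAL one. */
    static Configuration config() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, ?> noOptions = Collections.emptyMap();
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(PasswordLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, noOptions),
                    new AppConfigurationEntry(AlwaysFailModule.class.getName(), LoginModuleControlFlag.OPTIONAL, noOptions) };
            }
        };
    }

    /** Answers the modules' name/password callbacks from fixed values. */
    static CallbackHandler credentials(String user, String password) {
        return callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
    }

    /** Principals the Subject holds after login, or null when the LoginContext rejects the credentials. */
    public static Set<Principal> login(String user, String password) {
        try {
            LoginContext lc = new LoginContext("demo", new Subject(), credentials(user, password), config());
            lc.login();
            return lc.getSubject().getPrincipals();
        } catch (LoginException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        System.out.println(login("user1", "password1")); // REQUIRED module passed; the OPTIONAL module's failure is ignored
        System.out.println(login("user1", "wrong"));     // REQUIRED module failed, so the login as a whole fails
    }
}
```

Swapping the second flag to REQUIRED makes every login fail, and swapping it to SUFFICIENT changes nothing here because a SUFFICIENT module only short-circuits the chain when it succeeds; the flags decide the outcome, the modules decide only their own vote.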
JACC
• Java Authorization Contract for Containers (JSR-115)
• Defines new Permission classes to satisfy the Java EE 5 authorization model
• Geronimo has JACC 1.1 implementation
What does Geronimo provide?
• Embedded Database – Apache Derby
• LDAP Server – Apache Directory Server
  – Can be installed as a plug-in
• JAAS Authentication LoginModules
  – PropertiesFileLoginModule
  – SQLLoginModule
  – LDAPLoginModule
  – CertificatePropertiesFileLoginModule
What does Geronimo provide? (contd.)
• JAAS LoginModules
  – FileAuditLoginModule
  – RepeatedFailureLockoutLoginModule
  – GeronimoPasswordCredentialLoginModule
  – NamedUsernamePasswordCredentialLoginModule
• Principal classes
  – GeronimoUserPrincipal
  – GeronimoGroupPrincipal
  – LoginDomainPrincipal
  – RealmPrincipal
• CredentialStores
  – SimpleCredentialStoreImpl
• Security Realms portlet
  – Create, Edit and see Usage for a realm
Properties File Realm
• Prerequisites
  – None
• Parameters
  – usersURI = relative path of the users properties file from <g_home>
  – groupsURI = relative path of the groups properties file from <g_home>
  – digest = Message Digest algorithm (e.g. MD5, SHA1, etc.) used on the passwords
  – encoding = Encoding to be used with digest (e.g. HEX, BASE64)
Sample my-users.properties
user1=password1
user2=password2
user3=pwd3
...
Sample my-groups.properties
group1=user1,user2
group2=user3,user4,user5
guest=john,mary
admin=someuser
Creating the Realm
• Create the properties files
  – Typically under the var/security dir.
• Security Realms portlet
  – Specify realm name
  – Select type Properties File Realm
• Fill in the parameters
• Option to test the realm
• Option to generate deployment plan
LoginModuleConfiguration
<xml-reference name="LoginModuleConfiguration">
  <login-config xmlns="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
    <login-module control-flag="REQUIRED" wrap-principals="false">
      <login-domain-name>my-realm</login-domain-name>
      <login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</login-module-class>
      <option name="usersURI">var/security/my-users.properties</option>
      <option name="groupsURI">var/security/my-groups.properties</option>
      <option name="digest">MD5</option>
      <option name="encoding">HEX</option>
    </login-module>
  </login-config>
</xml-reference>
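The digest and encoding parameters from the Properties File Realm slide appear here as digest=MD5 and encoding=HEX, which means the values in my-users.properties must be digests rather than the plaintext shown on the sample slide. The following Java program is an added example, not Geronimo's code: it turns the plaintext sample into such a file and performs the comparison a digest-aware module has to make. That the module digests the offered password once, without a salt, and compares the encoded result with the stored value is my reading of the option semantics and is stated as an assumption; the user table is the slide's sample, constructed in memory.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Locale;
import java.util.Properties;

/** Added example: producing and checking digested entries for a users file whose realm sets digest/encoding. */
public class DigestedUsersFile {

    /** One unsalted digest of the password, encoded as the realm parameters name it: HEX or BASE64 (assumed semantics). */
    public static String digest(String password, String algorithm, String encoding) {
        byte[] hash;
        try {
            hash = MessageDigest.getInstance(algorithm).digest(password.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalArgumentException("unsupported digest: " + algorithm, e);
        }
        switch (encoding.toUpperCase(Locale.ROOT)) {
            case "HEX": return toHex(hash);
            case "BASE64": return Base64.getEncoder().encodeToString(hash);
            default: throw new IllegalArgumentException("unsupported encoding: " + encoding);
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** Same keys as the plaintext file, values replaced by their digests. */
    public static Properties digestAll(Properties plaintext, String algorithm, String encoding) {
        Properties digested = new Properties();
        for (String user : plaintext.stringPropertyNames()) {
            digested.setProperty(user, digest(plaintext.getProperty(user), algorithm, encoding));
        }
        return digested;
    }

    /** The check a digest-configured module must make: digest the offered password, compare to the stored value. */
    public static boolean verify(Properties users, String user, String password, String algorithm, String encoding) {
        String stored = users.getProperty(user);
        if (stored == null) return false;                 // unknown user: same answer as a wrong password
        String offered = digest(password, algorithm, encoding);
        if ("HEX".equalsIgnoreCase(encoding)) {           // hex digits may be written in either case; Base64 may not
            stored = stored.toLowerCase(Locale.ROOT);
            offered = offered.toLowerCase(Locale.ROOT);
        }
        return MessageDigest.isEqual(offered.getBytes(StandardCharsets.US_ASCII),
                                     stored.trim().getBytes(StandardCharsets.US_ASCII)); // constant-time compare
    }

    public static void main(String[] args) throws IOException {
        // The plaintext users file from the slide, constructed here as an in-memory string.
        Properties plaintext = new Properties();
        plaintext.load(new StringReader("user1=password1\nuser2=password2\nuser3=pwd3\n"));

        // Matching the deployment plan's options: digest=MD5, encoding=HEX.
        Properties digested = digestAll(plaintext, "MD5", "HEX");
        for (String user : digested.stringPropertyNames()) {
            System.out.println(user + "=" + digested.getProperty(user));   // the lines to put in my-users.properties
        }
        System.out.println(verify(digested, "user1", "password1", "MD5", "HEX")); // correct password
        System.out.println(verify(digested, "user1", "password2", "MD5", "HEX")); // wrong password
        System.out.println(verify(digested, "nobody", "x", "MD5", "HEX"));        // unknown user

        // The same file written for digest=SHA1, encoding=BASE64.
        System.out.println(digestAll(plaintext, "SHA1", "BASE64").getProperty("user3"));
    }
}
```

Because the digest is unsalted, two users with the same password get identical lines and a leaked file is as sensitive as the passwords it protects, so the file under var/security needs the same access restrictions as the plaintext version; leaving the digest option out, as the sample slide does, stores the passwords as-is.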
Realm GBean
<gbean name="my-realm"
       class="org.apache.geronimo.security.realm.GenericSecurityRealm"
       xsi:type="dep:gbeanType"
       xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <attribute name="realmName">my-realm</attribute>
  <reference name="ServerInfo">
    <name>ServerInfo</name>
  </reference>
  <!-- LoginModuleConfiguration goes here -->
</gbean>
Secure a Web Application
• web.xml
  – login-config
    • auth-method
  – security-role
  – security-constraint
    • auth-constraint
  – run-as
    • role-name
Secure a Web Application
• geronimo-web.xml
  – security-realm-name
  – role-mappings
  – credential-store-ref
  – run-as-subject
  – default-subject
Credential Store
<gbean name="CredentialStore"
       class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
  <xml-attribute name="credentialStore">
    <credential-store xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
      <realm name="my-realm">
        <subject>
          <id>admin-run-as</id>
          <credential>
            <type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</type>
            <value>system</value>
          </credential>
          <credential>
            <type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</type>
            <value>manager</value>
          </credential>
        </subject>
      </realm>
    </credential-store>
  </xml-attribute>
</gbean>
Sample web.xml
<web-app id="SimpleWebApp" version="2.5" ... >
  <display-name>SimpleWebApp</display-name>
  <servlet>
    . . .
    <run-as>
      <role-name>user</role-name>
    </run-as>
  </servlet>
  <login-config>
    <auth-method>BASIC</auth-method>
    <!-- For 'BASIC', realm-name will be shown in the prompt -->
    <realm-name>my-realm</realm-name>
  </login-config>
  <!-- Security roles used in the application -->
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>user</role-name></security-role>

Sample web.xml (contd.)
  <!-- Configure authorization for Admin pages -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
Sample geronimo-web.xml
<security-realm-name>my-realm</security-realm-name>
<security>
  <credential-store-ref>
    <name xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">CredentialStore</name>
  </credential-store-ref>
  <default-subject>
    <realm>my-realm</realm>
    <id>admin-run-as</id>
  </default-subject>
  <role-mappings>
    <role role-name="admin"> <!-- from web.xml -->
      <principal name="Admin"
                 class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
    </role>

Sample geronimo-web.xml (contd.)
    <role role-name="user">
      <run-as-subject>
        <realm>my-realm</realm>
        <id>user-run-as</id>
      </run-as-subject>
      <principal name="User"
                 class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
      <principal name="john"
                 class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"/>
    </role>
  </role-mappings>
</security>
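The role-mappings above bind each web.xml role to principals by class and name, and the container answers isUserInRole by intersecting that list with the Subject's principals. The following Java code is an added example, constructed for this page rather than taken from Geronimo's JACC implementation: UserPrincipal and GroupPrincipal stand in for GeronimoUserPrincipal and GeronimoGroupPrincipal, the mappings are the ones from the sample plan, and the group memberships are constructed in the shape of my-groups.properties.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Added example: how role-mappings in a deployment plan decide isUserInRole for a Subject's principals. */
public class RoleMappingDemo {

    /** A principal is identified by its class and its name, just as the principal tag carries class= and name=. */
    public abstract static class NamedPrincipal implements Principal {
        private final String name;
        protected NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o != null && o.getClass() == getClass() && ((NamedPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return getClass().hashCode() * 31 + name.hashCode(); }
        @Override public String toString() { return getClass().getSimpleName() + "(" + name + ")"; }
    }
    /** Stand-ins for GeronimoUserPrincipal and GeronimoGroupPrincipal (constructed, not the Geronimo classes). */
    public static final class UserPrincipal extends NamedPrincipal { public UserPrincipal(String n) { super(n); } }
    public static final class GroupPrincipal extends NamedPrincipal { public GroupPrincipal(String n) { super(n); } }

    /** The role-mappings of the sample geronimo-web.xml, as role -> principals. */
    public static final Map<String, Set<Principal>> ROLE_MAPPINGS = Map.of(
        "admin", Set.of(new GroupPrincipal("Admin")),
        "user",  Set.of(new GroupPrincipal("User"), new UserPrincipal("john")));

    /** What a properties-file realm puts in the Subject: one user principal plus one group principal per membership. */
    public static Set<Principal> principalsFor(String user, Map<String, List<String>> groups) {
        Set<Principal> principals = new LinkedHashSet<>();
        principals.add(new UserPrincipal(user));
        groups.forEach((group, members) -> { if (members.contains(user)) principals.add(new GroupPrincipal(group)); });
        return principals;
    }

    /** A Subject is in a role when any of its principals is listed under that role; an unmapped role matches nobody. */
    public static boolean isUserInRole(Set<Principal> subjectPrincipals, String role) {
        Set<Principal> mapped = ROLE_MAPPINGS.getOrDefault(role, Collections.emptySet());
        return !Collections.disjoint(mapped, subjectPrincipals);
    }

    public static void main(String[] args) {
        // Constructed group memberships in the shape of my-groups.properties (group=user,user,...).
        Map<String, List<String>> groups = Map.of(
            "Admin", List.of("someuser"),
            "guest", List.of("john", "mary"));

        for (String user : List.of("someuser", "john", "mary", "Admin")) {
            Set<Principal> p = principalsFor(user, groups);
            System.out.println(user + " -> " + p + " admin=" + isUserInRole(p, "admin") + " user=" + isUserInRole(p, "user"));
        }
        // someuser is in role admin through GroupPrincipal(Admin).
        // john is in role user through the explicitly mapped UserPrincipal(john), not through a group.
        // mary is in neither role: group "guest" is mapped to nothing.
        // A user literally named "Admin" is not in role admin: the mapping names a group principal, not a user principal.
    }
}
```

The last case is the one to check when a mapping does not behave as expected: the class attribute on the principal tag is part of the match, so a GeronimoUserPrincipal and a GeronimoGroupPrincipal with the same name are different principals.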
Secure an EJB Application
ejb-jar.xml
• security-identity
  – use-caller-identity
  – run-as
• assembly-descriptor
  – security-role
    • role-name
  – method-permission
    • method
    • role-name
    • unchecked
Secure an EJB Application
openejb-jar.xml
• security
  – role-mappings
  – credential-store-ref
  – run-as-subject
  – default-subject
ejb-jar.xml
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>SecurityEJB</ejb-name>
      <ejb-class>myejbs.SecurityEJBean</ejb-class>
      ...
      <security-identity>
        <use-caller-identity/>
      </security-identity>
    </session>
  </enterprise-beans>
</ejb-jar>

ejb-jar.xml (2)
<assembly-descriptor>
  <security-role>
    <role-name>user</role-name>
  </security-role>
  <method-permission>
    <role-name>user</role-name>
    <method>
      <ejb-name>StockQuoteServiceBean</ejb-name>
      <method-name>getQuoteUser</method-name>
    </method>
  </method-permission>
  <method-permission>
    <unchecked/>
    <method>
      <ejb-name>StockQuoteServiceBean</ejb-name>
      <method-name>getQuote</method-name>
    </method>
  </method-permission>
</assembly-descriptor>
Secure an EAR Application
• application.xml
  – security-role
• geronimo-application.xml
  – security-realm-name for each web app
  – role-mappings
  – credential-store-ref
  – run-as-subject
  – default-subject
application.xml
<application …>
  <display-name>TutorialEntApp</display-name>
  <module id="WebModule_1154872888098">
    <web>
      <web-uri>WebApp1.war</web-uri>
      <context-root>WebApp1</context-root>
    </web>
  </module>
  <security-role><role-name>administrator</role-name></security-role>
  <security-role><role-name>guest-user</role-name></security-role>
</application>
geronimo-application.xml
<application ...>
  <module>
    <web>WebApp1.war</web>
    <web-app ...>
      <security-realm-name>sample-properties-file-realm</security-realm-name>
    </web-app>
  </module>
  <security>
    <role-mappings>
      <role role-name="administrator">
        <principal name="admin"
                   class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
      </role>
    </role-mappings>
  </security>
</application>
Database (SQL) Realm
• Prerequisites
  – Database tables for user credentials and group mapping
• Parameters
  – userSelect SQL statement
  – groupSelect SQL statement
  – digest = Message Digest algorithm (e.g. MD5, SHA1, etc.) used on the passwords
  – encoding = Encoding to be used with digest (e.g. HEX, BASE64)
• For the database connection either a Database Pool or JDBC parameters can be used
Creating the Realm
• DB Manager portlet
  – Create DB
  – Execute SQL
• Database Pools portlet
  – DB Pool for Embedded Derby
• Security Realms portlet
  – Select type Database (SQL) Realm
• Either Database Pool or JDBC parameters needed.
SQL Realm: Points to note
• Qualify the table name with the schema name to avoid unexpected errors
  – Prefer AUTH.USERS_TABLE to USERS_TABLE
• Use the VARCHAR data type to avoid trailing spaces in the values retrieved from the database.
LDAP Realm
• Prerequisites
  – LDAP Server
    • Apache Directory Server can be installed as a plug-in
    • Use the Plugins portlet
      – http://geronimo.apache.org/plugins/geronimo-2.1
• Create using the Security Realms portlet
  – Select type LDAP Realm
LDAP Connection parameters
• Initial Context Factory
• Connection URL
• Connect Username
• Connect Password
• Confirm Password
• Connect Protocol
• Authentication
LDAP Realm Parameters
• User Base
• User Search Matching
• User Search Subtree
• Role Base
• Role Name
• Role User Search String
• Role Search Subtree
• User Role Search String
Certificate Properties Realm
• Prerequisites
  – Certificate for Server Authentication
  – HTTPS port setup for Client Authentication
  – Web Clients should have installed Certificates issued by a CA configured as trusted in the HTTPS port setup
• Parameters
  – usersURI = certificate to user mapping file
  – groupsURI = group mapping file
Create Certificate Properties Realm
• Keystores portlet to prepare keystores
• Web Servers portlet to add HTTPS Connector
• CA Portlet to issue client certificates
• Security Realms portlet
  – Select type Certificate Properties File Realm
cert-users.properties
webclient01=CN=Web Client01,OU=Org Unit0,O=Org0,L=Loc0,ST=St0,C=IN
webclient02=CN=Web Client02,OU=Org Unit0,O=Org0,L=Loc0,ST=St0,C=IN
webclient11=CN=Web Client11,OU=Org Unit1,O=Org1,L=Loc1,ST=St1,C=US
webclient12=CN=Web Client12,OU=Org Unit1,O=Org1,L=Loc1,ST=St1,C=US
cert-groups.properties
admin=webclient01,webclient02
guest=webclient11,webclient12
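As an added example, not the source of CertificatePropertiesFileLoginModule, the following Java code resolves a presented certificate subject against the two files above. It keys the lookup on javax.security.auth.x500.X500Principal so that distinguished names are compared in canonical form (attribute-type case and spacing around separators do not matter) instead of as raw strings. That the realm maps the certificate's subject DN to the user name is stated here as an assumption; the presented DNs are constructed in place of certificates received on the HTTPS client-authentication port.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.x500.X500Principal;

/** Added example: resolving a client certificate's subject DN to a user and its groups via the two mapping files. */
public class CertUserMapping {

    /** Index cert-users.properties (user=DN) by X500Principal so lookups use canonical DN comparison. */
    public static Map<X500Principal, String> usersByDn(Properties certUsers) {
        Map<X500Principal, String> byDn = new HashMap<>();
        for (String user : certUsers.stringPropertyNames()) {
            byDn.put(new X500Principal(certUsers.getProperty(user)), user);
        }
        return byDn;
    }

    /** User for the presented subject, or null when no entry matches (the login must then fail). */
    public static String userFor(Map<X500Principal, String> byDn, X500Principal subject) {
        return byDn.get(subject);   // with a real connection the subject is cert.getSubjectX500Principal()
    }

    /** Groups from cert-groups.properties (group=user,user,...) that list the given user. */
    public static Set<String> groupsFor(Properties certGroups, String user) {
        Set<String> groups = new TreeSet<>();
        for (String group : certGroups.stringPropertyNames()) {
            for (String member : certGroups.getProperty(group).split(",")) {
                if (member.trim().equals(user)) groups.add(group);
            }
        }
        return groups;
    }

    static Properties load(String text) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(text));
        return p;
    }

    public static void main(String[] args) throws IOException {
        // Both files as given on the slides, constructed here as in-memory strings.
        Properties certUsers = load(
            "webclient01=CN=Web Client01,OU=Org Unit0,O=Org0,L=Loc0,ST=St0,C=IN\n" +
            "webclient02=CN=Web Client02,OU=Org Unit0,O=Org0,L=Loc0,ST=St0,C=IN\n" +
            "webclient11=CN=Web Client11,OU=Org Unit1,O=Org1,L=Loc1,ST=St1,C=US\n" +
            "webclient12=CN=Web Client12,OU=Org Unit1,O=Org1,L=Loc1,ST=St1,C=US\n");
        Properties certGroups = load("admin=webclient01,webclient02\nguest=webclient11,webclient12\n");
        Map<X500Principal, String> byDn = usersByDn(certUsers);

        // Constructed subject DNs standing in for certificates presented over the HTTPS client-auth port.
        X500Principal[] presented = {
            new X500Principal("CN=Web Client01,OU=Org Unit0,O=Org0,L=Loc0,ST=St0,C=IN"),
            new X500Principal("cn=Web Client12, ou=Org Unit1, o=Org1, l=Loc1, st=St1, c=US"), // same DN, other spelling
            new X500Principal("CN=Web Client01,OU=Other Unit,O=Org0,L=Loc0,ST=St0,C=IN"),     // valid CA-issued cert, unmapped
        };
        for (X500Principal subject : presented) {
            String user = userFor(byDn, subject);
            Set<String> groups = user == null ? Collections.emptySet() : groupsFor(certGroups, user);
            System.out.println(subject.getName() + " -> user=" + user + " groups=" + groups);
        }
    }
}
```

The third subject shows why the mapping file is an authorization control in its own right: the HTTPS connector only establishes that a trusted CA issued the certificate, and a certificate from that CA whose subject has no entry in cert-users.properties still yields no user and therefore no login.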
Advanced Features
• Auditing
  – Every login attempt will be recorded to the specified file.
• Lockout
  – A certain number of failed logins in a particular time frame will cause a user's account to be locked for a certain period of time.
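The lockout behaviour described above, as an added example: this is my own illustration of the policy, not the code of RepeatedFailureLockoutLoginModule. It separates the three tunables the slide names (how many failures, within what time frame, locked for how long), keeps a sliding window of recent failures per user, and exposes the check a login path performs before it looks at the password. The timestamps are constructed.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

/** Added example: the lockout policy from the slide as a small, clock-injected state machine. */
public class FailureLockout {
    private final int maxFailures;         // "a certain number of failed logins"
    private final Duration window;         // "in a particular time frame"
    private final Duration lockDuration;   // "locked for a certain period of time"
    private final Map<String, Deque<Instant>> recentFailures = new HashMap<>();
    private final Map<String, Instant> lockedUntil = new HashMap<>();

    public FailureLockout(int maxFailures, Duration window, Duration lockDuration) {
        this.maxFailures = maxFailures;
        this.window = window;
        this.lockDuration = lockDuration;
    }

    /** Checked before the password is even looked at; an expired lock is cleared on first contact. */
    public boolean isLocked(String user, Instant now) {
        Instant until = lockedUntil.get(user);
        if (until == null) return false;
        if (now.isBefore(until)) return true;
        lockedUntil.remove(user);
        recentFailures.remove(user);
        return false;
    }

    /** Record one failed attempt; returns true when this attempt is the one that locks the account. */
    public boolean recordFailure(String user, Instant now) {
        Deque<Instant> failures = recentFailures.computeIfAbsent(user, k -> new ArrayDeque<>());
        failures.addLast(now);
        Instant cutoff = now.minus(window);
        while (!failures.isEmpty() && failures.peekFirst().isBefore(cutoff)) failures.pollFirst(); // drop stale failures
        if (failures.size() >= maxFailures) {
            lockedUntil.put(user, now.plus(lockDuration));
            failures.clear();
            return true;
        }
        return false;
    }

    /** Design choice of this example (the slide does not say): a successful login resets the failure count. */
    public void recordSuccess(String user) { recentFailures.remove(user); }

    public static void main(String[] args) {
        FailureLockout policy = new FailureLockout(3, Duration.ofMinutes(5), Duration.ofMinutes(30));
        Instant t0 = Instant.parse("2008-04-09T10:00:00Z");   // constructed timestamps

        System.out.println(policy.recordFailure("user1", t0));                         // first failure
        System.out.println(policy.recordFailure("user1", t0.plusSeconds(60)));         // second failure
        System.out.println(policy.recordFailure("user1", t0.plusSeconds(120)));        // third failure inside the 5-minute window
        System.out.println(policy.isLocked("user1", t0.plusSeconds(600)));             // 10 minutes later
        System.out.println(policy.isLocked("user1", t0.plus(Duration.ofMinutes(32)))); // after the 30-minute lock period

        // Three failures spread wider than the window: the first one has aged out by the third.
        System.out.println(policy.recordFailure("user2", t0));
        System.out.println(policy.recordFailure("user2", t0.plusSeconds(200)));
        System.out.println(policy.recordFailure("user2", t0.plusSeconds(400)));
    }
}
```

Passing the clock in as a parameter is what makes the window and the lock period testable without sleeping; in a server the caller supplies Instant.now(). A real module would also persist this state across restarts and log both the lock and the unlock, which is the event the auditing feature on the same slide is for.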
Advanced Features (contd.)
• Store Password
  – Store each user's password in a private credential in the Subject.
  – GeronimoPasswordCredential
• Named Credential
  – Store each username and password in a private credential in the Subject under a specified credential name.
  – NamedUsernamePasswordCredential
Principal Wrapping
• Edit the realm from the Security Realms portlet
  – Set Support Advanced Mapping to Yes
  – LoginDomainPrincipal and RealmPrincipal are added to the subject
  – login-domain-principal and realm-principal can be used in role-mapping in addition to the principal tag
Recall LoginModuleConfiguration
<xml-reference name="LoginModuleConfiguration">
  <login-config xmlns="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
    <login-module control-flag="REQUIRED" wrap-principals="false">
      <login-domain-name>my-realm</login-domain-name>
      <login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</login-module-class>
      <option name="usersURI">var/security/my-users.properties</option>
      <option name="groupsURI">var/security/my-groups.properties</option>
      <option name="digest">MD5</option>
      <option name="encoding">HEX</option>
    </login-module>
  </login-config>
</xml-reference>
Application Scoped Realm
• The Security Realm GBean is part of the application deployment plan
• Use the Security Realms portlet to generate the realm plan and add the GBean to the application plan
  – May need to specify a dependency on the j2ee-security config
Single Sign-On
• Login to one application maintains the login across all applications on the server
• Create a SingleSignOn valve and connect it to the valve chain in the Tomcat config
  – Edit config.xml (XML fragment shown next)
XML fragment for SSO
<gbean name="AccessLogValve">
  <reference name="NextValve">
    <pattern>
      <name>SSOValve</name>
    </pattern>
  </reference>
</gbean>
<gbean gbeanInfo="org.apache.geronimo.tomcat.ValveGBean"
       name="org.apache.geronimo.configs/tomcat6/2.1/car?ServiceModule=org.apache.geronimo.configs/tomcat6/2.1/car,j2eeType=GBean,name=SSOValve">
  <attribute name="className">org.apache.catalina.authenticator.SingleSignOn</attribute>
</gbean>
Summary
• Introduction to Geronimo
• Security Implementation
• Security Realms portlet
• Security Realms
• Securing WAR, EJB, JAR
• Advanced Features
Agenda
• Introduction to Geronimo
• Geronimo Administration Console
• Security implementation
• Security Realms – Properties File
• Securing Applications
• Security Realms
• Advanced Features
• Application Scoped Realm
• Q & A
Q & A
Securing Java EE 5.0 Applications with Geronimo
Resources
• http://geronimo.apache.org
• http://cwiki.apache.org/geronimo/
• Geronimo Mailing lists
  – user@geronimo.apache.org
  – dev@geronimo.apache.org
• IBM developerWorks
  – http://www.ibm.com/developerworks/opensource/top-projects/geronimo.html
Thank you