Securing Java EE 5.0 Applications with Apache Geronimo
Vamsavardhana Reddy Chillakuru a.k.a. Vamsi
vamsic007@apache.org
vamsic007@in.ibm.com
Who am I?
• Member of Apache Geronimo PMC
• Involved with ASF since 2005
• Over 11 years experience in software development
• Advisory Software Engineer at IBM
• Employed with IBM India since 1996
Securing Java EE 5.0 Applications with Geronimo
Geronimo in the making
That’s my son Susanth helping me with Geronimo
Agenda
• Introduction to Geronimo
• Security implementation
• Security Realms – Properties File
• Securing Applications
• Security Realms
• Advanced Features
• Summary
• Q & A
Introduction to Geronimo
• J2EE/Java EE application server from the Apache Software Foundation
• Brings together best-of-breed open-source technologies to support J2EE/Java EE
• Small footprint, highly customizable
• Ease of use is the foremost guiding principle
• V2.1 Java EE 5 certified, Feb 2008
Geronimo History and Progress
• August 2003: Apache Geronimo project formed
• Oct 2005: V1.0-M5 released, J2EE 1.4 certification
• Jan 2006: V1.0 released
• June 2006: V1.1 released
• Sep 2006: V1.1.1 released
• Jun 2007: V2.0-M6 released, Java EE 5 certification
• Aug 2007: V2.0.1 released
• Oct 2007: V2.0.2 released
• Feb 2008: V2.1 released
• In plan: V2.2 release
Geronimo Architecture
• GBeans are the building blocks
  • e.g. containers, connectors, servlets…
• Geronimo kernel
  • A container for GBeans
  • Based on Inversion of Control / Dependency Injection
  • Provides life-cycle management for GBeans
• Loosely coupled system
  • Start/stop/remove components on the fly
  • Integrate new components on the fly
• Plugins
  • Directory Server, Roller and many others
Geronimo Architecture (diagram)
*Ref: http://www.ibm.com/developerworks/library/os-ag-deploy/
What does it contain?
• Apache Tomcat
• Jetty (Mort Bay)
• Apache Derby
• Apache OpenEJB
• Apache ActiveMQ
• Apache OpenJPA
• Apache Axis
• Apache Axis2
• Apache CXF
• Apache Yoko
• Apache Commons
• Apache jUDDI
• Apache Log4J
• HOWL
• TRANQL
• Castor
• WADI
• CGLIB
• And many more…
What’s new in 2.1?
• Servers assembled out of plugins
• Custom server assemblies
• Assemble a server feature
• Flexible admin console
• Monitoring Console
• GShell
• WADI clustering support for Tomcat
How to get involved?
• Geronimo project web site
  • http://geronimo.apache.org/
• Mailing lists
  • user@geronimo.apache.org
  • dev@geronimo.apache.org
• Wiki
  • http://cwiki.apache.org/geronimo/
Geronimo Installation
• http://geronimo.apache.org/downloads.html
• Geronimo Tomcat or Geronimo Jetty distributions
• Extract the archive to any directory
• On Windows, use a short directory name (e.g. C:\ or C:\g) to avoid long-path problems.
Geronimo Startup/Shutdown
• Requires Sun J2SE 5.0 JDK/JRE
• Environment variables
  • JAVA_HOME/JRE_HOME
  • GERONIMO_OPTS
  • JAVA_OPTS
• Run the server
  • <g_home>/bin/geronimo start
  • <g_home>/bin/geronimo jpda run
• Stop the server
  • Control+C in the server console
  • <g_home>/bin/shutdown
Administration Console
• Web-based, convenient, user-friendly
• Based on Apache Pluto (JSR-168)
• Access at http://localhost:8080/console
• Portlets for administration
  • Web Server, JMS Server, JMS Resources, DB Manager, Database Pools
  • Application portlets: Deploy New, Web App WARs, Plan Creator, etc.
  • Security Realms, Keystores
• Portlets for monitoring server status
  • Information, Java System Info, Server Logs, Monitoring, etc.
• Don’t forget the Help view in the portlets
Agenda (section: Security implementation)
Introduction to JAAS
• Java Authentication and Authorization Service
• Pluggable authentication modules
• Subject and Principals
• LoginModules composed into a Configuration
• Control flags for execution control
• Each LoginModule with a successful login adds zero or more Principals to the Subject
JACC
• Java Authorization Contract for Containers (JSR-115)
• Defines new Permission classes to satisfy the Java EE 5 authorization model
• Geronimo has a JACC 1.1 implementation
What does Geronimo provide?
• Embedded database: Apache Derby
• LDAP server: Apache Directory Server
  • Can be installed as a plug-in
• JAAS authentication LoginModules
  • PropertiesFileLoginModule
  • SQLLoginModule
  • LDAPLoginModule
  • CertificatePropertiesFileLoginModule
What does Geronimo provide? (contd.)
• JAAS LoginModules
  • FileAuditLoginModule
  • RepeatedFailureLockoutLoginModule
  • GeronimoPasswordCredentialLoginModule
  • NamedUsernamePasswordCredentialLoginModule
• Principal classes
  • GeronimoUserPrincipal
  • GeronimoGroupPrincipal
  • LoginDomainPrincipal
  • RealmPrincipal
• CredentialStores
  • SimpleCredentialStoreImpl
• Security Realms portlet
  • Create, edit and see usage for a realm
Agenda (section: Security Realms – Properties File)
Properties File Realm
• Prerequisites
  • None
• Parameters
  • usersURI = relative path of the users properties file from <g_home>
  • groupsURI = relative path of the groups properties file from <g_home>
  • digest = message digest algorithm (e.g. MD5, SHA1) used on the passwords
  • encoding = encoding used with the digest (e.g. HEX, BASE64)
Sample my-users.properties
user1=password1
user2=password2
user3=pwd3
...
Sample my-groups.properties
group1=user1,user2
group2=user3,user4,user5
guest=john,mary
admin=someuser
Creating the Realm
• Create the properties files
  • Typically under the var/security directory
• Security Realms portlet
  • Specify the realm name
  • Select type Properties File Realm
  • Fill in the parameters
  • Option to test the realm
  • Option to generate the deployment plan
LoginModuleConfiguration

<xml-reference name="LoginModuleConfiguration">
  <login-config xmlns="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
    <login-module control-flag="REQUIRED" wrap-principals="false">
      <login-domain-name>my-realm</login-domain-name>
      <login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</login-module-class>
      <option name="usersURI">var/security/my-users.properties</option>
      <option name="groupsURI">var/security/my-groups.properties</option>
      <option name="digest">MD5</option>
      <option name="encoding">HEX</option>
    </login-module>
  </login-config>
</xml-reference>
Realm GBean

<gbean name="my-realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm"
       xsi:type="dep:gbeanType"
       xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <attribute name="realmName">my-realm</attribute>
  <reference name="ServerInfo">
    <name>ServerInfo</name>
  </reference>
  <!-- LoginModuleConfiguration goes here -->
</gbean>
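The slides store clear-text passwords in my-users.properties and set digest/encoding on the login module. The following added example (not part of the deck or of Geronimo) models that realm: it produces the digested entries the users file should hold for the given digest and encoding, evaluates a login against the users and groups files the way the module contributes principals, and flags group members that have no users entry. The DIGEST/ENCODING values and the treatment of hex case are assumptions for the example.

```python
import base64
import hashlib

# Realm parameters as set on the PropertiesFileLoginModule (assumed values for this example)
DIGEST, ENCODING = "SHA1", "HEX"

def digest_password(password, digest=DIGEST, encoding=ENCODING):
    """Value stored in the users file for a clear-text password.
    Assumption: the digest runs over UTF-8 bytes and HEX case is not significant."""
    raw = hashlib.new(digest.lower().replace("-", ""), password.encode("utf-8")).digest()
    if encoding.upper() == "HEX":
        return raw.hex()
    if encoding.upper() == "BASE64":
        return base64.b64encode(raw).decode("ascii")
    raise ValueError("unsupported encoding: " + encoding)

def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#' or '!' comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries

def members(groups, group):
    return [m.strip() for m in groups.get(group, "").split(",") if m.strip()]

def login(users, groups, username, password):
    """Sorted group names on success, None on failure: a successful login contributes one
    user principal and one group principal per group that lists the user to the Subject."""
    stored = users.get(username)
    if stored is None or stored.lower() != digest_password(password).lower():
        return None
    return sorted(g for g in groups if username in members(groups, g))

def unknown_members(users, groups):
    """Audit: group members with no users-file entry (stale or mistyped names)."""
    return sorted({m for g in groups for m in members(groups, g) if m not in users})

# Constructed sample files in the layout of the my-users/my-groups slides, with the
# passwords stored digested instead of in clear text.
USERS_PROPERTIES = "\n".join(["# SHA1/HEX digests"] + [u + "=" + digest_password(p) for u, p in
                             [("user1", "password1"), ("user2", "password2"), ("user3", "pwd3")]])
GROUPS_PROPERTIES = "group1=user1,user2\ngroup2=user3,user4,user5\nadmin=user1\n"
```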
Agenda (section: Securing Applications)
Secure a Web Application
• web.xml
  • login-config
    • auth-method
  • security-role
  • security-constraint
    • auth-constraint
  • run-as
    • role-name
Secure a Web Application
• geronimo-web.xml
  • security-realm-name
  • role-mappings
  • credential-store-ref
  • run-as-subject
  • default-subject
Credential Store

<gbean name="CredentialStore" class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
  <xml-attribute name="credentialStore">
    <credential-store xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
      <realm name="my-realm">
        <subject>
          <id>admin-run-as</id>
          <credential>
            <type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</type>
            <value>system</value>
          </credential>
          <credential>
            <type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</type>
            <value>manager</value>
          </credential>
        </subject>
      </realm>
    </credential-store>
  </xml-attribute>
</gbean>
Sample web.xml

<web-app id="SimpleWebApp" version="2.5" ... >
  <display-name>SimpleWebApp</display-name>
  <servlet>
    . . .
    <run-as>
      <role-name>user</role-name>
    </run-as>
  </servlet>
  <login-config>
    <auth-method>BASIC</auth-method>
    <!-- For 'BASIC', realm-name will be shown in the prompt -->
    <realm-name>my-realm</realm-name>
  </login-config>
  <!-- Security roles used in the application -->
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>user</role-name></security-role>
Sample web.xml (contd.)

  <!-- Configure authorization for Admin pages -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
Sample geronimo-web.xml

<security-realm-name>my-realm</security-realm-name>
<security>
  <credential-store-ref>
    <name xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">CredentialStore</name>
  </credential-store-ref>
  <default-subject>
    <realm>my-realm</realm>
    <id>admin-run-as</id>
  </default-subject>
  <role-mappings>
    <role role-name="admin"> <!-- from web.xml -->
      <principal name="Admin" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
    </role>
Sample geronimo-web.xml (contd.)

    <role role-name="user">
      <run-as-subject>
        <realm>my-realm</realm>
        <id>user-run-as</id>
      </run-as-subject>
      <principal name="User" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
      <principal name="john" class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"/>
    </role>
  </role-mappings>
</security>
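The web.xml and geronimo-web.xml samples above fix which principals may reach /admin/*. The following added example (not from the deck or from Geronimo; it is a model of the container's decision, not its JACC implementation) parses a constructed web.xml fragment with the slide's constraint, applies the role mappings from the geronimo-web.xml sample, and answers whether a request is permitted. It also reports the HTTP methods a constraint leaves uncovered: because the slide's constraint lists only GET and POST, the Servlet 2.5 rules leave every other method on /admin/* unchecked, which is why a constraint on a protected path should normally omit http-method altogether. The combination rule is simplified to treat every matching url-pattern as applicable rather than only the best match.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment with the slide's constraint: /admin/* needs the admin
# role, but the constraint lists only GET and POST.
WEB_XML = """<web-app version="2.5">
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>Admin</web-resource-name><url-pattern>/admin/*</url-pattern>
   <http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint>
 </security-constraint>
</web-app>"""
ROLE_MAPPINGS = {"admin": {"Admin"}, "user": {"User", "john"}}  # role -> principal names, as in geronimo-web.xml

def matches(pattern, path):
    """Servlet url-pattern matching: exact, path prefix (/x/*), extension (*.ext), default (/)."""
    if pattern == "/" or pattern == path:
        return True
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-2] + "/")
    return pattern.startswith("*.") and path.endswith(pattern[1:])

def constraints(web_xml):
    """Per constraint: (url-patterns, methods: empty = all, roles: None = no auth-constraint)."""
    out = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        wrc, ac = sc.find("web-resource-collection"), sc.find("auth-constraint")
        out.append(([p.text for p in wrc.findall("url-pattern")],
                    {m.text.upper() for m in wrc.findall("http-method")},
                    None if ac is None else {r.text for r in ac.findall("role-name")}))
    return out

def permitted(web_xml, method, path, principals):
    """Combine applicable constraints as in Servlet 2.5 SRV.12.8.1 (simplified: all matching patterns combine)."""
    user_roles = {r for r, names in ROLE_MAPPINGS.items() if names & set(principals)}
    applicable = [roles for patterns, methods, roles in constraints(web_xml)
                  if any(matches(p, path) for p in patterns)
                  and (not methods or method.upper() in methods)]
    if any(roles == set() for roles in applicable):
        return False                    # empty <auth-constraint/> precludes all access
    if not applicable or None in applicable:
        return True                     # nothing covers (method, path): unchecked
    return bool(set.union(*applicable) & user_roles)

def uncovered_methods(web_xml, path, probe=("GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS")):
    """Methods an unauthenticated caller may use on a path the constraint is meant to protect;
    a non-empty list means the constraint should omit <http-method> so it covers every method."""
    return [m for m in probe if permitted(web_xml, m, path, [])]
```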
Secure an EJB Application
• ejb-jar.xml
  • security-identity
    • use-caller-identity
    • run-as
  • assembly-descriptor
    • security-role
      • role-name
    • method-permission
      • method
      • role-name
      • unchecked
Secure an EJB Application
• openejb-jar.xml
  • security
    • role-mappings
    • credential-store-ref
    • run-as-subject
    • default-subject
ejb-jar.xml

<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>SecurityEJB</ejb-name>
      <ejb-class>myejbs.SecurityEJBean</ejb-class>
      ...
      <security-identity>
        <use-caller-identity/>
      </security-identity>
    </session>
  </enterprise-beans>
</ejb-jar>
ejb-jar.xml (2)

<assembly-descriptor>
  <security-role>
    <role-name>user</role-name>
  </security-role>
  <method-permission>
    <role-name>user</role-name>
    <method>
      <ejb-name>StockQuoteServiceBean</ejb-name>
      <method-name>getQuoteUser</method-name>
    </method>
  </method-permission>
  <method-permission>
    <unchecked/>
    <method>
      <ejb-name>StockQuoteServiceBean</ejb-name>
      <method-name>getQuote</method-name>
    </method>
  </method-permission>
</assembly-descriptor>
Secure an EAR Application
• application.xml
  • security-role
• geronimo-application.xml
  • security-realm-name for each web app
  • role-mappings
  • credential-store-ref
  • run-as-subject
  • default-subject
application.xml

<application …>
  <display-name>TutorialEntApp</display-name>
  <module id="WebModule_1154872888098">
    <web>
      <web-uri>WebApp1.war</web-uri>
      <context-root>WebApp1</context-root>
    </web>
  </module>
  <security-role>
    <role-name>administrator</role-name>
  </security-role>
  <security-role>
    <role-name>guest-user</role-name>
  </security-role>
</application>
geronimo-application.xml

<application ...>
  <module>
    <web>WebApp1.war</web>
    <web-app ...>
      <security-realm-name>sample-properties-file-realm</security-realm-name>
    </web-app>
  </module>
  <security>
    <role-mappings>
      <role role-name="administrator">
        <principal name="admin" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
      </role>
    </role-mappings>
  </security>
</application>
Agenda (section: Security Realms)
Database (SQL) Realm
• Prerequisites
  • Database tables for user credentials and group mapping
• Parameters
  • userSelect SQL statement
  • groupSelect SQL statement
  • digest = message digest algorithm (e.g. MD5, SHA1) used on the passwords
  • encoding = encoding used with the digest (e.g. HEX, BASE64)
• For the database connection either a database pool or JDBC parameters can be used
Creating the Realm
• DB Manager portlet
  • Create DB
  • Execute SQL
• Database Pools portlet
  • DB pool for embedded Derby
• Security Realms portlet
  • Select type Database (SQL) Realm
  • Either a database pool or JDBC parameters is needed.
SQL Realm: Points to note
• Qualify the table name with the schema name to avoid unexpected errors
  • Prefer AUTH.USERS_TABLE to USERS_TABLE
• Use the VARCHAR data type to avoid trailing (padding) spaces in the values retrieved from the database.
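The following added example (not from the deck or from Geronimo) models the SQL realm with an in-memory SQLite database: schema-qualified AUTH.USERS_TABLE and AUTH.GROUPS_TABLE with VARCHAR columns as the slide recommends, a userSelect and groupSelect with a bound login-name parameter, and the login decision built from their rows. The shapes of the two SELECT statements, the column names and the digest=SHA1/encoding=HEX settings are assumptions for the example; the audit query at the end lists accounts that authenticate but map to no group, and hence to no role.

```python
import hashlib
import sqlite3

# Assumed shapes of the two realm statements: '?' is bound to the login name; the first
# returns (username, password) rows, the second (username, groupname) rows. Tables are
# schema-qualified (AUTH.USERS_TABLE) as the "points to note" slide recommends.
USER_SELECT = "SELECT USERNAME, PASSWORD FROM AUTH.USERS_TABLE WHERE USERNAME = ?"
GROUP_SELECT = "SELECT USERNAME, GROUPNAME FROM AUTH.GROUPS_TABLE WHERE USERNAME = ?"

def digest(password, algorithm="SHA1"):
    """Realm parameters digest=SHA1, encoding=HEX applied to a clear-text password."""
    return hashlib.new(algorithm.lower(), password.encode("utf-8")).hexdigest()

def build_auth_db():
    """Constructed in-memory stand-in for the realm database; the AUTH schema is emulated
    with an attached database, which is how SQLite spells a schema prefix."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS AUTH")
    conn.execute("CREATE TABLE AUTH.USERS_TABLE (USERNAME VARCHAR(32) PRIMARY KEY, PASSWORD VARCHAR(64))")
    conn.execute("CREATE TABLE AUTH.GROUPS_TABLE (USERNAME VARCHAR(32), GROUPNAME VARCHAR(32))")
    conn.executemany("INSERT INTO AUTH.USERS_TABLE VALUES (?, ?)",
                     [("user1", digest("password1")), ("user2", digest("password2")), ("user3", digest("pwd3"))])
    conn.executemany("INSERT INTO AUTH.GROUPS_TABLE VALUES (?, ?)",
                     [("user1", "group1"), ("user1", "admin"), ("user3", "group2")])
    conn.commit()
    return conn

def sql_login(conn, username, password):
    """Sorted group names on success, None on failure: the rows the realm turns into the
    user and group principals of the Subject. The login name is bound, never concatenated."""
    rows = conn.execute(USER_SELECT, (username,)).fetchall()
    if not rows or rows[0][1].lower() != digest(password).lower():
        return None
    return sorted(group for _, group in conn.execute(GROUP_SELECT, (username,)))

def users_without_group(conn):
    """Audit: accounts that can authenticate but belong to no group, hence map to no role."""
    sql = ("SELECT USERNAME FROM AUTH.USERS_TABLE WHERE USERNAME NOT IN "
           "(SELECT USERNAME FROM AUTH.GROUPS_TABLE) ORDER BY USERNAME")
    return [row[0] for row in conn.execute(sql)]
```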
LDAP Realm
• Prerequisites
  • LDAP server
    • Apache Directory Server can be installed as a plug-in
    • Use the Plugins portlet
    • http://geronimo.apache.org/plugins/geronimo-2.1
• Create using the Security Realms portlet
  • Select type LDAP Realm
LDAP Connection parameters
• Initial Context Factory
• Connection URL
• Connect Username
• Connect Password
• Confirm Password
• Connect Protocol
• Authentication
LDAP Realm Parameters
• User Base
• User Search Matching
• User Search Subtree
• Role Base
• Role Name
• Role User Search String
• Role Search Subtree
• User Role Search String