Download Securing Java EE 5.0 Applications with Apache Geronimo

Document related concepts
no text concepts found
Transcript
Securing Java EE 5.0
Applications with Apache
Geronimo
Vamsavardhana Reddy Chillakuru
a.k.a. Vamsi
[email protected]
[email protected]
Who am I?
• Member of Apache Geronimo PMC
• Involved with ASF since 2005
• Over 11 years experience in software
development
• Advisory Software Engineer at IBM
• Employed with IBM India since 1996
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
2
Geronimo in the making 
That’s my son Susanth helping me with Geronimo 
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
3
Agenda
•
•
•
•
•
•
•
•
Introduction to Geronimo
Security implementation
Security Realms – Properties File
Securing Applications
Security Realms
Advanced Features
Summary
Q&A
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
4
Agenda
•
•
•
•
•
•
•
•
Introduction to Geronimo
Security implementation
Security Realms – Properties File
Securing Applications
Security Realms
Advanced Features
Summary
Q&A
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
5
Introduction to Geronimo
• J2EE/Java EE Application Server from
Apache Software Foundation
• Brings together the best-of-breed
technologies from open source to support
J2EE/Java EE
• Small foot print/Highly customizable
• Ease of use is – foremost guiding principle
• V2.1 Java EE 5 Certified – Feb/2008
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
6
Geronimo History and
Progress
August
2003
Oct
2005
Jan June Sep
2006 2006 2006
09-Apr-2008
Jun Aug Oct Feb In Plan
2007 2007 2007 2008
Securing Java EE 5.0 Applications
with Geronimo
7
Geronimo Architecture
• GBeans are the building blocks
– E.g. Containers, Connectors, Servlets…
• Geronimo Kernel
– A container for GBeans
– Based on Inversion-of-Control/Dependency Injection
– Provides Life Cycle management for GBeans
• Loosely coupled system
– Start/stop/remove components on the fly
– Integrate new components on the fly
• Plugins
– Directory Server, Roller and many other
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
8
Geronimo Architecture
*Ref: http://www.ibm.com/developerworks/library/os-ag-deploy/
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
9
What it contains?
•
•
•
•
•
•
•
•
•
•
Apache Tomcat
Jetty (Mort Bay)
Apache Derby
Apache OpenEJB
Apache ActiveMQ
Apache OpenJPA
Apache Axis
Apache Axis2
Apache CXF
Apache Yoko
09-Apr-2008
• Apache Commons
• Apache jUDDI
• Apache Log4J
• HOWL
• TRANQL
• Castor
• WADI
• CGLIB
And many more…
Securing Java EE 5.0 Applications
with Geronimo
10
What’s new in 2.1?
• Servers assembled out of plugins
• Custom server assemblies
– Assemble a server feature
•
•
•
•
Flexible admin console
Monitoring Console
GShell
WADI Clustering Support for Tomcat
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
11
How to get involved?
• Geronimo project web site
– http://geronimo.apache.org/
• Mailing lists
– [email protected][email protected]
• Wiki
– http://cwiki.apache.org/geronimo/
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
12
Geronimo Installation
• http://geronimo.apache.org/downloads.html
• Geronimo Tomcat or Geronimo Jetty
distributions
• Extract the archive to any directory
– On windows, use a short directory name
(for e.g. C:\ or C:\g) to avoid long-path
problems.
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
13
Geronimo Startup/Shutdown
• Requires Sun J2SE 5.0 JDK/JRE
• Environment variables
– JAVA_HOME/JRE_HOME
– GERONIMO_OPTS
– JAVA_OPTS
• Run the server
– <g_home>/bin/geronimo start
– <g_home>/bin/geronimo jpda run
• Stop the server
– Control+C in server console
– <g_home>/bin/shutdown
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
14
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
15
Administration Console
•
•
•
•
Web-based, Convenient, user-friendly
Based on Apache Pluto (JSR-168)
Access at http://localhost:8080/console
Portlets for administration
– Web Server, JMS Server, JMS Resources, DB Manager,
Database Pools
– Application portlets – Deploy New, Web App WARs, Plan
Creator etc..
– Security Realms, Keystores
• Portlets for monitoring server status
– Information, Java System Info, Server Logs, Monitoring,
etc.
• Don’t forget the Help view in the portlets
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
16
Agenda
•
•
•
•
•
•
•
•
Introduction to Geronimo
Security implementation
Security Realms – Properties File
Securing Applications
Security Realms
Advanced Features
Summary
Q&A
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
17
Introduction to JAAS
• Java Authentication and Authorization
Service
• Pluggable Authentication Modules
• Subject and Principals
• LoginModules composed into a
Configuration
– Control-flags for execution control
• Each LoginModule with successful login
adds zero or more Principals to the Subject
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
18
JACC
• Java Authorization Contract for
Containers (JSR-115)
• Defines new Permission classes to
satisfy the Java EE 5 authorization
model
• Geronimo has JACC 1.1
implementation
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
19
What Geronimo provides?
• Embedded Database – Apache Derby
• LDAP Server – Apache Directory Server
• Can be installed as a plug-in
• JAAS Authentication LoginModules
–
–
–
–
PropertiesFileLoginModule
SQLLoginModule
LDAPLoginModule
CertificatePropertiesFileLoginModule
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
20
What Geronimo provides?
(contd.)
• JAAS LoginModules
–
–
–
–
FileAuditLoginModule
RepeatedFailureLockoutLoginModule
GeronimoPasswordCredentialLoginModule
NamedUsernamePasswordCredentialLoginModule
• Principal classes
–
–
–
–
GeronimoUserPrincipal
GeronimoGroupPrincipal
LoginDomainPrincipal
RealmPrincipal
• CredentialStores
– SimpleCredentialStoreImpl
• Security Realms portlet
– Create, Edit and see Usage for a realm
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
21
Agenda
•
•
•
•
•
•
•
•
Introduction to Geronimo
Security implementation
Security Realms – Properties File
Securing Applications
Security Realms
Advanced Features
Summary
Q&A
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
22
Properties File Realm
• Prerequisites
– None
• Parameters
– usersURI = relative path of users properties file
from <g_home>
– groupsURI = relative path of groups properties
file from <g_home>
– digest = Message Digest algorithm (e.g. MD5,
SHA1, etc.) used on the passwords
– encoding = Encoding to be used with digest
(e.g, HEX, BASE64)
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
23
Sample my-users.properties
user1=password1
user2=password2
user3=pwd3
...
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
24
Sample my-groups.properties
group1=user1,user2
group2=user3,user4,user5
guest=john,mary
admin=someuser
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
25
Creating the Realm
• Create the properties files
– Typically under var/security dir.
• Security Realms portlet
– Specify realm name
– Select type Properties File Realm
• Fill in the parameters
• Option to test the realm
• Option to generate deployment plan
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
26
LoginModuleConfiguration
<xml-reference name="LoginModuleConfiguration">
<login-config
xmlns="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
<login-module control-flag="REQUIRED" wrap-principals="false">
<login-domain-name>my-realm</login-domain-name>
<login-moduleclass>org.apache.geronimo.security.realm.providers.PropertiesFil
eLoginModule</login-module-class>
<option name="usersURI">var/security/myusers.properties</option>
<option name="groupsURI">var/security/mygroups.properties</option>
<option name="digest">MD5</option>
<option name=“encoding”>HEX</option>
</login-module>
</login-config>
</xml-reference>
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
27
Realm GBean
<gbean name="my-realm"
class="org.apache.geronimo.security.realm.GenericS
ecurityRealm" xsi:type="dep:gbeanType"
xmlns:dep="http://geronimo.apache.org/xml/ns/deplo
yment-1.2"
xmlns:xsi="http://www.w3.org/2001/XMLSchemainstance">
<attribute name="realmName">
my-realm
</attribute>
<reference name="ServerInfo">
<name>ServerInfo</name>
</reference>
<!-- LoginModuleConfiguration goes here -->
</gbean>
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
28
Agenda
•
•
•
•
•
•
•
•
Introduction to Geronimo
Security implementation
Security Realms – Properties File
Securing Applications
Security Realms
Advanced Features
Summary
Q&A
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
29
Secure a Web Application
• web.xml
– login-config
• auth-method
– security-role
– security-constraint
• auth-constraint
– run-as
• role-name
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
30
Secure a Web Application
• geronimo-web.xml
– security-realm-name
– role-mappings
– credential-store-ref
– run-as-subject
– default-subject
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
31
Credential Store
<gbean name="CredentialStore"
class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreI
mpl">
<xml-attribute name="credentialStore">
<credential-store
xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
<realm name="my-realm">
<subject> <id>admin-run-as</id>
<credential>
<type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</ty
pe> <value>system</value>
</credential>
<credential>
<type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler
</type> <value>manager</value>
</credential>
</subject>
</realm>
</credential-store>
</xml-attribute>
</gbean>
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
32
Sample web.xml
<web-app id="SimpleWebApp" version="2.5" ... >
<display-name>SimpleWebApp</display-name>
<servlet>
. . .
<run-as>
<role-name>user</role-name>
</run-as>
</servlet>
<login-config>
<auth-method>BASIC</auth-method>
<!-- For 'BASIC', realm-name will be shown in the prompt ->
<realm-name>my-realm</realm-name>
</login-config>
<!-- Security roles used in the application -->
<security-role><role-name>admin</role-name></security-role>
<security-role><role-name>user</role-name></security-role>
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
33
Sample web.xml (contd.)
<!-- Configure authorization for Admin pages -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Admin</web-resourcename>
<url-pattern>/admin/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
</web-app>
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
34
Sample geronimo-web.xml
<security-realm-name>my-realm</security-realm-name>
<security>
<credential-store-ref>
<name xmlns="http://geronimo.apache.org/xml/ns/deployment1.2">CredentialStore</name>
</credential-store-ref>
<default-subject>
<realm>my-realm</realm>
<id>admin-run-as</id>
</default-subject>
<role-mappings>
<role role-name="admin"> <!-- from web.xml -->
<principal name="Admin"
class="org.apache.geronimo.security.realm.providers.Gero
nimoGroupPrincipal"/>
</role>
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
35
Sample geronimo-web.xml
(contd.)
<role role-name="user">
<run-as-subject>
<realm>my-realm</realm>
<id>user-run-as</id>
</run-as-subject>
<principal name="User"
class="org.apache.geronimo.security.realm.pro
viders.GeronimoGroupPrincipal"/>
<principal name="john"
class="org.apache.geronimo.security.realm.pro
viders.GeronimoUserPrincipal"/> </role>
</role-mappings>
</security>
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
36
Secure an EJB Application
ejb-jar.xml
• security-identity
– use-caller-identity
– run-as
• assembly-descriptor
– security-role
• role-name
– method-permission
• method
• role-name
• unchecked
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
37
Secure an EJB Application
openejb-jar.xml
• security
– role-mappings
– credential-store-ref
– run-as-subject
– default-subject
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
38
ejb-jar.xml
<ejb-jar>
<enterprise-beans>
<session>
<ejb-name>SecurityEJB</ejb-name>
<ejbclass>myejbs.SecurityEJBean</ejb-class>
...
<security-identity>
<use-caller-identity/>
</security-identity>
</session>
</enterprise-beans>
</ejb-jar>
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
39
ejb-jar.xml (2)
<assembly-descriptor>
<security-role>
<role-name>user</role-name>
</security-role>
<method-permission>
<role-name>user</role-name>
<method>
<ejb-name>StockQuoteServiceBean</ejb-name>
<method-name>getQuoteUser</method-name>
</method>
</method-permission>
<method-permission>
<unchecked/>
<method>
<ejb-name>StockQuoteServiceBean</ejb-name>
<method-name>getQuote</method-name>
</method>
</method-permission>
</assembly-descriptor>
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
40
Secure an EAR Application
• application.xml
– security-role
• geronimo-application.xml
– security-realm-name for each web app
– role-mappings
– credential-store-ref
– run-as-subject
– default-subject
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
41
application.xml
<application …>
<display-name>TutorialEntApp</display-name>
<module id="WebModule_1154872888098">
<web>
<web-uri>WebApp1.war</web-uri>
<context-root>WebApp1</context-root>
</web>
</module>
<security-role>
<role-name>administrator</role-name>
</security-role>
<security-role>
<role-name>guest-user</role-name>
</security-role>
</application>
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
42
geronimo-application.xml
<application ...>
<module>
<web>WebApp1.war</web>
<web-app ...>
<security-realm-name>sample-properties-file-realm</securityrealm-name>
</web-app>
</module>
<security>
<role-mappings>
<role role-name="administrator">
<principal name="admin"
class="org.apache.geronimo.security.realm.providers.GeronimoGrou
pPrincipal"/>
</role>
</role-mappings>
</security>
</application>
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
43
Agenda
•
•
•
•
•
•
•
•
Introduction to Geronimo
Security implementation
Security Realms – Properties File
Securing Applications
Security Realms
Advanced Features
Summary
Q&A
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
44
Database (SQL) Realm
• Prerequisites
– Database tables for user credentials and group mapping
• Parameters
– userSelect SQL statement
– groupSelect SQL statement
– digest = Message Digest algorithm (e.g. MD5, SHA1,
etc.) used on the passwords
– encoding = Encoding to be used with digest (e.g, HEX,
BASE64)
• For database connection either a Database pool
or JDBC parameters can be used
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
45
Creating the Realm
• DB Manager portlet
– Create DB
– Execute SQL
• Database Pools portlet
– DB Pool for Embedded Derby
• Security Realms portlet
– Select type Database (SQL) Realm
• Either Database Pool or JDBC parameters
needed.
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
46
SQL Realm: Points to note
• Qualify table name with schema
name to avoid unexpected errors
– Prefer AUTH.USERS_TABLE to
USERS_TABLE
• Use VARCHAR data type to avoid
trailing spaces in the values retrieved
from database.
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
47
LDAP Realm
• Prerequisites
– LDAP Server
• Apache Directory Server Can be installed as
a plug-in
• Use Plugins portlet
– http://geronimo.apache.org/plugins/geronimo-2.1
• Create using Security Realms portlet
– Select type LDAP Realm
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
48
LDAP Connection parameters
•
•
•
•
•
•
•
Initial Context Factory
Connection URL
Connect Username
Connect Password
Confirm Password
Connect Protocol
Authentication
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
49
LDAP Realm Parameters
•
•
•
•
•
•
•
•
User Base
User Search Matching
User Search Subtree
Role Base
Role Name
Role User Search String
Role Search Subtree
User Role Search String
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
50
Certificate Properties Realm
• Prerequisites
– Certificate for Server Authentication
– HTTPS port setup for Client Authentication
– Web Clients should have installed Certificates
issued by a CA configured as trusted in HTTPS
port setup
• Parameters
– usersURI = certificate to user mapping file
– groupsURI = group mapping file
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
51
Create Certificate Properties
Realm
• Keystores portlet to prepare keystores
• Web Servers portlet to add HTTPS
Connector
• CA Portlet to issue client certificates
• Security Realms portlet
– Select type Certificate Properties File
Realm
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
52
cert-users.properties
webclient01=CN=Web Client01,OU=Org Unit0,O=Org0,L=Loc0,ST=St0,C=IN
webclient02=CN=Web Client02,OU=Org Unit0,O=Org0,L=Loc0,ST=St0,C=IN
webclient11=CN=Web Client11,OU=Org Unit1,O=Org1,L=Loc1,ST=St1,C=US
webclient12=CN=Web Client12,OU=Org Unit1,O=Org1,L=Loc1,ST=St1,C=US
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
53
cert-groups.properties
admin=webclient01,webclient02
guest=webclient11,webclient12
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
54
Agenda
•
•
•
•
•
•
•
•
Introduction to Geronimo
Security implementation
Security Realms – Properties File
Securing Applications
Security Realms
Advanced Features
Summary
Q&A
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
55
Advanced Features
• Auditing
– Every login attempt will be recorded to
the specified file.
• Lockout
– A certain number of failed logins in a
particular time frame will cause a user's
account to be locked for a certain period
of time.
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
56
Advanced Features (contd.)
• Store Password
– Store each user's password in a private
credential in the Subject.
– GeronimoPasswordCredential
• Named Credential
– Store each username and password in a
private credential in the Subject under a
specified credential name.
– NamedUsernamePasswordCredential
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
57
Principal Wrapping
• Edit realm from Security Realms
portlet
– Support Advanced Mapping to Yes
– LoginDomainPrincipal and
RealmPrincipal added to subject
– login-domain-principal and realmprincipal used in role-mapping in
addition to principal tag.
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
58
Recall
LoginModuleConfiguration
<xml-reference name="LoginModuleConfiguration">
<login-config
xmlns="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
<login-module control-flag="REQUIRED" wrap-principals="false">
<login-domain-name>my-realm</login-domain-name>
<login-moduleclass>org.apache.geronimo.security.realm.providers.PropertiesFil
eLoginModule</login-module-class>
<option name="usersURI">var/security/myusers.properties</option>
<option name="groupsURI">var/security/mygroups.properties</option>
<option name="digest">MD5</option>
<option name=“encoding”>HEX</option>
</login-module>
</login-config>
</xml-reference>
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
59
Application Scoped Realm
• Security Realm GBean is part of
application deployment plan
• Use the Security Realms portlet to
generate realm plan and add GBean
to application plan
– May need to specify dependency on
j2ee-security config
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
60
Single Sign-On
• Login to one application maintains
login across all applications on the
server
• Create a SingleSignOn valve and
connect to the valve chain in Tomcat
config.
– Edit config.xml (xml fragment shown
next)
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
61
Xml fragment for SSO
<gbean name="AccessLogValve">
<reference name="NextValve">
<pattern> <name>SSOValve</name> </pattern>
</reference>
</gbean>
<gbean gbeanInfo="org.apache.geronimo.tomcat.ValveGBean"
name="org.apache.geronimo.configs/tomcat6/2.1/car?S
erviceModule=org.apache.geronimo.configs/tomcat6/2.1/car,j
2eeType=GBean,name=SSOValve">
<attribute
name="className">org.apache.catalina.authenticator.Si
ngleSignOn</attribute>
</gbean>
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
62
Agenda
•
•
•
•
•
•
•
•
Introduction to Geronimo
Security implementation
Security Realms – Properties File
Securing Applications
Security Realms
Advanced Features
Summary
Q&A
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
63
Summary
•
•
•
•
•
•
Introduction to Geronimo
Security Implementation
Security Realms portlet
Security Realms
Securing WAR, EJB, JAR
Advanced Features
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
64
Agenda
•
•
•
•
•
•
•
•
•
Introduction to Geronimo
Geronimo Administration Console
Security implementation
Security Realms – Properties File
Securing Applications
Security Realms
Advanced Features
Application Scoped Realm
Q&A
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
65
Securing Java EE 5.0
Applications with Geronimo
Q&A
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
66
Resources
• http://geronimo.apache.org
• http://cwiki.apache.org/geronimo/
• Geronimo Mailing lists
– [email protected][email protected]
• IBM developerWorks
– http://www.ibm.com/developerworks/ope
nsource/top-projects/geronimo.html
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
67
Thank you
09-Apr-2008
Securing Java EE 5.0 Applications
with Geronimo
68