Security with jaas

Security is a big issue about enterprise web applications and involves many aspects like authentication, authorization and security of communication. Implementing by your own all these aspects is not a good idea so i choose to use the security tools offered by jboss that are based on jaas (Java Authentication and Authorization Security).

Every time that a resource receive a request this is forwarded to a security domain that has the purpose to check every security aspects.

From now on I will explain how configure the three main aspects cited before: authentication, authorization and communication security.

Authentication:


In my application I chose to use a form base authentication method:

first of all we need to create a form in our html/jsp page like the following:

<form action='j_security_check' name="loginForm" method="POST">
     <input type="text" name="j_username" id="username"/>
     <input type="password" name="j_password" id="password"/>
     <input type="submit" value="Login" name="Login">
</form>


Note that the action of the form must be 'j_security_check', the name of the username input 'j_username' and the name of the password input 'j_password'.


Then we need to define a security domain in jboss, in order to do it we have to edit the file login-config.xml, that we find in the conf folder of the jboss distribution, and add the following xml definition: 


1 <application-policy name="realm_name">
2   <authentication>
3     <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
4          <module-option name="unauthenticatedIdentity">AnonymousUser</module-option>
5          <module-option name="dsJndiName">java:/MySqlDS</module-option>
6          <module-option name="principalsQuery">SELECT password FROM User WHERE username=? </module-option>
7          <module-option name="rolesQuery">SELECT name, 'Roles' FROM Role, User  WHERE Role.id=User.role_id_ext              AND User.username=?</module-option>
8          <module-option name="hashAlgorithm">SHA-1</module-option>
9          <module-option name="hashEncoding">hex</module-option>
10    </login-module>
11  </authentication>
12 </application-policy>


The first row set the name of the security domain, while the third is used to specified that the verification of data inserted in the form are checked using data retrieved from a database.
In the row number 4 we set the name of the principal in the case of an unauthenticated user.
The row number 5 set the jndi name of the datasource of the database from wich we retrieve the data containing the users and the roles.
Rows number 6 and 7 represents the query used to retrive the password and the role from the database given the password and the username.
The rows 8 and 9 instead are used only if we use some encryption for the passwords.

ATTENTION: in the query for extract the roles the second field is used as group id, but even if we have no group id field in our table we have to specified and call it 'Roles', if you don't use exactly Roles, jaas will not be able to identify the role of the user so it fails in the authorization security!




After that we need to specify in our application that we use the security domain that we have previously specified, this is done in the jboss.xml file. So it should be like the following:

<?xml version="1.0" encoding="UTF-8"?>

<jboss>

     <security-domain flushOnSessionInvalidation="true"> realm_name </security-domain>

     <unauthenticated-principal>AnonymousUser</unauthenticated-principal>

</jboss>

NOTE: realm_name is the name of the security domain specified before in the login-config.xml in jboss.


Now in the web.xml file of our application we need to specified the login_config that indicates: the method used to authenticate the users, the security domain to use,  the login page and the error page to be forwarded in case of wrong credentials.

<login-config>

   <auth-method>FORM</auth-method>

   <realm-name>realm_name</realm-name>

   <form-login-config>

      <form-login-page>/login.html</form-login-page>

      <form-error-page>/loginFailed.html</form-error-page>

   </form-login-config>

</login-config>

Authorization:


In our case authorization is specified in the web application, so in the web.xml file we add the following code:

<security-constraint>

   <display-name>reader</display-name>

   <web-resource-collection>

        <web-resource-name>reader actions</web-resource-name>

        <description />

        <url-pattern>/restricted.html</url-pattern>

        <http-method>GET</http-method>

        <http-method>POST</http-method>

        <http-method>HEAD</http-method>

        <http-method>PUT</http-method>

        <http-method>OPTIONS</http-method>

        <http-method>TRACE</http-method>

        <http-method>DELETE</http-method>

   </web-resource-collection>

   <auth-constraint>

      <role-name>reader</role-name>

   </auth-constraint>

   <user-data-constraint>

       <transport-guarantee>CONFIDENTIAL</transport-guarantee>

   </user-data-constraint>

</security-constraint> 

Whit this code we indicates the resource that the role can access, in this case the restricted.html page, the allowed methods, obviously the role associated to these constraints. With the <transport-guarantee> tag instead specified how  works the communication between the client and the server, in our case we set it ti CONFIDENTIAL, that means that the data exchanged must be encrypted.

Other option to use could be NONE, if no guarantee is needed, and INTEGRAL if we want ensure that nobody modify the data in transit in the channel.

Then the last thing that we need to do is to define the roles present in our application, an example of role definition is the following:

<security-role>

   <description>Administrator role.</description>

   <role-name>administrator</role-name>

</security-role>

COMMUNICATION SECURITY

Now I will explain how to use SSL in jboss, the thing to do to enable HTTPS are the following:

• obtain a certificate for the server
• insert this in the keystore of the server
• define a connector for https
• link the connector to the keystore

To obtain the certificate we can use keytool, so that we generate a self-signed certificate, to do that we need to execute the following code:

       keytool -genkey -alias myserver -keyalg RSA -validity 1500 -keystore server.keystore

and answer to the questions that will appear.

So now we get the keystore that must be place in the conf folder in jboss.

Then we need to create a connector for https and link it to the keystore, to do that we need to edit the file server.xml in jboss and add the connector definition in which we specified the keystore created before:

 <!--SSL/TLS Connector configuration using the admin devl guide keystore-->

      <Connector protocol="HTTP/1.1" SSLEnabled="true" 

           port="8443" address="${jboss.bind.address}"

           scheme="https" secure="true" clientAuth="false" 

           keystoreFile="${jboss.server.home.dir}/conf/myserver.keystore"

           keystorePass="myserver" sslProtocol = "TLS" />

LOGGING:

A suggestion that I can give you is to enable the logging in jboss-logging.xml for the security part:

in jboss 6.1 the file is located in the deploy folder, edit the file and add these definiton:

   <logger category="org.jboss.security">

      <level name="TRACE"/>

   </logger>

   <logger category="org.jboss.web.tomcat.security">

      <level name="TRACE"/>

   </logger>

      

   <logger category="org.apache.catalina">

      <level name="TRACE"/>

   </logger>

The log is stored in the log folder of jboss server and is named server.log

Using external jars in GWT

In order to use external jars in GWT we need to make them available  to the GWT compiler as modules. This because if we simply add the jars to the class path only the java compiler complains about them while the GWT compiler not.

So the steps to do to solve this problem are the following:

1. Create a gwt.xml file in the Java project / jar file that we want to use.
2. Include the library inheriting the module created at the step before.
3. Include in the jar the source files.

Example: if we have the package it.unitn.example.utils and we want ot inform the GWT compiler about the classes that it includes we need to create in the package  it.unitn.example the file utils.gwt.xml, containing the following code:

<module>
  <inherits name='com.google.gwt.user.User'/>
  <source path="utils"></source>
</module>

Then if we want to use this module in a GWT project we only need to inherits it as for the other modules:

package it.unitn.example.application.client;

import com.google.gwt.core.client.EntryPoint;
import com.google.gwt.user.client.ui.Label;
import com.google.gwt.user.client.ui.RootPanel;

import it.unitn.example.utils.ExUtilClass;

public class ModulTest implements EntryPoint {

 @Override
 public void onModuleLoad() {
  ExUtilClass utilClass = new ExUtilClass();
  // doing something with utilClass
 }

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE module PUBLIC "-//Google Inc.//DTD Google Web Toolkit 1.6.4//EN" "http://google-web-toolkit.googlecode.com/svn/tags/1.6.4/distro-source/core/src/gwt-module.dtd">
<module rename-to='it.unitn.example.application'>
  <!-- Inherit the core Web Toolkit stuff.                        -->
  <inherits name='com.google.gwt.user.User'/>

  <inherits name='com.google.gwt.user.theme.standard.Standard'/>
  <inherits name='it.unitn.example.utils'/>
  <!-- Other module inherits                                      -->

  <!-- Specify the app entry point class.                         -->
  <entry-point class='it.unitn.example.application.client.AppExample'/></module>

GWT & EXT-GXT

To implement the web tier i will use the GWT library that allow us to crete rich internet application using javascript and XML, all starting from java code.
A good and well explained tutorial can be found at the home page of the Google Web Toolkit.

In this picture we can see how GWT works:

In few word the only thing that we need to implement are the two interfaces:

MyService: containing the methods that we want to implement, and
MyServiceAsync: containing the methods that can be called from the client-side

Obviously we only need to implement the class that implements the MyService interface since the asynchronous one, as we can see in the picture, is automatically generated by the library.
But here you can read more about it.

I will use also the gxt-ext library to implement the user interface part, since it allows to generate a lot of widgets. At this page there are a lot of examples that show the power of this library.

DTO and DTOTransformer

Regarding the DTO pattern I suggest to create for each DTO an utility class containing the methods to convert the DTO to the correspondent entity and  inverse, from the entity to the DTO. These classes will be very useful in the implementation of the DAOs.

An example of a converter is shown here:

public ObjEntity dtoToEntity(ObjDto dto) {  

      if (entity == null)

            return null;

      } else {

           ObjEntity to = new ObjEntity();

          to.setField1(dto.getField1());

          to.setField2(dto.getField2());

          to.setField3(dto.getField3());

         

          return to;

     }

}

public ObjDto entityToDto(ObjEntity entity) {  

      if (entity == null)

            return null;

      } else {

           ObjDto to = new ObjDto();

          to.setField1(entity.getField1());

          to.setField2(entity.getField2());

          to.setField3(entity.getField3());

         

          return to;

     }

}

DAO and Factory Design Patterns

As already said in the previous post the purpose of the DAO patter is to decouple the persistence logic from the business logic. So that future changes to the persistence tier will not affect the business tier, therefore changing the persistence device will not affect the business logic.


From now on I explain how to use the Factory pattern to implement the DAO pattern:

• a good idea is to start creating an interface containing the methods that we want implement in our daos, like the following one:   

•          public interface GenericDAO {
•                 public void save(Object object) throws DAOException;
•                 public void update(Object object) throws DAOException;
•                 public void remove(Object object) throws DAOException;
•                 public Object findByPrimaryKey(Object pk) throws DAOException;
•                 public Collection findAll() throws DAOException;
•         }

• and if we want we can extend the java.lang.Exception to implement our specific exception (DAOException) 

•    public class DAOException extends Exception {
•           public DAOException(String message) {
•              super(message);    
•           }
•           public DAOException(Throwable e) {
•              super(e);    
•           }
•      }

Then we need to implement the core class which implements the factory and singleton patterns: in this manner we will use  use always only one instance of our DAO (singleton pattern); while the factory pattern returns an interface, in this case the GenericDAO, that at run time will be a real class that implements that interface. Then we create a properties file which will be sued by the DAOFactory to discover the real implementations for DAOs that will be requested at run time by the application.

public class DAOFactory { 
 
    private static DAOFactory factory = null; 
    private Properties props = null; 
 
    private DAOFactory() {
        try {
            props = new Properties();
            props.load(DAOFactory.class.getResourceAsStream("daos.properties"));
        } catch (IOException e) {
            e.printStackTrace();
        }
    } 
 
    public static DAOFactory getInstance() {
        if (factory == null) {
            factory = new DAOFactory();
        }
        return factory;
    } 
 
    public GenericDAO getDAO(String name) {
        GenericDAO dao = null;
        try {
            dao = (GenericDAO) Class.forName(props.getProperty(name))
                .newInstance();
        } catch (InstantiationException e) {
            e.printStackTrace();
        } catch (IllegalAccessException e) {
            e.printStackTrace();
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
        }
        return dao;
    }
}   

Structure of the project

Here there is a picture of the architecture of the project that I will implement. 

Mainly the structure is divided into three tiers:

A persistence tier to manage the persistence of the data objects, a business tier, that contains all the logic used in the application  and the web tier where there are the html pages and the servlets that access to the business logic implemented in the EJB using the Business Delegate pattern.

So from this picture can be understand also the design patterns that I will adopt to develop the application. In particular I will use:

• DAO pattern: has the purpose to separate the business logic from the logic to access the data.
• DTO pattern: reduce the network overhead transmitting an entire entity in one call instead of transmitting  each field of the entity.
• Session Facade pattern: expose an interface of the business logic, hiding the implementation  details and the complexity of the business tier. 
• Service locator pattern: hide the mechanisms of the lookup to the client.
• Business Delegate pattern: decouples business components from the clients.

Install JBossTools Eclipse plugin

JBossTools is a set of plugins for Eclipse IDE that supports JBoss and other technologies related to it like Hibernate, JSF, Seam...

There are three ways to install this plugin, as explained here, I chose to install it using the update site:

• First of all you have to select the right url basing on the version of eclipse you use. Here you can get the url of the stable version of the plugin.

• When you have identified the right url, right click to copy it. For Eclipse 3.6, the URL is ”http://download.jboss.org/jbosstools/updates/stable/helios/ ”
• In Eclipse IDE, open "Help" in the menu bar, then select "Install New Software..." . Then click the "add" button and paste the url of the plugin.

• The next step is to select the plugin that we are interested in, click next and follow the instructions. At the end of the installation we need to restart the IDE in order to complete the installation.