lunedì 6 febbraio 2012

Security with jaas

Security is a big issue about enterprise web applications and involves many aspects like authentication, authorization and security of communication. Implementing by your own all these aspects is not a good idea so i choose to use the security tools offered by jboss that are based on jaas (Java Authentication and Authorization Security).

Every time that a resource receive a request this is forwarded to a security domain that has the purpose to check every security aspects.

From now on I will explain how configure the three main aspects cited before: authentication, authorization and communication security.

Authentication:


In my application I chose to use a form base authentication method:

first of all we need to create a form in our html/jsp page like the following:

<form action='j_security_check' name="loginForm" method="POST">
     <input type="text" name="j_username" id="username"/>
     <input type="password" name="j_password" id="password"/>
     <input type="submit" value="Login" name="Login">
</form>


Note that the action of the form must be 'j_security_check', the name of the username input 'j_username' and the name of the password input 'j_password'.


Then we need to define a security domain in jboss, in order to do it we have to edit the file login-config.xml, that we find in the conf folder of the jboss distribution, and add the following xml definition: 


1 <application-policy name="realm_name">
2   <authentication>
3     <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
4          <module-option name="unauthenticatedIdentity">AnonymousUser</module-option>
5          <module-option name="dsJndiName">java:/MySqlDS</module-option>
6          <module-option name="principalsQuery">SELECT password FROM User WHERE username=? </module-option>
7          <module-option name="rolesQuery">SELECT name, 'Roles' FROM Role, User  WHERE Role.id=User.role_id_ext              AND User.username=?</module-option>
8          <module-option name="hashAlgorithm">SHA-1</module-option>
9          <module-option name="hashEncoding">hex</module-option>
10    </login-module>
11  </authentication>
12 </application-policy>


The first row set the name of the security domain, while the third is used to specified that the verification of data inserted in the form are checked using data retrieved from a database.
In the row number 4 we set the name of the principal in the case of an unauthenticated user.
The row number 5 set the jndi name of the datasource of the database from wich we retrieve the data containing the users and the roles.
Rows number 6 and 7 represents the query used to retrive the password and the role from the database given the password and the username.
The rows 8 and 9 instead are used only if we use some encryption for the passwords.

ATTENTION: in the query for extract the roles the second field is used as group id, but even if we have no group id field in our table we have to specified and call it 'Roles', if you don't use exactly Roles, jaas will not be able to identify the role of the user so it fails in the authorization security!




After that we need to specify in our application that we use the security domain that we have previously specified, this is done in the jboss.xml file. So it should be like the following:


<?xml version="1.0" encoding="UTF-8"?>
<jboss>
     <security-domain flushOnSessionInvalidation="true"> realm_name </security-domain>
     <unauthenticated-principal>AnonymousUser</unauthenticated-principal>
</jboss>



NOTE: realm_name is the name of the security domain specified before in the login-config.xml in jboss.


Now in the web.xml file of our application we need to specified the login_config that indicates: the method used to authenticate the users, the security domain to use,  the login page and the error page to be forwarded in case of wrong credentials.



<login-config>
   <auth-method>FORM</auth-method>
   <realm-name>realm_name</realm-name>
   <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/loginFailed.html</form-error-page>
   </form-login-config>
</login-config>


Authorization:


In our case authorization is specified in the web application, so in the web.xml file we add the following code:



<security-constraint>
   <display-name>reader</display-name>
   <web-resource-collection>
        <web-resource-name>reader actions</web-resource-name>
        <description />
        <url-pattern>/restricted.html</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>HEAD</http-method>
        <http-method>PUT</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>DELETE</http-method>
   </web-resource-collection>
   <auth-constraint>
      <role-name>reader</role-name>
   </auth-constraint>
   <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
</security-constraint> 


Whit this code we indicates the resource that the role can access, in this case the restricted.html page, the allowed methods, obviously the role associated to these constraints. With the <transport-guarantee> tag instead specified how  works the communication between the client and the server, in our case we set it ti CONFIDENTIAL, that means that the data exchanged must be encrypted.
Other option to use could be NONE, if no guarantee is needed, and INTEGRAL if we want ensure that nobody modify the data in transit in the channel.

Then the last thing that we need to do is to define the roles present in our application, an example of role definition is the following:

<security-role>
   <description>Administrator role.</description>
   <role-name>administrator</role-name>
</security-role>


COMMUNICATION SECURITY

Now I will explain how to use SSL in jboss, the thing to do to enable HTTPS are the following:
  • obtain a certificate for the server
  • insert this in the keystore of the server
  • define a connector for https
  • link the connector to the keystore
To obtain the certificate we can use keytool, so that we generate a self-signed certificate, to do that we need to execute the following code:

       keytool -genkey -alias myserver -keyalg RSA -validity 1500 -keystore server.keystore


and answer to the questions that will appear.
So now we get the keystore that must be place in the conf folder in jboss.

Then we need to create a connector for https and link it to the keystore, to do that we need to edit the file server.xml in jboss and add the connector definition in which we specified the keystore created before:

 <!--SSL/TLS Connector configuration using the admin devl guide keystore-->
      <Connector protocol="HTTP/1.1" SSLEnabled="true" 
           port="8443" address="${jboss.bind.address}"
           scheme="https" secure="true" clientAuth="false" 
           keystoreFile="${jboss.server.home.dir}/conf/myserver.keystore"
           keystorePass="myserver" sslProtocol = "TLS" />


LOGGING:

A suggestion that I can give you is to enable the logging in jboss-logging.xml for the security part:
in jboss 6.1 the file is located in the deploy folder, edit the file and add these definiton:


   <logger category="org.jboss.security">
      <level name="TRACE"/>
   </logger>

   <logger category="org.jboss.web.tomcat.security">
      <level name="TRACE"/>
   </logger>
      
   <logger category="org.apache.catalina">
      <level name="TRACE"/>
   </logger>

The log is stored in the log folder of jboss server and is named server.log


Pubblicato da alle
Etichette:

Nessun commento:

Posta un commento

Iscriviti a: Commenti sul post (Atom)