JAAS Configuration in an Enterprise Application

JAAS enables services to authenticate users and to enforce access controls (authorization) on them. Its main goal is to separate the concerns of user authentication so that they can be managed independently. JAAS is well integrated into GlassFish and can be used more or less easily from an Enterprise Application (i.e. a Web Application or an EJB Module) to provide container security. GlassFish handles the interaction between the container and the authentication and authorization providers, such as a customer database or an LDAP server.
More information can be found here (wiki page for students at HSLU T&A), here (InfoQ – Java EE 6: Application Security Enhancements) and here (Java EE 6 Tutorial – Overview of Java EE Security).
In this post I will examine the different Deployment Descriptor (DD) files in an “Enterprise Application” which configure the authentication and authorization process. I do not cover how to configure a Realm in GlassFish. For that, I recommend the following tutorials:

Deployment Descriptor Files for JAAS Configuration

To configure JAAS there are several configuration files, some of which can do the same thing. The graphic below shows how they relate.

Web Application

In a Web Application, web.xml and sun-web.xml configure JAAS.

web.xml
A DD file that manages the security configuration between the (end) user and the Web Application. For example:
  • Login module configuration (<login-config>)
    Which kind of login prompt is used to authenticate the user, e.g. standard HTTP authentication or a self-made form-based page
  • Control access to web resources (<security-constraint>)
    Which users have access to specific web resources
  • Require TLS/SSL encryption for specific pages or subfolders (<user-data-constraint>)
  • Declare the security roles that exist in the Web Application (<security-role>). This is not a mapping; it is the same as the @DeclareRoles annotation.

Example File:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<!--
Non-security-related properties go here
-->
 <!-- Define a constraint to restrict access to /faces/pages/secure/* -->
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>Secure Pages</web-resource-name>
   <url-pattern>/faces/pages/secure/*</url-pattern>
  </web-resource-collection>
  <!-- Only users in the role declared below may access these pages.
       Without an auth-constraint only the TLS requirement is enforced and everyone is let in. -->
  <auth-constraint>
   <role-name>secure</role-name>
  </auth-constraint>
  <user-data-constraint>
   <!-- Access to this will be TLS/SSL protected -->
   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
 </security-constraint>
 <!-- Login module to authenticate the user -->
 <login-config>
  <auth-method>FORM</auth-method>
  <realm-name>jdbc-realm</realm-name>
  <form-login-config>
   <form-login-page>/pages/login.xhtml</form-login-page>
   <form-error-page>/pages/loginerr.xhtml</form-error-page>
  </form-login-config>
 </login-config>
 <security-role>
  <role-name>secure</role-name>
 </security-role>
</web-app>
sun-web.xml
Role mapping between groups in the physical resource (e.g. DB, LDAP) and the application roles declared above (<security-role>, @DeclareRoles).

<sun-web-app>
 <security-role-mapping>
  <role-name>admin</role-name> <!-- Name inside the Web Application -->
  <group-name>Admins</group-name> <!-- Group name in the external resource -->
 </security-role-mapping>
</sun-web-app>
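To see how the two files above fit together, here is an added checker (my own example, not code from the post or from GlassFish) that reads a web.xml and a sun-web.xml and reports the gaps the descriptions above imply: a protected URL without an <auth-constraint>, a role used in a constraint but never declared in <security-role>, a declared role that has no <security-role-mapping>, and a role-protected page that does not require CONFIDENTIAL transport. The two XML documents are constructed samples modelled on the snippets above, and the function name is the example's own.

```python
"""Consistency check for a web.xml / sun-web.xml pair (added example)."""
import xml.etree.ElementTree as ET

JEE = "{http://java.sun.com/xml/ns/javaee}"   # namespace used by web.xml

# Constructed web.xml: the first constraint only forces TLS and never says who
# may enter; the second references a role ("admin") that is never declared.
WEB_XML = """
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee">
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>Secure Pages</web-resource-name>
   <url-pattern>/faces/pages/secure/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>Admin Pages</web-resource-name>
   <url-pattern>/faces/pages/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
   <role-name>admin</role-name>
  </auth-constraint>
 </security-constraint>
 <login-config>
  <auth-method>FORM</auth-method>
  <realm-name>jdbc-realm</realm-name>
 </login-config>
 <security-role>
  <role-name>secure</role-name>
 </security-role>
</web-app>
"""

# Constructed sun-web.xml (GlassFish descriptor, no namespace): maps "secure" only.
SUN_WEB_XML = """
<sun-web-app>
 <security-role-mapping>
  <role-name>secure</role-name>
  <group-name>Users</group-name>
 </security-role-mapping>
</sun-web-app>
"""


def check_web_security(web_xml, sun_web_xml):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    web = ET.fromstring(web_xml)
    sun = ET.fromstring(sun_web_xml)

    declared = {r.text.strip() for r in web.findall(f"{JEE}security-role/{JEE}role-name")}
    mapped = {r.text.strip() for r in sun.findall("security-role-mapping/role-name")}

    for sc in web.findall(f"{JEE}security-constraint"):
        coll = f"{JEE}web-resource-collection/"
        name = sc.findtext(coll + f"{JEE}web-resource-name", default="<unnamed>").strip()
        patterns = [p.text.strip() for p in sc.findall(coll + f"{JEE}url-pattern")]
        guarantee = sc.findtext(f"{JEE}user-data-constraint/{JEE}transport-guarantee",
                                default="NONE").strip()
        auth = sc.find(f"{JEE}auth-constraint")

        if auth is None:
            findings.append(f"{name} {patterns}: no <auth-constraint>, only the transport "
                            "is constrained and any caller is let in")
            continue
        # An empty <auth-constraint/> is legal: it denies everyone, nothing to check.
        for r in auth.findall(f"{JEE}role-name"):
            role = r.text.strip()
            if role in ("*", "**"):   # "all declared roles" / "any authenticated user"
                continue
            if role not in declared:
                findings.append(f"{name}: role {role!r} is used but not declared in <security-role>")
            if role not in mapped:
                findings.append(f"{name}: role {role!r} has no <security-role-mapping> in sun-web.xml")
        if guarantee != "CONFIDENTIAL":
            findings.append(f"{name} {patterns}: role-protected but transport-guarantee is "
                            f"{guarantee}, so the session may travel in cleartext")

    for role in sorted(declared - mapped):
        findings.append(f"declared role {role!r} is never mapped to a group in sun-web.xml")
    return findings


if __name__ == "__main__":
    for line in check_web_security(WEB_XML, SUN_WEB_XML):
        print("-", line)
```

Run against the constructed pair it reports four findings; running it over a real WAR's WEB-INF directory before deployment catches exactly the mistakes that otherwise surface only as an unexpectedly open or unexpectedly closed page at runtime.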

EJB-Module

sun-ejb-jar.xml
  • Role mapping between groups in the physical resource (e.g. DB, LDAP) and the application roles inside the EJB module, as above.
  • Declarative security configuration
    Define which Enterprise Beans should be secured by JAAS

    <sun-ejb-jar>
     <enterprise-beans>
      <ejb>
       <ejb-name>MyBean</ejb-name> <!-- Bean name -->
       <ior-security-config>
        <as-context>
         <auth-method>USERNAME_PASSWORD</auth-method>
         <realm>usrRealm</realm> <!-- only if the default realm is not wanted -->
         <required>true</required>
        </as-context>
       </ior-security-config>
      </ejb>
     </enterprise-beans>
    </sun-ejb-jar>

Enterprise Application

sun-application.xml
The settings in this file apply to all EJB modules in the Enterprise Application.
<sun-application>
 <security-role-mapping>
  <role-name>user</role-name>
  <group-name>Users</group-name>
 </security-role-mapping>
 <realm>jdbcRealm</realm>
</sun-application>

Summary

  • For an individually deployed EJB module, you can set the same elements in sun-ejb-jar.xml as in sun-application.xml. If pass-by-reference is set at both the bean and the application level, the bean level takes precedence.
  • Make sure that you have a <security-role-mapping> in a sun-*.xml deployment descriptor file.
  • Specify the realm to be used in the following deployment descriptor: sun-application.xml (for an EAR), web.xml (for a WAR) or sun-ejb-jar.xml (for an EJB JAR).
  • If modules within an application specify realms, these are ignored. If present, the realm defined in sun-application.xml is used; otherwise the domain’s default realm is used.

Looking back

The autumn semester 2010 – the Enterprise Application (ENAPP) module in particular – has been tough. Some of the students in ENAPP suffered, others shone brilliantly. The full range was there. The guest lecturers – Bela Ban, who gets the attention as an expert in the field of “High Availability”, Fabian, who tightened the labs for the Enterprise Security part, and Marcel Baumann, who did an excellent job talking to the students and showing them programming skills. He was the highlight of this semester. One fact is true for all students: they’re all better now. They program better, they think more like programmers. But still, TDD (test-driven development) is not there yet. But the students are getting interested. Maybe pair programming is the answer in hard-core system programming, or very related to solution-focused algorithm finding. But for Enterprise Application programming there is no other way than TDD. There are far too many students losing track when they start looking for errors. Distributed debugging is another keyword. Not everything works just fine as it does locally on the beloved notebook. It should be seen as a tool to program server side. You think server side, you program with the server side in mind. – Now, debugging also happens server side; you need to understand the system, how things work together. – Then you know what’s going on, what’s happening right now inside the software system.

It was great working with the students and the assistants this year. The progress I noted was remarkable. Some are still yelling, as always looking for the mistakes in others’ pockets. Fortunately they’re the minority, otherwise it wouldn’t be fun anymore. So thanks for that great effort of yours – good luck for the MEP. Thanks to Heinz Marti, who did a hell of a job (in fact one of his first jobs ever from Education – or was it iCompany?). He wrote the samples, he debugged and fixed lots of erroneous student applications and he kept the students on track.

Bruno Joho

Synapse – a gnome-do killer

While gnome-do hasn’t been updated over the last year, Synapse was released a couple of weeks ago. Synapse is a lightweight, super-fast application launcher for Linux.

It comes with Zeitgeist integration, which lets you search for things like “the video I watched half an hour ago”. This new method of finding things sounds very interesting to me.
I recently discussed file management with my workmates, and we all agreed that we personally don’t care where files are located on our disks; the main point is to find things quickly, without browsing and searching through hundreds of folders. We still want to have access and full control (for special situations where you want a file at an exact position), but for everything else we don’t really care.

Who could explain Synapse better than its developer mhr3:

“It well… searches stuff… If you ever used Gnome Do / Quicksilver / Gnome Launch Box, you’ll feel right at home with Synapse; if not, the only thing you need to do is run Synapse (or press Ctrl+Space to summon it), type what you’re looking for, and Synapse will present you a list of items that match your query.

Once you’ve found the item you were looking for, you can perform an action on it (and these are defined by the plugins you’re using). If you don’t like the default action, just press Tab and search for the appropriate action.
And besides this primary use case, you can also browse recent items which were logged by Zeitgeist, in case you closed a document by mistake or just want to hear again the music track that played a few minutes ago.”

It’s really, really fast and has plugin management. The list of available plugins isn’t as long as gnome-do’s, but I think this is a matter of time. On my desk it looks like this:

[screenshot: Synapse]

Be sure to give it a try:
sudo add-apt-repository ppa:synapse-core/ppa
sudo apt-get update && sudo apt-get install synapse

Java Web Start and Security Manager

During my work I had some issues with Java Web Start (JWS) and GlassFish v3.0.1 with the “Security Manager” activated. The goal was to deploy a simple hello-world Java EE 6 “Enterprise Application” with an “EJB Module” and an “Enterprise Client Application”, and to run the “Enterprise Client Application” through JWS. The basic function was a “Remote Call” (@EJB) of a @javax.ejb.Stateless EJB from my Swing-based “Enterprise Client Application”.

Certainly, this construct works fine inside NetBeans and without JWS (deploying the “Enterprise Application” from NetBeans to GlassFish and starting the “Enterprise Client Application” directly).

directory deployment

JAR files which should be started with JWS (and all needed libraries) need a signature. NetBeans has a feature that deploys an application directly into the GlassFish application directory. In this case GlassFish doesn’t sign the JAR files; they are signed by NetBeans with its own key. The result is that the deployment fails and you get a message like:

1. A valid ejb jar requires at least one session, entity (1.x/2.x style), or message driven bean.
2. EJB3+ entity beans (@Entity) are POJOs and please package them as library jar.
com.sun.enterprise.deployment.backend.IASDeploymentException: Error loading deployment descriptors for module …

Solution: Deploy the application (.ear file) through the GlassFish v3 web GUI. Don’t forget to set the “Java Web Start” option in the “Deploy Applications or Modules” window. GlassFish automatically signs all JAR files which are deployed with the web GUI.

Server Permission

If you activate the “Security Manager” for GlassFish in the web GUI (“Configuration” -> “Security”), GlassFish cannot sign the JAR files. You get exceptions like the following (summarized):

java.io.IOException: Server returned HTTP response code: 500 for URL:http://….
JACC Policy Provider: Failed Permission Check, context(null)- permission((java.lang.RuntimePermission accessClassInPackage.sun.misc))
java.lang.RuntimeException: java.io.IOException: java.lang.Exception: Error attempting to create signed jar /opt/glassfish/…
Caused by: java.io.IOException: java.lang.Exception: Error attempting to create signed jar
Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.misc)

Solution: Add the following lines to the policy file (server.policy) of the GlassFish domain:

//JWS Permission
//JACC Policy Provider: Failed Permission  Check, context(null)- permission java.lang.RuntimePermission  accessClassInPackage.sun.misc
grant {
permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
};
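The grant above has no codeBase or signedBy clause, so it applies to every class the JVM loads, not just to the JWS signing code. The following added script (my own example, not code from the post or from GlassFish) parses a server.policy, lists each grant with its scope and permissions, and flags grants that are unscoped, that use wildcard targets, or that hand out AllPermission. SAMPLE_POLICY is a constructed file modelled on the grant from this post; the ${com.sun.aas.instanceRoot} property in the second grant is the one GlassFish's own server.policy uses for the domain directory, and the function names are the example's own.

```python
"""Audit a GlassFish server.policy for over-broad grants (added example)."""
import re

# Constructed sample: the post's unscoped JWS grant plus one grant limited to a
# codeBase below the domain directory.
SAMPLE_POLICY = """
// JWS Permission
grant {
permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
permission java.lang.RuntimePermission "accessClassInPackage.sun.security.*";
};

grant codeBase "file:${com.sun.aas.instanceRoot}/lib/-" {
permission java.util.PropertyPermission "*", "read";
permission java.io.FilePermission "${com.sun.aas.instanceRoot}/logs/-", "read,write";
};
"""

# One grant block: an optional header (codeBase / signedBy / principal ...) in
# which ${...} property references may occur, then a brace-delimited body
# terminated by ';'. ${...} is tried first so its braces are not mistaken for
# the body's braces.
GRANT_RE = re.compile(r"grant\b((?:\$\{[^}]*\}|[^{])*)\{(.*?)\}\s*;", re.DOTALL)
# permission <class> ["<target>" [, "<actions>"]] ;
PERM_RE = re.compile(r'permission\s+([\w.$]+)\s*(?:"([^"]*)")?\s*(?:,\s*"([^"]*)")?\s*;')
CODEBASE_RE = re.compile(r'codeBase\s+"([^"]+)"')
SIGNEDBY_RE = re.compile(r'signedBy\s+"([^"]+)"')


def parse_policy(text):
    """Return one dict per grant: codeBase, signedBy, permissions=[(class, target, actions)]."""
    # Drop whole-line // comments only; a trailing "//" inside a codeBase URL
    # such as file:///... must survive, so end-of-line comments are not handled.
    text = re.sub(r"^\s*//[^\n]*", "", text, flags=re.MULTILINE)
    grants = []
    for header, body in GRANT_RE.findall(text):
        cb = CODEBASE_RE.search(header)
        sb = SIGNEDBY_RE.search(header)
        perms = [(cls, target or None, actions or None)
                 for cls, target, actions in PERM_RE.findall(body)]
        grants.append({"codeBase": cb.group(1) if cb else None,
                       "signedBy": sb.group(1) if sb else None,
                       "permissions": perms})
    return grants


def audit_policy(text):
    """Return findings about grants that are broader than a scoped fix needs."""
    findings = []
    for i, g in enumerate(parse_policy(text), start=1):
        if g["codeBase"] is None and g["signedBy"] is None:
            findings.append(f"grant #{i}: no codeBase or signedBy, so it applies to ALL code in the JVM")
        for cls, target, _actions in g["permissions"]:
            if cls.endswith("AllPermission"):
                findings.append(f"grant #{i}: {cls} disables the sandbox entirely")
            elif target and ("*" in target or "<<ALL FILES>>" in target):
                findings.append(f"grant #{i}: wildcard target {target!r} for {cls}")
    return findings


if __name__ == "__main__":
    for g in parse_policy(SAMPLE_POLICY):
        scope = g["codeBase"] or g["signedBy"] or "ALL CODE"
        print(scope)
        for p in g["permissions"]:
            print("   ", p)
    for line in audit_policy(SAMPLE_POLICY):
        print("!", line)
```

On the sample it flags the unscoped grant, the sun.security.* wildcard and the PropertyPermission "*"; the scoped FilePermission passes. Running it over the domain's server.policy after adding the fix above shows whether the new permissions could be narrowed with a codeBase clause to the code that actually performs the signing.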

client and server cache

When I have made an update, the “Enterprise Client Application” should actually update itself automatically. However, Java does not always recognize the new version. In that case you can force the update / a fresh download as follows:
Start -> Run -> Type “javaws -viewer” (without the quotes) -> Ok

A window named “Java Cache Viewer” should pop up. In that window, delete everything that looks like your application, close it and try to start JWS again. You should see a download window for the new version and the program should start normally.

When I did major reconfiguration on GlassFish and/or I believed “it should work, but it didn’t”, I did the same on my server:

bash# rm -r /opt/glassfishv3/glassfish/domains/domain1/java-web-start/
bash# rm -r /opt/glassfishv3/glassfish/domains/domain1/osgi-cache/