Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 8. Advanced Security Options

8.1. Security Propagation
Link kopieren

The term "security propagation" refers to the process of passing security information to an external system. For example, you might want to use the same credentials to call both the Enterprise Service Bus and an Enterprise Java Beans method.

Link kopieren

Report a bug

8.2. SecurityContextPropagator
Link kopieren

The SecurityContextPropagator class passes the security context to the destination environment.

Link kopieren

Report a bug

8.3. SecurityContextPropagator Implementations
Link kopieren

Expand
Table 8.1. Implementations of SecurityContextPropagator
Class Description
Package: org.jboss.internal.soa.esb.services.security
Class: JBossASContextPropagator
This propagator will send security credentials to the ESB. If you need to write your own implementation you only have to write a class that implements org.jboss.internal.soa.esb.services.security.SecurityContextPropagator and then either specify that implementation in jbossesb-properties.xml or jboss-esb.xml.

Link kopieren

Report a bug

8.4. Add a Custom Log-In Module
Link kopieren

Procedure 8.1. Task

  1. Open the log-in configuration file in a text editor: vi SOA_ROOT/jboss-as/server/PROFILE/conf/login-config.xml
  2. Add the details of your custom log-in module.
  3. Save the file and exit.
  4. Since different log-in modules require different information, you must specify the CallbackHandler attribute to be used. Open the specific security configuration for that service.
  5. Make sure that the CallbackHandler specifies a fully-qualified classname for the class which implements the EsbCallbackHandler interface. This code shows you how to do so: 
    public interface EsbCallbackHandler extends CallbackHandler
{
  void setAuthenticationRequest(final AuthenticationRequest authRequest);
  void setSecurityConfig(final SecurityConfig config);
}
    Copy to Clipboard Toggle word wrap
  6. Add both the "principle" and the credentials needed to authenticate a caller to the AuthenticationRequest class.
Result

JaasSecurityService is replaced with your custom security implementation.

Link kopieren

Report a bug

8.5. Certificate Log-In Module
Link kopieren

The Certificate Log-in Module performs authentication by verifying the certificate that is passed with the call to the Enterprise Service Bus against a certificate held in a local key-store. The certificate's common name creates a "principle".

Link kopieren

Report a bug

8.6. Certificate Log-In Module Properties
Link kopieren

<security moduleName="CertLogin" rolesAllowed="worker"
  callbackHandler="org.jboss.soa.esb.services.security.auth.loginUserPass
CallbackHandler">
  <property name="alias" value="certtest"/>
</security>
Copy to Clipboard Toggle word wrap
Expand
Table 8.2. Properties
Property Description
moduleName
This identifies the JAAS Login module to use. This module will be specified in JBossAS login-config.xml.
rolesAllow
This is a comma-separated list of the roles that are allowed to execute this service.
alias
This is the alias which is used to look up the local key-store and which will be used to verify the caller's certificate.

Link kopieren

Report a bug

8.7. Certificate Log-In Module Configuration File Properties
Link kopieren

<application-policy name="CertLogin">
<authentication>
  <login-module
code="org.jboss.soa.esb.services.security.auth.login.CertificateLoginModule"
flag = "required" >
  <module-option name="keyStoreURL">
    file://pathToKeyStore
  </module-option>
  <module-option name="keyStorePassword">storepassword</module-option>
  <module-option name="rolesPropertiesFile">
    file://pathToRolesFile
  </module-option>
  </login-module>
</authentication>
</application-policy>
Copy to Clipboard Toggle word wrap
Expand
Table 8.3. Certificate Log-In Module Configuration File Properties
Property Description
keyStoreURL
This is the path to the key-store used to verify the certificates. It can be a file on the local file system or on the class-path.
keyStorePassword
This is the password for the key-store above.
rolesPropertiesFile
This is optional. It is the path to a file containing role mappings. Refer to the “Role Mapping” section of the Getting Started Guide for more details about this.

Link kopieren

Report a bug

8.8. Callback Handler
Link kopieren

A callback handler is a type of library used in back-end operations. It allows applications to "talk" to each other through security services and can be used to confirm authentication data.

Link kopieren

Report a bug

8.9. Role Mapping
Link kopieren

Role mapping is a way of sharing data between secure hosts. A file containing a list of trusted hosts is created, with each host assigned several role mappings. Mapping occurs when you accesses data from one of the hosts. The sender's roles are mapped onto the receiver's roles to allow for authentication and data sharing. Types of roles include user roles, application roles and so forth. This is an optional feature and is not enabled by default.

Link kopieren

Report a bug

8.10. Enable Role Mapping
Link kopieren

Procedure 8.2. Task

  1. Open the log-in configuration file in a text editor: vi SOA_ROOT/jboss-as/server/PROFILE/conf/login-config.xml
  2. Set the rolesPropertiesFile property. (This property can point to a file located on either the local file system or the class-path).
  3. Map users to roles. This example code shows how to do so: 
    # user=role1,role2,...
guest=guest
esbuser=esbrole
# The current implementation will use the Common Name(CN) specified
# for the certificate as the user name.
# The unicode escape is needed only if your CN contains a space
Andy\u0020Anderson=esbrole,worker
    Copy to Clipboard Toggle word wrap
  4. Save the file and exit.

Link kopieren

Report a bug

8.11. security_cert Quickstart
Link kopieren

The security_cert quickstart demonstrates the JBoss Enterprise SOA Platform's role-mapping functionality.

Link kopieren

Report a bug

8.12. Security Service
Link kopieren

The SecurityService interface is the Enterprise Service Bus' central security component.

Link kopieren

Report a bug

8.13. Customize the Security Service Interface
Link kopieren

Procedure 8.3. Task

  1. Implement the SecurityService interface: 
    public interface SecurityService
{
    void configure() throws ConfigurationException;

    void authenticate(
        final SecurityConfig securityConfig, 
        final SecurityContext securityContext, 
        final AuthenticationRequest authRequest) 
        throws SecurityServiceException;

    boolean checkRolesAllowed(
        final List<String> rolesAllowed, 
        final SecurityContext securityContext);

    boolean isCallerInRole(
        final Subject subject, 
        final Principle role);

    void logout(final SecurityConfig securityConfig);

    void refreshSecurityConfig();
}
    Copy to Clipboard Toggle word wrap
  2. Open the global configuration file in a text editor: vi SOA_ROOT/jboss-as/server/PROFILE/deployers/esb.deployer/jbossesb-properties.xml.
  3. Configure the file to use the customized SecurityService
  4. Save the file and exit.

Link kopieren

Report a bug

8.14. Remote Invocation Class
Link kopieren

As its name implies, a remote invocation class is a class that can be called from a remote machine. This can be useful for developers but can also lead to potential security risks.

Link kopieren

Report a bug

8.15. Secure Non-Remote Method Invocation Classes on Port 8083
Link kopieren

Client applications can, by default, utilize Remote Method Invocation to download Enterprise Java Bean classes through port 8083. However, you can also configure the system's Remote Method Invocation settings to allow client applications to download any deployed resources you desire.

Procedure 8.4. Task

  1. Edit the Settings in the jboss-service.xml File

    Open the file in a text editor: vi SOA_ROOT/server/PROFILE/conf/jboss-service.xml

  2. Configure the Settings in the File

    Here is an example: 
    <attribute name="DownloadServerClasses">false</attribute>
    Copy to Clipboard Toggle word wrap
    Set this value to false to ensure that client applications can only download Enterprise Java Bean classes.

    Important

    By default, this value is set to false in the SOA Platform's 'production' profile. The value is set to true in all other cases, including the SOA Standalone version's default profile. Note that this is not a secure configuration and should only be used in development environments.

Link kopieren

Report a bug
Nach oben
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2025 Red Hat