Chapter 8. Advanced Security Options
8.1. Security Propagation
The term "security propagation" refers to the process of passing security information to an external system. For example, you might want to use the same credentials to call both the Enterprise Service Bus and an Enterprise Java Beans method.
8.2. SecurityContextPropagator
The SecurityContextPropagator class passes the security context to the destination environment.
8.3. SecurityContextPropagator Implementations
| Class | Description |
|---|---|
|
Package: org.jboss.internal.soa.esb.services.security
Class: JBossASContextPropagator
|
This propagator will send security credentials to the ESB. If you need to write your own implementation you only have to write a class that implements
org.jboss.internal.soa.esb.services.security.SecurityContextPropagator and then either specify that implementation in jbossesb-properties.xml or jboss-esb.xml.
|
8.4. Add a Custom Log-In Module
Procedure 8.1. Task
- Open the log-in configuration file in a text editor:
vi SOA_ROOT/jboss-as/server/PROFILE/conf/login-config.xml - Add the details of your custom log-in module.
- Save the file and exit.
- Since different log-in modules require different information, you must specify the CallbackHandler attribute to be used. Open the specific security configuration for that service.
- Make sure that the
CallbackHandlerspecifies a fully-qualified classname for the class which implements theEsbCallbackHandlerinterface. This code shows you how to do so:public interface EsbCallbackHandler extends CallbackHandler { void setAuthenticationRequest(final AuthenticationRequest authRequest); void setSecurityConfig(final SecurityConfig config); } - Add both the "principle" and the credentials needed to authenticate a caller to the
AuthenticationRequestclass.
Result
JaasSecurityService is replaced with your custom security implementation.
8.5. Certificate Log-In Module
The Certificate Log-in Module performs authentication by verifying the certificate that is passed with the call to the Enterprise Service Bus against a certificate held in a local key-store. The certificate's common name creates a "principle".
8.6. Certificate Log-In Module Properties
<security moduleName="CertLogin" rolesAllowed="worker" callbackHandler="org.jboss.soa.esb.services.security.auth.loginUserPass CallbackHandler"> <property name="alias" value="certtest"/> </security>
| Property | Description |
|---|---|
|
moduleName
|
This identifies the JAAS Login module to use. This module will be specified in JBossAS login-config.xml.
|
|
rolesAllow
|
This is a comma-separated list of the roles that are allowed to execute this service.
|
|
alias
|
This is the alias which is used to look up the local key-store and which will be used to verify the caller's certificate.
|
8.7. Certificate Log-In Module Configuration File Properties
<application-policy name="CertLogin">
<authentication>
<login-module
code="org.jboss.soa.esb.services.security.auth.login.CertificateLoginModule"
flag = "required" >
<module-option name="keyStoreURL">
file://pathToKeyStore
</module-option>
<module-option name="keyStorePassword">storepassword</module-option>
<module-option name="rolesPropertiesFile">
file://pathToRolesFile
</module-option>
</login-module>
</authentication>
</application-policy>
| Property | Description |
|---|---|
|
keyStoreURL
|
This is the path to the key-store used to verify the certificates. It can be a file on the local file system or on the class-path.
|
|
keyStorePassword
|
This is the password for the key-store above.
|
|
rolesPropertiesFile
|
This is optional. It is the path to a file containing role mappings. Refer to the “Role Mapping” section of the Getting Started Guide for more details about this.
|
8.8. Callback Handler
A callback handler is a type of library used in back-end operations. It allows applications to "talk" to each other through security services and can be used to confirm authentication data.
8.9. Role Mapping
Role mapping is a way of sharing data between secure hosts. A file containing a list of trusted hosts is created, with each host assigned several role mappings. Mapping occurs when you accesses data from one of the hosts. The sender's roles are mapped onto the receiver's roles to allow for authentication and data sharing. Types of roles include user roles, application roles and so forth. This is an optional feature and is not enabled by default.
8.10. Enable Role Mapping
Procedure 8.2. Task
- Open the log-in configuration file in a text editor:
vi SOA_ROOT/jboss-as/server/PROFILE/conf/login-config.xml - Set the rolesPropertiesFile property. (This property can point to a file located on either the local file system or the class-path).
- Map users to roles. This example code shows how to do so:
# user=role1,role2,... guest=guest esbuser=esbrole # The current implementation will use the Common Name(CN) specified # for the certificate as the user name. # The unicode escape is needed only if your CN contains a space Andy\u0020Anderson=esbrole,worker
- Save the file and exit.
8.11. security_cert Quickstart
The security_cert quickstart demonstrates the JBoss Enterprise SOA Platform's role-mapping functionality.
8.12. Security Service
The
SecurityService interface is the Enterprise Service Bus' central security component.
8.13. Customize the Security Service Interface
Procedure 8.3. Task
- Implement the
SecurityServiceinterface:public interface SecurityService { void configure() throws ConfigurationException; void authenticate( final SecurityConfig securityConfig, final SecurityContext securityContext, final AuthenticationRequest authRequest) throws SecurityServiceException; boolean checkRolesAllowed( final List<String> rolesAllowed, final SecurityContext securityContext); boolean isCallerInRole( final Subject subject, final Principle role); void logout(final SecurityConfig securityConfig); void refreshSecurityConfig(); } - Open the global configuration file in a text editor:
vi SOA_ROOT/jboss-as/server/PROFILE/deployers/esb.deployer/jbossesb-properties.xml. - Configure the file to use the customized
SecurityService - Save the file and exit.
8.14. Remote Invocation Class
As its name implies, a remote invocation class is a class that can be called from a remote machine. This can be useful for developers but can also lead to potential security risks.
8.15. Secure Non-Remote Method Invocation Classes on Port 8083
Client applications can, by default, utilize Remote Method Invocation to download Enterprise Java Bean classes through
port 8083. However, you can also configure the system's Remote Method Invocation settings to allow client applications to download any deployed resources you desire.
Procedure 8.4. Task
Edit the Settings in the jboss-service.xml File
Open the file in a text editor:vi SOA_ROOT/server/PROFILE/conf/jboss-service.xmlConfigure the Settings in the File
Here is an example:<attribute name="DownloadServerClasses">false</attribute>
Set this value to false to ensure that client applications can only download Enterprise Java Bean classes.Important
By default, this value is set to false in the SOA Platform's 'production' profile. The value is set to true in all other cases, including the SOA Standalone version's default profile. Note that this is not a secure configuration and should only be used in development environments.
