Chapter 7. Security
Security in JBoss EAP is a vast topic. Both JBoss EAP and Camel have well documented, standardised methods of securing configuration, endpoints and payloads.
7.1. JAX-RS Security
The following topics explain how to secure JAX-RS endpoints.
7.2. JAX-WS Security
The following topics explain how to secure JAX-WS endpoints.
7.3. JMS Security
The following topics explain how to secure JMS endpoints.
Additionally, you can use Camel’s notion of Route Policies to integrate with the JBoss EAP security system.
7.4. Route Policy
Camel supports the notion of RoutePolicies, which can be used to integrate with the JBoss EAP security system. There are currently two supported scenarios for security integration.
7.4.1. Camel calls into JavaEE
When a camel route calls into a secured JavaEE component, it acts as a client and must provide appropriate credentials associated with the call.
You can decorate the route with a ClientAuthorizationPolicy
as follows:
CamelContext camelctx = new DefaultCamelContext(); camelctx.addRoutes(new RouteBuilder() { @Override public void configure() throws Exception { from("direct:start") .policy(new ClientAuthorizationPolicy()) .to("ejb:java:module/AnnotatedSLSB?method=doSelected"); } });
This does not do any authentication and authorization, as a part of the camel message processing. Instead, it associates the credentials that come with the Camel Exchange with the call into the EJB3 layer.
The client that calls the message consumer must provide appropriate credentials in the AUTHENTICATION header like this:
ProducerTemplate producer = camelctx.createProducerTemplate(); Subject subject = new Subject(); subject.getPrincipals().add(new DomainPrincipal(domain)); subject.getPrincipals().add(new EncodedUsernamePasswordPrincipal(username, password)); producer.requestBodyAndHeader("direct:start", "Kermit", Exchange.AUTHENTICATION, subject, String.class);
Authentication and authorization will happen in the JavaEE layer.
7.4.2. Securing a Camel Route
In order to secure a Camel Route, you can associate a DomainAuthorizationPolicy
with the route. This policy requires a successful authentication against the given security domain and authorization for "Role2".
CamelContext camelctx = new DefaultCamelContext(); camelctx.addRoutes(new RouteBuilder() { @Override public void configure() throws Exception { from("direct:start") .policy(new DomainAuthorizationPolicy().roles("Role2")) .transform(body().prepend("Hello ")); } }); camelctx.start();
Again, the client that calls the message consumer must provide appropriate credentials in the AUTHENTICATION header like this:
ProducerTemplate producer = camelctx.createProducerTemplate(); Subject subject = new Subject(); subject.getPrincipals().add(new DomainPrincipal(domain)); subject.getPrincipals().add(new EncodedUsernamePasswordPrincipal(username, password)); producer.requestBodyAndHeader("direct:start", "Kermit", Exchange.AUTHENTICATION, subject, String.class);
7.5. Using Elytron Security for Camel on EAP applications
You can secure a Camel on EAP application by using the Elytron security framework.
The following example demonstrates how to secure CXF endpoints with an Elytron security domain.
In this example, a Camel route takes a message payload from a direct endpoint and passes it to a CXF producer endpoint. The producer uses the payload to pass arguments to a CXF JAX-WS web service that is secured by TLS mutual authentication (two-way SSL and client certificate authentication).
7.5.1. Running a Sample Project
Before running the project, ensure that your setup includes maven and the application server with Red Hat Fuse.
Perform the following steps to run your project:
Add a new application user by invoking the
add-user
utility, for example:${JBOSS_HOME}/bin/add-user.sh -a -u client -p whatever -g testRole
Start the application server in a standalone mode:
${JBOSS_HOME}/bin/standalone.sh -c standalone-full.xml
Copy the security key stores from the
src/main/resources/keys
file to the${JBOSS_HOME}/standalone/configuration
file.cp -t ${JBOSS_HOME}/standalone/configuration src/main/resources/keys/*
Create the Security domain and other related objects in the management model of the application server by invoking a JBoss CLI script:
${JBOSS_HOME}/bin/jboss-cli.sh --connect --file=configure-tls-security.cli
-
Read carefully the
jboss-web-xml
andweb.xml files
in thewebapp/WEB-INF
directory of the project. They set the application security domain, security roles and constraints. Build and deploy the project by invoking the following command:
mvn install -Pdeploy
-
Browse to the
camel-cxf-jaxws-cdi-secure`file location. The `Send a Greeting
web page appears. The User Interface enables you to interact with the testgreeting
web service.
7.6. Configuring an Elytron Security Domain
Camel on EAP secures camel-cxf
consumer endpoints with the Elytron security framework.
To accomplish this, refer to an application security domain the WEB-INF/jboss-web.xml
file of your WAR deployment, for example:
<jboss-web> <security-domain>my-application-security-domain</security-domain> </jboss-web>
The <security-domain>
configuration references the name of <application-security-domain>
that is defined by the Undertow subsystem. For example, you can configure the Undertow subsystem <application-security-domain>
within the JBoss EAP server standalone.xml
configuration file as follows:
<subsystem xmlns="urn:jboss:domain:undertow:6.0"> ... <application-security-domains> <application-security-domain name="my-application-security-domain" http-authentication-factory="application-http-authentication"/> </application-security-domains> </subsystem>
The Elytron subsystem defines the HTTP authentication factory, application-http-authentication
. The application-http-authentication
factory is available by default in both the standalone.xml
and standalone-full.xml
server configuration. For example:
<subsystem xmlns="urn:wildfly:elytron:1.2"> ... <http> ... <http-authentication-factory name="application-http-authentication" http-server-mechanism-factory="global" security-domain="ApplicationDomain"> <mechanism-configuration> <mechanism mechanism-name="BASIC"> <mechanism-realm realm-name="Application Realm" /> </mechanism> <mechanism mechanism-name="FORM" /> </mechanism-configuration> </http-authentication-factory> <provider-http-server-mechanism-factory name="global" /> </http> ... </subsystem>
The <http-authentication-factory>
named application-http-authentication
holds a reference to an Elytron security domain called ApplicationDomain
.
For more information on configuring the Elytron subsystem, see the Elytron documentation.
7.7. Configuring Security for Camel-CXF Consumer Endpoints
You can configure security constraints, authentication methods and security roles for camel-cxf
consumer endpoints within your WAR deployment WEB-INF/web.xml
file. For example, to configure the basic authentication:
<web-app> <security-constraint> <web-resource-collection> <web-resource-name>secure</web-resource-name> <url-pattern>/webservices/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>my-role</role-name> </auth-constraint> </security-constraint> <security-role> <description>The role that is required to log in to /webservices/*</description> <role-name>my-role</role-name> </security-role> <login-config> <auth-method>BASIC</auth-method> <realm-name>my-realm</realm-name> </login-config> </web-app>
The <url-pattern>
defined by the Servlet Specification is relative to the context path of the web application. If your application is packaged as my-app.war
, JBoss EAP makes it accessible under the context path /my-app
. Also, you can apply the <url-pattern>
/webservices/*
to paths relative to /my-app
.
For example, requests against http://my-server/my-app/webservices/my-endpoint
will match the /webservices/*
pattern. However, http://my-server/webservices/my-endpoint
does not match.
Using Camel on EAP, you can also create the camel-cxf
endpoint consumer whose base path is outside of the host web application context path.
To define the security constraints for camel-cxf
consumer endpoints whose base path is outside of the host web application context path, Camel on EAP supports a custom, non-standard <url-pattern>
convention. For example, to secure http://my-server/webservices/my-endpoint
inside the my-app.war
file, you can add the following configuration to the `web.xml`file:
<web-app> <security-constraint> <web-resource-collection> <web-resource-name>secure</web-resource-name> <url-pattern>///webservices/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>my-role</role-name> </auth-constraint> </security-constraint> <security-role> <description>The role that is required to log in to /webservices/*</description> <role-name>my-role</role-name> </security-role> <login-config> <auth-method>BASIC</auth-method> <realm-name>my-realm</realm-name> </login-config> </web-app>