Search

Chapter 7. Security

download PDF

Security in JBoss EAP is a vast topic. Both JBoss EAP and Camel have well documented, standardised methods of securing configuration, endpoints and payloads.

7.1. JAX-RS Security

The following topics explain how to secure JAX-RS endpoints.

7.2. JAX-WS Security

The following topics explain how to secure JAX-WS endpoints.

7.3. JMS Security

The following topics explain how to secure JMS endpoints.

Additionally, you can use Camel’s notion of Route Policies to integrate with the JBoss EAP security system.

7.4. Route Policy

Camel supports the notion of RoutePolicies, which can be used to integrate with the JBoss EAP security system. There are currently two supported scenarios for security integration.

7.4.1. Camel calls into JavaEE

When a camel route calls into a secured JavaEE component, it acts as a client and must provide appropriate credentials associated with the call.

You can decorate the route with a ClientAuthorizationPolicy as follows:

CamelContext camelctx = new DefaultCamelContext();
camelctx.addRoutes(new RouteBuilder() {
    @Override
    public void configure() throws Exception {
        from("direct:start")
        .policy(new ClientAuthorizationPolicy())
        .to("ejb:java:module/AnnotatedSLSB?method=doSelected");
    }
});

This does not do any authentication and authorization, as a part of the camel message processing. Instead, it associates the credentials that come with the Camel Exchange with the call into the EJB3 layer.

The client that calls the message consumer must provide appropriate credentials in the AUTHENTICATION header like this:

ProducerTemplate producer = camelctx.createProducerTemplate();
Subject subject = new Subject();
subject.getPrincipals().add(new DomainPrincipal(domain));
subject.getPrincipals().add(new EncodedUsernamePasswordPrincipal(username, password));
producer.requestBodyAndHeader("direct:start", "Kermit", Exchange.AUTHENTICATION, subject, String.class);

Authentication and authorization will happen in the JavaEE layer.

7.4.2. Securing a Camel Route

In order to secure a Camel Route, you can associate a DomainAuthorizationPolicy with the route. This policy requires a successful authentication against the given security domain and authorization for "Role2".

CamelContext camelctx = new DefaultCamelContext();
camelctx.addRoutes(new RouteBuilder() {
    @Override
    public void configure() throws Exception {
        from("direct:start")
        .policy(new DomainAuthorizationPolicy().roles("Role2"))
        .transform(body().prepend("Hello "));
    }
});
camelctx.start();

Again, the client that calls the message consumer must provide appropriate credentials in the AUTHENTICATION header like this:

ProducerTemplate producer = camelctx.createProducerTemplate();
Subject subject = new Subject();
subject.getPrincipals().add(new DomainPrincipal(domain));
subject.getPrincipals().add(new EncodedUsernamePasswordPrincipal(username, password));
producer.requestBodyAndHeader("direct:start", "Kermit", Exchange.AUTHENTICATION, subject, String.class);

7.5. Using Elytron Security for Camel on EAP applications

You can secure a Camel on EAP application by using the Elytron security framework.

The following example demonstrates how to secure CXF endpoints with an Elytron security domain.

In this example, a Camel route takes a message payload from a direct endpoint and passes it to a CXF producer endpoint. The producer uses the payload to pass arguments to a CXF JAX-WS web service that is secured by TLS mutual authentication (two-way SSL and client certificate authentication).

7.5.1. Running a Sample Project

Before running the project, ensure that your setup includes maven and the application server with Red Hat Fuse.

Perform the following steps to run your project:

  1. Add a new application user by invoking the add-user utility, for example:

    ${JBOSS_HOME}/bin/add-user.sh -a -u client -p whatever -g testRole
  2. Start the application server in a standalone mode:

    ${JBOSS_HOME}/bin/standalone.sh -c standalone-full.xml
  3. Copy the security key stores from the src/main/resources/keys file to the ${JBOSS_HOME}/standalone/configuration file.

    cp -t ${JBOSS_HOME}/standalone/configuration src/main/resources/keys/*
  4. Create the Security domain and other related objects in the management model of the application server by invoking a JBoss CLI script:

    ${JBOSS_HOME}/bin/jboss-cli.sh --connect --file=configure-tls-security.cli
  5. Read carefully the jboss-web-xml and web.xml files in the webapp/WEB-INF directory of the project. They set the application security domain, security roles and constraints.
  6. Build and deploy the project by invoking the following command:

    mvn install -Pdeploy
  7. Browse to the camel-cxf-jaxws-cdi-secure`file location. The `Send a Greeting web page appears. The User Interface enables you to interact with the test greeting web service.

7.6. Configuring an Elytron Security Domain

Camel on EAP secures camel-cxf consumer endpoints with the Elytron security framework.

To accomplish this, refer to an application security domain the WEB-INF/jboss-web.xml file of your WAR deployment, for example:

<jboss-web>
  <security-domain>my-application-security-domain</security-domain>
</jboss-web>

The <security-domain> configuration references the name of <application-security-domain> that is defined by the Undertow subsystem. For example, you can configure the Undertow subsystem <application-security-domain> within the JBoss EAP server standalone.xml configuration file as follows:

<subsystem xmlns="urn:jboss:domain:undertow:6.0">
    ...
    <application-security-domains>
        <application-security-domain name="my-application-security-domain" http-authentication-factory="application-http-authentication"/>
    </application-security-domains>
</subsystem>

The Elytron subsystem defines the HTTP authentication factory, application-http-authentication. The application-http-authentication factory is available by default in both the standalone.xml and standalone-full.xml server configuration. For example:

<subsystem xmlns="urn:wildfly:elytron:1.2">
    ...
    <http>
        ...
        <http-authentication-factory name="application-http-authentication" http-server-mechanism-factory="global" security-domain="ApplicationDomain">
            <mechanism-configuration>
                <mechanism mechanism-name="BASIC">
                    <mechanism-realm realm-name="Application Realm" />
                </mechanism>
                <mechanism mechanism-name="FORM" />
            </mechanism-configuration>
        </http-authentication-factory>
        <provider-http-server-mechanism-factory name="global" />
    </http>
    ...
</subsystem>

The <http-authentication-factory> named application-http-authentication holds a reference to an Elytron security domain called ApplicationDomain.

For more information on configuring the Elytron subsystem, see the Elytron documentation.

7.7. Configuring Security for Camel-CXF Consumer Endpoints

You can configure security constraints, authentication methods and security roles for camel-cxf consumer endpoints within your WAR deployment WEB-INF/web.xml file. For example, to configure the basic authentication:

<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secure</web-resource-name>
      <url-pattern>/webservices/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>my-role</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <description>The role that is required to log in to /webservices/*</description>
    <role-name>my-role</role-name>
  </security-role>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>my-realm</realm-name>
  </login-config>
</web-app>

The <url-pattern> defined by the Servlet Specification is relative to the context path of the web application. If your application is packaged as my-app.war, JBoss EAP makes it accessible under the context path /my-app. Also, you can apply the <url-pattern> /webservices/* to paths relative to /my-app.

For example, requests against http://my-server/my-app/webservices/my-endpoint will match the /webservices/* pattern. However, http://my-server/webservices/my-endpoint does not match.

Note

Using Camel on EAP, you can also create the camel-cxf endpoint consumer whose base path is outside of the host web application context path.

To define the security constraints for camel-cxf consumer endpoints whose base path is outside of the host web application context path, Camel on EAP supports a custom, non-standard <url-pattern> convention. For example, to secure http://my-server/webservices/my-endpoint inside the my-app.war file, you can add the following configuration to the `web.xml`file:

<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secure</web-resource-name>
      <url-pattern>///webservices/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>my-role</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <description>The role that is required to log in to /webservices/*</description>
    <role-name>my-role</role-name>
  </security-role>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>my-realm</realm-name>
  </login-config>
</web-app>
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.