Red Hat Summit Red Hat SummitApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Este contenido no está disponible en el idioma seleccionado.

Chapter 8. Advanced Security Options

8.1. Security Propagation
Copiar enlace

The term "security propagation" refers to the process of passing security information to an external system. For example, you might want to use the same credentials to call both the Enterprise Service Bus and an Enterprise Java Beans method.

Copiar enlace

Report a bug

8.2. SecurityContextPropagator
Copiar enlace

The SecurityContextPropagator class passes the security context to the destination environment.

Copiar enlace

Report a bug

8.3. SecurityContextPropagator Implementations
Copiar enlace

Expand
Table 8.1. Implementations of SecurityContextPropagator
Class Description
Package: org.jboss.internal.soa.esb.services.security
Class: JBossASContextPropagator
This propagator will send security credentials to the ESB. If you need to write your own implementation you only have to write a class that implements org.jboss.internal.soa.esb.services.security.SecurityContextPropagator and then either specify that implementation in jbossesb-properties.xml or jboss-esb.xml.

Copiar enlace

Report a bug

8.4. Add a Custom Log-In Module
Copiar enlace

Procedure 8.1. Task

  1. Open the log-in configuration file in a text editor: vi SOA_ROOT/jboss-as/server/PROFILE/conf/login-config.xml
  2. Add the details of your custom log-in module.
  3. Save the file and exit.
  4. Since different log-in modules require different information, you must specify the CallbackHandler attribute to be used. Open the specific security configuration for that service.
  5. Make sure that the CallbackHandler specifies a fully-qualified classname for the class which implements the EsbCallbackHandler interface. This code shows you how to do so: 
    public interface EsbCallbackHandler extends CallbackHandler
{
  void setAuthenticationRequest(final AuthenticationRequest authRequest);
  void setSecurityConfig(final SecurityConfig config);
}
    Copy to Clipboard Toggle word wrap
  6. Add both the "principle" and the credentials needed to authenticate a caller to the AuthenticationRequest class.
Result

JaasSecurityService is replaced with your custom security implementation.

Copiar enlace

Report a bug

8.5. Certificate Log-In Module
Copiar enlace

The Certificate Log-in Module performs authentication by verifying the certificate that is passed with the call to the Enterprise Service Bus against a certificate held in a local key-store. The certificate's common name creates a "principle".

Copiar enlace

Report a bug

8.6. Certificate Log-In Module Properties
Copiar enlace

<security moduleName="CertLogin" rolesAllowed="worker"
  callbackHandler="org.jboss.soa.esb.services.security.auth.loginUserPass
CallbackHandler">
  <property name="alias" value="certtest"/>
</security>
Copy to Clipboard Toggle word wrap
Expand
Table 8.2. Properties
Property Description
moduleName
This identifies the JAAS Login module to use. This module will be specified in JBossAS login-config.xml.
rolesAllow
This is a comma-separated list of the roles that are allowed to execute this service.
alias
This is the alias which is used to look up the local key-store and which will be used to verify the caller's certificate.

Copiar enlace

Report a bug

8.7. Certificate Log-In Module Configuration File Properties
Copiar enlace

<application-policy name="CertLogin">
<authentication>
  <login-module
code="org.jboss.soa.esb.services.security.auth.login.CertificateLoginModule"
flag = "required" >
  <module-option name="keyStoreURL">
    file://pathToKeyStore
  </module-option>
  <module-option name="keyStorePassword">storepassword</module-option>
  <module-option name="rolesPropertiesFile">
    file://pathToRolesFile
  </module-option>
  </login-module>
</authentication>
</application-policy>
Copy to Clipboard Toggle word wrap
Expand
Table 8.3. Certificate Log-In Module Configuration File Properties
Property Description
keyStoreURL
This is the path to the key-store used to verify the certificates. It can be a file on the local file system or on the class-path.
keyStorePassword
This is the password for the key-store above.
rolesPropertiesFile
This is optional. It is the path to a file containing role mappings. Refer to the “Role Mapping” section of the Getting Started Guide for more details about this.

Copiar enlace

Report a bug

8.8. Callback Handler
Copiar enlace

A callback handler is a type of library used in back-end operations. It allows applications to "talk" to each other through security services and can be used to confirm authentication data.

Copiar enlace

Report a bug

8.9. Role Mapping
Copiar enlace

Role mapping is a way of sharing data between secure hosts. A file containing a list of trusted hosts is created, with each host assigned several role mappings. Mapping occurs when you accesses data from one of the hosts. The sender's roles are mapped onto the receiver's roles to allow for authentication and data sharing. Types of roles include user roles, application roles and so forth. This is an optional feature and is not enabled by default.

Copiar enlace

Report a bug

8.10. Enable Role Mapping
Copiar enlace

Procedure 8.2. Task

  1. Open the log-in configuration file in a text editor: vi SOA_ROOT/jboss-as/server/PROFILE/conf/login-config.xml
  2. Set the rolesPropertiesFile property. (This property can point to a file located on either the local file system or the class-path).
  3. Map users to roles. This example code shows how to do so: 
    # user=role1,role2,...
guest=guest
esbuser=esbrole
# The current implementation will use the Common Name(CN) specified
# for the certificate as the user name.
# The unicode escape is needed only if your CN contains a space
Andy\u0020Anderson=esbrole,worker
    Copy to Clipboard Toggle word wrap
  4. Save the file and exit.

Copiar enlace

Report a bug

8.11. security_cert Quickstart
Copiar enlace

The security_cert quickstart demonstrates the JBoss Enterprise SOA Platform's role-mapping functionality.

Copiar enlace

Report a bug

8.12. Security Service
Copiar enlace

The SecurityService interface is the Enterprise Service Bus' central security component.

Copiar enlace

Report a bug

8.13. Customize the Security Service Interface
Copiar enlace

Procedure 8.3. Task

  1. Implement the SecurityService interface: 
    public interface SecurityService
{
    void configure() throws ConfigurationException;

    void authenticate(
        final SecurityConfig securityConfig, 
        final SecurityContext securityContext, 
        final AuthenticationRequest authRequest) 
        throws SecurityServiceException;

    boolean checkRolesAllowed(
        final List<String> rolesAllowed, 
        final SecurityContext securityContext);

    boolean isCallerInRole(
        final Subject subject, 
        final Principle role);

    void logout(final SecurityConfig securityConfig);

    void refreshSecurityConfig();
}
    Copy to Clipboard Toggle word wrap
  2. Open the global configuration file in a text editor: vi SOA_ROOT/jboss-as/server/PROFILE/deployers/esb.deployer/jbossesb-properties.xml.
  3. Configure the file to use the customized SecurityService
  4. Save the file and exit.

Copiar enlace

Report a bug

8.14. Remote Invocation Class
Copiar enlace

As its name implies, a remote invocation class is a class that can be called from a remote machine. This can be useful for developers but can also lead to potential security risks.

Copiar enlace

Report a bug

8.15. Secure Non-Remote Method Invocation Classes on Port 8083
Copiar enlace

Client applications can, by default, utilize Remote Method Invocation to download Enterprise Java Bean classes through port 8083. However, you can also configure the system's Remote Method Invocation settings to allow client applications to download any deployed resources you desire.

Procedure 8.4. Task

  1. Edit the Settings in the jboss-service.xml File

    Open the file in a text editor: vi SOA_ROOT/server/PROFILE/conf/jboss-service.xml

  2. Configure the Settings in the File

    Here is an example: 
    <attribute name="DownloadServerClasses">false</attribute>
    Copy to Clipboard Toggle word wrap
    Set this value to false to ensure that client applications can only download Enterprise Java Bean classes.

    Important

    By default, this value is set to false in the SOA Platform's 'production' profile. The value is set to true in all other cases, including the SOA Standalone version's default profile. Note that this is not a secure configuration and should only be used in development environments.

Copiar enlace

Report a bug
Volver arriba
Red Hat logoGithubredditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar. Explore nuestras recientes actualizaciones.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

Theme

© 2025 Red Hat