Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 8. Advanced Security Options

8.1. Security Propagation
Copier lien

The term "security propagation" refers to the process of passing security information to an external system. For example, you might want to use the same credentials to call both the Enterprise Service Bus and an Enterprise Java Beans method.

Copier lien

Report a bug

8.2. SecurityContextPropagator
Copier lien

The SecurityContextPropagator class passes the security context to the destination environment.

Copier lien

Report a bug

8.3. SecurityContextPropagator Implementations
Copier lien

Expand
Table 8.1. Implementations of SecurityContextPropagator
Class Description
Package: org.jboss.internal.soa.esb.services.security
Class: JBossASContextPropagator
This propagator will send security credentials to the ESB. If you need to write your own implementation you only have to write a class that implements org.jboss.internal.soa.esb.services.security.SecurityContextPropagator and then either specify that implementation in jbossesb-properties.xml or jboss-esb.xml.

Copier lien

Report a bug

8.4. Add a Custom Log-In Module
Copier lien

Procedure 8.1. Task

  1. Open the log-in configuration file in a text editor: vi SOA_ROOT/jboss-as/server/PROFILE/conf/login-config.xml
  2. Add the details of your custom log-in module.
  3. Save the file and exit.
  4. Since different log-in modules require different information, you must specify the CallbackHandler attribute to be used. Open the specific security configuration for that service.
  5. Make sure that the CallbackHandler specifies a fully-qualified classname for the class which implements the EsbCallbackHandler interface. This code shows you how to do so: 
    public interface EsbCallbackHandler extends CallbackHandler
{
  void setAuthenticationRequest(final AuthenticationRequest authRequest);
  void setSecurityConfig(final SecurityConfig config);
}
    Copy to Clipboard Toggle word wrap
  6. Add both the "principle" and the credentials needed to authenticate a caller to the AuthenticationRequest class.
Result

JaasSecurityService is replaced with your custom security implementation.

Copier lien

Report a bug

8.5. Certificate Log-In Module
Copier lien

The Certificate Log-in Module performs authentication by verifying the certificate that is passed with the call to the Enterprise Service Bus against a certificate held in a local key-store. The certificate's common name creates a "principle".

Copier lien

Report a bug

8.6. Certificate Log-In Module Properties
Copier lien

<security moduleName="CertLogin" rolesAllowed="worker"
  callbackHandler="org.jboss.soa.esb.services.security.auth.loginUserPass
CallbackHandler">
  <property name="alias" value="certtest"/>
</security>
Copy to Clipboard Toggle word wrap
Expand
Table 8.2. Properties
Property Description
moduleName
This identifies the JAAS Login module to use. This module will be specified in JBossAS login-config.xml.
rolesAllow
This is a comma-separated list of the roles that are allowed to execute this service.
alias
This is the alias which is used to look up the local key-store and which will be used to verify the caller's certificate.

Copier lien

Report a bug

8.7. Certificate Log-In Module Configuration File Properties
Copier lien

<application-policy name="CertLogin">
<authentication>
  <login-module
code="org.jboss.soa.esb.services.security.auth.login.CertificateLoginModule"
flag = "required" >
  <module-option name="keyStoreURL">
    file://pathToKeyStore
  </module-option>
  <module-option name="keyStorePassword">storepassword</module-option>
  <module-option name="rolesPropertiesFile">
    file://pathToRolesFile
  </module-option>
  </login-module>
</authentication>
</application-policy>
Copy to Clipboard Toggle word wrap
Expand
Table 8.3. Certificate Log-In Module Configuration File Properties
Property Description
keyStoreURL
This is the path to the key-store used to verify the certificates. It can be a file on the local file system or on the class-path.
keyStorePassword
This is the password for the key-store above.
rolesPropertiesFile
This is optional. It is the path to a file containing role mappings. Refer to the “Role Mapping” section of the Getting Started Guide for more details about this.

Copier lien

Report a bug

8.8. Callback Handler
Copier lien

A callback handler is a type of library used in back-end operations. It allows applications to "talk" to each other through security services and can be used to confirm authentication data.

Copier lien

Report a bug

8.9. Role Mapping
Copier lien

Role mapping is a way of sharing data between secure hosts. A file containing a list of trusted hosts is created, with each host assigned several role mappings. Mapping occurs when you accesses data from one of the hosts. The sender's roles are mapped onto the receiver's roles to allow for authentication and data sharing. Types of roles include user roles, application roles and so forth. This is an optional feature and is not enabled by default.

Copier lien

Report a bug

8.10. Enable Role Mapping
Copier lien

Procedure 8.2. Task

  1. Open the log-in configuration file in a text editor: vi SOA_ROOT/jboss-as/server/PROFILE/conf/login-config.xml
  2. Set the rolesPropertiesFile property. (This property can point to a file located on either the local file system or the class-path).
  3. Map users to roles. This example code shows how to do so: 
    # user=role1,role2,...
guest=guest
esbuser=esbrole
# The current implementation will use the Common Name(CN) specified
# for the certificate as the user name.
# The unicode escape is needed only if your CN contains a space
Andy\u0020Anderson=esbrole,worker
    Copy to Clipboard Toggle word wrap
  4. Save the file and exit.

Copier lien

Report a bug

8.11. security_cert Quickstart
Copier lien

The security_cert quickstart demonstrates the JBoss Enterprise SOA Platform's role-mapping functionality.

Copier lien

Report a bug

8.12. Security Service
Copier lien

The SecurityService interface is the Enterprise Service Bus' central security component.

Copier lien

Report a bug

8.13. Customize the Security Service Interface
Copier lien

Procedure 8.3. Task

  1. Implement the SecurityService interface: 
    public interface SecurityService
{
    void configure() throws ConfigurationException;

    void authenticate(
        final SecurityConfig securityConfig, 
        final SecurityContext securityContext, 
        final AuthenticationRequest authRequest) 
        throws SecurityServiceException;

    boolean checkRolesAllowed(
        final List<String> rolesAllowed, 
        final SecurityContext securityContext);

    boolean isCallerInRole(
        final Subject subject, 
        final Principle role);

    void logout(final SecurityConfig securityConfig);

    void refreshSecurityConfig();
}
    Copy to Clipboard Toggle word wrap
  2. Open the global configuration file in a text editor: vi SOA_ROOT/jboss-as/server/PROFILE/deployers/esb.deployer/jbossesb-properties.xml.
  3. Configure the file to use the customized SecurityService
  4. Save the file and exit.

Copier lien

Report a bug

8.14. Remote Invocation Class
Copier lien

As its name implies, a remote invocation class is a class that can be called from a remote machine. This can be useful for developers but can also lead to potential security risks.

Copier lien

Report a bug

8.15. Secure Non-Remote Method Invocation Classes on Port 8083
Copier lien

Client applications can, by default, utilize Remote Method Invocation to download Enterprise Java Bean classes through port 8083. However, you can also configure the system's Remote Method Invocation settings to allow client applications to download any deployed resources you desire.

Procedure 8.4. Task

  1. Edit the Settings in the jboss-service.xml File

    Open the file in a text editor: vi SOA_ROOT/server/PROFILE/conf/jboss-service.xml

  2. Configure the Settings in the File

    Here is an example: 
    <attribute name="DownloadServerClasses">false</attribute>
    Copy to Clipboard Toggle word wrap
    Set this value to false to ensure that client applications can only download Enterprise Java Bean classes.

    Important

    By default, this value is set to false in the SOA Platform's 'production' profile. The value is set to true in all other cases, including the SOA Standalone version's default profile. Note that this is not a secure configuration and should only be used in development environments.

Copier lien

Report a bug
Retour au début
Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2025 Red Hat