Securing Java EE 5.0 Applications with Apache Geronimo

Presentation Transcript


  1. Securing Java EE 5.0 Applications with Apache Geronimo Vamsavardhana Reddy Chillakuru a.k.a. Vamsi vamsic007@apache.org vamsic007@in.ibm.com

  2. Who am I? • Member of Apache Geronimo PMC • Involved with ASF since 2005 • Over 11 years experience in software development • Advisory Software Engineer at IBM • Employed with IBM India since 1996 Securing Java EE 5.0 Applications with Geronimo

  3. Geronimo in the making – That’s my son Susanth helping me with Geronimo

  4. Agenda • Introduction to Geronimo • Security implementation • Security Realms – Properties File • Securing Applications • Security Realms • Advanced Features • Summary • Q & A


  6. Introduction to Geronimo • J2EE/Java EE Application Server from the Apache Software Foundation • Brings together best-of-breed open source technologies to support J2EE/Java EE • Small footprint, highly customizable • Ease of use is the foremost guiding principle • V2.1 Java EE 5 certified – Feb 2008

  7. Geronimo History and Progress
     • August 2003 – Apache Geronimo Project formed
     • Oct 2005 – V1.0-M5 released, J2EE 1.4 certification
     • Jan 2006 – V1.0 Released
     • June 2006 – V1.1 Released
     • Sep 2006 – V1.1.1 Released
     • Jun 2007 – V2.0-M6 released, Java EE 5 certification
     • Aug 2007 – V2.0.1 Released
     • Oct 2007 – V2.0.2 Released
     • Feb 2008 – V2.1 Released
     • In Plan – V2.2 Release

  8. Geronimo Architecture • GBeans are the building blocks • E.g. Containers, Connectors, Servlets… • Geronimo Kernel • A container for GBeans • Based on Inversion-of-Control/Dependency Injection • Provides life cycle management for GBeans • Loosely coupled system • Start/stop/remove components on the fly • Integrate new components on the fly • Plugins • Directory Server, Roller and many others

  9. Geronimo Architecture *Ref: http://www.ibm.com/developerworks/library/os-ag-deploy/

  10. What it contains? • Apache Tomcat • Jetty (Mort Bay) • Apache Derby • Apache OpenEJB • Apache ActiveMQ • Apache OpenJPA • Apache Axis • Apache Axis2 • Apache CXF • Apache Yoko • Apache Commons • Apache jUDDI • Apache Log4J • HOWL • TRANQL • Castor • WADI • CGLIB • And many more…

  11. What’s new in 2.1? • Servers assembled out of plugins • Custom server assemblies • Assemble a server feature • Flexible admin console • Monitoring Console • GShell • WADI Clustering Support for Tomcat

  12. How to get involved? • Geronimo project web site • http://geronimo.apache.org/ • Mailing lists • user@geronimo.apache.org • dev@geronimo.apache.org • Wiki • http://cwiki.apache.org/geronimo/

  13. Geronimo Installation • http://geronimo.apache.org/downloads.html • Geronimo Tomcat or Geronimo Jetty distributions • Extract the archive to any directory • On Windows, use a short directory name (e.g. C:\ or C:\g) to avoid long-path problems.

  14. Geronimo Startup/Shutdown • Requires Sun J2SE 5.0 JDK/JRE • Environment variables • JAVA_HOME/JRE_HOME • GERONIMO_OPTS • JAVA_OPTS • Run the server • <g_home>/bin/geronimo start • <g_home>/bin/geronimo jpda run • Stop the server • Control+C in server console • <g_home>/bin/shutdown


  16. Administration Console • Web-based, convenient, user-friendly • Based on Apache Pluto (JSR-168) • Access at http://localhost:8080/console • Portlets for administration • Web Server, JMS Server, JMS Resources, DB Manager, Database Pools • Application portlets – Deploy New, Web App WARs, Plan Creator etc. • Security Realms, Keystores • Portlets for monitoring server status • Information, Java System Info, Server Logs, Monitoring, etc. • Don’t forget the Help view in the portlets

  17. Agenda (section divider) – Security implementation

  18. Introduction to JAAS • Java Authentication and Authorization Service • Pluggable Authentication Modules • Subject and Principals • LoginModules composed into a Configuration • Control-flags for execution control • Each LoginModule with successful login adds zero or more Principals to the Subject

  19. JACC • Java Authorization Contract for Containers (JSR-115) • Defines new Permission classes (WebResourcePermission, WebRoleRefPermission, EJBMethodPermission, …) to satisfy the Java EE 5 authorization model: the container translates the security-constraint and method-permission elements of the deployment descriptors into these permissions, and access checks are delegated to the installed java.security.Policy • Geronimo has a JACC 1.1 implementation

  20. What Geronimo provides? • Embedded Database – Apache Derby • LDAP Server – Apache Directory Server • Can be installed as a plug-in • JAAS Authentication LoginModules • PropertiesFileLoginModule • SQLLoginModule • LDAPLoginModule • CertificatePropertiesFileLoginModule

  21. What Geronimo provides? (contd.) • JAAS LoginModules • FileAuditLoginModule • RepeatedFailureLockoutLoginModule • GeronimoPasswordCredentialLoginModule • NamedUsernamePasswordCredentialLoginModule • Principal classes • GeronimoUserPrincipal • GeronimoGroupPrincipal • LoginDomainPrincipal • RealmPrincipal • CredentialStores • SimpleCredentialStoreImpl • Security Realms portlet • Create, Edit and see Usage for a realm

  22. Agenda (section divider) – Security Realms – Properties File

  23. Properties File Realm • Prerequisites • None • Parameters • usersURI = path of the users properties file, relative to <g_home> • groupsURI = path of the groups properties file, relative to <g_home> • digest = Message Digest algorithm (e.g. MD5, SHA1) applied to the passwords; when set, the users file holds the digest of each password instead of the clear-text password • encoding = encoding of the digest value in the users file (HEX or BASE64) • Caveat: an unsalted MD5 or SHA1 digest only hides the password from a casual reader of the file; it does not resist offline guessing, so restrict read access to the file regardless

  24. Sample my-users.properties
     user1=password1
     user2=password2
     user3=pwd3
     ...

  25. Sample my-groups.properties
     group1=user1,user2
     group2=user3,user4,user5
     guest=john,mary
     admin=someuser

  26. Creating the Realm • Create the properties files • Typically under var/security dir. • Security Realms portlet • Specify realm name • Select type Properties File Realm • Fill in the parameters • Option to test the realm • Option to generate deployment plan

  27. LoginModuleConfiguration
     <xml-reference name="LoginModuleConfiguration">
       <login-config xmlns="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
         <login-module control-flag="REQUIRED" wrap-principals="false">
           <login-domain-name>my-realm</login-domain-name>
           <login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</login-module-class>
           <option name="usersURI">var/security/my-users.properties</option>
           <option name="groupsURI">var/security/my-groups.properties</option>
           <option name="digest">MD5</option>
           <option name="encoding">HEX</option>
         </login-module>
       </login-config>
     </xml-reference>

  28. Realm GBean
     <gbean name="my-realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm"
            xsi:type="dep:gbeanType"
            xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
       <attribute name="realmName">my-realm</attribute>
       <reference name="ServerInfo">
         <name>ServerInfo</name>
       </reference>
       <!-- LoginModuleConfiguration goes here -->
     </gbean>
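Producing the users file that the digest/encoding options above expect, as an added example that is not part of the presentation or of Geronimo. It assumes the stored value is the lower-case hex (or Base64) encoding of the digest of the UTF-8 password bytes, which is what the options describe; confirm against the realm's test option in the Security Realms portlet before relying on it. The user names, passwords and output path are constructed for the example, and java.util.Base64 requires Java 8.

```java
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Properties;

public class PropertiesRealmPasswords {

    /** Digest a clear-text password the way the realm's digest and encoding options describe. */
    static String digest(String password, String algorithm, String encoding)
            throws NoSuchAlgorithmException {
        byte[] raw = MessageDigest.getInstance(algorithm)
                .digest(password.getBytes(StandardCharsets.UTF_8));
        if ("HEX".equalsIgnoreCase(encoding)) {
            StringBuilder sb = new StringBuilder(raw.length * 2);
            for (byte b : raw) sb.append(String.format("%02x", b));   // lower-case hex
            return sb.toString();
        }
        if ("BASE64".equalsIgnoreCase(encoding)) {
            return Base64.getEncoder().encodeToString(raw);
        }
        throw new IllegalArgumentException("encoding must be HEX or BASE64, got " + encoding);
    }

    /** Verify a supplied password against the stored entry; algorithm == null means clear text.
     *  MessageDigest.isEqual compares in constant time, so a wrong guess does not leak by timing. */
    static boolean verify(Properties users, String user, String password,
                          String algorithm, String encoding) throws NoSuchAlgorithmException {
        String stored = users.getProperty(user);
        if (stored == null) return false;                      // unknown user
        String supplied = algorithm == null ? password : digest(password, algorithm, encoding);
        return MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                                     supplied.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws IOException, NoSuchAlgorithmException {
        String algorithm = "MD5", encoding = "HEX";   // must match the realm's digest/encoding options
        Properties users = new Properties();          // constructed sample users
        users.setProperty("user1", digest("password1", algorithm, encoding));
        users.setProperty("user2", digest("password2", algorithm, encoding));

        // Write the file; pass var/security/my-users.properties (relative to <g_home>) as the argument.
        String path = args.length > 0 ? args[0] : "my-users.properties";
        OutputStream out = new FileOutputStream(path);
        try {
            users.store(out, "digest=" + algorithm + " encoding=" + encoding);
        } finally {
            out.close();
        }

        System.out.println("user1/password1: " + verify(users, "user1", "password1", algorithm, encoding));
        System.out.println("user1/wrong:     " + verify(users, "user1", "wrong", algorithm, encoding));
        System.out.println("nobody/x:        " + verify(users, "nobody", "x", algorithm, encoding));
    }
}
```

Because the digest is unsalted, two users with the same password get the same entry and a leaked file can be attacked with a precomputed table; the digest option raises the bar over clear text but does not replace file permissions on var/security.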

  29. Agenda (section divider) – Securing Applications

  30. Secure a Web Application • web.xml • login-config • auth-method • security-role • security-constraint • auth-constraint • run-as • role-name

  31. Secure a Web Application • geronimo-web.xml • security-realm-name • role-mappings • credential-store-ref • run-as-subject • default-subject

  32. Credential Store
     <gbean name="CredentialStore" class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
       <xml-attribute name="credentialStore">
         <credential-store xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
           <realm name="my-realm">
             <subject>
               <id>admin-run-as</id>
               <credential>
                 <type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</type>
                 <value>system</value>
               </credential>
               <credential>
                 <type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</type>
                 <value>manager</value>
               </credential>
             </subject>
           </realm>
         </credential-store>
       </xml-attribute>
     </gbean>
     Note: the password ("manager") sits in clear text in the deployment plan, so restrict read access to the plan and to the deployed configuration.

  33. Sample web.xml
     <web-app id="SimpleWebApp" version="2.5" ... >
       <display-name>SimpleWebApp</display-name>
       <servlet>
         . . .
         <run-as>
           <role-name>user</role-name>
         </run-as>
       </servlet>
       <login-config>
         <auth-method>BASIC</auth-method>
         <!-- For 'BASIC', realm-name will be shown in the prompt -->
         <realm-name>my-realm</realm-name>
       </login-config>
       <!-- Security roles used in the application -->
       <security-role><role-name>admin</role-name></security-role>
       <security-role><role-name>user</role-name></security-role>

  34. Sample web.xml (contd.)
       <!-- Configure authorization for Admin pages -->
       <security-constraint>
         <web-resource-collection>
           <web-resource-name>Admin</web-resource-name>
           <url-pattern>/admin/*</url-pattern>
           <http-method>GET</http-method>
           <http-method>POST</http-method>
         </web-resource-collection>
         <auth-constraint>
           <role-name>admin</role-name>
         </auth-constraint>
       </security-constraint>
     </web-app>
     Caveat: when a web-resource-collection lists http-method elements, only those methods are constrained. As written, HEAD, PUT, DELETE, OPTIONS and TRACE requests to /admin/* are open to any caller, authenticated or not. Omit the http-method elements unless the other methods are deliberately covered by another constraint.
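The method-coverage point above, checked with the JACC permission classes from slide 19, as an added example that is not part of the presentation or of Geronimo. It needs the javax.security.jacc API on the class path (Geronimo ships it as a spec jar); the request URI /admin/users is constructed for the example, and the "!GET,POST" exception-list form is JACC 1.1 syntax for "every method except GET and POST", which the container derives for the methods the constraint does not name.

```java
import javax.security.jacc.WebResourcePermission;

public class JaccMethodCoverage {

    /** What the container derives from the web.xml above: /admin/* constrained for GET and POST only. */
    static final WebResourcePermission ADMIN_GET_POST =
            new WebResourcePermission("/admin/*", "GET,POST");

    /** The same constraint with the http-method elements removed: null actions means every method. */
    static final WebResourcePermission ADMIN_ALL_METHODS =
            new WebResourcePermission("/admin/*", (String) null);

    /** The remainder ("all methods except GET,POST") that ends up unconstrained, i.e. granted to everyone. */
    static final WebResourcePermission ADMIN_LEFTOVER =
            new WebResourcePermission("/admin/*", "!GET,POST");

    /** True when the permission granted to the role covers one concrete request. */
    static boolean covered(WebResourcePermission granted, String requestUri, String httpMethod) {
        return granted.implies(new WebResourcePermission(requestUri, httpMethod));
    }

    public static void main(String[] args) {
        String[] methods = { "GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE" };
        System.out.println("method   GET,POST-constraint  no-method-constraint  in-unconstrained-remainder");
        for (String m : methods) {
            System.out.printf("%-8s %-20b %-21b %b%n", m,
                    covered(ADMIN_GET_POST, "/admin/users", m),
                    covered(ADMIN_ALL_METHODS, "/admin/users", m),
                    covered(ADMIN_LEFTOVER, "/admin/users", m));
        }
    }
}
```

The first column is true only for GET and POST, the second for every method, and the third for exactly the methods the first misses; a DELETE to /admin/users therefore needs no admin role under the slide's constraint. Servlet 2.5, the version the sample declares, has no switch to deny uncovered methods, so leaving out the http-method list is the fix.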

  35. Sample geronimo-web.xml
     <security-realm-name>my-realm</security-realm-name>
     <security>
       <credential-store-ref>
         <name xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">CredentialStore</name>
       </credential-store-ref>
       <default-subject>
         <realm>my-realm</realm>
         <id>admin-run-as</id>
       </default-subject>
       <role-mappings>
         <role role-name="admin"> <!-- from web.xml -->
           <principal name="Admin" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
         </role>

  36. Sample geronimo-web.xml (contd.)
         <role role-name="user">
           <run-as-subject>
             <realm>my-realm</realm>
             <id>user-run-as</id>
           </run-as-subject>
           <principal name="User" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
           <principal name="john" class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"/>
         </role>
       </role-mappings>
     </security>

  37. Secure an EJB Application ejb-jar.xml • security-identity • use-caller-identity • run-as • assembly-descriptor • security-role • role-name • method-permission • method • role-name • unchecked

  38. Secure an EJB Application openejb-jar.xml • security • role-mappings • credential-store-ref • run-as-subject • default-subject

  39. ejb-jar.xml
     <ejb-jar>
       <enterprise-beans>
         <session>
           <ejb-name>SecurityEJB</ejb-name>
           <ejb-class>myejbs.SecurityEJBean</ejb-class>
           ...
           <security-identity>
             <use-caller-identity/>
           </security-identity>
         </session>
       </enterprise-beans>
     </ejb-jar>

  40. ejb-jar.xml (2)
     <assembly-descriptor>
       <security-role>
         <role-name>user</role-name>
       </security-role>
       <method-permission>
         <role-name>user</role-name>
         <method>
           <ejb-name>StockQuoteServiceBean</ejb-name>
           <method-name>getQuoteUser</method-name>
         </method>
       </method-permission>
       <method-permission>
         <unchecked/>
         <method>
           <ejb-name>StockQuoteServiceBean</ejb-name>
           <method-name>getQuote</method-name>
         </method>
       </method-permission>
     </assembly-descriptor>
     Note: <unchecked/> makes getQuote callable by every caller, authenticated or not; use it only for methods that are meant to be public.

  41. Secure an EAR Application • application.xml • security-role • geronimo-application.xml • security-realm-name for each web app • role-mappings • credential-store-ref • run-as-subject • default-subject

  42. application.xml
     <application …>
       <display-name>TutorialEntApp</display-name>
       <module id="WebModule_1154872888098">
         <web>
           <web-uri>WebApp1.war</web-uri>
           <context-root>WebApp1</context-root>
         </web>
       </module>
       <security-role>
         <role-name>administrator</role-name>
       </security-role>
       <security-role>
         <role-name>guest-user</role-name>
       </security-role>
     </application>

  43. geronimo-application.xml
     <application ...>
       <module>
         <web>WebApp1.war</web>
         <web-app ...>
           <security-realm-name>sample-properties-file-realm</security-realm-name>
         </web-app>
       </module>
       <security>
         <role-mappings>
           <role role-name="administrator">
             <principal name="admin" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
           </role>
         </role-mappings>
       </security>
     </application>

  44. Agenda (section divider) – Security Realms

  45. Database (SQL) Realm • Prerequisites • Database tables for user credentials and group mapping • Parameters • userSelect = SQL statement that returns the user name and password columns for the user being authenticated • groupSelect = SQL statement that returns the user name and group name columns for that user • digest = Message Digest algorithm (e.g. MD5, SHA1) applied to the stored passwords • encoding = encoding of the digest value (HEX or BASE64) • For the database connection either a Database Pool or JDBC parameters can be used

  46. Creating the Realm • DB Manager portlet • Create DB • Execute SQL • Database Pools portlet • DB Pool for Embedded Derby • Security Realms portlet • Select type Database (SQL) Realm • Either Database Pool or JDBC parameters needed.

  47. SQL Realm: Points to note • Qualify the table name with the schema name to avoid unexpected errors • Prefer AUTH.USERS_TABLE to USERS_TABLE • Use VARCHAR, not CHAR, for the user name, password and group columns: CHAR values come back padded with trailing spaces, so the comparison with the supplied credentials fails.

  48. LDAP Realm • Prerequisites • LDAP Server • Apache Directory Server can be installed as a plug-in • Use Plugins portlet • http://geronimo.apache.org/plugins/geronimo-2.1 • Create using Security Realms portlet • Select type LDAP Realm

  49. LDAP Connection parameters • Initial Context Factory • Connection URL • Connect Username • Connect Password • Confirm Password • Connect Protocol • Authentication

  50. LDAP Realm Parameters • User Base • User Search Matching • User Search Subtree • Role Base • Role Name • Role User Search String • Role Search Subtree • User Role Search String
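What the connection and realm parameters on slides 49 and 50 amount to at the JNDI level, as an added example that is not part of the presentation or of Geronimo's LDAPLoginModule: bind with the connect user, search User Base with User Search Matching to find the user's DN, bind again as that DN with the supplied password, then search Role Base with Role User Search String and read Role Name. Every parameter value (the localhost:1389 URL, the ou=system DNs, the filters, the service password) is an assumption for this example; adjust them to the directory in use.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapRealmLookup {
    // Assumed values for the realm parameters of slides 49 and 50.
    static final String INITIAL_CONTEXT_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";
    static final String CONNECTION_URL = "ldap://localhost:1389";
    static final String CONNECT_USERNAME = "uid=admin,ou=system";
    static final String CONNECT_PASSWORD = "secret";
    static final String AUTHENTICATION = "simple";
    static final String USER_BASE = "ou=users,ou=system";
    static final String USER_SEARCH_MATCHING = "(uid={0})";
    static final boolean USER_SEARCH_SUBTREE = true;
    static final String ROLE_BASE = "ou=groups,ou=system";
    static final String ROLE_NAME = "cn";
    static final String ROLE_USER_SEARCH_STRING = "(uniqueMember={0})";
    static final boolean ROLE_SEARCH_SUBTREE = true;

    /** Open a connection and bind as the given DN; throws AuthenticationException on a wrong password. */
    static DirContext bind(String principal, String credentials) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, INITIAL_CONTEXT_FACTORY);
        env.put(Context.PROVIDER_URL, CONNECTION_URL);
        env.put(Context.SECURITY_AUTHENTICATION, AUTHENTICATION);
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        return new InitialDirContext(env);
    }

    /** User Search Subtree / Role Search Subtree map to the JNDI search scope. */
    static SearchControls scope(boolean subtree) {
        SearchControls ctls = new SearchControls();
        ctls.setSearchScope(subtree ? SearchControls.SUBTREE_SCOPE : SearchControls.ONELEVEL_SCOPE);
        return ctls;
    }

    /** Returns the user's role names, or throws if the user or the password is wrong. */
    static List<String> authenticate(String username, String password) throws NamingException {
        // An empty password turns the second bind into an anonymous bind that "succeeds"; refuse it up front.
        if (password == null || password.length() == 0) throw new AuthenticationException("empty password");

        DirContext svc = bind(CONNECT_USERNAME, CONNECT_PASSWORD);
        List<String> roles = new ArrayList<String>();
        try {
            // {0} is substituted by JNDI with RFC 2254 escaping, so a name like "*)(uid=*" cannot widen the filter.
            NamingEnumeration<SearchResult> hits = svc.search(USER_BASE, USER_SEARCH_MATCHING,
                    new Object[] { username }, scope(USER_SEARCH_SUBTREE));
            if (!hits.hasMore()) throw new AuthenticationException("unknown user");
            String userDn = hits.next().getNameInNamespace();
            if (hits.hasMore()) throw new AuthenticationException("user filter matched more than one entry");

            bind(userDn, password).close();   // the actual password check

            NamingEnumeration<SearchResult> groups = svc.search(ROLE_BASE, ROLE_USER_SEARCH_STRING,
                    new Object[] { userDn }, scope(ROLE_SEARCH_SUBTREE));
            while (groups.hasMore()) {
                Attribute name = groups.next().getAttributes().get(ROLE_NAME);
                if (name != null) roles.add((String) name.get());
            }
        } finally {
            svc.close();
        }
        return roles;
    }

    public static void main(String[] args) throws NamingException {
        System.out.println("roles for " + args[0] + ": " + authenticate(args[0], args[1]));
    }
}
```

Two checks worth keeping when configuring the real realm: pass the user name into the filter as a parameter rather than by string concatenation, and never let an empty password reach the bind, since many directories accept an empty credential as an anonymous bind.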
