Metro support for JAAS Keystore Login Module

KeyStoreLoginModule: This class provides a JAAS login module that prompts for a key store alias and populates the subject with the alias's principal and credentials. Stores an X500Principal for the subject distinguished name of the first certificate in the alias's credentials in the subject's principals, the alias's certificate path in the subject's public credentials, and a X500PrivateCredential whose certificate is the first certificate in the alias's certificate path and whose private key is the alias's private key in the subject's private credentials.


For more details, go through the link JAASKeyStoreLoginModule (the JDK documentation for com.sun.security.auth.module.KeyStoreLoginModule). The usage of this keystore login module is documented here.


This feature is just another way of configuring the keystore's properties in the WSDL configuration. With this support in Metro, PKCS#11 keystore types can also be configured, not only file-based JKS keystores.


To use this feature with Metro, follow the steps below:


1) Configure a JAAS keystore login module entry in GlassFish's login.conf file ($GF_Home/domains/domain1/config/login.conf) as shown below:

JAASLoginModuleForKeyStore{
    com.sun.security.auth.module.KeyStoreLoginModule required
    keyStoreURL="file:///home/suresh/glassfish/domains/domain1/config/keystore.jks"
    keyStoreType="JKS"
    keyStoreAlias="xws-security-client"
    keyStorePasswordURL="file:///home/suresh/glassfish/domains/domain1/config/JAASKeystorePassword.txt";
};

If you are providing a callback handler for this login module in the WSDL configuration, you don't need to configure keyStoreAlias and keyStorePasswordURL in the config entry; the module obtains the alias and password from the callback handler instead. Note that the file named by keyStorePasswordURL holds the keystore password in clear text, so restrict its permissions to the user GlassFish runs as.


Otherwise, if you are using a stand-alone web service/client (not deployed in GlassFish), set a system property like this:

-Djava.security.auth.login.config=mycustompath/login.conf

where this login.conf file contains a login module entry as stated above.


2) The existing way of configuring the keystore properties in the WSDL looks like this, with the keystore password embedded in the WSDL:


<sc:KeyStore wspp:visibility="private" location="/home/suresh/glassfish/domains/domain1/config/keystore.jks" type="JKS" storepass="changeit" alias="xws-security-server"/>


With the keystore login module feature, the keystore can instead be configured simply as:


<sc:KeyStore wspp:visibility="private" keystoreloginmoduleconfig="JAASLoginModuleForKeyStore" />


or, in addition, if you want to provide a custom callback handler for the login module:


<sc:KeyStore wspp:visibility="private" keystoreloginmoduleconfig="JAASLoginModuleForKeyStore" callbackHandler="suresh.test.KeyStoreCallbackHandler"/>


where JAASLoginModuleForKeyStore is the GlassFish login module config entry shown above. Metro reads the keystoreloginmoduleconfig attribute from the sc:KeyStore element, uses it to look up the config entry, and performs a JAAS login that populates a Subject with the alias's certificate path and private key (as an X500PrivateCredential). Metro then takes the certificate and private key from this Subject and uses them for signature and encryption.


The advantage of this feature is that PKCS#11 keystore types (hardware tokens, smart cards) can be configured in addition to the default JKS type, and the keystore password no longer has to appear in the WSDL.
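As an added example (not part of the original post), here is what a login.conf entry for a PKCS#11 token could look like, using the same KeyStoreLoginModule options as the JKS entry above. The provider name SunPKCS11-nss assumes a SunPKCS11 provider has been configured with name=nss in java.security; the alias and the PIN file path are assumptions as well. keyStoreURL="NONE" tells the module to pass a null stream to KeyStore.load, which is what a hardware-backed keystore requires.

```text
JAASLoginModuleForPKCS11{
    com.sun.security.auth.module.KeyStoreLoginModule required
    keyStoreURL="NONE"
    keyStoreType="PKCS11"
    keyStoreProvider="SunPKCS11-nss"
    keyStoreAlias="xws-security-client"
    keyStorePasswordURL="file:///home/suresh/glassfish/domains/domain1/config/TokenPin.txt";
};
```

The entry name (JAASLoginModuleForPKCS11) is what goes into the keystoreloginmoduleconfig attribute of sc:KeyStore. If the token has its own PIN pad, set protected="true" instead of keyStorePasswordURL so the module does not ask for a password at all. As with the JKS password file, the PIN file is clear text and must be readable only by the GlassFish user.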


Note:


1) This login module feature works only for keystores, not for truststores.


2) If you are using a callback handler for the login module, the login module expects the callback handler to handle a TextOutputCallback, a NameCallback (for specifying the cert alias), a PasswordCallback (for the keystore password) and a ConfirmationCallback (for login confirmation).
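The following is an added example, not the sample handler attached to the original post or Metro's own code. It shows both points above in one place: a CallbackHandler that answers the four callbacks the KeyStoreLoginModule issues, and a login() helper that runs the JAAS login against the login.conf entry and pulls the X500PrivateCredential out of the Subject the way Metro does before signing or decrypting. Assumptions: the package name suresh.test (matching the callbackHandler attribute above), that Metro instantiates the handler through a no-arg constructor, and the system properties ks.alias and ks.password used to feed the handler. The JDK module may also issue a second PasswordCallback for the private-key password; answering every PasswordCallback with the keystore password covers the common case where the key is protected with the same password.

```java
package suresh.test; // hypothetical package, matching the callbackHandler attribute above

import java.io.IOException;
import java.security.cert.CertPath;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.ConfirmationCallback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.TextOutputCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.x500.X500PrivateCredential;

public class KeyStoreCallbackHandler implements CallbackHandler {

    private final String alias;
    private final char[] password;

    // No-arg constructor: assumed to be what Metro uses when it instantiates the class
    // named in the callbackHandler attribute. Alias and password come from system
    // properties here (an assumption); a real handler would read a protected file.
    public KeyStoreCallbackHandler() {
        this(System.getProperty("ks.alias", "xws-security-client"),
             System.getProperty("ks.password", "changeit").toCharArray());
    }

    public KeyStoreCallbackHandler(String alias, char[] password) {
        this.alias = alias;
        this.password = password.clone();
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof TextOutputCallback) {
                // Informational banner from the module; log it instead of showing a UI.
                System.out.println("[login] " + ((TextOutputCallback) cb).getMessage());
            } else if (cb instanceof NameCallback) {
                // Certificate alias to select from the keystore.
                ((NameCallback) cb).setName(alias);
            } else if (cb instanceof PasswordCallback) {
                // Keystore password (and, if asked, the private-key password).
                ((PasswordCallback) cb).setPassword(password);
            } else if (cb instanceof ConfirmationCallback) {
                // Confirm the login; selecting CANCEL makes the module fail the login.
                ((ConfirmationCallback) cb).setSelectedIndex(ConfirmationCallback.OK);
            } else {
                throw new UnsupportedCallbackException(cb, "Unrecognized callback");
            }
        }
    }

    /**
     * Logs in against the named login.conf entry and returns the X500PrivateCredential
     * (first certificate + private key) the module placed in the Subject's private
     * credentials, or null if none was populated.
     */
    public static X500PrivateCredential login(String configEntry, CallbackHandler handler)
            throws LoginException {
        LoginContext lc = new LoginContext(configEntry, handler);
        lc.login();
        Subject subject = lc.getSubject();

        // Public credential: the alias's certificate path.
        for (CertPath cp : subject.getPublicCredentials(CertPath.class)) {
            System.out.println("cert path with " + cp.getCertificates().size() + " certificate(s)");
        }
        // Private credential: the certificate and private key Metro signs/decrypts with.
        Set<X500PrivateCredential> privs = subject.getPrivateCredentials(X500PrivateCredential.class);
        if (privs.isEmpty()) {
            return null;
        }
        X500PrivateCredential cred = privs.iterator().next();
        X509Certificate cert = cred.getCertificate();
        System.out.println("subject DN: " + cert.getSubjectX500Principal().getName());
        System.out.println("key algorithm: " + cred.getPrivateKey().getAlgorithm());
        return cred;
    }

    public static void main(String[] args) throws Exception {
        // Run with -Djava.security.auth.login.config=/path/to/login.conf
        X500PrivateCredential cred = login("JAASLoginModuleForKeyStore", new KeyStoreCallbackHandler());
        if (cred == null) {
            System.err.println("login succeeded but no private credential was populated");
            System.exit(1);
        }
    }
}
```

Running main with the JAASLoginModuleForKeyStore entry above (with keyStoreAlias and keyStorePasswordURL removed, since the handler now supplies them) prints the certificate path length, the subject DN and the key algorithm; a wrong password or a missing alias surfaces as a LoginException rather than a silent empty Subject.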


The sample callback handler is attached here.


The sample NetBeans web service client (build/web/WEB-INF/classes/META-INF/NewWebServiceService.xml) which uses the above feature is attached here.


Download the latest Metro nightly builds from here.


About

Suresh Mandalapu