Wednesday Jul 25, 2007

LDAP based user authentication in glassfish

If you're using glassfish and developing a new web application that needs to be authenticated against an LDAP server, this blog talks about how you can do it.

For a normal (default) file-realm based authentication, your web.xml would have a security-constraint that should look something like:


    <security-constraint>
        <web-resource-collection>
            <web-resource-name>build</web-resource-name>
            <url-pattern>*.jsf</url-pattern>
            <url-pattern>/download/*</url-pattern>
            <url-pattern>/resource/*</url-pattern>
            <http-method>DELETE</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>admin-realm</realm-name>
        <form-login-config>
            <form-login-page>/login.jsf</form-login-page>
            <form-error-page>/loginError.jsf</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <role-name>admin</role-name>
    </security-role>

Now you want to change this so that users are authenticated against your LDAP server. You need to do the following:

First, create an LDAP realm in the GlassFish app server, i.e. the domain.xml entry should look something like:


<auth-realm classname="com.sun.enterprise.security.auth.realm.ldap.LDAPRealm" name="myLDAPRealm">
        <property name="directory" value="ldap://myldapserver:portnumber"/>
        <property name="base-dn" value="dc=sun,dc=com"/>
        <property name="jaas-context" value="ldapRealm"/>
</auth-realm>  

Now configure your app to use this LDAP realm in its web.xml, i.e. the web.xml entries should look like:


    <security-constraint>
        <web-resource-collection>
            <web-resource-name>protected</web-resource-name>
            <url-pattern>*.jsf</url-pattern>
            <url-pattern>/download/*</url-pattern>
            <url-pattern>/resource/*</url-pattern>
            <http-method>DELETE</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>USER</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>myLDAPRealm</realm-name>
        <form-login-config>
            <form-login-page>/login.jsf</form-login-page>
            <form-error-page>/loginError.jsf</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <role-name>USER</role-name>
    </security-role>

Your sun-web.xml, which maps the USER role onto LDAP group names, should look something like:


    <security-role-mapping>
        <role-name>USER</role-name>
        <group-name>people</group-name>
        <group-name>Employee Group</group-name>
    </security-role-mapping>

VOILA!
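Before pointing the realm at a directory, it helps to check that the directory URL and base-dn actually resolve your users and their groups. The following is an added example, not GlassFish code: a small JNDI program that walks the same search-then-bind sequence an LDAP realm performs. The search filters are my assumption of the LDAPRealm defaults (uid for the user lookup, uniquemember for groups); adjust them if your realm sets search-filter or group-search-filter properties.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

/** Pre-flight check for the realm properties: search uid under base-dn, bind as that DN, list group names. */
public class LdapRealmCheck {
    // Assumed filters; to my knowledge LDAPRealm defaults to uid=%s for users and uniquemember=%d for groups.
    // The {0} placeholders make JNDI escape the values, so a crafted uid cannot alter the filter.
    static final String USER_FILTER = "(uid={0})";
    static final String GROUP_FILTER = "(uniquemember={0})";

    static DirContext connect(String url, String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);            // the realm's "directory" property
        if (dn != null) {                              // null dn = anonymous connection for the lookup step
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, dn);
            env.put(Context.SECURITY_CREDENTIALS, password);
        }
        return new InitialDirContext(env);
    }

    /** Returns the cn of each group the user belongs to, or null when the user is unknown or the bind fails. */
    static List<String> authenticate(String url, String baseDn, String uid, String password) throws NamingException {
        if (password == null || password.length() == 0) {
            return null; // many servers treat an empty password as an anonymous bind that "succeeds"; never forward it
        }
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        DirContext anon = connect(url, null, null);
        NamingEnumeration<SearchResult> hits = anon.search(baseDn, USER_FILTER, new Object[] {uid}, sc);
        String userDn = hits.hasMore() ? hits.next().getNameInNamespace() : null;
        anon.close();
        if (userDn == null) return null;
        DirContext asUser;
        try {
            asUser = connect(url, userDn, password);   // the real credential check
        } catch (AuthenticationException e) {
            return null;
        }
        List<String> groups = new ArrayList<String>();
        sc.setReturningAttributes(new String[] {"cn"});
        NamingEnumeration<SearchResult> g = asUser.search(baseDn, GROUP_FILTER, new Object[] {userDn}, sc);
        while (g.hasMore()) groups.add((String) g.next().getAttributes().get("cn").get());
        asUser.close();
        return groups; // e.g. [people, Employee Group]: the names sun-web.xml above maps to the USER role
    }
}
```

Call authenticate("ldap://myldapserver:portnumber", "dc=sun,dc=com", uid, password) with a test account; a null result for a known-good user means the realm's directory or base-dn values (or the filters) need adjusting.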

Thursday May 17, 2007

Sun's training offering on developing secure Java Web services

You're back from JavaOne, with buzz words of cool new technologies you heard about still ringing in your ears. Here you are sitting at your desk, thinking about all the cool stuff you wish you could learn.

Well, there is HOPE.

Did you know that Sun Microsystems Inc. offers comprehensive training and certification for several Java technology components and the Java Platform, Enterprise Edition (Java EE)?

What?

Added to the list of courses in the Web Services learning path is an offering on XML and Web Services security (DWS-4120-EE5), offered in the Java EE track.

When?

Estimated to be on the training schedule mid June. Stay tuned!

Where?

Watch this space.

What will I learn?

As part of the course, you will learn to:

  • Identify the need to secure web services
  • List and explain the primary elements and concepts of application security
  • Outline the factors that must be considered when designing a web service security solution
  • Determine the issues and concerns related to securing web service interactions
  • Evaluate the tools and technologies available for securing a Java web service
  • Analyze the security requirements of web services
  • Identify the security challenges and threats in a web service application
  • Secure web services using application-layer, transport-layer security, and message-layer security
  • Secure web services using the message security providers available in the Sun Java System Application Server
  • Describe the concept of identity and the drivers behind identity management solutions
  • Explain the role of the Access Manager in securing web services
  • Illustrate identity management capabilities in the NetBeans environment
  • Secure web services using the Username token profile
  • Secure web services using SAML assertions and Liberty tokens
And if this isn't enough, there is another incentive as well: the course will also help in preparing for the SCJDWS (Sun Certified Developer for Java Web Services) exam.

The students perform the course lab exercises using the NetBeans 5.5 Enterprise Pack Integrated Development Environment (IDE) and AppServer 9.0 U1.

Cool stuff! Is there anything else you would want to learn?

Thursday Mar 29, 2007

On configuring Glassfish keystores...

Ok, so you like glassfish. You really think that message-based security is pretty cool. You've even tried the security samples (successfully!). Now you're ready to take the next big step: creating your own secure application and attempting interoperability. Except that there is one problem.

You don't have the certificates and keys you need to interoperate in the glassfish keystore and truststore! You're thinking, what do I do now? Well, just read on....

Let's see what we know. For an application to interoperate, you need to know the keys to be used for encryption and digital signing. The certificates and keys to be used are typically negotiated out of band between both parties. So you should have the certificates with you. If you have them in a JKS format, here's what you can do to configure your keystore.

In a nutshell, what you need to do is get the copyv3 module and modify its ant script so that it imports the correct keys into the default glassfish keystore and truststore.

Let's say your client alias is alice and server alias is bob. The client trusts bob and server trusts alice.

Here's roughly what the updated script looks like:

<project name="keycopy" default="main" basedir="."> 
	<property environment="env" /> 
	<property name="proxy.host" value="webcache.sfbay.sun.com" /> 
	<property name="proxy.port" value="8080" /> 
	<property name="AS_HOME" value="${env.GF_HOME}" /> 
	<target name="main" description="copy v3 keypair to GF Keystore"> 
	<setproxy proxyhost="${proxy.host}" proxyport="${proxy.port}" /> 
	<java classname="KeyImport" dir="." fork="true"> 
		<arg value="srcstore=server-keystore.jks" /> 
		<arg value="dststore=${AS_HOME}/domains/domain1/config/keystore.jks" /> 
		<arg value="srcalias=bob" /> 
		<arg value="dstalias=bob" /> 
 		<classpath> 
			<pathelement location="./test.jar" /> 
		</classpath> 
	</java> 
 	<java classname="KeyImport" dir="." fork="true"> 
		<arg value="srcstore=client-keystore.jks" /> 
		<arg value="dststore=${AS_HOME}/domains/domain1/config/keystore.jks" /> 
		<arg value="srcalias=alice" /> 
		<arg value="dstalias=alice" /> 
 		<classpath> 
			<pathelement location="./test.jar" /> 
		</classpath> 
	</java> 
 	<java classname="KeyImport" dir="." fork="true"> 
		<arg value="srcstore=server-truststore.jks" /> 
		<arg value="dststore=${AS_HOME}/domains/domain1/config/cacerts.jks" /> 
		<arg value="srcalias=alice" /> 
		<arg value="dstalias=alice" /> 
		<arg value="trustedentry=true" />  
		<classpath> 
			<pathelement location="./test.jar" /> 
		</classpath> 
	</java> 
 	<java classname="KeyImport" dir="." fork="true"> 
		<arg value="srcstore=server-truststore.jks" /> 
		<arg value="dststore=${AS_HOME}/domains/domain1/config/cacerts.jks" /> 
		<arg value="srcalias=xws-security-client" /> 
		<arg value="dstalias=xws-security-client" /> 
		<arg value="trustedentry=true" /> 
		<classpath> 
			<pathelement location="./test.jar" /> 
		</classpath> 
	</java> 
	<java classname="KeyImport" dir="." fork="true"> 
		<arg value="srcstore=client-truststore.jks" /> 
		<arg value="dststore=${AS_HOME}/domains/domain1/config/cacerts.jks" /> 
		<arg value="srcalias=bob" /> 
		<arg value="dstalias=bob" /> 
		<arg value="trustedentry=true" /> 
		 <classpath> 
			<pathelement location="./test.jar" /> 
		</classpath> 
	</java> 
</target> 
</project>

Get set (glassfish home), on your mark (edit aliases, source JKS keystore names), go (run the script)!

Now you are all set to test out your secure application! Security can be a tricky thing. Let me know if you thought this was confusing....and do share your ideas if you think this could be made any simpler!
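The script above delegates the actual copying to a KeyImport class from the copyv3 module. As an added example (my own code, not the copyv3 class), here is a minimal Java equivalent that accepts the same srcstore=/dststore=/srcalias=/dstalias=/trustedentry= arguments, plus assumed srcpass=/dstpass= arguments that default to changeit, GlassFish's default keystore password. It refuses to overwrite an alias that already exists in the destination, so a typo in dstalias cannot clobber the server's own entry.

```java
import java.io.*;
import java.security.*;
import java.security.cert.Certificate;
import java.util.*;

/** Copies one alias from a source JKS into a destination JKS, taking the same key=value args as the ant script. */
public class KeyImport {
    static KeyStore load(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try { ks.load(in, pass); } finally { in.close(); }
        return ks;
    }

    /** trusted=true copies only the certificate (truststore case); otherwise the private key and its chain. */
    static void copyEntry(KeyStore src, char[] srcPass, KeyStore dst, char[] dstPass,
                          String srcAlias, String dstAlias, boolean trusted) throws Exception {
        if (dst.containsAlias(dstAlias)) {   // never silently replace e.g. the server's own s1as entry
            throw new IllegalStateException("destination already has alias " + dstAlias);
        }
        if (trusted) {
            Certificate cert = src.getCertificate(srcAlias);
            if (cert == null) throw new IllegalArgumentException("no certificate under alias " + srcAlias);
            dst.setCertificateEntry(dstAlias, cert);
        } else {
            Key key = src.getKey(srcAlias, srcPass);   // assumes the key password equals the source store password
            Certificate[] chain = src.getCertificateChain(srcAlias);
            if (key == null || chain == null) throw new IllegalArgumentException("no key entry under alias " + srcAlias);
            // Store the key under the destination store password: GlassFish opens key entries with its
            // master password (changeit by default), so the key password must match it.
            dst.setKeyEntry(dstAlias, key, dstPass, chain);
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> a = new HashMap<String, String>();
        for (String arg : args) {
            a.put(arg.substring(0, arg.indexOf('=')), arg.substring(arg.indexOf('=') + 1));
        }
        char[] srcPass = a.containsKey("srcpass") ? a.get("srcpass").toCharArray() : "changeit".toCharArray();
        char[] dstPass = a.containsKey("dstpass") ? a.get("dstpass").toCharArray() : "changeit".toCharArray();
        KeyStore src = load(a.get("srcstore"), srcPass);
        KeyStore dst = load(a.get("dststore"), dstPass);
        copyEntry(src, srcPass, dst, dstPass, a.get("srcalias"), a.get("dstalias"), "true".equals(a.get("trustedentry")));
        OutputStream out = new FileOutputStream(a.get("dststore"));
        try { dst.store(out, dstPass); } finally { out.close(); }
    }
}
```

After running it, keytool -list against keystore.jks and cacerts.jks should show alice and bob as PrivateKeyEntry in the keystore and as trustedCertEntry in the truststore.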

About

manveen
