Monday Jan 31, 2011

Secure Communication between Web-app and EJB3.x in GlassFish

This post describes how to make secure calls to an EJB (3.x) from a web application using SSL or MUTUAL_SSL, even when the web-app and the EJB are running on GlassFish instances on different host machines.

With the following <ior-security-config> in the EJB's glassfish-ejb-jar.xml, SSL is forced by the EJB: integrity and confidentiality are required, and because establish-trust-in-client is REQUIRED the caller must also present its own certificate, which is what makes the connection MUTUAL_SSL.

  <ior-security-config>
    <transport-config>
      <integrity>required</integrity>
      <confidentiality>required</confidentiality>
      <establish-trust-in-target>SUPPORTED</establish-trust-in-target>
      <establish-trust-in-client>REQUIRED</establish-trust-in-client>
    </transport-config>
    <sas-context>
      <caller-propagation>supported</caller-propagation>
    </sas-context>
  </ior-security-config>


With the following annotation in the servlet:

  @EJB(name="secureejbref")
  private SecureEjbRemote secureRemote;

and the following element in glassfish-web.xml, the client (the servlet) is forced to contact the EJB securely, using the MUTUAL_SSL ORB port 3820:

  <ejb-ref>
    <ejb-ref-name>secureejbref</ejb-ref-name>
    <jndi-name>corbaname:iiop:<host in which EJB is deployed>:3820#SecureEjbBean</jndi-name>
  </ejb-ref>


With the following jvm-option added to the domain.xml of the host on which the web-app is deployed,

  <jvm-options>-Dcom.sun.CSIV2.ssl.standalone.client.required=true</jvm-options>

secure communication between the servlet and the EJB host also covers the name-service lookup (which happens before the EJB create call).
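The three settings above are easy to get subtly wrong (a "supported" where "required" was meant, or the plain ORB port in the jndi-name), and neither the deployer nor the servlet will complain. The following added example, which is not part of the original post or of GlassFish, audits the three descriptors for exactly the values this post relies on. The descriptor fragments inside it are constructed samples; the hostname ejbhost.example is a placeholder, and the element layout around <ior-security-config>, <ejb-ref> and <jvm-options> is assumed to match a normal GlassFish descriptor.

```python
"""Added example: audit GlassFish descriptors for the secure-EJB settings
described in the post. Constructed samples only; not GlassFish code."""
import re
import xml.etree.ElementTree as ET

MUTUAL_SSL_PORT = 3820  # the MUTUAL_SSL ORB listener port named in the post
CSIV2_CLIENT_FLAG = "-Dcom.sun.CSIV2.ssl.standalone.client.required=true"
CORBANAME_RE = re.compile(r"^corbaname:iiop:(?P<host>[^:#/]+):(?P<port>\d+)#(?P<name>.+)$")


def _lower_text(parent, tag):
    """Trimmed, lower-cased text of a child element ('' if absent)."""
    return (parent.findtext(tag) or "").strip().lower()


def audit_ejb_jar(xml_text):
    """Findings for glassfish-ejb-jar.xml: SSL must be required, and the
    client must present a certificate for MUTUAL_SSL."""
    findings = []
    configs = list(ET.fromstring(xml_text.strip()).iter("ior-security-config"))
    if not configs:
        findings.append("no <ior-security-config>: EJB accepts plain IIOP")
    for cfg in configs:
        tc = cfg.find("transport-config")
        if tc is None:
            findings.append("<transport-config> missing")
            continue
        for tag in ("integrity", "confidentiality"):
            if _lower_text(tc, tag) != "required":
                findings.append(f"<{tag}> is not 'required': SSL is not enforced")
        if _lower_text(tc, "establish-trust-in-client") != "required":
            findings.append("<establish-trust-in-client> is not REQUIRED: "
                            "client certificate optional (SSL, not MUTUAL_SSL)")
    return findings


def audit_web_xml(xml_text, ref_name):
    """Findings for glassfish-web.xml: the ejb-ref must point at the
    MUTUAL_SSL ORB port through a corbaname:iiop URL."""
    for ref in ET.fromstring(xml_text.strip()).iter("ejb-ref"):
        if (ref.findtext("ejb-ref-name") or "").strip() != ref_name:
            continue
        jndi = (ref.findtext("jndi-name") or "").strip()
        m = CORBANAME_RE.match(jndi)
        if not m:
            return [f"{ref_name}: jndi-name is not a corbaname:iiop URL: {jndi!r}"]
        if int(m.group("port")) != MUTUAL_SSL_PORT:
            return [f"{ref_name}: ORB port {m.group('port')} is not the "
                    f"MUTUAL_SSL port {MUTUAL_SSL_PORT}"]
        return []
    return [f"{ref_name}: no matching <ejb-ref>"]


def audit_domain_xml(xml_text):
    """Findings for domain.xml: the CSIv2 flag forces the name-service lookup over SSL."""
    root = ET.fromstring(xml_text.strip())
    opts = {(el.text or "").strip() for el in root.iter("jvm-options")}
    if CSIV2_CLIENT_FLAG not in opts:
        return [f"{CSIV2_CLIENT_FLAG} missing: name-service lookup is not forced over SSL"]
    return []


# Constructed samples (not real deployments); ejbhost.example is a placeholder.
SECURE_EJB_JAR = """
<glassfish-ejb-jar><enterprise-beans><ejb><ejb-name>SecureEjbBean</ejb-name>
<ior-security-config><transport-config>
  <integrity>required</integrity><confidentiality>required</confidentiality>
  <establish-trust-in-target>SUPPORTED</establish-trust-in-target>
  <establish-trust-in-client>REQUIRED</establish-trust-in-client>
</transport-config><sas-context><caller-propagation>supported</caller-propagation>
</sas-context></ior-security-config></ejb></enterprise-beans></glassfish-ejb-jar>"""
# Weakened copy: integrity only 'supported', client certificate not required.
WEAK_EJB_JAR = (SECURE_EJB_JAR.replace("<integrity>required", "<integrity>supported")
                .replace("trust-in-client>REQUIRED", "trust-in-client>SUPPORTED"))
SECURE_WEB = """
<glassfish-web-app><ejb-ref><ejb-ref-name>secureejbref</ejb-ref-name>
<jndi-name>corbaname:iiop:ejbhost.example:3820#SecureEjbBean</jndi-name>
</ejb-ref></glassfish-web-app>"""
WEAK_WEB = SECURE_WEB.replace(":3820#", ":3700#")  # plain IIOP port instead
SECURE_DOMAIN = """
<domain><configs><config name="server-config"><java-config>
<jvm-options>-Dcom.sun.CSIV2.ssl.standalone.client.required=true</jvm-options>
</java-config></config></configs></domain>"""
WEAK_DOMAIN = SECURE_DOMAIN.replace(CSIV2_CLIENT_FLAG, "-Xmx512m")

if __name__ == "__main__":
    for label, result in (("ejb-jar", audit_ejb_jar(WEAK_EJB_JAR)),
                          ("web", audit_web_xml(WEAK_WEB, "secureejbref")),
                          ("domain", audit_domain_xml(WEAK_DOMAIN))):
        print(label, result)
```

Run against the real descriptors by reading the files instead of the constructed strings; an empty list from all three functions means the deployment matches the configuration shown in this post.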


Thursday Jan 27, 2011

Change in the default digest algorithm in FileRealms (GF 3.1)

In GlassFish 3.1, the digest algorithm used to store file users in the keyfiles of FileRealm-based realms has been changed from SHA-1 to SHA-256. This includes the default realm (file) and the admin-realm. The change can be observed in the respective keyfiles (keyfile and admin-keyfile): the SSHA256 tag and a longer digest replace the earlier SSHA tag, which represented SHA-1.

Keyfile and admin-keyfile in GlassFish 3.1:

test;{SSHA256}RsvY2gBprLirxbEgUklqKGWiH31uDnMgyL54eGGgNs48PpYVUkILtg==;

admin;{SSHA256}yRrrmQ0GxF6U8lp0A8EZvphpdC5dsVPMdreZDh3tOsFVMMk57tVz4w==;asadmin

Keyfile and admin-keyfile prior to GlassFish 3.1:

test;{SSHA}jTFkVn/hPKjzsI1WsdlihHCL+5rh6++KTEqfYg==;

admin;{SSHA}d18x+nm1GkaoXQpT3NiecZaBwZSrGm50disn0A==;asadmin

Users created in versions of GlassFish prior to 3.1 and upgraded to 3.1 are still supported: the decoding mechanism reads the tag to determine which algorithm to use when verifying the digest. New users created in 3.1, however, are always stored with SHA-256. The change was made because SHA-256 is known to provide better security than SHA-1. To the end user there is no difference in how file user passwords are used.
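The tag-driven decoding described above can be made concrete by parsing the keyfile lines quoted in this post. The following added example (not GlassFish code) parses keyfile entries, reports the digest and salt lengths behind each tag, lists which users still carry a pre-3.1 SHA-1 digest, and verifies a password against an entry. The layout of the base64 value is an assumption rather than something stated in the post: the digest of the password bytes followed by the salt, with the salt appended after the digest; the lengths of the two quoted entries (28 and 40 bytes) are consistent with a 20- or 32-byte digest plus an 8-byte salt. The sample passwords and the alice/bob entries are constructed.

```python
"""Added example: parse GlassFish FileRealm keyfile lines, distinguish SHA-1
({SSHA}) entries from SHA-256 ({SSHA256}) ones, and verify a password.
Format assumption (not taken from the post): base64(digest(password || salt) || salt),
with an 8-byte salt."""
import base64
import hashlib
import hmac
import os

SALT_LEN = 8
# tag -> (hashlib name, digest length in bytes)
ALGORITHMS = {"SSHA": ("sha1", 20), "SSHA256": ("sha256", 32)}

# The two keyfile lines quoted in the post above (one per GlassFish version).
KEYFILE = """
test;{SSHA}jTFkVn/hPKjzsI1WsdlihHCL+5rh6++KTEqfYg==;
admin;{SSHA256}yRrrmQ0GxF6U8lp0A8EZvphpdC5dsVPMdreZDh3tOsFVMMk57tVz4w==;asadmin
"""


def parse_keyfile(text):
    """Yield (user, tag, base64_value, groups) for each 'user;{TAG}b64;groups' line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, hashed, groups = line.split(";", 2)
        if not hashed.startswith("{") or "}" not in hashed:
            raise ValueError(f"{user}: unrecognised password field {hashed!r}")
        tag, b64 = hashed[1:].split("}", 1)
        yield user, tag, b64, [g for g in groups.split(",") if g]


def salted_digest(tag, password, salt):
    """digest(password || salt) with the algorithm selected by the tag (assumed layout)."""
    h = hashlib.new(ALGORITHMS[tag][0])
    h.update(password.encode("utf-8"))
    h.update(salt)
    return h.digest()


def make_entry(user, password, groups=(), tag="SSHA256", salt=None):
    """Build a keyfile line in the assumed layout; SHA-256 by default, as in 3.1."""
    salt = salt or os.urandom(SALT_LEN)
    stored = base64.b64encode(salted_digest(tag, password, salt) + salt).decode("ascii")
    return f"{user};{{{tag}}}{stored};{','.join(groups)}"


def verify(tag, b64, password):
    """The tag selects the algorithm, so a pre-3.1 SHA-1 entry still verifies."""
    _, dlen = ALGORITHMS[tag]
    raw = base64.b64decode(b64)
    digest, salt = raw[:dlen], raw[dlen:]
    return hmac.compare_digest(digest, salted_digest(tag, password, salt))


def layouts(text):
    """user -> (tag, digest length, salt length): shows the longer SHA-256 digest."""
    out = {}
    for user, tag, b64, _ in parse_keyfile(text):
        raw = base64.b64decode(b64)
        dlen = ALGORITHMS[tag][1]
        out[user] = (tag, dlen, len(raw) - dlen)
    return out


def legacy_users(text):
    """Users whose stored digest is still SHA-1, i.e. created before the upgrade."""
    return [user for user, tag, _, _ in parse_keyfile(text) if tag == "SSHA"]


if __name__ == "__main__":
    print(layouts(KEYFILE))          # {'test': ('SSHA', 20, 8), 'admin': ('SSHA256', 32, 8)}
    print(legacy_users(KEYFILE))     # ['test']
    line = make_entry("alice", "correct horse", ("users",))  # constructed user
    _, tag, b64, _ = next(parse_keyfile(line))
    print(verify(tag, b64, "correct horse"), verify(tag, b64, "wrong"))
```

Because upgraded entries keep their SHA-1 digest until the password is next set, legacy_users() run over the real keyfile and admin-keyfile gives the list of accounts whose passwords need to be changed before every stored digest is SHA-256.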

Tuesday Jan 25, 2011

PAMRealm in GlassFish 3.1

A new realm (PamRealm) is available in GlassFish 3.1 for Unix-based operating systems (Solaris, Linux, Mac OS). PamRealm is based on the Pluggable Authentication Module (PAM) mechanism of the underlying OS. If this realm is configured for an application deployed in GlassFish, users of the underlying OS can authenticate to the application with their Unix passwords.

PamRealm can be configured through the admin console (server-config -> Security -> Realms -> New); choose it from the dropdown list of realm classes. The jaas-context for the realm is pamRealm.

This realm can also be configured using the asadmin CLI:

./asadmin create-auth-realm --classname com.sun.enterprise.security.auth.realm.pam.PamRealm --property jaas-context=pamRealm PamRealm
Command create-auth-realm executed successfully.

The pamRealm jaas-context is mapped to the following LoginModule class in login.conf:

pamRealm {
        com.sun.enterprise.security.auth.login.PamLoginModule required;
};

To configure this realm, GlassFish should be installed as the root user (which can access PAM's underlying authentication files on Unix).


About

nitkal
