Wednesday Jan 07, 2009

P-Asserted-Identity authentication in Sailfin Communication Server

P-Asserted-Identity authentication in Sailfin is based on RFC 3325 and on the requirements of JSR 289.

Steps to configure P-Asserted-Identity authentication

Configuring the P-Asserted-Identity authentication module breaks down into the following steps:

       1.Configuring security realm
       2.Configuring Trust
       3.Configuring security for SIP Applications

1.Configuring security realm

Refer to section Configuring security realm in my previous blog entry.

2.Configuring Trust

  • Open sailfin administration console, default url will be http://localhost:4848
  • Click on Configuration tab
  • Click on Trust configurations

You can now either create a new trust configuration element or edit one you already have.
When you create a new trust configuration you can choose either a static configuration (a list of trusted entities) or your own custom trust handler, which decides whether the host a message is received from or sent to is trusted.

Snapshots 1 and 2 show these screens.

The default trust handler provided by Sailfin trusts all hosts and maps the value in P-Asserted-Identity to a format suitable for the container's authentication and authorization tasks. For example, the display name "Cullen Jennings" is mapped to "CullenJ". Because RFC 3325 only gives P-Asserted-Identity meaning inside a trust domain, a deployment that relies on it should replace the trust-all default with an explicit list of trusted entities or a custom trust handler.

3.Configuring security for SIP Applications.

  • Configuration as per JSR 289
           1.Login configuration
           2.Securing methods

  • Implementation specific configuration
           1.Configuring sun-sip.xml

Configuration as per JSR 289.

1.Login configuration

JSR 289 defines the standard configuration elements in sip.xml; sip.xml has the following additional element under login-config:

<identity-assertion>
          <identity-assertion-scheme>P-Asserted-Identity</identity-assertion-scheme>
          <identity-assertion-support></identity-assertion-support>
          <!-- SUPPORTED/REQUIRED are the supported values for identity-assertion-support -->
</identity-assertion>

As per JSR 289 Sailfin supports P-Asserted-Identity authentication in two modes (SUPPORTED, REQUIRED). When SUPPORTED is used, incoming SIP messages are processed as follows:

a) if the P-Asserted-Identity header is present, process it.

b) if the P-Asserted-Identity header is not present, apply the authentication method configured in the auth-method element.

<login-config>
          <identity-assertion>
                  <identity-assertion-scheme>P-Asserted-Identity</identity-assertion-scheme>
                  <identity-assertion-support>SUPPORTED</identity-assertion-support>
          </identity-assertion>
</login-config>

                                or

<login-config>
          <auth-method>DIGEST</auth-method>
          <realm-name>realmperapp</realm-name>
          <identity-assertion>
                  <identity-assertion-scheme>P-Asserted-Identity</identity-assertion-scheme>
                  <identity-assertion-support>REQUIRED</identity-assertion-support>
          </identity-assertion>
</login-config>


When the P-Asserted-Identity scheme is REQUIRED by the application, the P-Asserted-Identity header MUST be present in the request. If it is not present, Sailfin rejects the request with a 403 response. If authorization of the identity carried in the P-Asserted-Identity header fails, Sailfin also returns a 403 response.
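The decision logic described above, written out as an added Python example; it is not Sailfin code (Sailfin implements this inside the container). The trusted-entity list, the RFC 5737 documentation addresses, the sample header and the display-name-to-principal rule (first name plus the initial of the last name, which is only what the single "Cullen Jennings" to "CullenJ" example above implies) are all assumptions made for the example:

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# name-addr form:  "Cullen Jennings" <sip:fluffy@example.com>
NAME_ADDR_RE = re.compile(r'^\s*(?:"(?P<display>[^"]*)"\s*)?<(?P<uri>[^>]+)>\s*$')
# bare addr-spec form:  sip:alice@example.com  or  tel:+14085551212
ADDR_SPEC_RE = re.compile(r'^\s*(?P<uri>(?:sips?|tel):[^\s;,]+)\s*$')


@dataclass
class Decision:
    outcome: str                     # "asserted", "fallback" or "rejected"
    principal: Optional[str] = None  # container principal when outcome == "asserted"
    reason: str = ""


def is_trusted(source_ip: str, trusted_entities) -> bool:
    """Static trust configuration: the peer is trusted if its address falls
    inside any configured trusted-entity address or network."""
    addr = ip_address(source_ip)
    return any(addr in ip_network(entity, strict=False) for entity in trusted_entities)


def parse_pai(value: str):
    """Return (display_name, uri) for a single P-Asserted-Identity value, or None."""
    m = NAME_ADDR_RE.match(value)
    if m:
        return m.group("display"), m.group("uri")
    m = ADDR_SPEC_RE.match(value)
    if m:
        return None, m.group("uri")
    return None


def map_principal(display: Optional[str], uri: str) -> str:
    """Assumed mapping that reproduces the post's one example
    ("Cullen Jennings" -> "CullenJ"): first name plus the initial of the last
    name. Sailfin's real PrincipalMapper rule is not documented on the page."""
    if display:
        parts = display.split()
        return parts[0] + (parts[-1][0] if len(parts) > 1 else "")
    # No display name: fall back to the user part of the URI (sip:alice@host -> alice)
    return uri.split(":", 1)[1].split("@", 1)[0]


def process_request(headers: dict, source_ip: str, trusted_entities, support: str) -> Decision:
    """Apply the SUPPORTED / REQUIRED rules of identity-assertion-support.
    An assertion arriving from outside the trust domain is treated as if the
    header were absent (RFC 3325: P-Asserted-Identity has no meaning outside
    the trust domain)."""
    pai = headers.get("P-Asserted-Identity")
    why = "no P-Asserted-Identity header"
    if pai is not None and not is_trusted(source_ip, trusted_entities):
        pai, why = None, "P-Asserted-Identity from untrusted source ignored"
    if pai is None:
        if support == "REQUIRED":
            return Decision("rejected", reason=f"403 Forbidden: {why}")
        return Decision("fallback", reason=f"{why}; apply auth-method")
    parsed = parse_pai(pai)
    if parsed is None:
        return Decision("rejected", reason="403 Forbidden: malformed P-Asserted-Identity")
    display, uri = parsed
    return Decision("asserted", principal=map_principal(display, uri))


# Constructed configuration and request (RFC 5737 documentation addresses).
TRUSTED_ENTITIES = ["192.0.2.0/24", "198.51.100.7"]
SAMPLE_HEADERS = {"P-Asserted-Identity": '"Cullen Jennings" <sip:fluffy@example.com>'}

if __name__ == "__main__":
    for ip, mode in [("192.0.2.10", "REQUIRED"), ("203.0.113.5", "REQUIRED"), ("203.0.113.5", "SUPPORTED")]:
        print(ip, mode, process_request(SAMPLE_HEADERS, ip, TRUSTED_ENTITIES, mode))
```

With the trust-all default described above, `is_trusted` would always return True; the point of the example is that the REQUIRED/SUPPORTED choice only says what to do when no usable assertion is present, while the trust configuration decides whether an assertion is usable at all.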

2.Securing methods

   JSR 289 defines the security-constraint element (with its resource-collection and auth-constraint children), which lets you configure the SIP methods that must be secured, i.e. accessed only by authorized users.

Please refer to the sample sip.xml in the RFC 4474 entry below for details.

Implementation specific configuration

1.Configuring sun-sip.xml

The following elements and properties need to be configured in sun-sip.xml:

  • the security-role-mapping element, to map principals and groups to roles

  • the properties trust-id-ref and trust-auth-realm-ref; please refer to my previous blog entry to learn about these properties.


Thursday Dec 18, 2008

Configuring NonceManager for Digest and Identity authentication modules

The Identity authentication module and the Digest authentication module need a NonceManager to cache Call-ID values and nonce values respectively.
The maximum nonce age for these modules is configured with the NonceManager property under the security-service element in domain.xml. maxNonceAge is in milliseconds.
eg:
<property name="NonceManager" value="id=identity-nonce-config,maxNonceAge=350000;id=sip-nonce-config,maxNonceAge=3000"/>

The NonceManager for the Digest authentication module is sip-nonce-config; its default maxNonceAge is 600000 milliseconds (10 minutes).
The NonceManager for the Identity authentication module is identity-nonce-config; its default maxNonceAge is 3600000 milliseconds (1 hour).

Snapshot of configuring NonceManager using Admin UI is here
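To make the two ages concrete, here is an added Python example of what a nonce cache bounded by maxNonceAge has to do. It is not Sailfin's NonceManager; the nonce format (issue time, random salt and an HMAC tag, base64-encoded) and the HMAC key are assumptions of the example. The Digest path rejects nonces older than maxNonceAge or with a bad tag; the Identity path remembers Call-IDs for the same window so a replayed request is detected:

```python
import base64
import hashlib
import hmac
import os
import time


class NonceManager:
    """Assumed stand-in for Sailfin's NonceManager: issues self-describing
    nonces, rejects stale or forged ones, and remembers Call-IDs for the
    same maximum age so a replayed request can be recognised."""

    def __init__(self, key: bytes, max_nonce_age_ms: int):
        self.key = key                          # server secret used to tag nonces
        self.max_nonce_age_ms = max_nonce_age_ms
        self._seen_call_ids = {}                # Call-ID -> time first seen (ms)

    @staticmethod
    def _now_ms(now_ms):
        return int(time.time() * 1000) if now_ms is None else now_ms

    def _tag(self, payload: str) -> str:
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()[:32]

    def issue(self, now_ms=None) -> str:
        """Nonce = base64(issue-time:random-salt:HMAC(issue-time:random-salt))."""
        payload = f"{self._now_ms(now_ms)}:{os.urandom(8).hex()}"
        return base64.b64encode(f"{payload}:{self._tag(payload)}".encode()).decode()

    def validate(self, nonce: str, now_ms=None):
        """Return (ok, reason): the tag is checked before the age, so a
        forged nonce never gets as far as the clock comparison."""
        now_ms = self._now_ms(now_ms)
        try:
            issued, salt, tag = base64.b64decode(nonce, validate=True).decode().split(":")
            issued_ms = int(issued)
        except ValueError:                      # bad base64, bad UTF-8, wrong field count
            return False, "malformed"
        if not hmac.compare_digest(tag, self._tag(f"{issued}:{salt}")):
            return False, "forged"
        if issued_ms > now_ms:
            return False, "issued in the future"
        if now_ms - issued_ms > self.max_nonce_age_ms:
            return False, "stale"
        return True, "ok"

    def first_seen(self, call_id: str, now_ms=None) -> bool:
        """True the first time a Call-ID is seen within max_nonce_age_ms,
        False for a replay. Expired entries are pruned on every call."""
        now_ms = self._now_ms(now_ms)
        self._seen_call_ids = {c: t for c, t in self._seen_call_ids.items()
                               if now_ms - t <= self.max_nonce_age_ms}
        if call_id in self._seen_call_ids:
            return False
        self._seen_call_ids[call_id] = now_ms
        return True


if __name__ == "__main__":
    digest_nonces = NonceManager(os.urandom(32), 600_000)      # sip-nonce-config default
    nonce = digest_nonces.issue()
    print(nonce, digest_nonces.validate(nonce))
```

The example short-circuits nonce-count (nc) tracking and uses a dict that grows until entries expire; a production cache also needs an upper bound on entries, otherwise a flood of distinct Call-IDs within the window becomes a memory exhaustion problem.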

Friday Nov 28, 2008

Support for RFC 4474 in Sailfin Application Server

Introduction

To learn what Identity authentication (RFC 4474) is all about, read [1] and [2].

JSR 289 :

sip.xml has the following additional element under login-config:

<identity-assertion>
          <identity-assertion-scheme>Identity</identity-assertion-scheme>
          <identity-assertion-support></identity-assertion-support>
          <!-- SUPPORTED/REQUIRED are the supported values for identity-assertion-support -->
</identity-assertion>

As per JSR 289 Sailfin supports Identity authentication in two modes (SUPPORTED, REQUIRED). When SUPPORTED is used, incoming SIP messages are processed as follows:

  a) if the Identity header is present, process it.

  b) if the Identity header is not present, apply the authentication method configured in the auth-method element.

<login-config>
          <identity-assertion>
                  <identity-assertion-scheme>Identity</identity-assertion-scheme>
                  <identity-assertion-support>SUPPORTED</identity-assertion-support>
          </identity-assertion>
</login-config>

                                or

<login-config>
          <auth-method>DIGEST</auth-method>
          <realm-name>realmperapp</realm-name>
          <identity-assertion>
                  <identity-assertion-scheme>Identity</identity-assertion-scheme>
                  <identity-assertion-support>REQUIRED</identity-assertion-support>
          </identity-assertion>
</login-config>


Steps to configure Identity authentication module :

We will break the steps to configure the Identity authentication module into the following three steps,

  1. Configuring security realm

  2. Configuring security for SIP application

  3. Adding the root certificate (Certificate Authority) of the public key used to sign the Identity header into cacerts.jks

Configuring Security Realm :

The Identity authentication module needs a security realm whose JAAS context (login-context) value is “assertedRealm”. Follow the steps below to configure the realm.

Steps :

  • Open sailfin administration console, default url will be http://localhost:4848

  • Click on Configuration tab

  • Click on Security

  • Click on Realms

  • Select new tab to create a new Realm, see figure

  • Enter the realm name

  • Select JDBCRealm as classname

  • Enter “assertedRealm” for JAAS Context

  • Enter the JDBC resource you want to use in JNDI column

Fill in the rest of the values as per your database table structure; please refer to the figures attached at the end of this blog.

Configuring security for SIP application :

To enable authentication and authorization of requests to an application, we need to configure the following elements in sip.xml and sun-sip.xml.

Elements in sip.xml (the elements are similar to those in web.xml, with minor changes):

             <security-constraint>
             <login-config>
             <security-role>

Please read the documentation [3] / schema file to learn more about these elements. The sample configuration shown below means the following: the REGISTER and INVITE methods of SecurityTestServlet can be invoked only by users with the manager role, and the request MUST carry an Identity header, which is used for authentication and authorization.

             <security-constraint>
                     <display-name>UserConstraint</display-name>
                     <resource-collection>
                           <servlet-name>SecurityTestServlet</servlet-name>
                           <sip-method>REGISTER</sip-method>
                           <sip-method>INVITE</sip-method>
                     </resource-collection>
                     <auth-constraint>
                           <description>authentication-configuration</description>
                           <role-name>manager</role-name>
                     </auth-constraint>
             </security-constraint>

             <login-config>
                   <auth-method>DIGEST</auth-method>
                   <realm-name>realmperapp</realm-name>
                   <identity-assertion>
                          <identity-assertion-scheme>Identity</identity-assertion-scheme>
                          <identity-assertion-support>REQUIRED</identity-assertion-support>
                   </identity-assertion>
             </login-config>

             <security-role>
                    <description/>
                    <role-name>manager</role-name>
             </security-role>

Elements in sun-sip.xml

property “trust-auth-realm-ref”

element “security-role-mapping”

The security-role-mapping element is the same as the security-role-mapping element in sun-web.xml. trust-auth-realm-ref refers to the Identity realm (the realm with JAAS context “assertedRealm”) configured in domain.xml.

<sun-sip-app error-url="">
         <jsp-config>
              <property name="classdebuginfo" value="true">
                     <description>Enable debug info compilation in the generated servlet class</description>
              </property>
              <property name="mappedfile" value="true">
                   <description>Maintain a one-to-one correspondence between static content and the generated servlet class' java code</description>
              </property>
         </jsp-config>
         <property name="trust-auth-realm-ref" value="asserted_realm"/>
         <security-role-mapping>
                   <role-name>manager</role-name>
                   <principal-name>venu</principal-name>
                   <principal-name>jagan</principal-name>
                   <group-name>Management</group-name>
         </security-role-mapping>
</sun-sip-app>


[1] http://www.tech-invite.com/Ti-sec-identity.html
[2] http://www.ietf.org/rfc/rfc4474.txt
[3] http://docs.sun.com/app/docs/doc/819-3669/bncbj?l=en&a=view&q=security-constraint


Thursday Nov 27, 2008

Configuration elements for Identity authentication(RFC 4474)

IdentityValidatorConfiguration :

This property enables users to configure the Identity (RFC 4474) authentication module in Sailfin. The property holds name=value pairs separated by commas as configuration parameters. It can be configured under the security element in domain.xml; use the Administration UI as shown here.


eg: maxClockSkew=30000, timestampFreshnessLimit=360000

  • maxClockSkew

This sets the maximum difference allowed between the system clocks of the sender and the recipient. The value is specified in milliseconds.

  • timestampFreshnessLimit

Sets the maximum duration after which a timestamp becomes stale. The value MUST be specified in milliseconds; the default is 600000 milliseconds (600 seconds).

  • enableRevocationCheck

If this flag is set to true, the default revocation checking mechanism of the underlying PKIX service provider is used. The default is false.

  • certificateValidator

Specifies the class name of a custom certificate validator implemented by the user; this class must implement the org.glassfish.comms.api.security.auth.CertificateValidator interface.
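An added Python example (not Sailfin's validator) of the verifier steps that maxClockSkew and timestampFreshnessLimit govern: build the RFC 4474 digest-string from From, To, Call-ID, CSeq, Date, Contact and the body, check the Date header against the local clock, then hand the digest-string and the decoded Identity header to a signature check. How the two limits combine (skew allowed on both sides, freshness limit added to the skew) is my assumption; the page does not define it. The RSA-SHA1 verification against the certificate named in Identity-Info needs a crypto library, so the signature check is a caller-supplied function and the demo uses a SHA-1 stand-in that is clearly not a real signature. The sample INVITE is constructed after the RFC 4474 example message:

```python
import base64
import hashlib
import re
from email.utils import parsedate_to_datetime
from typing import Callable, Dict, Tuple

ADDR_SPEC_RE = re.compile(r"<([^>]+)>")
SAMPLE_DATE = "Thu, 21 Feb 2002 13:02:03 GMT"   # Date header of the RFC 4474 example

def parse_sip(raw: str) -> Tuple[Dict[str, str], str]:
    """Split a SIP request into lower-cased headers and body (no header folding)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:            # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def addr_spec(name_addr: str) -> str:
    """'Alice <sip:alice@host>;tag=1' -> 'sip:alice@host'."""
    m = ADDR_SPEC_RE.search(name_addr)
    return m.group(1) if m else name_addr.split(";", 1)[0].strip()

def digest_string(headers: Dict[str, str], body: str) -> str:
    """RFC 4474 section 9: From|To|Call-ID|CSeq|Date|Contact|body."""
    contact = addr_spec(headers["contact"]) if "contact" in headers else ""
    return "|".join([addr_spec(headers["from"]), addr_spec(headers["to"]),
                     headers["call-id"], headers["cseq"], headers["date"], contact, body])

def sip_date_ms(date_header: str) -> int:
    return int(parsedate_to_datetime(date_header).timestamp() * 1000)

def date_is_fresh(date_header: str, now_ms: int, max_clock_skew_ms: int,
                  timestamp_freshness_limit_ms: int) -> Tuple[bool, str]:
    """Assumed rule: Date may be up to max_clock_skew_ms ahead of the local
    clock and no older than timestamp_freshness_limit_ms plus that skew."""
    age_ms = now_ms - sip_date_ms(date_header)
    if age_ms < -max_clock_skew_ms:
        return False, "date ahead of local clock"
    if age_ms > timestamp_freshness_limit_ms + max_clock_skew_ms:
        return False, "stale"
    return True, "fresh"

def verify_identity(raw: str, now_ms: int, max_clock_skew_ms: int,
                    timestamp_freshness_limit_ms: int,
                    signature_ok: Callable[[bytes, bytes], bool]) -> Tuple[bool, str]:
    """Required headers, then Date freshness, then signature_ok(digest_string, sig):
    the rsa-sha1 check against the Identity-Info certificate, supplied by the caller."""
    headers, body = parse_sip(raw)
    for h in ("from", "to", "call-id", "cseq", "date", "identity"):
        if h not in headers:
            return False, f"missing {h} header"
    fresh, why = date_is_fresh(headers["date"], now_ms, max_clock_skew_ms,
                               timestamp_freshness_limit_ms)
    if not fresh:
        return False, why
    try:
        signature = base64.b64decode(headers["identity"].strip('"'), validate=True)
    except ValueError:
        return False, "malformed Identity header"
    if not signature_ok(digest_string(headers, body).encode(), signature):
        return False, "signature mismatch"
    return True, "verified"

# Constructed sample modelled on the RFC 4474 example INVITE (CRLF line ends).
def build_sample_request(identity_b64: str, body: str = "v=0") -> str:
    return "\r\n".join([
        "INVITE sip:bob@biloxi.example.org SIP/2.0",
        "To: Bob <sip:bob@biloxi.example.org>",
        "From: Alice <sip:alice@atlanta.example.com>;tag=1928301774",
        "Call-ID: a84b4c76e66710",
        "CSeq: 314159 INVITE",
        f"Date: {SAMPLE_DATE}",
        "Contact: <sip:alice@pc33.atlanta.example.com>",
        f'Identity: "{identity_b64}"',
        "Identity-Info: <https://atlanta.example.com/atlanta.cer>;alg=rsa-sha1",
        "", body])

def stub_sign(data: bytes) -> str:
    """Demo stand-in for the RSA-SHA1 signature: NOT a signature, NOT secure."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def stub_signature_ok(data: bytes, sig: bytes) -> bool:
    return sig == hashlib.sha1(data).digest()

def demo() -> Dict[str, Tuple[bool, str]]:
    skew_ms, limit_ms = 30_000, 600_000          # maxClockSkew=30000 as in the post, 600 s default
    now_ms = sip_date_ms(SAMPLE_DATE) + 5_000    # verifier clock 5 s after the Date header
    good = stub_sign(digest_string(*parse_sip(build_sample_request(""))).encode())
    signed = build_sample_request(good)
    check = lambda req, now: verify_identity(req, now, skew_ms, limit_ms, stub_signature_ok)
    return {"valid": check(signed, now_ms),
            "stale": check(signed, now_ms + 700_000),
            "future": check(signed, now_ms - 60_000),
            "tampered": check(build_sample_request(good, body="v=1"), now_ms)}
```

In a real deployment `signature_ok` would fetch the certificate from Identity-Info, run it through the configured certificateValidator (and revocation check if enableRevocationCheck is set), and only then verify the RSA-SHA1 signature; the ordering above, with the cheap Date check first, keeps a stale or replayed request from costing a certificate fetch.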

PrincipalMapper

This property is used by the Identity and P-Asserted-Identity authentication modules of Sailfin. A PrincipalMapper converts user names into the format understood by the Sailfin container. The property is optional; a default implementation is provided by Sailfin. The property names a class that implements the com.sun.enterprise.security.auth.PrincipalMapper interface. It can be configured under the security element in domain.xml; use the Administration UI as shown here. Each application using P-Asserted-Identity / Identity authentication creates its own instance of the PrincipalMapper implementation class.

Properties in sun-sip.xml

  • trust-auth-realm-ref

This property is used by the Identity and P-Asserted-Identity authentication modules and should point to a security realm whose jaas-context value is “assertedRealm”.

  • trust-id-ref

This property is used only by the P-Asserted-Identity authentication module and should point to an identity-assertion-trust configuration element in domain.xml: trust-id-ref holds the id value of that identity-assertion-trust element.



Friday Jan 25, 2008

svn proxy settings

In case you get the error below and you need a proxy to access your source repository with svn,


svn: PROPFIND request failed on '/svn/glassfish-svn/trunk/v3/web/appserv-webtier'
svn: PROPFIND of '/svn/glassfish-svn/trunk/v3/web/appserv-webtier': Could not resolve hostname `svn.dev.java.net': No address associated with hostname (https://svn.dev.java.net)

then edit the "servers" file and set the HTTP proxy host and port to the appropriate values. The file lives in your home directory:

~/.subversion/servers
http-proxy-host = xxx.xxx.xxx.com
http-proxy-port = 8080

Wednesday Jan 09, 2008

Reactor subproject failure occurred

If you get the error below when setting up the Sailfin development workspace, the likely cause is that your maven checkout and maven bootstrap-all commands failed. Check the logs and update your sources, or run the checkout and bootstrap-all commands again from scratch.

build-pe:
[echo] ------------------------------
[echo] - Building GlassFish modules -
[echo] ------------------------------
[echo] Resolving appserv-docs binary dependency
Starting the reactor...

BUILD FAILED
File...... /home/venu/work/workspace/sailfin/bootstrap/maven.xml
Element... maven:reactor
Line...... 52
Column.... 40
Unable to obtain goal [build] -- /home/venu/work/workspace/sailfin/bootstrap/../../glassfish/bootstrap/maven.xml:264:40: Reactor subproject failure occurred

Wednesday Jan 02, 2008

Using Digest Authentication with SIP Servlets

It is time to write in detail on how to use security features available in Sailfin, so here we go.

Before you begin follow these two common steps.
  1. Download latest stable sailfin build from here.
  2. Install Netbeans 6.0 with SIP plugin. You will find this installation document useful.

In this entry I will show how to enable SIP Digest Authentication for a SIP Servlet application and authenticate with a SIP client (we have tried Twinkle, available on Ubuntu, and X-Lite).


Step 1 : Create a new SIP Project in Netbeans as shown in Figure 1.

Figure 1

Step 2 : Create a new SIP Servlet as shown in Figure 2.

Figure 2

Step 3 : Netbeans generates the SIP servlet with empty methods; I changed it to look like what is seen in Figure 3.

Figure 3

Step 4 : Now that we have created the servlet, we will configure the application server. Start the application server and the database using the following commands.

            To start the Sailfin Application Server
                        asadmin start-domain domain1

            To start the database
                        asadmin start-database

Figure 4

Step 5 : Log in to the Admin console ( http://localhost:4848 ) and create a JDBC resource as shown in Figure 5.

Figure 5

Step 6 : Now that we have created the JDBC resource we can go ahead and create a JDBC Digest Realm using the Admin console (shown in Figure 6).

Figure 6

Step 7 : The next step is to set up the backend. Connect to the database using Netbeans as shown in Figure 7 and run the SQL script.

Figure 7

Step 8 : Now that we have configured both the backend and the application server it is time to enable security in the SIP Servlet application. Create sip.xml and sun-sip.xml as shown in Figure 8 and Figure 9. The security constraint in sip.xml says that REGISTER requests must be authenticated and that only users with the manager role are allowed to register.

Figure 8

Figure 9

Step 9 : Now build and deploy the application on the SIP application server. You can do this either from Netbeans or from the command line (asadmin deploy <filename>).

Step 10 : Once the application is deployed, run the SIP client (in this case I used Twinkle). When the client tries to register, the user is asked for authentication information as shown in Figure 10; Figure 11 shows the application server logs once the user is authenticated and authorized.

Figure 10

Figure 11


Powered by ScribeFire.

Monday Dec 31, 2007

Security in Sailfin Milestone3

Sailfin milestone 3 is out and here is the list of features we added as per JSR 289. I will talk in detail on how to use each of these security features in my next blog.

We have provided support for

  • run-as
             - can be configured using standard descriptors (sip.xml), example:
                  <servlet>
                        <servlet-name>SipSample</servlet-name>
                        <display-name>SipSample</display-name>
                        <servlet-class>com.sun.test.SipSample</servlet-class>
                        <load-on-startup>0</load-on-startup>
                        <run-as>
                            <role-name>externalUser</role-name>
                        </run-as>
                 </servlet>

  • P-Asserted Identity authentication
          The P-Asserted-Identity form of authentication requires us to define trust rules. Sailfin lets users do this with configuration elements defined in domain.xml; both the GUI and the command line can be used to configure trust rules. A SIP entity on the network becomes part of the trust domain when its IP address or hostname is added under the trusted-entity element, as shown below. To let users define custom trust rules, Sailfin provides a TrustHandler interface which the user can implement.
           example:

                  <identity-assertion-trust id="default_id_assertion" is-default="true">
                         <!--
                              <trust-handler class-name="org.jvnet.glassfish.comms.security.auth.impl.TrustHandlerImpl">
                                  <property name="certstore" value="/home/venu/certstore.jks"/>
                             </trust-handler>
                         -->
                          <trusted-entity id="tr" trusted-as="intermediate">
                                <ip-address>129.158.229.124</ip-address>
                         </trusted-entity>
                  </identity-assertion-trust>

more soon......



International Conference on IP Multimedia Subsystems Architecture and Applications 2007 ( IMSAA 2007 )

Recently I had the opportunity to attend the IMSAA conference held at IIITB. It was a nice learning experience for a person like me who is new to the IMS world.
The conference was well organized [1]. We (Sun Microsystems) showcased our open-source communication application server named Sailfin;
you can find all that you will need on Prasad's blog.

I did not attend Prasad's tutorial as I knew most of it :), so instead I opted to attend other tutorials. Dr. Simon gave an excellent tutorial on IMS Service Architecture and was always around answering questions; Dr. Archan, in his tutorial, talked a lot about Presence and shared his experience. I found both the T1 and T6 tutorials very informative.

What caught my attention was a demo [2] given by IIITB students; they have done a good job of using and integrating the open-source products available and demonstrating their use. It was good to see
IIITB encouraging and preparing students to be more industry ready!

Finally, here are some photos [3] of the event, courtesy "Prof Debabrata Das".



[1]http://www.iiitb.ac.in/imsaa2007/schedule.html
[2]http://www.iiitb.ac.in/imsaa2007/demo.html
[3]http://picasaweb.google.com/IMSAA2007



Monday Sep 24, 2007

Implementing Custom Realms for Digest Authentication in Sun Java System Communication Application Server

Recently we refactored and enabled Digest authentication support for both the HTTP and SIP containers in Sun Java System Communication Application Server (SJSCAS/Sailfin). Supporting digest authentication against different backends can be done by writing a custom login module and a custom realm.

1.Custom Login Module
2.Custom Realm

1.Custom Login module:
A custom login module can be provided either by extending the com.sun.enterprise.security.auth.login.DigestLoginModule abstract class or by implementing the standard javax.security.auth.spi.LoginModule interface. If you choose to extend DigestLoginModule, the abstract method below has to be implemented. getGroups returns all the groups the user belongs to.

protected abstract Enumeration getGroups(String username);

The login module has to be configured in the login.conf file, found at $AS_INSTALL_HOME/domains/domain1/config/login.conf.
An example entry for the JDBC Digest login module in login.conf is shown below.

++++++

/* Copyright 2004 Sun Microsystems, Inc. All rights reserved. */
/* SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms. */

fileRealm {
    com.sun.enterprise.security.auth.login.FileLoginModule required;
};
ldapRealm {
    com.sun.enterprise.security.auth.login.LDAPLoginModule required;
};
solarisRealm {
    com.sun.enterprise.security.auth.login.SolarisLoginModule required;
};
jdbcRealm {
    com.sun.enterprise.security.auth.login.JDBCLoginModule required;
};
jdbcDigestRealm {
    com.sun.enterprise.security.auth.login.JDBCDigestLoginModule required;
};

++++++

A sample implementation of a DigestLoginModule subclass is shown below.

import java.util.Enumeration;
import java.util.logging.Level;
import java.util.logging.Logger;

import com.sun.enterprise.security.auth.login.DigestLoginModule;
import com.sun.enterprise.security.auth.realm.InvalidOperationException;
import com.sun.enterprise.security.auth.realm.NoSuchUserException;

public class JDBCDigestLoginModule extends DigestLoginModule {

    public JDBCDigestLoginModule() {
    }

    // Return every group the authenticated user belongs to. The realm the
    // container configured for this module (see domain.xml) performs the
    // actual JDBC lookup; the login module only delegates to it.
    protected Enumeration getGroups(String username) {
        try {
            return this.getRealm().getGroupNames(username);
        } catch (InvalidOperationException ex) {
            Logger.getLogger("global").log(Level.SEVERE, null, ex);
        } catch (NoSuchUserException ex) {
            Logger.getLogger("global").log(Level.SEVERE, null, ex);
        }
        return null;
    }
}


2.Custom Realm :

In order to provide a custom realm one has to write a new custom realm [1] or modify an existing realm by extending the com.sun.enterprise.security.auth.realm.DigestRealmBase abstract class. The method validate is abstract in DigestRealmBase:

public boolean validate(String username, DigestAlgorithmParameter[] params);

The implementor's validate method has to retrieve the password from the backend and invoke the validate method of the super class. The signature of the super class (DigestRealmBase) validate method is shown below. It returns true if digest validation succeeded and false if the digest does not match. The DigestAlgorithmParameter array carries the digest algorithm parameters retrieved from the incoming SIP/HTTP request.

protected final boolean validate(Password passwd, DigestAlgorithmParameter[] params) throws NoSuchAlgorithmException ;

com.sun.enterprise.security.auth.digest.api.Password is used to pass the password, either as a pre-hashed value (the hash of username:realmname:password, HA1 in RFC 2617 terms) or as plain text, to validate the digest.

public interface Password {

    public static final int PLAIN_TEXT = 0;
    public static final int HASHED = 1;

    /**
     * returns PLAIN_TEXT or HASHED.
     * @return int
     */
    public int getType();

    /**
     * returns password.
     * @return byte[]
     */
    public byte[] getValue();

}
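As an added Python example (not Sailfin's DigestRealmBase or its Password class), here is the arithmetic the two Password types feed, which is also what the Digest flow in the "Using Digest Authentication with SIP Servlets" entry above exchanges on the wire: the UA side builds the Authorization header the way a client such as Twinkle does after a 401 challenge, and the server side recomputes the response from either the clear-text password or the stored HA1 and compares it in constant time. Realm name, user, password and nonce are constructed values, and the HASHED form carries HA1 as a hex string rather than Sailfin's byte[]:

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

PLAIN_TEXT, HASHED = 0, 1        # the two Password.getType() values


@dataclass
class Password:
    type: int
    value: str                   # clear-text password, or hex HA1 when type == HASHED


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """RFC 2617 HA1 = MD5(username:realm:password): the value a backend can store
    instead of the password; it is only valid for this one realm."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(h1: str, method: str, uri: str, nonce: str,
                    nc=None, cnonce=None, qop=None) -> str:
    h2 = _md5(f"{method}:{uri}")                       # HA2 binds the method and Request-URI
    if qop == "auth":
        return _md5(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")
    return _md5(f"{h1}:{nonce}:{h2}")                  # RFC 2069 form, no qop


_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header: str) -> dict:
    """'Digest username="bob", realm="r", nc=00000001, ...' -> parameter dict."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(params)}


def client_authorization(username, realm, password, method, uri, nonce,
                         qop="auth", cnonce="0a4f113b", nc="00000001") -> str:
    """UA side: the Authorization header a client sends after a 401 challenge."""
    response = digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce, qop)
    parts = [f'username="{username}"', f'realm="{realm}"', f'nonce="{nonce}"',
             f'uri="{uri}"', f'response="{response}"', "algorithm=MD5"]
    if qop:
        parts += [f'cnonce="{cnonce}"', f"nc={nc}", f"qop={qop}"]
    return "Digest " + ", ".join(parts)


def validate(passwd: Password, params: dict, method: str, realm: str) -> bool:
    """Server side, the counterpart of DigestRealmBase.validate(Password, params):
    recompute the response from the stored credential and compare in constant time.
    `method` comes from the request line, not from the header, so a captured
    REGISTER response cannot be replayed to authorize an INVITE."""
    if params.get("realm") != realm:                   # a stored HA1 is bound to one realm
        return False
    h1 = passwd.value if passwd.type == HASHED else ha1(params.get("username", ""), realm, passwd.value)
    expected = digest_response(h1, method, params.get("uri", ""), params.get("nonce", ""),
                               params.get("nc"), params.get("cnonce"), params.get("qop"))
    return hmac.compare_digest(expected, params.get("response", ""))


if __name__ == "__main__":
    hdr = client_authorization("bob", "sip.example.com", "secret", "REGISTER",
                               "sip:sip.example.com", "dcd98b7102dd2f0e8b11d0f600bfb0c093")
    print(hdr)
    print(validate(Password(PLAIN_TEXT, "secret"), parse_authorization(hdr), "REGISTER", "sip.example.com"))
```

Nonce freshness is deliberately left to the NonceManager described in the later entry on this page; `validate` trusts whatever nonce the container has already accepted, exactly as DigestRealmBase.validate only sees the parameters it is handed.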

This custom realm can be configured for use in SIP/HTTP applications as described in docs [2].

You can download sailfin/SJSCAS builds from https://sailfin.dev.java.net/.

[1]http://docs.sun.com/app/docs/doc/819-3659/6n5s6m58k?a=view
[2]http://docs.sun.com/app/docs/doc/819-3658/6n5s5nkmq?l=en&a=view#ablpi



Note : Interfaces and classes described above are subject to improvement and change in future milestone releases of SJSCAS


Wednesday Aug 29, 2007

Sailfin/Sun Java System Communication Application Server/SJSCAS

For the past couple of months I have been working on implementing security features for Sailfin. Sailfin is based on JSR 289, and all the functional specifications under development are posted here. You can post your comments on features and requirements using the template posted here.

JSR 289 requires Sailfin to support Digest authentication and P-Asserted-Identity. We have enabled Digest authentication for both the SIP and HTTP containers, and you should be able to try it out using the latest builds. I will soon write on how to configure Digest authentication for the HTTP and SIP containers in SJSCAS/Sailfin.




Tuesday Jun 12, 2007

Project Tango releases WSIT Milestone 5

Like Harold said in his blog, this milestone has lots of fixes, and it is not too late to provide feedback on any issues you think need to be fixed. So go ahead and file them....



Wednesday May 09, 2007

WS Security @ Java One 2007

We have a BOF (4108) at JavaOne this year. Jiandong, Ashutosh and Shyam will be available to discuss how to build secure Web Services in an interoperable manner using WSIT. To learn more please visit Hall E 134, Moscone Center, on Thursday (May 10) at 7.55 PM.



Tuesday Apr 17, 2007

WSIT Security Configuration

Kumar recently wrote a nice article which covers some important details about WSIT Security Configuration. If you want to learn all about WSIT Security Token Validators then this is the article you need to read.

Tuesday Apr 03, 2007

Configuring Message Parts to be secured in WSIT 1.0

WSIT 1.0 allows different message parts (eg: Addressing Headers, SOAP Body etc.) to be either signed or encrypted. Netbeans provides an easy way to configure which message parts have to be secured. One can configure an application such that only the responses from the server are secured while the requests from the client to the server are plain SOAP messages.

                                                          Snapshot 1: Input and Output Message parts

Snapshot 1 shows the Message Parts tabs for the Input and Output Message under the operation getAccountBalance. These tabs allow the user to configure the message parts to be signed/encrypted for the getAccountBalance request from the client and the getAccountBalance response from the server.

Snapshot 2 : Message Parts that are Signed and Encrypted by default

Snapshot 2 shows the message parts that are signed and encrypted by default. As seen in snapshot 2, the user has the option to change the default configuration by adding/removing message parts.

For eg: If the user wants to secure only the response message from the server and not the request, then the user needs to unselect all the Message Parts under Input Message as shown in snapshot 3.

Snapshot 3: All Message Parts unselected (Message will be secured).

Note : Even though none of the message parts shown above may be secured, the SOAP message may still carry a
Security header with a Signature and Timestamp, depending on the binding-level policy.

WSIT is available as part of Glassfish v2.


