Friday Nov 28, 2008

Support for RFC 4474 in Sailfin Application Server

Introduction

To learn what Identity authentication (RFC 4474) is all about, read [1] and [2].

JSR 289 :

JSR 289 adds the following elements to sip.xml, under login-config:

<identity-assertion>
    <identity-assertion-scheme>Identity</identity-assertion-scheme>
    <identity-assertion-support></identity-assertion-support>
    <!-- SUPPORTED and REQUIRED are the allowed values for identity-assertion-support -->
</identity-assertion>

As per JSR 289, Sailfin supports Identity authentication in two modes, SUPPORTED and REQUIRED. When SUPPORTED is used, incoming SIP messages are processed as follows:

  a) If an Identity header is present, it is validated and used to establish the identity of the sender.

  b) If no Identity header is present, the authentication method configured in the auth-method element (if one is configured) is applied instead.

When REQUIRED is used, a request matched by a security constraint must carry an Identity header; there is no fallback to auth-method, and a request without one is rejected.

<login-config>
    <identity-assertion>
        <identity-assertion-scheme>Identity</identity-assertion-scheme>
        <identity-assertion-support>SUPPORTED</identity-assertion-support>
    </identity-assertion>
</login-config>


                                or


<login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>realmperapp</realm-name>
    <identity-assertion>
        <identity-assertion-scheme>Identity</identity-assertion-scheme>
        <identity-assertion-support>REQUIRED</identity-assertion-support>
    </identity-assertion>
</login-config>


Steps to configure the Identity authentication module :

Configuring the Identity authentication module breaks down into the following three steps:

  1. Configuring a security realm

  2. Configuring security for the SIP application

  3. Adding the root certificate of the CA that issued the certificate used to sign the Identity header (the certificate referenced by the Identity-Info header) to the server's cacerts.jks trust store. Any Identity header whose signing certificate chains to a CA in that store passes the trust check, so keep the store limited to CAs you actually trust.

Configuring Security Realm :

The Identity authentication module needs a security realm whose JAAS context value is “assertedRealm”. Follow the steps below to configure the realm.

Steps :

  • Open the Sailfin administration console; the default URL is http://localhost:4848

  • Click on the Configuration tab

  • Click on Security

  • Click on Realms

  • Click New to create a new realm, see figure

  • Enter the realm name (this is the name sun-sip.xml later refers to in trust-auth-realm-ref)

  • Select JDBCRealm as the class name

  • Enter “assertedRealm” for JAAS Context

  • Enter the JDBC resource you want to use in the JNDI column

Set the rest of the values according to your database table structure; please refer to the figures attached at the end of this blog.
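The realm that the console steps above create can also be written directly into domain.xml. The following is an added example, not taken from the original post or from Sailfin's own files: the realm name asserted_realm is the one the sun-sip.xml sample further down uses, while the JDBC resource name jdbc/sipusers and the table and column names are assumptions that you must replace with your own schema.

```xml
<!-- Added example (not from the original post): domain.xml excerpt for the realm that the
     Identity module uses. jdbc/sipusers and the table/column names are assumptions. -->
<security-service>
  <!-- The existing realms (admin-realm, file, certificate) and the jacc-provider are omitted here. -->
  <!-- name="asserted_realm" is the value that trust-auth-realm-ref in sun-sip.xml must point to. -->
  <auth-realm classname="com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm" name="asserted_realm">
    <!-- The Identity and P-Asserted modules look for this exact JAAS context. -->
    <property name="jaas-context" value="assertedRealm"/>
    <!-- JDBC resource (Resources > JDBC) through which users and groups are looked up. -->
    <property name="datasource-jndi" value="jdbc/sipusers"/>
    <property name="user-table" value="sip_user"/>
    <property name="user-name-column" value="username"/>
    <property name="password-column" value="password"/>
    <!-- The group table is queried by the same user-name-column, so it must use the same
         user names that the PrincipalMapper produces from the asserted SIP identity. -->
    <property name="group-table" value="sip_user_group"/>
    <property name="group-name-column" value="groupname"/>
  </auth-realm>
</security-service>
```

With this realm in place, a request whose Identity header verifies and whose asserted user is venu or jagan, or any user whose sip_user_group row carries the groupname Management, ends up in the manager role through the security-role-mapping shown in the sun-sip.xml sample below. No password is checked on this path; the realm only supplies the group membership for the asserted principal.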

Configuring security for SIP application :

To enable authentication and authorization of requests to an application, we need to configure the following elements in sip.xml and sun-sip.xml.

Elements in sip.xml (these are similar to their web.xml counterparts, with minor changes):

             <security-constraint>
             <login-config>
             <security-role>

Please read the documentation [3] or the schema file to learn more about these elements. The sample configuration shown below means: REGISTER and INVITE requests to SecurityTestServlet can only be sent by users in the manager role, and every such request MUST carry an Identity header, which is used to authenticate the sender and to determine the sender's roles.

<security-constraint>
    <display-name>UserConstraint</display-name>
    <resource-collection>
        <servlet-name>SecurityTestServlet</servlet-name>
        <sip-method>REGISTER</sip-method>
        <sip-method>INVITE</sip-method>
    </resource-collection>
    <auth-constraint>
        <description>authentication-configuration</description>
        <role-name>manager</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>realmperapp</realm-name>
    <identity-assertion>
        <identity-assertion-scheme>Identity</identity-assertion-scheme>
        <identity-assertion-support>REQUIRED</identity-assertion-support>
    </identity-assertion>
</login-config>

<security-role>
    <description/>
    <role-name>manager</role-name>
</security-role>

Elements in sun-sip.xml

  • property “trust-auth-realm-ref”

  • element “security-role-mapping”

The security-role-mapping element is the same as the security-role-mapping element in sun-web.xml. trust-auth-realm-ref refers to the Identity realm configured in domain.xml: its value is the realm name you entered in the console (asserted_realm in the sample below), i.e. the realm whose JAAS context is assertedRealm, not the JAAS context string itself.

<sun-sip-app error-url="">
    <jsp-config>
        <property name="classdebuginfo" value="true">
            <description>Enable debug info compilation in the generated servlet class</description>
        </property>
        <property name="mappedfile" value="true">
            <description>Maintain a one-to-one correspondence between static content and the generated servlet class' java code</description>
        </property>
    </jsp-config>
    <property name="trust-auth-realm-ref" value="asserted_realm"/>
    <security-role-mapping>
        <role-name>manager</role-name>
        <principal-name>venu</principal-name>
        <principal-name>jagan</principal-name>
        <group-name>Management</group-name>
    </security-role-mapping>
</sun-sip-app>


[1] http://www.tech-invite.com/Ti-sec-identity.html

[2] http://www.ietf.org/rfc/rfc4474.txt

[3] http://docs.sun.com/app/docs/doc/819-3669/bncbj?l=en&a=view&q=security-constraint


Thursday Nov 27, 2008

Configuration elements for Identity authentication(RFC 4474)

IdentityValidatorConfiguration :

This property configures the Identity (RFC 4474) authentication module in Sailfin. Its value is a list of name=value pairs separated by commas. The property is set under the security element in domain.xml; use the Administration UI as shown here.

e.g.: maxClockSkew=30000, timestampFreshnessLimit=360000

  • maxClockSkew

The maximum difference allowed between the system clocks of the sender and the recipient. The value is specified in milliseconds.

  • timestampFreshnessLimit

The maximum age after which the timestamp (the Date header, which is covered by the Identity signature) is considered stale. The value MUST be specified in milliseconds; the default is 600 seconds (600000). A message whose Date is older than this limit fails validation even if its signature is correct, which is what bounds how long a captured request can be replayed.

  • enableRevocationCheck

If this flag is set to true, the default revocation checking mechanism of the underlying PKIX service provider is used to check the signing certificate. The default is false, which means a revoked signing certificate still validates; enable this flag, or supply a certificateValidator, for production deployments.

  • certificateValidator

The class name of a custom certificate validator implemented by the user. The class must implement the org.glassfish.comms.api.security.auth.CertificateValidator interface.

PrincipalMapper

This property is used by the Identity and P-Asserted authentication modules of Sailfin. A PrincipalMapper converts the asserted user name (for Identity, the identity taken from the From header) into a form understood by the Sailfin container, so that it can be matched against the realm and the security-role-mapping. The property is optional; a default implementation is provided by Sailfin. Its value is the name of a class that implements the com.sun.enterprise.security.auth.PrincipalMapper interface. Like IdentityValidatorConfiguration, it is configured under the security element in domain.xml; use the Administration UI as shown here. Each application using P-Asserted / Identity authentication creates its own instance of the PrincipalMapper implementation class.
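How the two properties described above sit together in domain.xml, as an added example that is not from the original post. It assumes that the "security element" referred to above is GlassFish's security-service element, that the property is named PrincipalMapper as in the heading above, and that com.example.sip.UriPrincipalMapper is a placeholder for your own implementation of the PrincipalMapper interface:

```xml
<!-- Added example (not from the original post). The PrincipalMapper class name is a placeholder;
     leave that property out to use Sailfin's default implementation. -->
<security-service>
  <!-- auth-realm, jacc-provider and the other children of security-service are omitted. -->
  <!-- 30 s clock skew, 10 min freshness window (the documented default, in milliseconds),
       and revocation checking of the signing certificate switched on. -->
  <property name="IdentityValidatorConfiguration"
            value="maxClockSkew=30000, timestampFreshnessLimit=600000, enableRevocationCheck=true"/>
  <!-- Class implementing com.sun.enterprise.security.auth.PrincipalMapper (placeholder name). -->
  <property name="PrincipalMapper" value="com.example.sip.UriPrincipalMapper"/>
</security-service>
```

The validator settings are server-wide (one security-service per server configuration), whereas each deployed application that uses Identity or P-Asserted authentication instantiates its own copy of the PrincipalMapper class. If Identity validation starts failing on the Date check, fix the clock drift between the signing authentication service and this server rather than widening maxClockSkew, since a larger skew allowance also lengthens the window in which a captured request can be replayed.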

Properties in sun-sip.xml

  • trust-auth-realm-ref

Used by both the Identity and the P-Asserted authentication modules; it should point to a security realm whose jaas-context value is “assertedRealm”.

  • trust-id-ref

Used only by the P-Asserted authentication module; it should point to an identity-assertion-trust configuration element in domain.xml. The value of trust-id-ref is the id of that identity-assertion-trust element.



About

venu
