Thursday Nov 27, 2008

Configuration elements for Identity authentication(RFC 4474)

IdentityValidatorConfiguration :

property enables users to configure Identity (RFC 4474) authentication module in Sailfin, the property has name value pairs seperated by a comma as configuration parameters.This property can be configured under security element in domain.xml, use the Administration UI as shown here.

eg: maxClockSkew=30000, timestampFreshnessLimit=360000

  • maxClockSkew

This sets the maximum difference allowed between the system clocks of the sender and recipient. The value is specified in milliseconds.

  • timestampFreshnessLimit

Sets the maximum duration of time after which the timestamp becomes stale, the value MUST be specified in milliseconds and the default value is 600 seconds.

  • enableRevocationCheck

if this flag is set to true, the default revocation checking mechanism of the underlying PKIX service provider will be used, by default value is false.

  • certificateValidator

specifies the class name of custom certificate validator implemented by the user, this class must implement interface.


is used by Identity and P-Asserted authentication modules of sailfin. PrincipalMapper is used convert user names to format understood by the Sailfin container, This property is optional and a default implementation is provided by Sailfin. This property points to a class name which implements interface. This property can be configured under security element in domain.xml, use the Administration UI as shown here. Each application using P-Asserted / Identity authentication creates its own instance of PrincipalMapper implementation class.

Properties in sun-sip.xml

  • trust-auth-realm-ref

property is used by Identity and P-Asserted authentication modules and should point to any security realm with “assertedRealm” as jaas-context value.

  • trust-id-ref

property is used only by P-Asserted authentication module and should point to identity-assertion-trust configuration element in domain.xml. Trust-id-ref will have id value of “ identity-assertion-trust” element.

Wednesday Jan 02, 2008

Using Digest Authentication with SIP Servlets

It is time to write in detail on how to use security features available in Sailfin, so here we go.

Before you begin follow these two common steps.
  1. Download latest stable sailfin build from here.
  2. Install Netbeans 6.0 with SIP plugin. You will find this installation document useful.

In this entry I will share on how to enable SIP Digest Authentication for SIP Servlet Application and authenticate using a SIP Client(We have tried Twinkle available with Ubuntu and X-Lite)

Step 1:

Create a new SIP Project in Netbeans as shown in Fig1.

Figure: 1

Step 2 :  Create a new Sip Servlet as shown in Figure 2

Figure 2

Step 3 :  Netbeans generates the SIP servlet with empty methods, I changed it to look like what is seen in figure 3.

Figure 3

Step 4 :  Now that we have created the servlet, we will now proceed to configure the application server.
            To do this Start the application server and database using following commands

            To start Sailfin Application server
                        asadmin start-domain domain1

            To start database   
                       asadmin start-database

Figure : 4

Step 5  Login into Admin console( http://localhost:4848 ) and create JDBC resource as shown in Figure 5

 Figure : 5

Step 6 : Now that we have created the JDBC resource we can now go ahead and create JDBC Digest Realm using the Admin console (shown in Figure 6)

Figure:  6

Step 7 :  Next step is to setup the backend . Connect to the database using Netbeans as shown in Figure 7 and run the following sql script.

Figure 7

Step 8 : Now that we have configured both the backend and the application server it is time to enable security in the SIP Servlet application.Create sip.xml and sun.xml as shown in Figure 8 and Figure 9.  The security constraint in sip.xml shows that REGISTER methods should be authenticated and only users with manager role should be allowed to register.

Figure 8

Figure : 9

Step 9 : Now build and deploy the application on to the Sip Application server. You can either do this using Netbeans or command line option (asadmin deploy <filename>).

Step 10 : Once the application is deployed run the SIP Client(In this case I used twinkle) . When the client tries to register user will be requested to enter authentication information as shown in Figure 10 and Figure 11 shows logs in Application server once the user is authenticated and authorized.

Figure: 10

Figure : 11

Powered by ScribeFire.

Monday Sep 24, 2007

Implementing Custom Realms for Digest Authentication in Sun Java System Communication Application Server

Recently we refactored and enabled Digest authentication support for both HTTP and SIP Container in Sun Java System Communication Application Server(SJSCAS/Sailfin).Supporting digest authentication with different backends can be done by writing custom Login modules and a custom realm.

1.Custom Login Module
2.Custom Realm

1.Custom Login module:
can be provided either by abstract class or by implementing standard interface. If one chooses to extend from DigestLogin module class then below mentioned abstract method has to be implemented. The getGroups method returns all the groups the user belongs to.

protected abstract Enumeration getGroups(String username);

The login module has to be configured in login.conf file under $AS_INSTALL_HOME/domains/domain1/config/login.conf directory.
Eg: of JDBC Digest Login module in login.conf file is shown below


/\* Copyright 2004 Sun Microsystems, Inc. All rights reserved. \*/
/\* SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms. \*/

fileRealm { required;
ldapRealm { required;
solarisRealm { required;
jdbcRealm { required;
jdbcDigestRealm { required;


Sample implementation of DigestLogin Module is shown below.

public class JDBCDigestLoginModule extends DigestLoginModule {

public JDBCDigestLoginModule() {

protected Enumeration getGroups(String username) {

   try {

    return this.getRealm().getGroupNames(username);

   } catch (InvalidOperationException ex) {

   Logger.getLogger("global").log(Level.SEVERE, null, ex);

   } catch (NoSuchUserException ex) {

   Logger.getLogger("global").log(Level.SEVERE, null, ex);


   return null;



2.Custom Realm :

Inorder to provide a custom realm one has to write a new custom realm[1] or modfiy existing realms by extending from abstract class. The method validate is an abstract method in DigestRealmBase.

public boolean validate(String username, DigestAlgorithmParameter[] params);

the implementors validate function will have to retrieve the password from the backend and invoke the validate method of the super class. The validate method syntax of the super class DigestRealmBase is shown below. The validate method will return true if digest validation has succeeded or false if digest does not match. The DigestAlgorithmParameter parameter shown below represents the digest algorithm parameters retrieved from incoming SIP/HTTP request.

protected final boolean validate(Password passwd, DigestAlgorithmParameter[] params) throws NoSuchAlgorithmException ; is used to pass the password either a prehashed (username+realmname+password) password or plain text password to validate the digest.

public interface Password {

public static final int PLAIN_TEXT= 0;
public static final int HASHED = 1;

\* returns PLAIN_TEXT or HASHED.
\* @returns int
    public int getType();

\* returns password.
\* @returns byte[]
  public byte[] getValue();


This custom realm can be configured for use in SIP/HTTP applications as described in docs [2].

You can download sailfin/SJSCAS builds from


Note : Interfaces and classes described above are subject to improvement and change in future milestone releases of SJSCAS

Powered by ScribeFire.




« December 2016