Thursday Oct 29, 2009

Installing diameter on Sailfin 2.0

Diameter will soon be available as a paid add-on module for Sailfin 2.0. Naman has written up how to install and configure Diameter on Sailfin 2.0 here.

Wednesday Jan 07, 2009

P-Asserted-Identity authentication in Sailfin Communication Server

P-Asserted-Identity authentication in Sailfin is based on RFC 3325 and the requirements of JSR 289.

Steps to configure P-Asserted-Identity authentication

We will break the configuration of the P-Asserted-Identity authentication module into the following steps:

       1. Configuring security realm
       2. Configuring Trust
       3. Configuring security for SIP Applications

1.Configuring security realm

Refer to section Configuring security realm in my previous blog entry.

2.Configuring Trust

  • Open sailfin administration console, default url will be http://localhost:4848
  • Click on Configuration tab
  • Click on Trust configurations

You can now either create a new trust configuration element or edit one if you already have it.
When you create a new trust configuration you can either choose a static configuration or write your own custom trust handler (which determines whether the host a message is received from or sent to is trusted).

Here are some snapshots 1 & 2.

The default trust handler provided by Sailfin trusts all hosts and maps the value in P-Asserted-Identity to a format suitable for the container's authentication and authorization tasks. For example, the value "Cullen Jennings" will be mapped/formatted to "CullenJ". Because the default handler trusts every host, any peer can assert an identity; for a production deployment, restrict the trusted hosts with a static trust configuration or a custom trust handler, as RFC 3325 expects a defined trust domain.

3.Configuring security for SIP Applications.

  • Configuration as per JSR 289
           1.Login configuration
           2.Securing methods

  • Implementation specific configuration
           1.Configuring sun-sip.xml

Configuration as per JSR 289.

1.Login configuration

JSR 289 specific configuration elements (standard configuration) are defined in sip.xml; sip.xml has the following additional elements under login-config.

As per JSR 289, Sailfin supports P-Asserted-Identity authentication in two modes (SUPPORTED, REQUIRED). When the SUPPORTED value is used, incoming SIP messages are processed as follows:

a) if the P-Asserted-Identity header is present, process it.

b) if the P-Asserted-Identity header is not present, apply the authentication method configured in the auth-method element.


<identity-assertion>
    <identity-assertion-scheme>P-Asserted-Identity</identity-assertion-scheme>
    <identity-assertion-support></identity-assertion-support>
    <!-- SUPPORTED/REQUIRED are the supported values for identity-assertion-support -->
</identity-assertion>


<login-config>
    <identity-assertion>
        <identity-assertion-scheme>P-Asserted-Identity</identity-assertion-scheme>
        <identity-assertion-support>SUPPORTED</identity-assertion-support>
    </identity-assertion>
</login-config>

or

<login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>realmperapp</realm-name>
    <identity-assertion>
        <identity-assertion-scheme>Identity</identity-assertion-scheme>
        <identity-assertion-support>REQUIRED</identity-assertion-support>
    </identity-assertion>
</login-config>


When P-Asserted-Identity scheme is REQUIRED by the application, the P-Asserted-Identity header MUST be present in the request. If the P-Asserted-Identity header is not present, Sailfin will reject the request with a 403 response. If authorization of the Identity specified by P-Asserted-Identity header fails, Sailfin will return a 403 response.
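The following stand-alone Java class is an added example (not Sailfin code, and not using its trust-handler or servlet APIs) that shows how the SUPPORTED and REQUIRED modes above combine with the RFC 3325 trust domain: an asserted identity is only usable when it arrives from a trusted host, REQUIRED turns a missing or untrusted header into a 403, and SUPPORTED falls back to the configured auth-method. The trusted-host list, the principal mapping (user part of the first SIP URI) and the 403 outcome for an unparseable header are this example's assumptions.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example: how identity-assertion-support (SUPPORTED / REQUIRED) and the
 * RFC 3325 trust domain decide what happens to an incoming request.
 * Stand-alone; not Sailfin code.
 */
public class PaiDecision {

    /** What the container should do with the request. */
    public enum Outcome { ASSERTED_IDENTITY, FALLBACK_AUTH_METHOD, REJECT_403 }

    public static final class Result {
        public final Outcome outcome;
        public final String principal;   // container user name, or null
        Result(Outcome outcome, String principal) {
            this.outcome = outcome;
            this.principal = principal;
        }
        @Override public String toString() {
            return principal == null ? outcome.toString() : outcome + " as " + principal;
        }
    }

    /** Hosts inside the trust domain (the equivalent of a static trust configuration). */
    private final Set<String> trustedHosts;

    public PaiDecision(Set<String> trustedHosts) {
        this.trustedHosts = trustedHosts;
    }

    /**
     * @param supportMode value of identity-assertion-support: SUPPORTED or REQUIRED
     * @param sourceHost  host the request was received from
     * @param paiHeader   P-Asserted-Identity header value, or null when absent
     */
    public Result process(String supportMode, String sourceHost, String paiHeader) {
        boolean required = "REQUIRED".equalsIgnoreCase(supportMode);
        // RFC 3325: an asserted identity only means something when it comes from a
        // host inside the trust domain; from anywhere else the header is ignored.
        boolean usable = paiHeader != null && trustedHosts.contains(sourceHost);
        if (usable) {
            String user = mapToPrincipal(paiHeader);
            // Present but unusable (no SIP URI user part): treated here like a
            // failed authorization of the asserted identity (assumption).
            return user == null ? new Result(Outcome.REJECT_403, null)
                                : new Result(Outcome.ASSERTED_IDENTITY, user);
        }
        // REQUIRED: header missing or untrusted source -> 403.
        // SUPPORTED: fall back to the auth-method configured in sip.xml.
        return required ? new Result(Outcome.REJECT_403, null)
                        : new Result(Outcome.FALLBACK_AUTH_METHOD, null);
    }

    /**
     * Maps the asserted identity to a user name: the user part of the first
     * sip:/sips: URI. Stands in for the mapping a trust handler performs.
     */
    static String mapToPrincipal(String pai) {
        for (String part : pai.split(",")) {   // the header may carry several values
            int lt = part.indexOf('<'), gt = part.indexOf('>');
            String uri = (lt >= 0 && gt > lt) ? part.substring(lt + 1, gt) : part.trim();
            if (uri.startsWith("sip:") || uri.startsWith("sips:")) {
                String addr = uri.substring(uri.indexOf(':') + 1);
                int at = addr.indexOf('@');
                if (at > 0) return addr.substring(0, at);
            }
        }
        return null;   // e.g. only a tel: URI, or nothing parseable
    }

    public static void main(String[] args) {
        // Constructed sample values: one trusted proxy and one outside host.
        PaiDecision decision = new PaiDecision(new HashSet<>(Arrays.asList("192.0.2.10")));
        String pai = "\"Alice\" <sip:alice@example.com>";
        System.out.println(decision.process("SUPPORTED", "192.0.2.10", pai));
        System.out.println(decision.process("SUPPORTED", "192.0.2.10", null));
        System.out.println(decision.process("REQUIRED", "192.0.2.10", null));
        System.out.println(decision.process("REQUIRED", "203.0.113.9", pai));
    }
}
```

Running the class prints one line per case: the asserted identity is accepted as "alice" only from the trusted host, the missing header falls back to the auth-method under SUPPORTED, and both the missing header under REQUIRED and the header from the untrusted host end in a 403. The last case is the one to keep in mind when evaluating a trust-all handler: without a host check, the fourth call would also succeed.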

2.Securing methods

   JSR 289 defines the security-constraint element (auth-constraint and resource-collection), which lets users configure the SIP methods that need to be secured, i.e. accessible only to authorized users.

Please refer to the sample sip.xml file for more details.

Implementation specific configuration

1.Configuring sun-sip.xml

The following elements and properties need to be configured in sun-sip.xml:

the security-role-mapping element, to enable principal-to-role mapping;

the properties trust-id-ref and trust-auth-realm-ref; please refer to my previous blog entry to learn about these properties.


Friday Jan 25, 2008

svn proxy settings

In case you get the error shown below and you need to use a proxy to access your source repository with svn


svn: PROPFIND request failed on '/svn/glassfish-svn/trunk/v3/web/appserv-webtier'
svn: PROPFIND of '/svn/glassfish-svn/trunk/v3/web/appserv-webtier': Could not resolve hostname `svn.dev.java.net': No address associated with hostname (https://svn.dev.java.net)

then edit the "servers" file in your home directory and set the HTTP proxy host and port to the appropriate values. The two settings go under the [global] section of that file:

~/.subversion/servers

[global]
http-proxy-host = xxx.xxx.xxx.com
http-proxy-port = 8080

Monday Sep 24, 2007

Implementing Custom Realms for Digest Authentication in Sun Java System Communication Application Server

Recently we refactored and enabled Digest authentication support for both the HTTP and SIP containers in Sun Java System Communication Application Server (SJSCAS/Sailfin). Supporting digest authentication against different backends can be done by writing a custom login module and a custom realm.

1.Custom Login Module
2.Custom Realm

1.Custom Login module:
can be provided either by extending the com.sun.enterprise.security.auth.login.DigestLoginModule abstract class or by implementing the standard javax.security.auth.spi.LoginModule interface. If one chooses to extend DigestLoginModule, the abstract method shown below has to be implemented. The getGroups method returns all the groups the user belongs to.

protected abstract Enumeration getGroups(String username);

The login module has to be configured in the login.conf file, located at $AS_INSTALL_HOME/domains/domain1/config/login.conf.
An example entry for a JDBC Digest login module in login.conf is shown below

++++++

/* Copyright 2004 Sun Microsystems, Inc. All rights reserved. */
/* SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms. */

fileRealm {
com.sun.enterprise.security.auth.login.FileLoginModule required;
};
ldapRealm {
com.sun.enterprise.security.auth.login.LDAPLoginModule required;
};
solarisRealm {
com.sun.enterprise.security.auth.login.SolarisLoginModule required;
};
jdbcRealm {
com.sun.enterprise.security.auth.login.JDBCLoginModule required;
};
jdbcDigestRealm {
com.sun.enterprise.security.auth.login.JDBCDigestLoginModule required;
};

++++++

A sample DigestLoginModule implementation is shown below.

import java.util.Enumeration;
import java.util.logging.Level;
import java.util.logging.Logger;

// Package names as in the GlassFish v2 / Sailfin code base.
import com.sun.enterprise.security.auth.login.DigestLoginModule;
import com.sun.enterprise.security.auth.realm.InvalidOperationException;
import com.sun.enterprise.security.auth.realm.NoSuchUserException;

public class JDBCDigestLoginModule extends DigestLoginModule {

    public JDBCDigestLoginModule() {
    }

    /** Returns the groups of the user, as known to the realm this module is bound to. */
    protected Enumeration getGroups(String username) {
        try {
            return this.getRealm().getGroupNames(username);
        } catch (InvalidOperationException ex) {
            Logger.getLogger("global").log(Level.SEVERE, null, ex);
        } catch (NoSuchUserException ex) {
            Logger.getLogger("global").log(Level.SEVERE, null, ex);
        }
        // No groups could be determined; the caller treats this as an empty group set.
        return null;
    }
}


2.Custom Realm :

In order to provide a custom realm, one has to write a new custom realm [1] or modify an existing realm by extending the com.sun.enterprise.security.auth.realm.DigestRealmBase abstract class. The method validate is an abstract method of DigestRealmBase.

public boolean validate(String username, DigestAlgorithmParameter[] params);

The implementor's validate function has to retrieve the password from the backend and invoke the validate method of the super class. The signature of the super class DigestRealmBase's validate method is shown below. It returns true if digest validation succeeded, or false if the digest does not match. The DigestAlgorithmParameter array represents the digest algorithm parameters retrieved from the incoming SIP/HTTP request.

protected final boolean validate(Password passwd, DigestAlgorithmParameter[] params) throws NoSuchAlgorithmException ;

com.sun.enterprise.security.auth.digest.api.Password is used to pass the password to the digest validation, either as a pre-hashed value (hash of username, realm name and password) or as a plain-text password.

public interface Password {

    public static final int PLAIN_TEXT = 0;
    public static final int HASHED = 1;

    /**
     * returns PLAIN_TEXT or HASHED.
     * @return int
     */
    public int getType();

    /**
     * returns the password bytes.
     * @return byte[]
     */
    public byte[] getValue();

}
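To make concrete what the two Password types mean for a validate implementation, here is an added, stand-alone Java example (independent of Sailfin and of DigestRealmBase; the method names and the challenge values are constructed for this example). It computes the RFC 2617 response both from a plain-text password and from a stored HA1 (MD5 of username:realm:password), which is the value a HASHED Password carries, and compares it with the client's response in constant time.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Added example: what a DigestRealmBase-style validate() must compute for the
 * two Password types. Stand-alone Java, independent of Sailfin; the method
 * names and the sample challenge values are this example's own.
 */
public class DigestMath {

    // Same values as the Password interface above.
    static final int PLAIN_TEXT = 0;
    static final int HASHED = 1;

    static String md5Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.ISO_8859_1));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 missing", e);
        }
    }

    /** HA1 = MD5(username:realm:password); this is what a HASHED Password carries. */
    static String ha1(String user, String realm, String password) {
        return md5Hex(user + ":" + realm + ":" + password);
    }

    /** Expected RFC 2617 response for qop=auth, with HA2 = MD5(method:uri). */
    static String expectedResponse(String ha1, String method, String uri,
                                   String nonce, String nc, String cnonce, String qop) {
        String ha2 = md5Hex(method + ":" + uri);
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2);
    }

    /** Constant-time comparison, so a wrong response takes as long to reject as a right one. */
    static boolean digestsEqual(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.US_ASCII),
                                     b.getBytes(StandardCharsets.US_ASCII));
    }

    /**
     * The realm-side check. With PLAIN_TEXT the realm derives HA1 itself; with
     * HASHED the backend already holds HA1 and never needs the clear-text password.
     */
    static boolean validate(int passwordType, byte[] passwordValue, String user, String realm,
                            String method, String uri, String nonce, String nc,
                            String cnonce, String qop, String clientResponse) {
        String h1 = passwordType == HASHED
                ? new String(passwordValue, StandardCharsets.US_ASCII)
                : ha1(user, realm, new String(passwordValue, StandardCharsets.ISO_8859_1));
        return digestsEqual(expectedResponse(h1, method, uri, nonce, nc, cnonce, qop), clientResponse);
    }

    public static void main(String[] args) {
        // Constructed challenge/response values for a SIP REGISTER; nothing here is real.
        String user = "alice", realm = "realmperapp", pass = "correct horse";
        String method = "REGISTER", uri = "sip:example.com";
        String nonce = "constructed-nonce-0001", nc = "00000001", cnonce = "0a4f113b", qop = "auth";
        // The response a well-behaved client would send for this challenge.
        String response = expectedResponse(ha1(user, realm, pass), method, uri, nonce, nc, cnonce, qop);

        boolean plainStore = validate(PLAIN_TEXT, pass.getBytes(StandardCharsets.ISO_8859_1),
                user, realm, method, uri, nonce, nc, cnonce, qop, response);
        boolean ha1Store = validate(HASHED, ha1(user, realm, pass).getBytes(StandardCharsets.US_ASCII),
                user, realm, method, uri, nonce, nc, cnonce, qop, response);
        boolean wrongPassword = validate(PLAIN_TEXT, "guess".getBytes(StandardCharsets.ISO_8859_1),
                user, realm, method, uri, nonce, nc, cnonce, qop, response);
        boolean otherRealm = validate(HASHED, ha1(user, "otherRealm", pass).getBytes(StandardCharsets.US_ASCII),
                user, realm, method, uri, nonce, nc, cnonce, qop, response);
        System.out.println("plain-text store: " + plainStore + ", HA1 store: " + ha1Store
                + ", wrong password: " + wrongPassword + ", HA1 from another realm: " + otherRealm);
    }
}
```

The first two checks succeed and the last two fail. The fourth case is the practical consequence of storing HA1: the hash is bound to the realm name, so the realm-name configured in sip.xml (realmperapp above) must be the one used when the backend's hashes were generated, and renaming a realm invalidates every stored HA1. In exchange, a backend that stores only HA1 never holds clear-text passwords, which is the reason to prefer the HASHED type when the backend schema allows it.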

This custom realm can be configured for use in SIP/HTTP applications as described in docs [2].

You can download sailfin/SJSCAS builds from https://sailfin.dev.java.net/.

[1] http://docs.sun.com/app/docs/doc/819-3659/6n5s6m58k?a=view
[2] http://docs.sun.com/app/docs/doc/819-3658/6n5s5nkmq?l=en&a=view#ablpi



Note : Interfaces and classes described above are subject to improvement and change in future milestone releases of SJSCAS

