Securing Java EE 5.0 Applications with Apache Geronimo
Vamsavardhana Reddy Chillakuru a.k.a. Vamsi
[email protected] [email protected]

Who am I?
• Member of the Apache Geronimo PMC
• Involved with the ASF since 2005
• Over 11 years of experience in software development
• Advisory Software Engineer at IBM
• Employed with IBM India since 1996
09-Apr-2008 Securing Java EE 5.0 Applications with Geronimo 2

Geronimo in the making
(Photo) That's my son Susanth helping me with Geronimo

Agenda
• Introduction to Geronimo
• Security implementation
• Security Realms – Properties File
• Securing Applications
• Security Realms
• Advanced Features
• Summary
• Q&A

Introduction to Geronimo
• J2EE/Java EE application server from the Apache Software Foundation
• Brings together best-of-breed open source technologies to support J2EE/Java EE
• Small footprint, highly customizable
• Ease of use is the foremost guiding principle
• V2.1 Java EE 5 certified – Feb 2008

Geronimo History and Progress
(Timeline figure: Aug 2003, Oct 2005, Jan 2006, Jun 2006, Sep 2006, Jun 2007, Aug 2007, Oct 2007, Feb 2008, and releases in plan)

Geronimo Architecture
• GBeans are the building blocks
  – E.g. Containers, Connectors, Servlets…
• Geronimo Kernel
  – A container for GBeans
  – Based on Inversion-of-Control/Dependency Injection
  – Provides life cycle management for GBeans
• Loosely coupled system
  – Start/stop/remove components on the fly
  – Integrate new components on the fly
• Plugins
  – Directory Server, Roller and many others

Geronimo Architecture
(Diagram; ref: http://www.ibm.com/developerworks/library/os-ag-deploy/)

What does it contain?
• Apache Tomcat
• Jetty (Mort Bay)
• Apache Derby
• Apache OpenEJB
• Apache ActiveMQ
• Apache OpenJPA
• Apache Axis
• Apache Axis2
• Apache CXF
• Apache Yoko
• Apache Commons
• Apache jUDDI
• Apache Log4J
• HOWL
• TRANQL
• Castor
• WADI
• CGLIB
And many more…

What's new in 2.1?
• Servers assembled out of plugins
• Custom server assemblies
  – Assemble a server feature
• Flexible admin console
• Monitoring Console
• GShell
• WADI clustering support for Tomcat

How to get involved?
• Geronimo project web site – http://geronimo.apache.org/
• Mailing lists – [email protected], [email protected]
• Wiki – http://cwiki.apache.org/geronimo/

Geronimo Installation
• http://geronimo.apache.org/downloads.html
• Geronimo Tomcat or Geronimo Jetty distributions
• Extract the archive to any directory
  – On Windows, use a short directory name (e.g. C:\ or C:\g) to avoid long-path problems.
Geronimo Startup/Shutdown
• Requires Sun J2SE 5.0 JDK/JRE
• Environment variables
  – JAVA_HOME/JRE_HOME
  – GERONIMO_OPTS
  – JAVA_OPTS
• Run the server
  – <g_home>/bin/geronimo start
  – <g_home>/bin/geronimo jpda run
• Stop the server
  – Control+C in the server console
  – <g_home>/bin/shutdown

Administration Console
• Web-based, convenient, user-friendly
• Based on Apache Pluto (JSR-168)
• Access at http://localhost:8080/console
• Portlets for administration
  – Web Server, JMS Server, JMS Resources, DB Manager, Database Pools
  – Application portlets – Deploy New, Web App WARs, Plan Creator etc.
  – Security Realms, Keystores
• Portlets for monitoring server status
  – Information, Java System Info, Server Logs, Monitoring, etc.
• Don't forget the Help view in the portlets

Introduction to JAAS
• Java Authentication and Authorization Service
• Pluggable authentication modules
• Subject and Principals
• LoginModules composed into a Configuration
  – Control flags (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) decide how each module's result affects the overall login and whether the rest of the stack still runs
• Each LoginModule with a successful login adds zero or more Principals to the Subject

JACC
• Java Authorization Contract for Containers (JSR-115)
• Defines new Permission classes to satisfy the Java EE 5 authorization model
• Geronimo includes a JACC 1.1 implementation

What does Geronimo provide?
• Embedded database – Apache Derby
• LDAP server – Apache Directory Server
  – Can be installed as a plugin
• JAAS authentication LoginModules
  – PropertiesFileLoginModule
  – SQLLoginModule
  – LDAPLoginModule
  – CertificatePropertiesFileLoginModule

What does Geronimo provide? (contd.)
• JAAS LoginModules
  – FileAuditLoginModule
  – RepeatedFailureLockoutLoginModule
  – GeronimoPasswordCredentialLoginModule
  – NamedUsernamePasswordCredentialLoginModule
• Principal classes
  – GeronimoUserPrincipal
  – GeronimoGroupPrincipal
  – LoginDomainPrincipal
  – RealmPrincipal
• CredentialStores
  – SimpleCredentialStoreImpl
• Security Realms portlet
  – Create, edit and see usage for a realm

Properties File Realm
• Prerequisites
  – None
• Parameters
  – usersURI = relative path of the users properties file from <g_home>
  – groupsURI = relative path of the groups properties file from <g_home>
  – digest = message digest algorithm (e.g. MD5, SHA1) applied to the passwords; when set, the users file holds digests instead of clear-text passwords
  – encoding = encoding of the digest (e.g. HEX, BASE64)
  – The digest is unsalted, so two users with the same password get identical entries; the files must still be protected like any password store

Sample my-users.properties
  user1=password1
  user2=password2
  user3=pwd3
  ...
(Clear-text entries. With digest=MD5 and encoding=HEX, as in the LoginModuleConfiguration below, each value is the hex MD5 digest of the password instead.)

Sample my-groups.properties
  group1=user1,user2
  group2=user3,user4,user5
  guest=john,mary
  admin=someuser

Creating the Realm
• Create the properties files
  – Typically under the var/security directory
• Security Realms portlet
  – Specify the realm name
  – Select type Properties File Realm
  – Fill in the parameters
  – Option to test the realm
  – Option to generate the deployment plan

LoginModuleConfiguration
  <xml-reference name="LoginModuleConfiguration">
    <login-config xmlns="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
      <login-module control-flag="REQUIRED" wrap-principals="false">
        <login-domain-name>my-realm</login-domain-name>
        <login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</login-module-class>
        <option name="usersURI">var/security/my-users.properties</option>
        <option name="groupsURI">var/security/my-groups.properties</option>
        <option name="digest">MD5</option>
        <option name="encoding">HEX</option>
      </login-module>
    </login-config>
  </xml-reference>

Realm GBean
  <gbean name="my-realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm"
         xsi:type="dep:gbeanType"
         xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <attribute name="realmName">my-realm</attribute>
    <reference name="ServerInfo">
      <name>ServerInfo</name>
    </reference>
    <!-- LoginModuleConfiguration goes here -->
  </gbean>

Secure a Web Application
• web.xml
  – login-config
    • auth-method
  – security-role
  – security-constraint
    • auth-constraint
  – run-as
    • role-name

Secure a Web Application
• geronimo-web.xml
  – security-realm-name
  – role-mappings
  – credential-store-ref
  – run-as-subject
  – default-subject
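Before moving on to the credential store and the web.xml samples, here is an added example (my own code, not Geronimo's) that models the realm configured above: a stack of JAAS LoginModules evaluated under the control flags from the "Introduction to JAAS" slide, with a module that behaves like PropertiesFileLoginModule for the digest=MD5, encoding=HEX options of the LoginModuleConfiguration. The users and groups files embedded in it are constructed for the example; the principal class names mirror the deck's GeronimoUserPrincipal and GeronimoGroupPrincipal. It generalises beyond the single REQUIRED module in the deck by implementing all four control flags.

```python
# Added example (mine, not Geronimo's code): a model of how a Geronimo security
# realm runs its stack of JAAS LoginModules under the control flags, with a
# properties-file module that verifies digested passwords the way the
# digest=MD5 / encoding=HEX options imply. Users/groups files are constructed.
import base64
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

Principal = Tuple[str, str]  # (principal class, name), e.g. ("GeronimoGroupPrincipal", "admin")


def encode_password(password: str, digest: str = "", encoding: str = "HEX") -> str:
    """Value stored in the users file: clear text when no digest is set, otherwise
    the unsalted digest of the password, HEX or BASE64 encoded."""
    if not digest:
        return password
    raw = hashlib.new(digest.lower().replace("-", ""), password.encode("utf-8")).digest()
    if encoding.upper() == "HEX":
        return raw.hex()
    if encoding.upper() == "BASE64":
        return base64.b64encode(raw).decode("ascii")
    raise ValueError("unsupported encoding: " + encoding)


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: key=value lines, '#' comments."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries


@dataclass
class Subject:
    principals: Set[Principal] = field(default_factory=set)


LoginModule = Callable[[Subject, str, str], bool]  # (subject, username, password) -> success


def properties_file_module(users_text: str, groups_text: str,
                           digest: str = "", encoding: str = "HEX") -> LoginModule:
    """Like PropertiesFileLoginModule: check the (digested) password, then add a
    user principal plus one group principal per group the user belongs to."""
    users = parse_properties(users_text)
    groups = {g: {m.strip() for m in members.split(",")}
              for g, members in parse_properties(groups_text).items()}

    def login(subject: Subject, username: str, password: str) -> bool:
        stored = users.get(username)
        expected = encode_password(password, digest, encoding)
        if stored is None or not hmac.compare_digest(stored.encode(), expected.encode()):
            return False  # constant-time compare of the stored and computed values
        subject.principals.add(("GeronimoUserPrincipal", username))
        subject.principals.update(("GeronimoGroupPrincipal", g)
                                  for g, members in groups.items() if username in members)
        return True
    return login


def jaas_login(stack: List[Tuple[str, LoginModule]], username: str,
               password: str) -> Optional[Subject]:
    """Run (control-flag, module) pairs with the JAAS rules:
    REQUIRED   must succeed, but the rest of the stack still runs;
    REQUISITE  must succeed, and a failure stops the stack at once;
    SUFFICIENT success ends the stack early unless an earlier REQUIRED/REQUISITE
               module failed; its failure is ignored;
    OPTIONAL   only matters when the stack has no REQUIRED/REQUISITE module.
    Returns the Subject on overall success, else None (JAAS's separate commit
    phase is collapsed: principals only count when a Subject comes back)."""
    subject = Subject()
    has_required = required_failed = other_succeeded = False
    for flag, module in stack:
        ok = module(subject, username, password)
        if flag in ("REQUIRED", "REQUISITE"):
            has_required = True
            if not ok:
                required_failed = True
                if flag == "REQUISITE":
                    break
        elif flag == "SUFFICIENT":
            if ok:
                other_succeeded = True
                if not required_failed:
                    break
        elif flag == "OPTIONAL":
            other_succeeded = other_succeeded or ok
        else:
            raise ValueError("unknown control flag: " + flag)
    succeeded = not required_failed and (has_required or other_succeeded)
    return subject if succeeded else None


# Constructed sample files: what my-users.properties holds once digest=MD5 and
# encoding=HEX are configured (hex MD5 digests, not clear text), plus the groups.
USERS_TEXT = "\n".join([
    "# user=hex(md5(password))",
    "user1=" + encode_password("password1", "MD5", "HEX"),
    "user3=" + encode_password("pwd3", "MD5", "HEX"),
])
GROUPS_TEXT = "group1=user1,user2\ngroup2=user3,user4,user5\nadmin=user1\n"
AUDIT_LOG: List[str] = []


def demo_stack() -> List[Tuple[str, LoginModule]]:
    """The deck's realm (one REQUIRED properties module) with an OPTIONAL audit
    stand-in in front of it: it records the attempt and can never block a user."""
    return [("OPTIONAL", lambda s, u, p: AUDIT_LOG.append("attempt by " + u) is None),
            ("REQUIRED", properties_file_module(USERS_TEXT, GROUPS_TEXT, "MD5", "HEX"))]
```

`jaas_login(demo_stack(), "user1", "password1")` returns a Subject holding the user principal and the group principals group1 and admin; a wrong password or unknown user returns None. The control-flag rules are the part worth testing against your own login-config: a SUFFICIENT module placed before a REQUIRED one short-circuits the REQUIRED one entirely, which is rarely what a realm author intends.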
Credential Store
  <gbean name="CredentialStore" class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
    <xml-attribute name="credentialStore">
      <credential-store xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
        <realm name="my-realm">
          <subject>
            <id>admin-run-as</id>
            <credential>
              <type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</type>
              <value>system</value>
            </credential>
            <credential>
              <type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</type>
              <value>manager</value>
            </credential>
          </subject>
        </realm>
      </credential-store>
    </xml-attribute>
  </gbean>
(The run-as subject's password sits in clear text in this plan, so restrict access to the plan file as you would to the users file.)

Sample web.xml
  <web-app id="SimpleWebApp" version="2.5" ... >
    <display-name>SimpleWebApp</display-name>
    <servlet>
      . . .
      <run-as>
        <role-name>user</role-name>
      </run-as>
    </servlet>
    <login-config>
      <auth-method>BASIC</auth-method>
      <!-- For 'BASIC', realm-name is shown in the browser prompt -->
      <realm-name>my-realm</realm-name>
    </login-config>
    <!-- Security roles used in the application -->
    <security-role><role-name>admin</role-name></security-role>
    <security-role><role-name>user</role-name></security-role>
(BASIC sends the password base64-encoded with every request; use it only over an HTTPS connector, or add a user-data-constraint with transport-guarantee CONFIDENTIAL.)

Sample web.xml (contd.)
    <!-- Configure authorization for Admin pages -->
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Admin</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>admin</role-name>
      </auth-constraint>
    </security-constraint>
  </web-app>
(Listing http-method elements limits the constraint to those methods: requests to /admin/* with HEAD, PUT, DELETE or OPTIONS are not covered and reach the servlet without any authentication. Omit the http-method elements to constrain every method.)

Sample geronimo-web.xml
  <security-realm-name>my-realm</security-realm-name>
  <security>
    <credential-store-ref>
      <name xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">CredentialStore</name>
    </credential-store-ref>
    <default-subject>
      <realm>my-realm</realm>
      <id>admin-run-as</id>
    </default-subject>
    <role-mappings>
      <role role-name="admin"> <!-- from web.xml -->
        <principal name="Admin" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
      </role>

Sample geronimo-web.xml (contd.)
      <role role-name="user">
        <run-as-subject>
          <realm>my-realm</realm>
          <id>user-run-as</id>
        </run-as-subject>
        <principal name="User" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
        <principal name="john" class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"/>
      </role>
    </role-mappings>
  </security>
(Principal names must match the realm's group and user names exactly, case included: this mapping grants admin to group "Admin", while the my-groups.properties sample defines "admin". With that mismatch nobody holds the role and every admin request is denied.)

Secure an EJB Application
• ejb-jar.xml
  – security-identity
    • use-caller-identity
    • run-as
  – assembly-descriptor
    • security-role
      – role-name
    • method-permission
      – method
      – role-name
      – unchecked

Secure an EJB Application
• openejb-jar.xml
  – security
    • role-mappings
    • credential-store-ref
    • run-as-subject
    • default-subject

ejb-jar.xml
  <ejb-jar>
    <enterprise-beans>
      <session>
        <ejb-name>SecurityEJB</ejb-name>
        <ejb-class>myejbs.SecurityEJBean</ejb-class>
        ...
        <security-identity>
          <use-caller-identity/>
        </security-identity>
      </session>
    </enterprise-beans>
  </ejb-jar>

ejb-jar.xml (2)
  <assembly-descriptor>
    <security-role>
      <role-name>user</role-name>
    </security-role>
    <method-permission>
      <role-name>user</role-name>
      <method>
        <ejb-name>StockQuoteServiceBean</ejb-name>
        <method-name>getQuoteUser</method-name>
      </method>
    </method-permission>
    <method-permission>
      <unchecked/>
      <method>
        <ejb-name>StockQuoteServiceBean</ejb-name>
        <method-name>getQuote</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>

Secure an EAR Application
• application.xml
  – security-role
• geronimo-application.xml
  – security-realm-name for each web app
  – role-mappings
  – credential-store-ref
  – run-as-subject
  – default-subject

application.xml
  <application …>
    <display-name>TutorialEntApp</display-name>
    <module id="WebModule_1154872888098">
      <web>
        <web-uri>WebApp1.war</web-uri>
        <context-root>WebApp1</context-root>
      </web>
    </module>
    <security-role>
      <role-name>administrator</role-name>
    </security-role>
    <security-role>
      <role-name>guest-user</role-name>
    </security-role>
  </application>

geronimo-application.xml
  <application ...>
    <module>
      <web>WebApp1.war</web>
      <web-app ...>
        <security-realm-name>sample-properties-file-realm</security-realm-name>
      </web-app>
    </module>
    <security>
      <role-mappings>
        <role role-name="administrator">
          <principal name="admin" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
        </role>
      </role-mappings>
    </security>
  </application>
(A role declared in application.xml but absent from role-mappings, guest-user here, is granted to no principal at all.)
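The web.xml security-constraint and the geronimo-web.xml role-mappings above only say what the container will decide; the following added example (my own code, not Geronimo's or the deck's) models that decision so the two pitfalls noted above can be checked: a constraint that lists http-method elements leaves the other methods uncovered, and a role mapping whose principal name differs from the realm's group name grants the role to nobody. The constraint and mapping data are constructed to mirror the deck's samples; the url-pattern matching follows the Servlet 2.5 rules.

```python
# Added example (mine, not Geronimo's): models the authorization decision the
# container makes for a web request from the web.xml security-constraints and
# the geronimo-web.xml role-mappings. All data below is constructed to mirror
# the deck's samples (/admin/* for GET and POST, role admin).
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Principal = Tuple[str, str]  # (principal class, name) as written in <principal .../>


@dataclass
class Constraint:
    url_patterns: List[str]
    http_methods: Set[str] = field(default_factory=set)  # empty = every method
    roles: Optional[Set[str]] = None  # None = no <auth-constraint> (anyone); set() = nobody


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet url-pattern rules: exact match, path prefix '/x/*', extension '*.ext', default '/'."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def roles_for(principals: Set[Principal], role_mappings: Dict[str, Set[Principal]]) -> Set[str]:
    """role-mappings: a role is held when any mapped principal (class and name,
    compared exactly and case-sensitively) is in the caller's Subject."""
    return {role for role, mapped in role_mappings.items() if mapped & principals}


def authorize(constraints: List[Constraint], method: str, path: str,
              principals: Optional[Set[Principal]],
              role_mappings: Dict[str, Set[Principal]]) -> str:
    """Returns 'allow', 'authenticate' (401 challenge for an anonymous caller) or
    'deny' (403). A constraint that lists http-method elements covers only those
    methods; a request whose method no constraint covers is unconstrained."""
    applicable = [c for c in constraints
                  if any(pattern_matches(p, path) for p in c.url_patterns)
                  and (not c.http_methods or method in c.http_methods)]
    if not applicable:
        return "allow"
    if any(c.roles is None for c in applicable):
        return "allow"  # an unconstrained collection for the same resource wins
    allowed = set().union(*(c.roles for c in applicable))  # roles are unioned
    if not allowed:
        return "deny"  # empty <auth-constraint/> means nobody
    if principals is None:
        return "authenticate"
    return "allow" if roles_for(principals, role_mappings) & allowed else "deny"


# The deck's constraint: GET and POST on /admin/* require role admin.
DECK_CONSTRAINTS = [Constraint(["/admin/*"], {"GET", "POST"}, {"admin"})]
# Hardened: no http-method list, so HEAD/PUT/DELETE/OPTIONS are covered as well.
HARDENED_CONSTRAINTS = [Constraint(["/admin/*"], set(), {"admin"})]
# The deck's geronimo-web.xml role-mappings (note the capitalised group names).
ROLE_MAPPINGS: Dict[str, Set[Principal]] = {
    "admin": {("GeronimoGroupPrincipal", "Admin")},
    "user": {("GeronimoGroupPrincipal", "User"), ("GeronimoUserPrincipal", "john")},
}


def verb_check(constraints: List[Constraint], path: str = "/admin/users") -> Dict[str, str]:
    """What an anonymous caller gets for each HTTP method on an admin page."""
    return {m: authorize(constraints, m, path, None, ROLE_MAPPINGS)
            for m in ("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS")}
```

`verb_check(DECK_CONSTRAINTS)` challenges GET and POST but returns "allow" for HEAD, PUT, DELETE and OPTIONS; `verb_check(HARDENED_CONSTRAINTS)` challenges all six. A subject whose realm put it in group "admin" (lower case, as in the my-groups.properties sample) is denied under the "Admin" mapping, which is the silent failure to look for when a freshly deployed application rejects its administrators.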
Database (SQL) Realm
• Prerequisites
  – Database tables for user credentials and group mapping
• Parameters
  – userSelect SQL statement
  – groupSelect SQL statement
  – digest = message digest algorithm (e.g. MD5, SHA1) applied to the passwords
  – encoding = encoding of the digest (e.g. HEX, BASE64)
• For the database connection either a database pool or JDBC parameters can be used

Creating the Realm
• DB Manager portlet
  – Create DB
  – Execute SQL
• Database Pools portlet
  – DB pool for embedded Derby
• Security Realms portlet
  – Select type Database (SQL) Realm
  – Either database pool or JDBC parameters are needed

SQL Realm: Points to note
• Qualify the table name with the schema name to avoid unexpected errors
  – Prefer AUTH.USERS_TABLE to USERS_TABLE
• Use the VARCHAR data type; CHAR columns are blank-padded, and a value retrieved with trailing spaces will not match the submitted password or the expected group name.
• Write userSelect and groupSelect with a ? placeholder for the user name; they are run as prepared statements, so the user name is never concatenated into the SQL.
LDAP Realm
• Prerequisites
  – LDAP server
    • Apache Directory Server can be installed as a plugin
    • Use the Plugins portlet – http://geronimo.apache.org/plugins/geronimo-2.1
• Create using the Security Realms portlet
  – Select type LDAP Realm

LDAP Connection parameters
• Initial Context Factory
• Connection URL
• Connect Username
• Connect Password
• Confirm Password
• Connect Protocol
• Authentication

LDAP Realm Parameters
• User Base
• User Search Matching
• User Search Subtree
• Role Base
• Role Name
• Role User Search String
• Role Search Subtree
• User Role Search String

Certificate Properties Realm
• Prerequisites
  – Certificate for server authentication
  – HTTPS port set up for client authentication
  – Web clients must have certificates issued by a CA that is configured as trusted in the HTTPS port setup
  – Any certificate chaining to a trusted CA passes the TLS handshake; the realm then admits only the subjects listed in the users mapping file
• Parameters
  – usersURI = certificate-to-user mapping file
  – groupsURI = group mapping file

Create Certificate Properties Realm
• Keystores portlet to prepare the keystores
• Web Servers portlet to add the HTTPS connector
• CA portlet to issue client certificates
• Security Realms portlet
  – Select type Certificate Properties File Realm

cert-users.properties
  webclient01=CN=Web Client01,OU=Org Unit0,O=Org0,L=Loc0,ST=St0,C=IN
  webclient02=CN=Web Client02,OU=Org Unit0,O=Org0,L=Loc0,ST=St0,C=IN
  webclient11=CN=Web Client11,OU=Org Unit1,O=Org1,L=Loc1,ST=St1,C=US
  webclient12=CN=Web Client12,OU=Org Unit1,O=Org1,L=Loc1,ST=St1,C=US

cert-groups.properties
  admin=webclient01,webclient02
  guest=webclient11,webclient12

Advanced Features
• Auditing
  – Every login attempt is recorded to the specified file.
• Lockout
  – A certain number of failed logins within a given time frame locks the user's account for a configured period.

Advanced Features (contd.)
• Store Password
  – Store each user's password in a private credential in the Subject.
  – GeronimoPasswordCredential
  – The clear-text password then lives in server memory for the life of the Subject; enable this only where a downstream resource needs it.
• Named Credential
  – Store each username and password in a private credential in the Subject under a specified credential name.
  – NamedUsernamePasswordCredential

Principal Wrapping
• Edit the realm from the Security Realms portlet
  – Set Support Advanced Mapping to Yes
  – LoginDomainPrincipal and RealmPrincipal are added to the Subject
  – login-domain-principal and realm-principal can be used in role-mapping in addition to the principal tag.
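The Lockout feature above is described in one sentence; the following added example (my own code, not Geronimo's RepeatedFailureLockoutLoginModule, whose option names the deck does not show) implements that policy as a tracker that sits in front of the password check: a sliding window of failures per user, a lock that refuses even a correct password until it expires, and a reset on successful login. The parameter names failure_count, failure_period and lockout_duration and the event sequence are mine.

```python
# Added example (mine, not Geronimo's RepeatedFailureLockoutLoginModule): the
# lockout policy the deck describes, as a tracker placed in front of the
# password check. Parameter names are my own; the deck does not show the
# module's option names.
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class LockoutTracker:
    """failure_count failed logins inside failure_period seconds lock the
    account for lockout_duration seconds. Times are passed in explicitly so
    the policy is deterministic and testable (use time.monotonic() in a server)."""

    def __init__(self, failure_count: int = 5, failure_period: float = 300.0,
                 lockout_duration: float = 900.0) -> None:
        self.failure_count = failure_count
        self.failure_period = failure_period
        self.lockout_duration = lockout_duration
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)  # failure timestamps
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:  # lock expired: forget it and the old failures
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def attempt(self, user: str, credential_ok: bool, now: float) -> str:
        """Record one login attempt; returns 'locked', 'success' or 'failure'.
        A locked account is refused before the password result is consulted,
        so the lock does not reveal whether the supplied password was right."""
        if self.is_locked(user, now):
            return "locked"
        if credential_ok:
            self._failures.pop(user, None)  # a good login clears the window
            return "success"
        window = self._failures[user]
        window.append(now)
        while window and now - window[0] > self.failure_period:
            window.popleft()  # drop failures older than the sliding window
        if len(window) >= self.failure_count:
            self._locked_until[user] = now + self.lockout_duration
            window.clear()
            return "locked"
        return "failure"


# Constructed sequence of (seconds, user, password-was-correct) events.
SAMPLE_EVENTS: List[Tuple[float, str, bool]] = [
    (0, "alice", False), (10, "alice", False), (20, "alice", False),  # third failure locks
    (30, "alice", True),   # right password, still locked
    (30, "bob", True),     # other users are unaffected
    (141, "alice", True),  # lock (20 + 120 s) has expired
]


def run_sample(failure_count: int = 3, failure_period: float = 60.0,
               lockout_duration: float = 120.0) -> List[str]:
    """Replay SAMPLE_EVENTS through one tracker and return the outcomes."""
    tracker = LockoutTracker(failure_count, failure_period, lockout_duration)
    return [tracker.attempt(user, ok, t) for t, user, ok in SAMPLE_EVENTS]
```

`run_sample()` returns failure, failure, locked, locked, success, success. Two caveats a practitioner should weigh before enabling lockout: it keys on the user name, so anyone who knows a login name can lock that user out by sending a few bad passwords, and a tracker like this holds its state in one JVM, so each node of a cluster counts failures separately. Pair it with auditing, keep the lock short, and make sure an administrator account stays reachable.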
Recall LoginModuleConfiguration
  <xml-reference name="LoginModuleConfiguration">
    <login-config xmlns="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
      <login-module control-flag="REQUIRED" wrap-principals="false">
        <login-domain-name>my-realm</login-domain-name>
        <login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</login-module-class>
        <option name="usersURI">var/security/my-users.properties</option>
        <option name="groupsURI">var/security/my-groups.properties</option>
        <option name="digest">MD5</option>
        <option name="encoding">HEX</option>
      </login-module>
    </login-config>
  </xml-reference>

Application Scoped Realm
• The Security Realm GBean is part of the application deployment plan
• Use the Security Realms portlet to generate the realm plan and add the GBean to the application plan
  – May need to specify a dependency on the j2ee-security configuration

Single Sign-On
• Login to one application maintains the login across all applications on the server
• Create a SingleSignOn valve and connect it to the valve chain in the Tomcat configuration
  – Edit config.xml (XML fragment shown next)
• The SSO session cookie then authenticates the user to every application on that host, so protecting it (HTTPS, no exposure through XSS) matters as much as protecting any single application's session

XML fragment for SSO
  <gbean name="AccessLogValve">
    <reference name="NextValve">
      <pattern>
        <name>SSOValve</name>
      </pattern>
    </reference>
  </gbean>
  <gbean gbeanInfo="org.apache.geronimo.tomcat.ValveGBean"
         name="org.apache.geronimo.configs/tomcat6/2.1/car?ServiceModule=org.apache.geronimo.configs/tomcat6/2.1/car,j2eeType=GBean,name=SSOValve">
    <attribute name="className">org.apache.catalina.authenticator.SingleSignOn</attribute>
  </gbean>

Summary
• Introduction to Geronimo
• Security implementation
• Security Realms portlet
• Security Realms
• Securing WAR, EJB JAR, EAR
• Advanced Features

Q&A

Resources
• http://geronimo.apache.org
• http://cwiki.apache.org/geronimo/
• Geronimo mailing lists – [email protected], [email protected]
• IBM developerWorks – http://www.ibm.com/developerworks/opensource/top-projects/geronimo.html

Thank you