Securing Java EE 5.0 Applications with Apache Geronimo

Securing Java EE 5.0 Applications with Apache Geronimo Vamsavardhana Reddy Chillakuru a.k.a. Vamsi [email protected] [email protected]


Page 1: Securing Java EE 5.0 Applications with Apache Geronimo

Vamsavardhana Reddy Chillakuru
a.k.a. Vamsi
[email protected]
[email protected]

Page 2

Who am I?

• Member of Apache Geronimo PMC

• Involved with ASF since 2005

• Over 11 years experience in software development

• Advisory Software Engineer at IBM

• Employed with IBM India since 1996

Page 3

Geronimo in the making

That’s my son Susanth helping me with Geronimo

Page 4

Agenda

• Introduction to Geronimo
• Security implementation
• Security Realms – Properties File
• Securing Applications
• Security Realms
• Advanced Features
• Summary
• Q & A


Page 6

Introduction to Geronimo

• J2EE/Java EE Application Server from the Apache Software Foundation
• Brings together the best-of-breed technologies from open source to support J2EE/Java EE
• Small footprint/Highly customizable
• Ease of use is the foremost guiding principle
• V2.1 Java EE 5 Certified – Feb/2008

Page 7

Geronimo History and Progress

• August 2003 – Apache Geronimo Project formed
• Oct 2005 – V1.0-M5 released, J2EE 1.4 certification
• Jan 2006 – V1.0 Released
• June 2006 – V1.1 Released
• Sep 2006 – V1.1.1 Released
• Jun 2007 – V2.0-M6 released, Java EE 5 certification
• Aug 2007 – V2.0.1 Released
• Oct 2007 – V2.0.2 Released
• Feb 2008 – V2.1 Released
• In Plan – V2.2 Release

Page 8

Geronimo Architecture

• GBeans are the building blocks
  – E.g. Containers, Connectors, Servlets…
• Geronimo Kernel
  – A container for GBeans
  – Based on Inversion-of-Control/Dependency Injection
  – Provides Life Cycle management for GBeans
• Loosely coupled system
  – Start/stop/remove components on the fly
  – Integrate new components on the fly
• Plugins
  – Directory Server, Roller and many others

Page 9

Geronimo Architecture

*Ref: http://www.ibm.com/developerworks/library/os-ag-deploy/

Page 10

What does it contain?

• Apache Tomcat
• Jetty (Mort Bay)
• Apache Derby
• Apache OpenEJB
• Apache ActiveMQ
• Apache OpenJPA
• Apache Axis
• Apache Axis2
• Apache CXF
• Apache Yoko
• Apache Commons
• Apache jUDDI
• Apache Log4J
• HOWL
• TRANQL
• Castor
• WADI
• CGLIB

And many more…

Page 11

What’s new in 2.1?

• Servers assembled out of plugins
• Custom server assemblies
  – Assemble a server feature
• Flexible admin console
• Monitoring Console
• GShell
• WADI Clustering Support for Tomcat

Page 12

How to get involved?

• Geronimo project web site
  – http://geronimo.apache.org/
• Mailing lists
  – [email protected]
  – [email protected]
• Wiki
  – http://cwiki.apache.org/geronimo/

Page 13

Geronimo Installation

• http://geronimo.apache.org/downloads.html
• Geronimo Tomcat or Geronimo Jetty distributions
• Extract the archive to any directory
  – On Windows, use a short directory name (e.g. C:\ or C:\g) to avoid long-path problems.

Page 14

Geronimo Startup/Shutdown

• Requires Sun J2SE 5.0 JDK/JRE
• Environment variables
  – JAVA_HOME/JRE_HOME
  – GERONIMO_OPTS
  – JAVA_OPTS
• Run the server
  – <g_home>/bin/geronimo start
  – <g_home>/bin/geronimo jpda run
• Stop the server
  – Control+C in server console
  – <g_home>/bin/shutdown


Page 16

Administration Console

• Web-based, convenient, user-friendly
• Based on Apache Pluto (JSR-168)
• Access at http://localhost:8080/console
• Portlets for administration
  – Web Server, JMS Server, JMS Resources, DB Manager, Database Pools
  – Application portlets – Deploy New, Web App WARs, Plan Creator etc.
  – Security Realms, Keystores
• Portlets for monitoring server status
  – Information, Java System Info, Server Logs, Monitoring, etc.
• Don’t forget the Help view in the portlets


Page 18

Introduction to JAAS

• Java Authentication and Authorization Service
• Pluggable Authentication Modules
• Subject and Principals
• LoginModules composed into a Configuration
  – Control-flags for execution control
• Each LoginModule with successful login adds zero or more Principals to the Subject

Page 19

JACC

• Java Authorization Contract for Containers (JSR-115)

• Defines new Permission classes to satisfy the Java EE 5 authorization model

• Geronimo has JACC 1.1 implementation

Page 20

What does Geronimo provide?

• Embedded Database – Apache Derby
• LDAP Server – Apache Directory Server
  – Can be installed as a plug-in
• JAAS Authentication LoginModules
  – PropertiesFileLoginModule
  – SQLLoginModule
  – LDAPLoginModule
  – CertificatePropertiesFileLoginModule

Page 21

What does Geronimo provide? (contd.)

• JAAS LoginModules
  – FileAuditLoginModule
  – RepeatedFailureLockoutLoginModule
  – GeronimoPasswordCredentialLoginModule
  – NamedUsernamePasswordCredentialLoginModule
• Principal classes
  – GeronimoUserPrincipal
  – GeronimoGroupPrincipal
  – LoginDomainPrincipal
  – RealmPrincipal
• CredentialStores
  – SimpleCredentialStoreImpl
• Security Realms portlet
  – Create, Edit and see Usage for a realm


Page 23

Properties File Realm

• Prerequisites
  – None
• Parameters
  – usersURI = relative path of users properties file from <g_home>
  – groupsURI = relative path of groups properties file from <g_home>
  – digest = Message Digest algorithm (e.g. MD5, SHA1, etc.) used on the passwords
  – encoding = Encoding to be used with digest (e.g. HEX, BASE64)

Page 24

Sample my-users.properties

user1=password1

user2=password2

user3=pwd3

...

Page 25

Sample my-groups.properties

group1=user1,user2

group2=user3,user4,user5

guest=john,mary

admin=someuser
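The following is an added example and not Geronimo's PropertiesFileLoginModule or any other Geronimo code. It ties together the JAAS slide (LoginModules composed into a Configuration with control-flags; each successful module adds Principals to the Subject) and the Properties File Realm parameters above: a minimal JAAS LoginModule checks a presented password against users and groups in the my-users.properties / my-groups.properties layout, applying the realm's digest and encoding options (here digest=MD5, encoding=HEX, as in the deck's realm plan) before comparing, and on success adds one user principal and one principal per group to the Subject. The class names PropertiesRealmDemo, FileLoginModule and NamedPrincipal, and the option names users and groups (file contents passed inline instead of usersURI/groupsURI paths), are constructed for this example; Java 8 or later is assumed.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Added example, not Geronimo code: a JAAS LoginModule over users/groups files in the
// my-users.properties / my-groups.properties layout, honouring the realm's digest and
// encoding options, composed into a Configuration with control-flag REQUIRED.
public class PropertiesRealmDemo {

    // Stand-in for GeronimoUserPrincipal / GeronimoGroupPrincipal (constructed for this example).
    static final class NamedPrincipal implements Principal {
        private final String kind, name;
        NamedPrincipal(String kind, String name) { this.kind = kind; this.name = name; }
        public String getName() { return name; }
        public String toString() { return kind + ":" + name; }
    }

    // What an administrator stores in my-users.properties: encoding(digest(password)), never the clear text.
    static String digest(String clear, String algorithm, String encoding) throws Exception {
        byte[] raw = MessageDigest.getInstance(algorithm).digest(clear.getBytes(StandardCharsets.UTF_8));
        if ("BASE64".equalsIgnoreCase(encoding)) return Base64.getEncoder().encodeToString(raw);
        StringBuilder hex = new StringBuilder();
        for (byte b : raw) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    public static class FileLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private Map<String, ?> options;
        private final List<Principal> pending = new ArrayList<>();

        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h; options = opts;
        }

        // Phase 1: authenticate and collect principals; the Subject is untouched until commit().
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user");
            PasswordCallback pc = new PasswordCallback("password", false);
            try {
                handler.handle(new Callback[] { nc, pc });
                Properties users = new Properties();
                users.load(new StringReader((String) options.get("users")));
                Properties groups = new Properties();
                groups.load(new StringReader((String) options.get("groups")));
                String stored = users.getProperty(nc.getName());
                String presented = digest(new String(pc.getPassword()),
                        (String) options.get("digest"), (String) options.get("encoding"));
                pc.clearPassword();
                // Constant-time comparison; an unknown user and a wrong password fail identically.
                if (stored == null || !MessageDigest.isEqual(
                        stored.getBytes(StandardCharsets.UTF_8), presented.getBytes(StandardCharsets.UTF_8)))
                    throw new FailedLoginException("bad user or password");
                pending.add(new NamedPrincipal("user", nc.getName()));
                for (String group : groups.stringPropertyNames())
                    if (Arrays.asList(groups.getProperty(group).split(",")).contains(nc.getName()))
                        pending.add(new NamedPrincipal("group", group));
                return true;
            } catch (LoginException e) { throw e; }
              catch (Exception e) { throw new LoginException(e.toString()); }
        }

        // Phase 2: the whole stack succeeded, so the collected principals go into the Subject.
        public boolean commit() { subject.getPrincipals().addAll(pending); return true; }
        public boolean abort() { pending.clear(); return true; }
        public boolean logout() { subject.getPrincipals().removeAll(pending); pending.clear(); return true; }
    }

    // Programmatic equivalent of a login-config with a single REQUIRED login-module.
    static Configuration realmConfig(final Map<String, String> options) {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(FileLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options) };
            }
        };
    }

    static Subject login(Configuration cfg, final String user, final String password) throws LoginException {
        CallbackHandler h = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
            }
        };
        LoginContext ctx = new LoginContext("my-realm", new Subject(), h, cfg);
        ctx.login();
        return ctx.getSubject();
    }

    public static void main(String[] args) throws Exception {
        // Constructed file contents for digest=MD5, encoding=HEX.
        String users = "user1=" + digest("password1", "MD5", "HEX") + "\nuser2=" + digest("password2", "MD5", "HEX") + "\n";
        String groups = "group1=user1,user2\nadmin=user1\n";
        Map<String, String> opts = new HashMap<>();
        opts.put("users", users); opts.put("groups", groups); opts.put("digest", "MD5"); opts.put("encoding", "HEX");
        Configuration cfg = realmConfig(opts);
        System.out.println("my-users.properties would contain:\n" + users);
        System.out.println("user1 principals: " + login(cfg, "user1", "password1").getPrincipals());
        try { login(cfg, "user1", "wrong"); }
        catch (LoginException e) { System.out.println("user1/wrong rejected: " + e.getMessage()); }
    }
}
```

The two-phase login()/commit() split is what lets the control-flags work: with several modules in the stack, no module's principals reach the Subject unless the whole Configuration evaluates to success, and abort() discards what a module had collected. The digest() helper is also the tool an administrator needs to produce the values that go into my-users.properties once digest and encoding are set on the realm.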

Page 26

Creating the Realm

• Create the properties files
  – Typically under var/security dir.
• Security Realms portlet
  – Specify realm name
  – Select type Properties File Realm
• Fill in the parameters
• Option to test the realm
• Option to generate deployment plan

Page 27

LoginModuleConfiguration

<xml-reference name="LoginModuleConfiguration">
  <login-config xmlns="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
    <login-module control-flag="REQUIRED" wrap-principals="false">
      <login-domain-name>my-realm</login-domain-name>
      <login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</login-module-class>
      <option name="usersURI">var/security/my-users.properties</option>
      <option name="groupsURI">var/security/my-groups.properties</option>
      <option name="digest">MD5</option>
      <option name="encoding">HEX</option>
    </login-module>
  </login-config>
</xml-reference>

Page 28

Realm GBean

<gbean name="my-realm"
       class="org.apache.geronimo.security.realm.GenericSecurityRealm"
       xsi:type="dep:gbeanType"
       xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <attribute name="realmName">my-realm</attribute>
  <reference name="ServerInfo">
    <name>ServerInfo</name>
  </reference>
  <!-- LoginModuleConfiguration goes here -->
</gbean>


Page 30

Secure a Web Application

• web.xml
  – login-config
    • auth-method
  – security-role
  – security-constraint
    • auth-constraint
  – run-as
    • role-name

Page 31

Secure a Web Application

• geronimo-web.xml
  – security-realm-name
  – role-mappings
  – credential-store-ref
  – run-as-subject
  – default-subject

Page 32

Credential Store

<gbean name="CredentialStore"
       class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
  <xml-attribute name="credentialStore">
    <credential-store xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
      <realm name="my-realm">
        <subject>
          <id>admin-run-as</id>
          <credential>
            <type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</type>
            <value>system</value>
          </credential>
          <credential>
            <type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</type>
            <value>manager</value>
          </credential>
        </subject>
      </realm>
    </credential-store>
  </xml-attribute>
</gbean>

Page 33

Sample web.xml

<web-app id="SimpleWebApp" version="2.5" ... >
  <display-name>SimpleWebApp</display-name>
  <servlet>
    . . .
    <run-as>
      <role-name>user</role-name>
    </run-as>
  </servlet>
  <login-config>
    <auth-method>BASIC</auth-method>
    <!-- For 'BASIC', realm-name will be shown in the prompt -->
    <realm-name>my-realm</realm-name>
  </login-config>

  <!-- Security roles used in the application -->
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>user</role-name></security-role>

Page 34

Sample web.xml (contd.)

  <!-- Configure authorization for Admin pages -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>

Page 35

Sample geronimo-web.xml

<security-realm-name>my-realm</security-realm-name>
<security>
  <credential-store-ref>
    <name xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">CredentialStore</name>
  </credential-store-ref>
  <default-subject>
    <realm>my-realm</realm>
    <id>admin-run-as</id>
  </default-subject>
  <role-mappings>
    <role role-name="admin"> <!-- from web.xml -->
      <principal name="Admin"
                 class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
    </role>

Page 36

Sample geronimo-web.xml (contd.)

    <role role-name="user">
      <run-as-subject>
        <realm>my-realm</realm>
        <id>user-run-as</id>
      </run-as-subject>
      <principal name="User"
                 class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
      <principal name="john"
                 class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"/>
    </role>
  </role-mappings>
</security>

Page 37

Secure an EJB Application

ejb-jar.xml
• security-identity
  – use-caller-identity
  – run-as
• assembly-descriptor
  – security-role
    • role-name
  – method-permission
    • method
    • role-name
    • unchecked

Page 38

Secure an EJB Application

openejb-jar.xml
• security
  – role-mappings
  – credential-store-ref
  – run-as-subject
  – default-subject

Page 39

ejb-jar.xml

<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>SecurityEJB</ejb-name>
      <ejb-class>myejbs.SecurityEJBean</ejb-class>
      ...
      <security-identity>
        <use-caller-identity/>
      </security-identity>
    </session>
  </enterprise-beans>
</ejb-jar>

Page 40

ejb-jar.xml (2)

<assembly-descriptor>
  <security-role>
    <role-name>user</role-name>
  </security-role>
  <method-permission>
    <role-name>user</role-name>
    <method>
      <ejb-name>StockQuoteServiceBean</ejb-name>
      <method-name>getQuoteUser</method-name>
    </method>
  </method-permission>
  <method-permission>
    <unchecked/>
    <method>
      <ejb-name>StockQuoteServiceBean</ejb-name>
      <method-name>getQuote</method-name>
    </method>
  </method-permission>
</assembly-descriptor>

Page 41

Secure an EAR Application

• application.xml
  – security-role
• geronimo-application.xml
  – security-realm-name for each web app
  – role-mappings
  – credential-store-ref
  – run-as-subject
  – default-subject

Page 42

application.xml

<application …>
  <display-name>TutorialEntApp</display-name>
  <module id="WebModule_1154872888098">
    <web>
      <web-uri>WebApp1.war</web-uri>
      <context-root>WebApp1</context-root>
    </web>
  </module>
  <security-role><role-name>administrator</role-name></security-role>
  <security-role><role-name>guest-user</role-name></security-role>
</application>

Page 43

geronimo-application.xml

<application ...>
  <module>
    <web>WebApp1.war</web>
    <web-app ...>
      <security-realm-name>sample-properties-file-realm</security-realm-name>
    </web-app>
  </module>
  <security>
    <role-mappings>
      <role role-name="administrator">
        <principal name="admin"
                   class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
      </role>
    </role-mappings>
  </security>
</application>


Page 45

Database (SQL) Realm

• Prerequisites
  – Database tables for user credentials and group mapping
• Parameters
  – userSelect SQL statement
  – groupSelect SQL statement
  – digest = Message Digest algorithm (e.g. MD5, SHA1, etc.) used on the passwords
  – encoding = Encoding to be used with digest (e.g. HEX, BASE64)
• For the database connection either a Database Pool or JDBC parameters can be used

Page 46

Creating the Realm

• DB Manager portlet
  – Create DB
  – Execute SQL
• Database Pools portlet
  – DB Pool for Embedded Derby
• Security Realms portlet
  – Select type Database (SQL) Realm
• Either Database Pool or JDBC parameters needed.

Page 47

SQL Realm: Points to note

• Qualify table name with schema name to avoid unexpected errors
  – Prefer AUTH.USERS_TABLE to USERS_TABLE
• Use VARCHAR data type to avoid trailing spaces in the values retrieved from database.

Page 48

LDAP Realm

• Prerequisites
  – LDAP Server
    • Apache Directory Server can be installed as a plug-in
• Use Plugins portlet
  – http://geronimo.apache.org/plugins/geronimo-2.1
• Create using Security Realms portlet
  – Select type LDAP Realm

Page 49

LDAP Connection parameters

• Initial Context Factory

• Connection URL

• Connect Username

• Connect Password

• Confirm Password

• Connect Protocol

• Authentication

Page 50

LDAP Realm Parameters

• User Base
• User Search Matching
• User Search Subtree
• Role Base
• Role Name
• Role User Search String
• Role Search Subtree
• User Role Search String

Page 51

Certificate Properties Realm

• Prerequisites
  – Certificate for Server Authentication
  – HTTPS port setup for Client Authentication
  – Web Clients should have installed Certificates issued by a CA configured as trusted in HTTPS port setup
• Parameters
  – usersURI = certificate to user mapping file
  – groupsURI = group mapping file

Page 52

Create Certificate Properties Realm

• Keystores portlet to prepare keystores
• Web Servers portlet to add HTTPS Connector
• CA Portlet to issue client certificates
• Security Realms portlet
  – Select type Certificate Properties File Realm

Page 53

cert-users.properties

webclient01=CN=Web Client01,OU=Org Unit0,O=Org0,L=Loc0,ST=St0,C=IN
webclient02=CN=Web Client02,OU=Org Unit0,O=Org0,L=Loc0,ST=St0,C=IN
webclient11=CN=Web Client11,OU=Org Unit1,O=Org1,L=Loc1,ST=St1,C=US
webclient12=CN=Web Client12,OU=Org Unit1,O=Org1,L=Loc1,ST=St1,C=US

Page 54

cert-groups.properties

admin=webclient01,webclient02

guest=webclient11,webclient12
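How files in this layout are consumed once the HTTPS connector has authenticated a client certificate, as an added example that is not Geronimo's CertificatePropertiesFileLoginModule: the subject DN of the presented certificate is reduced to its X500Principal CANONICAL form and looked up against the DNs from cert-users.properties, and the resulting user name is resolved to groups through cert-groups.properties. Matching on canonical forms instead of raw strings is this example's design choice; it makes the lookup independent of the spacing and keyword case a TLS stack uses when rendering a DN, so an entry that fails to match by accident cannot silently become an unauthenticated user. The class CertUserMapping and its methods are constructed names; Java 8 or later is assumed.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.*;
import javax.security.auth.x500.X500Principal;

// Added example, not Geronimo code: map an authenticated client certificate's subject DN to a
// realm user and its groups using files in the cert-users.properties / cert-groups.properties layout.
public class CertUserMapping {
    private final Map<String, String> canonicalDnToUser = new HashMap<>();
    private final Map<String, Set<String>> userToGroups = new HashMap<>();

    public CertUserMapping(Properties certUsers, Properties certGroups) {
        for (String user : certUsers.stringPropertyNames()) {
            // Canonicalise once, so spacing and case differences in a presented DN do not break the match.
            String canon = new X500Principal(certUsers.getProperty(user)).getName(X500Principal.CANONICAL);
            canonicalDnToUser.put(canon, user);
        }
        for (String group : certGroups.stringPropertyNames())
            for (String member : certGroups.getProperty(group).split(","))
                userToGroups.computeIfAbsent(member.trim(), k -> new TreeSet<>()).add(group);
    }

    // Realm user for a certificate subject, or null when no entry maps to it (the login must then fail).
    public String userFor(X500Principal subject) {
        return canonicalDnToUser.get(subject.getName(X500Principal.CANONICAL));
    }

    public Set<String> groupsFor(String user) {
        return userToGroups.getOrDefault(user, Collections.<String>emptySet());
    }

    static Properties parse(String text) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(text)); // only the first '=' separates key from value, so the DN survives intact
        return p;
    }

    public static void main(String[] args) throws IOException {
        // Constructed copies of the deck's sample files.
        Properties users = parse("webclient01=CN=Web Client01,OU=Org Unit0,O=Org0,L=Loc0,ST=St0,C=IN\n"
                + "webclient11=CN=Web Client11,OU=Org Unit1,O=Org1,L=Loc1,ST=St1,C=US\n");
        Properties groups = parse("admin=webclient01,webclient02\nguest=webclient11,webclient12\n");
        CertUserMapping mapping = new CertUserMapping(users, groups);

        // Subject DN as a TLS stack might render it: spaces after the commas, unlike the file.
        X500Principal presented = new X500Principal("CN=Web Client01, OU=Org Unit0, O=Org0, L=Loc0, ST=St0, C=IN");
        String user = mapping.userFor(presented);
        System.out.println(user + " -> " + mapping.groupsFor(user));
        // A certificate the CA issued to someone not listed in cert-users.properties maps to no user at all.
        System.out.println(mapping.userFor(new X500Principal("CN=Unknown Client,O=Org0,C=IN")));
    }
}
```

Note what the mapping does not do: it trusts that the connector already verified the certificate chain against the configured trusted CA. A user that is missing from cert-users.properties gets no identity even though the CA vouched for the certificate, which is the intended behaviour for a realm of this kind.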


Page 56

Advanced Features

• Auditing
  – Every login attempt will be recorded to the specified file.
• Lockout
  – A certain number of failed logins in a particular time frame will cause a user's account to be locked for a certain period of time.
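The lockout rule described above, as an added example that is not Geronimo's RepeatedFailureLockoutLoginModule: a per-user sliding window of failure timestamps, where maxFailures failures inside windowMillis lock the account for lockMillis. The class LockoutTracker, its methods and the policy values in main() are constructed for this example; in a JAAS stack a check of this kind would run in its own LoginModule ahead of the password check, so that a locked account is refused before any credential is verified.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;

// Added example, not Geronimo's RepeatedFailureLockoutLoginModule: lock an account once
// maxFailures failed logins fall inside a sliding window of windowMillis, for lockMillis.
public class LockoutTracker {
    private final int maxFailures;
    private final long windowMillis;
    private final long lockMillis;
    private final Map<String, Deque<Long>> failures = new HashMap<>();
    private final Map<String, Long> lockedUntil = new HashMap<>();

    public LockoutTracker(int maxFailures, long windowMillis, long lockMillis) {
        this.maxFailures = maxFailures;
        this.windowMillis = windowMillis;
        this.lockMillis = lockMillis;
    }

    // Check this before verifying any credential; a locked account is refused outright.
    public synchronized boolean isLocked(String user, long now) {
        Long until = lockedUntil.get(user);
        if (until == null) return false;
        if (now < until) return true;
        lockedUntil.remove(user); // lock expired: the user starts again with a clean history
        failures.remove(user);
        return false;
    }

    // Record a failed attempt; returns true when this failure triggered a lock.
    public synchronized boolean recordFailure(String user, long now) {
        Deque<Long> window = failures.computeIfAbsent(user, k -> new ArrayDeque<>());
        window.addLast(now);
        // Forget failures that fell out of the time frame before counting.
        while (!window.isEmpty() && now - window.peekFirst() > windowMillis) window.pollFirst();
        if (window.size() >= maxFailures) {
            lockedUntil.put(user, now + lockMillis);
            window.clear();
            return true;
        }
        return false;
    }

    // A successful login clears the failure history.
    public synchronized void recordSuccess(String user) { failures.remove(user); }

    public static void main(String[] args) {
        // Constructed policy: 3 failures within 60 s lock the account for 5 min; times are epoch millis.
        LockoutTracker tracker = new LockoutTracker(3, 60_000L, 300_000L);
        long t0 = 1_200_000_000_000L;
        tracker.recordFailure("john", t0);
        tracker.recordFailure("john", t0 + 10_000);
        System.out.println("locked after two failures: " + tracker.isLocked("john", t0 + 20_000));
        System.out.println("third failure within window locks: " + tracker.recordFailure("john", t0 + 30_000));
        System.out.println("still locked two minutes later: " + tracker.isLocked("john", t0 + 150_000));
        System.out.println("locked after the lock period: " + tracker.isLocked("john", t0 + 400_000));
        // Failures spread wider than the window never accumulate to a lock.
        tracker.recordFailure("mary", t0);
        tracker.recordFailure("mary", t0 + 70_000);
        System.out.println("mary locked by far-apart failures: " + tracker.recordFailure("mary", t0 + 140_000));
    }
}
```

The tracker takes the clock as a parameter rather than calling System.currentTimeMillis() itself, which is what makes the window and lock arithmetic testable with fixed timestamps; in a server the caller passes the current time on each attempt. Pair it with the auditing feature above so that locks, not only the failures that caused them, appear in the audit file.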

Page 57

Advanced Features (contd.)

• Store Password
  – Store each user's password in a private credential in the Subject.
  – GeronimoPasswordCredential
• Named Credential
  – Store each username and password in a private credential in the Subject under a specified credential name.
  – NamedUsernamePasswordCredential

Page 58

Principal Wrapping

• Edit realm from Security Realms portlet
  – Set Support Advanced Mapping to Yes
  – LoginDomainPrincipal and RealmPrincipal added to subject
  – login-domain-principal and realm-principal used in role-mapping in addition to principal tag.

Page 59

Recall LoginModuleConfiguration

<xml-reference name="LoginModuleConfiguration">
  <login-config xmlns="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
    <login-module control-flag="REQUIRED" wrap-principals="false">
      <login-domain-name>my-realm</login-domain-name>
      <login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</login-module-class>
      <option name="usersURI">var/security/my-users.properties</option>
      <option name="groupsURI">var/security/my-groups.properties</option>
      <option name="digest">MD5</option>
      <option name="encoding">HEX</option>
    </login-module>
  </login-config>
</xml-reference>

Page 60

Application Scoped Realm

• Security Realm GBean is part of application deployment plan
• Use the Security Realms portlet to generate realm plan and add GBean to application plan
  – May need to specify dependency on j2ee-security config

Page 61

Single Sign-On

• Login to one application maintains login across all applications on the server
• Create a SingleSignOn valve and connect to the valve chain in Tomcat config.
  – Edit config.xml (xml fragment shown next)

Page 62

Xml fragment for SSO

<gbean name="AccessLogValve">
  <reference name="NextValve">
    <pattern>
      <name>SSOValve</name>
    </pattern>
  </reference>
</gbean>
<gbean gbeanInfo="org.apache.geronimo.tomcat.ValveGBean"
       name="org.apache.geronimo.configs/tomcat6/2.1/car?ServiceModule=org.apache.geronimo.configs/tomcat6/2.1/car,j2eeType=GBean,name=SSOValve">
  <attribute name="className">org.apache.catalina.authenticator.SingleSignOn</attribute>
</gbean>


Page 64

Summary

• Introduction to Geronimo

• Security Implementation

• Security Realms portlet

• Security Realms

• Securing WAR, EJB, JAR

• Advanced Features

Page 65

Agenda

• Introduction to Geronimo
• Geronimo Administration Console
• Security implementation
• Security Realms – Properties File
• Securing Applications
• Security Realms
• Advanced Features
• Application Scoped Realm
• Q & A

Page 66

Q & A

Page 67

Resources

• http://geronimo.apache.org
• http://cwiki.apache.org/geronimo/
• Geronimo Mailing lists
  – [email protected]
  – [email protected]
• IBM developerWorks
  – http://www.ibm.com/developerworks/opensource/top-projects/geronimo.html

Page 68

Thank you