EJB and Security (JAAS)

I have been using J2EE for some time now but have never used the built in security that comes with it. I am creating a new web based application that I would like to implement the security directly into the application instead of using my own home grown method. Does anybody have any advice on the best and quickest way to implement this? I am currently using JBoss 4.0.2 as my application server. Is this a good idea for a smaller scale project or should I stick with using good ole homegrown security through databases and some programming?

In our department, we are going to move from custom authentication to container authentication. To do credential authentication, we will implement WebLogic Server's Security Service Provider Interface with our LDAP as the persistent store. JBoss will have its version of container authentication.

You can also use JAAS, though its implementation does vary from the use of JAAS configuaration files to calling vendor-specific APIs.

For more info, see this J2EE security: Container versus custom article. This Customized EJB security in JBoss article also looks useful.

Hi Sloan,

Unless some very specific requirements enforce it, there is no reason to use a homegrown security framework. Whether the project is small or large has no importance and should not influence your decision. The advantages of using standard security are enormous, starting with less coding, les maintenance problems, much more flexibility and the possibility to integrate with other systems, etc. But above all it provides REAL SECURITY. The J2EE security (and not only) comes with a long history of hacking and a lot of experience and expertise. I bet that most of the custom security frameworks have serious security leaks. In my opinion the J2EE standard security make the difference between being secure (and nobody can penetrate the system) and being obscure, where the application is secure enough to resist to local/inexperienced user attacks, but probably would be defeated by experienced hackers.
Regards.

hi, Roger

for a basic container authentication on Weblogic using embeded LDAP server:

Should I use JMX like UserEditorMBean for authentication?

or shall I build an Authentication provider which consists of a MBean and a Login module, and use JNDI access LDAP?

Asserition provider or Role mapper need to be implemented?

I appreciate the responses I have received so far regarding this. From reading it appears this is the best way to go by far. Is there a pretty big learning curve to implementing this?

Hi Robert,

for a basic container authentication on Weblogic using embeded LDAP server:

Should I use JMX like UserEditorMBean for authentication?

or shall I build an Authentication provider which consists of a MBean and a Login module, and use JNDI access LDAP?

None of the above. Weblogic allows you to integrate your LDAP with your server security, configuring an LDAP authentication provider. This could be achieved pretty easily, using the weblogic console. What will happen though is that your server could read and import the users and groups from your LDAP. Is quite nice though, because you can use the weblogic console to create/remove users/groups, or to define user membership. But is strange because you won�t be able to manage the roles through the console the same way (Weblogic uses the embedded ldap for this and it can�t be changed that easily).

Asserition provider or Role mapper need to be implemented?

You probably don�t need to implement an Asserition provider, unless you need to provide a custom single-sign-on solution. As for the role mapper this you mostly have to do it, because you need to define a way to map the users defined in deployment descriptors to roles specified in your LDAP, or other external storage. Let me know if you need more directions or code samples.
Regards.

Hi valentine:

thank you for your reply.

if I've configured a LDAP authentication provider on Weblogic, how can I code authentication logic in a struts action? or shall I just use declarative security? could you give me a sample code?

thank you again!

Hi Robert,

You definitely must use declarative security, this is the whole purpose of defining the LDAP authentication provider in the first place anyway (and not only). The only question you might be able to answer is about the way you�ll map the roles defined in your deployment descriptors to the roles you have defined externally in ldap or other persistence storage. For example you can set the next security constraints in web.xml:
<security-constraint> <web-resource-collection> <web-resource-name>ApplicationAccessPolicy</web-resource-name> <description>Controls the application access</description> <url-pattern>*.jsp</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <description>Application Superuser and Help Desk User</description> <role-name>[B]AdminSuperUser[/B]</role-name> <role-name>[B]AdminHelpDeskUser[/B]</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>NONE</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name>default</realm-name> <form-login-config> <form-login-page>logon.jsp</form-login-page> <form-error-page>logon_error.jsp</form-error-page> </form-login-config> </login-config> [B] <security-role> <description>Application Superuser</description> <role-name>AdminSuperUser</role-name> </security-role> <security-role> <description>Help Desk User</description> <role-name>AdminHelpDeskUser</role-name> </security-role> [/B]
Here I defined two roles AdminSuperUser and AdminHelpDeskUser. The problem is that the groups or users to whom the sysadmin assigned those roles are defined externally, in our ldap. The question becomes, how can we tell weblogic to associate the roles with some other similarly named roles but defined externally? Fortunately weblogic has a special tag for this, externally-defined. Hence the weblogic.xml fine must contain the next lines:
<security-role-assignment> <role-name>AdminHelpDeskUser</role-name> <externally-defined/> </security-role-assignment> <security-role-assignment> <role-name>AdminSuperUser</role-name> <externally-defined/> </security-role-assignment>
Now I instructed weblogic to search its security realm for two roles named AdminSuperUser and AdminHelpDeskUser. Probably now you realize why defining an LDAP authentication provider is so important. By doing so weblogic will be able to search your ldap for roles. In most of the cases you need to "enlighten" weblogic about the way the roles must be found, providing a RoleMapper.
Regards.

hi Valentin

thank you for your detailed descripton about declarative security using Weblogic LDAP Authentication.

I understand, with ldap authentication provider, a user can be authenticated against LDAP when he tries to login. But how can a user sign up using LDAP authentication provider?

Hi,

I probably didn�t get you question right, but from what I understand I�ll tell you that there is nothing much to say. The authentication/authorization process will follow the same process as it was before. Whether you use implicit or explicit security it won�t matter. The container will know how to authenticate/authorize the users (supposing you provided the right security components, like a role mapper for example).
Regards.

hi,

my question is that how to create a new user in LDAP through Web Application? can I use configured Authentication provider or I need to use LDAP API?

thank you again!


Bob

Hi Robert,

It�s been a while since I worked with an IPlanetAuthenticator provider, but from what I remember we were able to create users, groups and define memberships from within the weblogic console. Those were saved to our external ldap system and no coding was necessary. However, we were not able to save the roles to our external ldap, no matter what. Weblogic always saved the role information to the embedded ldap. We asked bea for help, but I don�t remember if they were able to help us much. As a rule of thumb you should know that weblogic will always allow you to manage users and groups (from within wl console) if you install a custom authenticator provider that implements certain interfaces. The IPlanetAuthenticator provider probably implements most of them but I�m not sure to which extend.
To conclude our story I�ll tell you that we finally decided to mange the users/groups/roles defined in our external ldap using the IPlanet console. You can use any third party software for managing the ldap, which will probably be more convenient than using the weblogic console. However the choice you will mostly not be required to use any ldap api, unless some very specific project requirements will force you to do so.
Regards.

Valentin:

thank you for your detailed explanations!!!

You're very welcome Robert