Security features in JBoss

 
Ranch Hand
Posts: 200
I want to implement security features for the web application with JBoss 4.2.2.
I have seen some examples of implementing authorization, authentication, confidentiality and integrity in Tomcat server, by adding the users and roles in the vendor-specific XML file and then configuring it in the DD.
How can we achieve it in JBoss? In Tomcat, I have come across the realm concept. I don't want to use a memory realm (hardcoding the role and user details in XML).
I want to use it from a DB (like a JDBC realm). How can we do this for JBoss?

Another question: We can restrict the user from accessing the constrained resources by HTTP method (in security-constraint - web level). If that is the case, then why do we need to restrict the methods in the EJB (in the assembly descriptor - application level)?
Any one is enough, right? Am I missing anything? Please advise.
 
Sheriff
Posts: 10445

I want to implement security features for the web application with JBoss 4.2.2.
...
How can we achieve it in JBoss?

See if this helps: http://www.jboss.org/community/docs/DOC-12185

Another question: We can restrict the user from accessing the constrained resources by HTTP method (in security-constraint - web level). If that is the case, then why do we need to restrict the methods in the EJB (in the assembly descriptor - application level)?

It's not just HTTP servlets which act as clients of an EJB. If you have a standalone Java class or a web service or something else, those clients too can access the EJB. Applying the permission access restrictions on the EJB (which is nothing but a resource) helps in taking care of the security of the EJB without having to worry about the type of clients.
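As an added illustration of the point above (this is example configuration, not something posted in the thread), here is what a method-level restriction in an EJB 2.x assembly descriptor looks like on JBoss 4.2. The bean name `AccountService`, the method names and the security domain name `myWebAppRealm` are assumptions; the descriptor elements themselves are standard EJB 2.1 / JBoss 4.x.

```xml
<!-- META-INF/ejb-jar.xml (EJB 2.1): roles and method permissions apply to
     every caller of the bean, whether it is a servlet, a web service or a
     standalone Java client. Bean and method names are constructed here. -->
<assembly-descriptor>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <role-name>user</role-name>
  </security-role>

  <!-- Only callers in role "admin" may invoke closeAccount -->
  <method-permission>
    <role-name>admin</role-name>
    <method>
      <ejb-name>AccountService</ejb-name>
      <method-name>closeAccount</method-name>
    </method>
  </method-permission>

  <!-- Callers in role "user" may only read the balance.
       Permissions for a method listed in several method-permission
       elements are the union, so avoid a "*" entry for "user" here. -->
  <method-permission>
    <role-name>user</role-name>
    <method>
      <ejb-name>AccountService</ejb-name>
      <method-name>getBalance</method-name>
    </method>
  </method-permission>
</assembly-descriptor>

<!-- META-INF/jboss.xml: without a security-domain the container does not
     authenticate callers at all, and the permissions above are not checked. -->
<jboss>
  <security-domain>java:/jaas/myWebAppRealm</security-domain>
</jboss>
```

Any method not listed in a `method-permission` element is not callable by anyone unless it is marked `<unchecked/>`, so the descriptor is deny-by-default once a security domain is attached.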

 
Mark Henryson
Ranch Hand
Posts: 200
I am referring to the link provided by you. My requirement is to provide authentication and authorization using a relational database.
So I have referred to DatabaseServerLoginModule. I have a couple of doubts about it.

http://www.jboss.org/file-access/default/members/jbossas/freezone/docs/Server_Configuration_Guide/4/html/Using_JBoss_Login_Modules-DatabaseServerLoginModule.html

1. Do we need the Principals and Roles tables with the same column names specific to JBoss?
2. Can we define our own tables for users and user roles?
3. I will copy the below code into login-config.xml; after that, how can I invoke it to get the result in a Struts action/servlet?
What are the corresponding changes that need to be done in jboss-web.xml? Please throw some light on it.
 
Jaikiran Pai
Sheriff
Posts: 10445

Mark Henryson wrote:

1. Do we need the Principals and Roles tables with the same column names specific to JBoss?


No. You can name the columns and tables to anything of your choice. All you have to do is provide that query in the login-config.xml and use the datasource that contains these tables.

Mark Henryson wrote:
2. Can we define our own tables for users and user roles?


Yes, you can.

Mark Henryson wrote:
What are the corresponding changes that need to be done in jboss-web.xml? Please throw some light on it.


Your jboss-web.xml should refer to this application policy in the login-config.xml:

 
Mark Henryson
Ranch Hand
Posts: 200
I am not clear on one thing.
1. I have created two tables, users and userroles.
2. Added the below code to login-config.xml



3. Added the below code to jboss-web.xml



4. Created a JSP page with the username and password; submitting it will go to the action servlet. How can I get these passwords/roles for the users?

Step 4 is confusing. Is there any other thing I am missing? Please advise.
 
Mark Henryson
Ranch Hand
Posts: 200
Sorry, I was a little bit confused.
I have added the following entries in web.xml:



I am able to get the pop-up asking for user name and password.



I have a query: Is it possible to customise the principalsQuery and rolesQuery? For example, I have more fields in the users and usersroles tables and want to check some other conditions in principalsQuery and rolesQuery.
 
Ranch Hand
Posts: 65
Increasing the security log level can help:

http://primalcortex.wordpress.com/2007/11/28/jboss-and-jaas-debug/

The instructions relate to JAAS, but I believe they log all the others too. You will be able to see the exact query executed, as well as the parameters provided to the query, so you can see what role you got.

Regarding queries, you can create as complex an SQL query as you wish, as long as your DB can execute it. The only important thing is that you select only:



so the result of your query should be something like:


regardless of the actual column name (userRoles) in your database.

The same goes for the password. You need the query to return something to match the password you enter, regardless of column and table names. You have a single input, which is the question mark (?), to be replaced with the data you enter. Furthermore, you can specify the encoding of the password if you don't have plain-text passwords.
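The two answers above (Jaikiran's on binding jboss-web.xml to an application-policy, and the one just above on what the two queries must return) fit together as follows. This is an added example, not configuration posted in the thread: the datasource name `java:/MyAppDS`, the policy name `myWebAppRealm`, and the table and column names (including the `active` flag used to show an extra condition) are all assumptions.

```xml
<!-- conf/login-config.xml: one application-policy per security domain.
     Names of the datasource, policy, tables and columns are constructed. -->
<application-policy name="myWebAppRealm">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <!-- JNDI name of the datasource that holds the users/userroles tables -->
      <module-option name="dsJndiName">java:/MyAppDS</module-option>

      <!-- The module binds the login name to the single "?" and expects ONE
           column back: the stored password. Table and column names are
           yours; extra WHERE conditions are fine. -->
      <module-option name="principalsQuery">select passwd as Password from users where login = ? and active = 1</module-option>

      <!-- TWO columns: the role name, and a role group that must be the
           literal 'Roles' for authorization roles. The JOIN and column
           names are arbitrary; only the aliases matter to the module. -->
      <module-option name="rolesQuery">select r.role_name as Role, 'Roles' as RoleGroup from userroles r join users u on u.id = r.user_id where u.login = ?</module-option>

      <!-- Only if the stored value is a digest rather than clear text:
           the module hashes the entered password with hashAlgorithm,
           encodes the digest with hashEncoding (base64 or hex) and
           compares the resulting string with the Password column. -->
      <!--
      <module-option name="hashAlgorithm">MD5</module-option>
      <module-option name="hashEncoding">hex</module-option>
      -->
    </login-module>
  </authentication>
</application-policy>

<!-- WEB-INF/jboss-web.xml: ties the web application to that policy.
     The java:/jaas/ prefix is how JBoss 4.x names JAAS security domains. -->
<jboss-web>
  <security-domain>java:/jaas/myWebAppRealm</security-domain>
</jboss-web>
```

With this in place the container, not the Struts action, performs the lookup: once `web.xml` declares a `login-config` and a `security-constraint`, the servlet sees the authenticated user through `request.getUserPrincipal()` and `request.isUserInRole("...")` rather than by querying the tables itself.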

 
Mark Henryson
Ranch Hand
Posts: 200
I have a query:

I don't want to store the password as clear text in the DB, so I am using some sort of encryption technique to encrypt it and then storing it in the DB.
Now, using the DatabaseServerLoginModule, how will it verify the password?



Now, when the pop-up is asking for the password, the user will key in "passwd" in the password text box.
How will DatabaseServerLoginModule verify the password?

Another query:
I have added the below code in web.xml in security-constraint for SSL. But I could still bring up the application. Are any configuration settings needed for SSL?
 
Dejan Mratinkovic
Ranch Hand
Posts: 65
Mark,

Please check: http://www.jboss.org/community/wiki/DatabaseServerLoginModule

There you can see that some of the optional parameters are hashAlgorithm and hashEncoding (you can also see there what the defaults are). Set them to match your password encoding. If you wish to use an alternative (your own specific) way of password encoding, I am afraid you would need to extend the login-module class and introduce your custom password handling, which I would not recommend.

Regarding confidential communication, you would need to set up a url-pattern, as this is the only area which will be affected by <security-constraint>,

i.e. <url-pattern>/*</url-pattern>.

Setting up CONFIDENTIAL will auto-redirect all HTTP communication to HTTPS (for all requests that match the url-pattern).

NOTE: If you have multiple security constraints within the same web.xml, the first match will be applied.
 
Mark Henryson
Ranch Hand
Posts: 200
Below is my code. Yes, I want my application on the HTTPS protocol.
Please advise whether the below one needs any corrections.

 
Dejan Mratinkovic
Ranch Hand
Posts: 65
The code seems to be fine, but you are missing <realm-name> from <login-config>.

This would need to match the security-domain from jboss-web.xml, which needs to match the application-policy from login-config.xml.

I am not sure this is minimal, as I am using certificate login, which is a bit different from yours, but it works fine for me.
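The `web.xml` side of the two answers above (the CONFIDENTIAL transport guarantee with a `url-pattern`, and a `login-config` that carries a `realm-name`) as one added example; it is not the descriptor Mark posted, and the role name `user` and realm name `myWebAppRealm` are assumptions.

```xml
<!-- WEB-INF/web.xml: constructed example, not the thread's own descriptor -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application</web-resource-name>
    <!-- Without a url-pattern nothing is matched and the constraint is inert -->
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
  <!-- CONFIDENTIAL: JBoss Web redirects matching plain-HTTP requests to the
       HTTPS connector instead of serving them. The first constraint whose
       url-pattern matches a request is the one that applies. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <!-- realm-name is what the browser shows in the BASIC auth prompt; the
       binding to the application-policy is the security-domain in
       jboss-web.xml, so keeping the three names identical avoids confusion. -->
  <realm-name>myWebAppRealm</realm-name>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>
```

CONFIDENTIAL only triggers a redirect; the server must have an HTTPS connector (keystore, certificate and port) enabled in JBoss Web's `server.xml` for the redirect target to exist. With no HTTPS connector, or with a `security-constraint` whose `url-pattern` does not cover the pages being requested, the application keeps answering over plain HTTP, which is the symptom described earlier in the thread.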
 
Mark Henryson
Ranch Hand
Posts: 200
I am trying to encrypt the password using the message digest MD5 (given below) and store it in the MySQL DB.
Using DatabaseServerLoginModule, I am trying to authenticate, but it's failing. Please help on this.







Getting the error message:


But for the userid "ram" and password "passwd", I am able to log in, whereas for the user "tiger" with the encrypted password I am not able to log in.
Please throw some light on it. Please help to check the configuration in login-config.xml.

And I have another doubt. If the user attempts to enter an invalid password more than 5 times, we need to lock his account.
Does JBoss' DatabaseServerLoginModule or any other login module provide this functionality? If not, how can it be achieved?
 
Mark Henryson
Ranch Hand
Posts: 200
Please help on this.
 
Mark Henryson
Ranch Hand
Posts: 200
Please help on the below query.

I am trying to encrypt the password using the message digest MD5 (given below) and store it in the MySQL DB.
Using DatabaseServerLoginModule, I am trying to authenticate, but it's failing. Please help on this.







Getting the error message:


But for the userid "ram" and password "passwd", I am able to log in, whereas for the user "tiger" with the encrypted password I am not able to log in.
Please throw some light on it. Please help to check the configuration in login-config.xml.

And I have another doubt. If the user attempts to enter an invalid password more than 5 times, we need to lock his account.
Does JBoss' DatabaseServerLoginModule or any other login module provide this functionality? If not, how can it be achieved?
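The comparison that DatabaseServerLoginModule performs when `hashAlgorithm` and `hashEncoding` are set (see the wiki link earlier in the thread) is: digest the entered password, encode the digest as a string, and compare that string with whatever `principalsQuery` returned. The class below is an added example that reproduces that comparison outside the container so a stored value can be checked against the module-options; it is not JBoss code, and it assumes standard RFC 4648 base64 for `hashEncoding=base64` and lower-case hex for `hashEncoding=hex` (the exact encoder used by the JBoss 4.2.2 `Util` class should be confirmed against that release). The sample password "passwd" is the one from the thread; the rest is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

/**
 * Reproduces, outside JBoss, the string comparison DatabaseServerLoginModule
 * performs when hashAlgorithm / hashEncoding are configured. Example code,
 * not the login module itself.
 */
public class HashedPasswordCheck {

    /** Digest + encode exactly as the module-options describe (hex or base64 assumed). */
    static String hashPassword(String clearText, String hashAlgorithm, String hashEncoding) {
        try {
            MessageDigest md = MessageDigest.getInstance(hashAlgorithm);
            byte[] digest = md.digest(clearText.getBytes(StandardCharsets.UTF_8));
            if ("hex".equalsIgnoreCase(hashEncoding)) {
                StringBuilder sb = new StringBuilder(digest.length * 2);
                for (byte b : digest) {
                    sb.append(String.format("%02x", b)); // %x treats the byte as unsigned
                }
                return sb.toString();
            }
            if ("base64".equalsIgnoreCase(hashEncoding)) {
                return Base64.getEncoder().encodeToString(digest);
            }
            throw new IllegalArgumentException("unsupported hashEncoding: " + hashEncoding);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalArgumentException("unsupported hashAlgorithm: " + hashAlgorithm, e);
        }
    }

    /** The module's effective check: hashed input equals the Password column, as strings. */
    static boolean verify(String enteredPassword, String storedValue,
                          String hashAlgorithm, String hashEncoding) {
        byte[] computed = hashPassword(enteredPassword, hashAlgorithm, hashEncoding)
                .getBytes(StandardCharsets.UTF_8);
        byte[] stored = storedValue.trim().getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(computed, stored); // constant-time compare
    }

    public static void main(String[] args) {
        // Constructed sample: the value an INSERT into the users table should store for "passwd"
        String storedBase64 = hashPassword("passwd", "MD5", "base64");
        String storedHex = hashPassword("passwd", "MD5", "hex");
        System.out.println("hashEncoding=base64 column value: " + storedBase64);
        System.out.println("hashEncoding=hex    column value: " + storedHex);

        // Stored and configured encodings agree: the login succeeds
        System.out.println("base64 stored, base64 configured: "
                + verify("passwd", storedBase64, "MD5", "base64"));

        // Stored as hex but login-config.xml left hashEncoding at its base64 default:
        // the strings never match and the login fails even though the password is right
        System.out.println("hex stored, base64 configured:    "
                + verify("passwd", storedHex, "MD5", "base64"));
    }
}
```

Two practical consequences follow from the code. First, the stored column must contain the digest in the same encoding named by `hashEncoding`, with no trailing spaces or newline, and `hashAlgorithm` must be set in `login-config.xml` at all; with the options absent the module compares the entered clear text with the column, which is why a clear-text row logs in while a hashed row does not. Second, the module keeps no count of failed attempts, so locking an account after a number of failures is not something `DatabaseServerLoginModule` offers out of the box; it has to be added around it, for instance in a subclass that overrides the password validation step and records failures in the users table. An unsalted MD5 digest is also a fast, unsalted hash, so where the stored format is under your control a salted, iterated scheme is the better choice; the module-options above are limited to a plain `MessageDigest` algorithm name.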
 