Depending on the servlet container used, the configuration differs.

Tomcat configuration:

Tomcat embedded in the JOnAS distribution is configured in $JONAS_BASE/conf/tomcat6-server.xml to use the memory realm named memrlm_1:

<Server>
  [...]
  <Realm className="org.ow2.jonas.web.tomcat6.security.Realm" resourceName="memrlm_1" />
  [...]
</Server>
The authentication mechanism implemented by the class org.ow2.jonas.web.tomcat6.security.Realm is able to work with a database or LDAP realm configured in jonas-realm.xml. The value of the resourceName attribute identifies the realm to be used in jonas-realm.xml.
In the web.xml of the web application, either basic authentication or form-based authentication may be used:

<web-app>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example Basic Authentication Area</realm-name>
  </login-config>
</web-app>

or

<web-app>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>login.jsp</form-login-page>
      <form-error-page>error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
Like basic authentication, form-based authentication is not secure: the content of the login dialog (login and password) is sent as plain text, and the target server is not authenticated.

To overcome this vulnerability, the authentication protocol may be run over an SSL session, which ensures that all message contents are protected for confidentiality.

With client-certificate authentication over such an SSL session, users do not have to enter a login/password. They just present their certificates and authentication is performed transparently by the browser (after the user has imported his certificate into it). Therefore, the identity presented to the server is not a login but a Distinguished Name (DN).
The name identifying the person to whom the certificate belongs looks like the following: CN=Someone Unknown, OU=ObjectWeb, O=JOnAS, C=ORG with:
CN : Common Name
OU : Organizational Unit
O : Organization
C : Country Name
E : Email Address
L : Locality
ST : State or Province Name
The Subject in a certificate contains the main attributes and may include additional ones, such as Title, Street Address, Postal Code, Phone Number.
In the jonas-realm.xml a user with password looks like:
<user name="jps_admin" password="admin" roles="administrator"/>
A certificate-based user must have its DN preceded by the string ##DN##, for example:
<user name="##DN##CN=whale, OU=ObjectWeb, O=JOnAS, L=JOnAS, ST=JOnAS, C=ORG" password="" roles="jadmin" />
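The two realm entries above are keyed differently: one by a login name that is checked against a password, the other by a certificate subject DN marked with the ##DN## prefix and carrying no usable password. The following Python script is an added example (not JOnAS code, and not the realm implementation JOnAS ships) that shows how a lookup can keep those two kinds of entry apart. The wrapper elements around the <user> entries are constructed for the example and are not claimed to match the real jonas-realm.xml schema; only the <user> elements matter. The DN normalisation (split on unescaped commas, trim spaces, upper-case the attribute type) is this example's own rule, so that the RFC 2253 form a Java X500Principal returns, CN=whale,OU=ObjectWeb,..., matches the spaced form written in the realm file; whether JOnAS normalises DNs is not stated on the page. Likewise, refusing password authentication for ##DN## entries is the example's policy, so that the empty password of a certificate user can never be typed into a BASIC login box.

```python
"""Realm lookup for jonas-realm.xml entries: login/password users and ##DN## certificate users.

Added example; not JOnAS code. Wrapper element names are constructed (only <user> matters here).
"""
import hmac
import re
import xml.etree.ElementTree as ET

DN_PREFIX = "##DN##"

# Constructed fragment containing the two entries shown on the page.
JONAS_REALM_XML = """<jonas-realm>
  <users>
    <user name="jps_admin" password="admin" roles="administrator"/>
    <user name="##DN##CN=whale, OU=ObjectWeb, O=JOnAS, L=JOnAS, ST=JOnAS, C=ORG" password="" roles="jadmin" />
  </users>
</jonas-realm>"""


def normalize_dn(dn: str) -> str:
    """Canonical comparison form (this example's rule, not a documented JOnAS one):
    split on unescaped commas, trim whitespace around each RDN, upper-case the attribute type.
    Attribute values keep their case."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append(f"{attr.strip().upper()}={value.strip()}")
    return ",".join(rdns)


def load_realm(realm_xml: str):
    """Return (password_users, cert_users): login -> (password, roles) and normalized DN -> roles."""
    password_users, cert_users = {}, {}
    for user in ET.fromstring(realm_xml).iter("user"):
        name = user.get("name", "")
        roles = [r.strip() for r in user.get("roles", "").split(",") if r.strip()]
        if name.startswith(DN_PREFIX):
            cert_users[normalize_dn(name[len(DN_PREFIX):])] = roles
        else:
            password_users[name] = (user.get("password", ""), roles)
    return password_users, cert_users


def authenticate_password(realm, login: str, password: str):
    """BASIC/FORM path: roles on success, None otherwise. ##DN## entries live in the other
    table, so their empty password cannot be used to log in (example policy)."""
    password_users, _ = realm
    entry = password_users.get(login)
    if entry is None:
        return None
    stored, roles = entry
    # Constant-time comparison; the page stores the password in clear text, so that is what is compared.
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    return roles


def authenticate_certificate(realm, subject_dn: str):
    """CLIENT-CERT path: the subject DN comes from the certificate the SSL layer already
    verified, so no password is involved; only the DN is looked up."""
    _, cert_users = realm
    return cert_users.get(normalize_dn(subject_dn))


if __name__ == "__main__":
    realm = load_realm(JONAS_REALM_XML)
    print(authenticate_password(realm, "jps_admin", "admin"))
    print(authenticate_certificate(realm, "CN=whale,OU=ObjectWeb,O=JOnAS,L=JOnAS,ST=JOnAS,C=ORG"))
```

Run with a real certificate by passing request.getAttribute("javax.servlet.request.X509Certificate")[0].getSubjectX500Principal().getName() from the servlet side as the subject DN; the lookup then depends only on the DN string, never on anything the client typed.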
Tomcat Realm configuration:

The current Realm in $JONAS_BASE/conf/tomcat6-server.xml must be replaced by:

<Server>
  [...]
  <Realm className="org.ow2.jonas.web.tomcat6.security.Realm" />
  [...]
</Server>

The class specified uses the JAAS model to authenticate the users. Thus, to choose the correct realm to be used for authentication, JAAS must be configured; see Section 2.5.4, “JAAS configuration”.
Tomcat SSL configuration:

The following <Connector> element must be uncommented in $JONAS_BASE/conf/tomcat6-server.xml and customized if necessary:

<Server>
  [...]
  <!-- Define a SSL Coyote HTTP/1.1 Connector on port 9043 -->
  <!--
  <Connector port="9043" maxHttpHeaderSize="8192"
             maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
             enableLookups="false" disableUploadTimeout="true"
             acceptCount="100" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS" />
  -->
  [...]
</Server>

A complete description of SSL configuration can be found in the SSL Configuration HOW-TO.
In the web.xml of the web application, client certificate authentication must be configured; a security-constraint may be added if needed. Example:

<web-app>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Example Authentication Area</realm-name>
  </login-config>
  <security-constraint>
    ..
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
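Two of the points in the Tomcat section can be checked mechanically: a BASIC or FORM login-config that has no CONFIDENTIAL transport-guarantee sends the login and password in clear text, and a CLIENT-CERT login-config only works when the SSL connector actually asks the browser for a certificate. The following Python script is an added example (not JOnAS or Tomcat code): it reads a web.xml and the Connector elements of tomcat6-server.xml and reports those mismatches. The sample descriptors are constructed from the snippets on this page, with the SSL connector uncommented and a url-pattern filled in where the page shows "..". The reading of Tomcat's clientAuth attribute ("false": the connector does not request a certificate during the handshake; "want" or "true": it does) is standard Tomcat connector behaviour that the page itself does not describe.

```python
"""Audit a web.xml login-config against the Tomcat connectors it will be served on.

Added example, not JOnAS code. Sample descriptors below are constructed from the page's snippets.
"""
import xml.etree.ElementTree as ET

# Constructed: the page's BASIC descriptor, which has no transport guarantee.
WEB_XML_BASIC = """<web-app>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example Basic Authentication Area</realm-name>
  </login-config>
</web-app>"""

# Constructed: the page's CLIENT-CERT descriptor with a web-resource-collection filled in.
WEB_XML_CLIENT_CERT = """<web-app>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Example Authentication Area</realm-name>
  </login-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>everything</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

# Constructed: tomcat6-server.xml with the page's SSL connector uncommented but otherwise unchanged.
SERVER_XML = """<Server>
  <Service name="jonas">
    <Connector port="9000" protocol="HTTP/1.1" />
    <Connector port="9043" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />
  </Service>
</Server>"""


def _local(tag: str) -> str:
    """Strip a namespace prefix so a real, namespaced web.xml is handled like the page's bare one."""
    return tag.rsplit("}", 1)[-1]


def _texts(root, name: str):
    return [e.text.strip().upper() for e in root.iter() if _local(e.tag) == name and e.text]


def audit_web_xml(web_xml: str):
    """Return (auth_method, findings) for one web application descriptor."""
    root = ET.fromstring(web_xml)
    methods = _texts(root, "auth-method")
    method = methods[0] if methods else None
    confidential = "CONFIDENTIAL" in _texts(root, "transport-guarantee")
    findings = []
    if method in ("BASIC", "FORM") and not confidential:
        findings.append(f"{method} authentication with no CONFIDENTIAL transport-guarantee: "
                        "login and password travel in clear text")
    if method == "CLIENT-CERT" and not confidential:
        findings.append("CLIENT-CERT with no CONFIDENTIAL transport-guarantee: "
                        "a plain-HTTP request carries no client certificate")
    return method, findings


def audit_connectors(server_xml: str, auth_method):
    """Check that an SSL connector exists and, for CLIENT-CERT, that it asks for a certificate."""
    root = ET.fromstring(server_xml)
    ssl = [c for c in root.iter("Connector") if c.get("secure", "false").lower() == "true"]
    findings = []
    if not ssl:
        findings.append('no Connector with secure="true": the SSL connector is still commented out')
    if auth_method == "CLIENT-CERT":
        for c in ssl:
            if c.get("clientAuth", "false").lower() == "false":
                findings.append(f'SSL connector on port {c.get("port")} has clientAuth="false": '
                                'set it to "want" or "true" so the handshake requests a certificate')
    return findings


def audit(web_xml: str, server_xml: str):
    """Combined report for one web application deployed on one server configuration."""
    method, findings = audit_web_xml(web_xml)
    return findings + audit_connectors(server_xml, method)


if __name__ == "__main__":
    for name, descriptor in (("BASIC", WEB_XML_BASIC), ("CLIENT-CERT", WEB_XML_CLIENT_CERT)):
        print(name, audit(descriptor, SERVER_XML) or ["ok"])
```

Feed it the real files with open(...).read(); the namespace stripping in _local is what makes a Servlet 2.4/2.5 web.xml with an xmlns declaration parse the same way as the bare snippets above.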
Jetty configuration:

A web-jetty.xml file must be provided in the WEB-INF directory of the .war file, in which the security interceptor org.ow2.jonas.web.jetty6.security.Realm is specified instead of the default one:

<Configure class="org.mortbay.jetty.webapp.WebAppContext">
  <Call name="setRealmName">
    <Arg>Example Basic Authentication Area</Arg>
  </Call>
  <Call name="setRealm">
    <Arg>
      <New class="org.ow2.jonas.web.jetty6.security.Realm">
        <Arg>Example Basic Authentication Area</Arg>
        <Arg>memrlm_1</Arg>
      </New>
    </Arg>
  </Call>
</Configure>
webapp configuration:

is similar to the webapp configuration with Tomcat, described above.
Jetty Realm configuration:

Edit the web-jetty.xml file under the WEB-INF directory of the .war file to declare a Realm name and a Realm:

<Configure class="org.mortbay.jetty.webapp.WebAppContext">
  ...
  <!-- Set the same realm name as the one specified in <realm-name> in <login-config>
       in the web.xml file of your web application -->
  <Call name="setRealmName">
    <Arg>Example Authentication Area</Arg>
  </Call>
  <!-- Set the class Jetty has to use to authenticate the user and a title name for the pop-up window -->
  <Call name="setRealm">
    <Arg>
      <New class="org.ow2.jonas.web.jetty6.security.Realm">
        <Arg>JAAS on Jetty</Arg>
      </New>
    </Arg>
  </Call>
  ...
</Configure>

The class specified uses the JAAS model to authenticate the users. Thus, to choose the correct realm to be used for authentication, JAAS must be configured; see Section 2.5.4, “JAAS configuration”.
Jetty SSL configuration:

In the global deployment descriptor of Jetty (the jetty6.xml file), located in the $JONAS_BASE/conf directory, uncomment this part:

<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<!-- Add a HTTPS SSL listener on port 9043 -->
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<!-- UNCOMMENT TO ACTIVATE
<Call name="addListener">
  <Arg>
    <New class="org.mortbay.http.SunJsseListener">
      <Set name="Port">9043</Set>
      <Set name="MinThreads">5</Set>
      <Set name="MaxThreads">100</Set>
      <Set name="MaxIdleTimeMs">30000</Set>
      <Set name="LowResourcePersistTimeMs">2000</Set>
      <Set name="Keystore"><SystemProperty name="jetty.home" default="."/>/etc/demokeystore</Set>
      <Set name="Password">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
      <Set name="KeyPassword">OBF:1u2u1wml1z7s1z7a1wnl1u2g</Set>
    </New>
  </Arg>
</Call>
-->

A complete description of how to configure SSL for Jetty can be found in the Jetty documentation.
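The listener above points at Jetty's demo keystore and carries two OBF: password values. OBF: is Jetty's published obfuscation, not encryption: it keeps the clear-text password out of the file for a casual reader but is fully reversible by design, and the two values in the snippet are the stock passwords of the demo keystore that ships with Jetty. The following Python script is an added example (not Jetty or JOnAS code) that reimplements the obfuscation so an operator can produce the OBF: value for a keystore of their own, and that flags a jetty6.xml which still carries the demo values. The algorithm is the one in Jetty's Password utility class; the clear-text values listed as DEMO_PASSWORDS are the ones whose obfuscation equals the OBF: strings in the snippet, which the script checks itself.

```python
"""Jetty 'OBF:' password obfuscation, with a check for the demo keystore defaults.

Added example; not Jetty or JOnAS code. Reimplements the published OBF: scheme
(Jetty's Password utility class) for ASCII passwords.
"""
import string

_B36 = string.digits + string.ascii_lowercase


def _to_base36(n: int) -> str:
    """Lower-case base-36 rendering, as Java's Integer.toString(n, 36) produces."""
    if n == 0:
        return "0"
    digits = []
    while n:
        n, r = divmod(n, 36)
        digits.append(_B36[r])
    return "".join(reversed(digits))


def obfuscate(password: str) -> str:
    """Produce the OBF: form Jetty accepts in <Set name="Password"> and <Set name="KeyPassword">.
    Each byte is mixed with its mirror byte from the other end of the string, then written as a
    4-character base-36 group; the mixing is arithmetic only, so it is reversible by anyone."""
    data = password.encode("ascii")  # non-ASCII bytes are handled differently by Jetty; not covered here
    groups = []
    for i, b1 in enumerate(data):
        b2 = data[len(data) - 1 - i]
        i1 = 127 + b1 + b2
        i2 = 127 + b1 - b2
        groups.append(_to_base36(i1 * 256 + i2).rjust(4, "0"))
    return "OBF:" + "".join(groups)


# Clear-text passwords of the demo keystore Jetty ships; their OBF: forms are the two values
# in the jetty6.xml snippet (constructed list for the check below).
DEMO_PASSWORDS = ("storepwd", "keypwd")


def uses_demo_password(obf_value: str) -> bool:
    """True when a configured value is one of the demo keystore defaults."""
    return obf_value in {obfuscate(p) for p in DEMO_PASSWORDS}


def audit_jetty_passwords(settings: dict) -> list:
    """settings maps the <Set> name ("Password", "KeyPassword") to its configured value."""
    findings = []
    for name, value in settings.items():
        if uses_demo_password(value):
            findings.append(f"{name} is a Jetty demo keystore default; replace it together with the demokeystore")
        elif not value.startswith("OBF:"):
            findings.append(f"{name} is written in clear text; use obfuscate() to produce an OBF: value")
    return findings


if __name__ == "__main__":
    print(obfuscate("storepwd"))
    print(audit_jetty_passwords({"Password": "OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4",
                                 "KeyPassword": "OBF:1u2u1wml1z7s1z7a1wnl1u2g"}))
```

Because OBF: protects nothing beyond casual reading, the real controls are a keystore of your own, file permissions on jetty6.xml, and keeping the demo keystore out of any deployed JONAS_BASE.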
webapp configuration:

is similar to the webapp configuration with Tomcat.

jonas-realm configuration:

is similar to the jonas-realm configuration with Tomcat.