2.5.2. Servlet Authentication

Depending on the servlet container used, configuration differs.

2.5.2.1. Authentication with User/password and Tomcat 6

  • Tomcat configuration:

    Tomcat embedded in the JOnAS distribution is configured in $JONAS_BASE/conf/tomcat6-server.xml to use the memory realm named memrlm_1:

    <Server>
    [...]
    <Realm className="org.ow2.jonas.web.tomcat6.security.Realm" resourceName="memrlm_1" />
    [...]
    </Server>

    The authentication mechanism implemented by the class org.ow2.jonas.web.tomcat6.security.Realm is able to work with a database or LDAP realm configured in jonas-realm.xml. The value of the resourceName attribute identifies the realm to be used in jonas-realm.xml.

  • webapp configuration:

    In the web.xml of the web application, either basic authentication or form-based authentication may be used:

    <web-app>
      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Example Basic Authentication Area</realm-name>
      </login-config>
    </web-app>

    or

    <web-app>
      <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
          <form-login-page>login.jsp</form-login-page>
          <form-error-page>error.jsp</form-error-page>
        </form-login-config>
      </login-config>
    </web-app>

    Like basic authentication, form-based authentication is not secure, since the content of the user dialog is sent as plain text, and the target server is not authenticated.

    To overcome this vulnerability, the authentication protocol may be run over an SSL session, which ensures that all message contents are protected for confidentiality.
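
    The check a deployer would want for the point above: a small audit of a web.xml that flags BASIC or FORM login-config whose protected URL patterns carry no CONFIDENTIAL transport-guarantee, so credentials would be posted over plain HTTP. This is an added example, not JOnAS code; the sample web.xml is constructed for the demonstration.

```python
# Audit a web.xml: flag BASIC/FORM logins whose protected URLs are not forced onto SSL.
import xml.etree.ElementTree as ET

# Constructed sample (not from the JOnAS distribution): FORM login, one constraint on SSL, one not.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>login.jsp</form-login-page>
      <form-error-page>error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/reports/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

CLEARTEXT_METHODS = {"BASIC", "FORM"}  # credentials travel in clear text unless SSL is forced


def _strip_namespaces(root):
    """Drop the Servlet namespace so element names can be matched as written in the file."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def audit_web_xml(xml_text):
    """One finding per security-constraint that requires a login (auth-constraint) but no CONFIDENTIAL transport."""
    root = _strip_namespaces(ET.fromstring(xml_text))
    method = root.findtext("login-config/auth-method", default="").strip().upper()
    findings = []
    if method not in CLEARTEXT_METHODS:
        return findings  # CLIENT-CERT, DIGEST or no login-config: not the case discussed here
    for sc in root.findall("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue  # no login is triggered for this constraint
        patterns = [(p.text or "").strip() for p in sc.findall("web-resource-collection/url-pattern")]
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", default="NONE").strip().upper()
        if guarantee != "CONFIDENTIAL":
            findings.append(f"{method} login for {', '.join(patterns)}: transport-guarantee is {guarantee}")
    return findings
```

    Run it over the deployed web.xml before enabling the SSL connector described in the next section; an empty result means every login-protected pattern is already forced onto HTTPS.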

2.5.2.2. Authentication with certificate and Tomcat 6

In this case, users will not have to enter a login/password. They will just present their certificates, and authentication is performed transparently by the browser (after the user has imported his certificate into it). Therefore, the identity presented to the server is not a login but a Distinguished Name (DN).

  • jonas-realm configuration:

    The name identifying the person to whom the certificate belongs looks like the following: CN=Someone Unknown, OU=ObjectWeb, O=JOnAS, C=ORG with:

    CN : Common Name

    OU : Organizational Unit

    O : Organization

    C : Country Name

    E : Email Address

    L : Locality

    ST : State or Province Name

    The Subject in a certificate contains the main attributes and may include additional ones, such as Title, Street Address, Postal Code, Phone Number.

    In the jonas-realm.xml a user with password looks like:

    <user name="jps_admin" password="admin" roles="administrator"/>

    A certificate-based user must have its DN preceded by the string ##DN##; for example:

    <user name="##DN##CN=whale, OU=ObjectWeb, O=JOnAS, L=JOnAS, ST=JOnAS, C=ORG"
          password="" roles="jadmin" />

  • Tomcat Realm configuration:

    The current Realm in $JONAS_BASE/conf/tomcat6-server.xml must be replaced by:

    <Server>
    [...]
    <Realm className="org.ow2.jonas.web.tomcat6.security.Realm" />
    [...]
    </Server>

    The class specified uses the JAAS model to authenticate the users. Thus, to choose the correct realm to be used for authentication, JAAS must be configured; see Section 2.5.4, “JAAS configuration”.

  • Tomcat SSL configuration:

    The following example of a <Connector> element must be uncommented in $JONAS_BASE/conf/tomcat6-server.xml and customized (if necessary):

    <Server>
    [...]
    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 9043 -->
    <!--
    <Connector port="9043" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->
    [...]
    </Server>

    A complete description of the SSL configuration can be found in the SSL Configuration HOW-TO.

  • Webapp configuration:

    In the web.xml of the web application, a Client Certificate Authentication configuration must be set; a security-constraint may be used if needed. Example:

    <web-app>
      <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>Example Authentication Area</realm-name>
      </login-config>

      <security-constraint>
        ..
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
    </web-app>
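
    The following added example (not JOnAS code) shows how a presented certificate subject resolves to one of the ##DN## user entries in jonas-realm.xml described above, returning its roles. The wrapper elements of the sample realm file are assumed; only the <user> entries follow the form given on this page. The normalization applied (attribute types upper-cased, whitespace around separators dropped, RDN order preserved) is this example's choice, since the page does not state how JOnAS compares the two strings; the safe assumption for a deployment is to keep the realm entry character-for-character identical to the certificate's subject.

```python
# Resolve a client certificate's subject DN to a ##DN## user in jonas-realm.xml
# and return its roles; an added example, not JOnAS code.
import xml.etree.ElementTree as ET

DN_PREFIX = "##DN##"

# Constructed memory-realm fragment; the wrapper element names are assumed,
# only the <user> entries follow the form shown on the page.
SAMPLE_REALM_XML = """<jonas-realm>
  <jonas-memoryrealm>
    <memory-realm name="memrlm_1">
      <users>
        <user name="jps_admin" password="admin" roles="administrator"/>
        <user name="##DN##CN=whale, OU=ObjectWeb, O=JOnAS, L=JOnAS, ST=JOnAS, C=ORG"
              password="" roles="jadmin"/>
      </users>
    </memory-realm>
  </jonas-memoryrealm>
</jonas-realm>"""


def parse_dn(dn):
    """Split 'CN=whale, OU=ObjectWeb' into (('CN', 'whale'), ('OU', 'ObjectWeb')).
    Attribute types are upper-cased and whitespace around ',' and '=' dropped;
    values keep their case. Escaped commas inside values are not handled (assumed absent)."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return tuple(rdns)


def load_cert_users(realm_xml):
    """Map parsed DN -> roles for every user whose name carries the ##DN## prefix."""
    users = {}
    for user in ET.fromstring(realm_xml).iter("user"):
        name = user.get("name", "")
        if name.startswith(DN_PREFIX):
            roles = [r.strip() for r in user.get("roles", "").split(",") if r.strip()]
            users[parse_dn(name[len(DN_PREFIX):])] = roles
    return users


def roles_for_subject(subject_dn, realm_xml=SAMPLE_REALM_XML):
    """Roles granted to a presented subject DN, or None when no ##DN## user matches.
    RDN order is part of the identity: 'OU=ObjectWeb, CN=whale' does not match."""
    return load_cert_users(realm_xml).get(parse_dn(subject_dn))
```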

2.5.2.3. Servlet Authentication with User/password and Jetty 6.x

  • Jetty configuration

    A web-jetty.xml file must be provided in the WEB-INF directory of the .war file, in which the security realm class org.ow2.jonas.web.jetty6.security.Realm is specified instead of the default one:

    <Configure class="org.mortbay.jetty.webapp.WebAppContext">
      <Call name="setRealmName">
        <Arg>Example Basic Authentication Area</Arg>
      </Call>
      <Call name="setRealm">
        <Arg>
          <New class="org.ow2.jonas.web.jetty6.security.Realm">
            <Arg>Example Basic Authentication Area</Arg>
            <Arg>memrlm_1</Arg>
          </New>
        </Arg>
      </Call>
    </Configure>

  • webapp configuration:

    is similar to the webapp configuration with Tomcat; see ???.

2.5.2.4. Authentication with certificate and Jetty 6.x

  • Jetty Realm configuration:

    Edit the web-jetty.xml file under WEB-INF directory in the .war file to declare a Realm name and a Realm:

    <Configure class="org.mortbay.jetty.webapp.WebAppContext">
    ...
      <!-- Set the same realm name as the one specified in <realm-name> in <login-config>
           in the web.xml file of your web application -->
      <Call name="setRealmName">
        <Arg>Example Authentication Area</Arg>
      </Call>
      <!-- Set the class Jetty has to use to authenticate the user and a title name for
           the pop-up window -->
      <Call name="setRealm">
        <Arg>
          <New class="org.ow2.jonas.web.jetty6.security.Realm">
            <Arg>JAAS on Jetty</Arg>
          </New>
        </Arg>
      </Call>
    ...
    </Configure>

    The class specified uses the JAAS model to authenticate the users. Thus, to choose the correct realm to be used for authentication, JAAS must be configured; see Section 2.5.4, “JAAS configuration”.

  • Jetty SSL configuration:

    In the global deployment descriptor of Jetty (the jetty6.xml file), located in the $JONAS_BASE/conf directory, uncomment this part:

    <!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
    <!-- Add a HTTPS SSL listener on port 9043                           -->
    <!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
    <!-- UNCOMMENT TO ACTIVATE
    <Call name="addListener">
      <Arg>
        <New class="org.mortbay.http.SunJsseListener">
          <Set name="Port">9043</Set>
          <Set name="MinThreads">5</Set>
          <Set name="MaxThreads">100</Set>
          <Set name="MaxIdleTimeMs">30000</Set>
          <Set name="LowResourcePersistTimeMs">2000</Set>
          <Set name="Keystore"><SystemProperty name="jetty.home" default="."/>/etc/demokeystore</Set>
          <Set name="Password">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
          <Set name="KeyPassword">OBF:1u2u1wml1z7s1z7a1wnl1u2g</Set>
        </New>
      </Arg>
    </Call>
    -->

    A complete description of how to configure SSL for Jetty can be found here.

  • webapp configuration:

    is similar to the webapp configuration with Tomcat.

  • jonas-realm configuration:

    is similar to the jonas-realm configuration with Tomcat.