2.5. Configuring Security

The security service is used by the ejb, web and ws services to provide security for Java EE components. The ejb service provides security in two forms, declarative security and programmatic security, as described in the EJB Programmer's Guide: Security Management.

The security service exploits security roles and method permissions located in the Java EE deployment descriptors.

A central concept in security is authentication, the mechanism by which the container learns the identity of the user making the current request.

A caller is a client that may be a servlet client or a container client. Usually a client proves its identity with a user/password pair or a certificate (credential). Once the identification succeeds, JOnAS must build a security context that is propagated with requests and used by the container to verify that the user exists and has sufficient permissions to make the request.

JAAS is a standard framework for authenticating users. It defines configuration files (jaas.config) and interfaces like the LoginModule interface that may be used in JOnAS to perform authentication tasks.

A lightweight authentication mechanism using JACC may be used to authenticate servlet clients.

In the Tomcat documentation we can find this definition: “A Realm is a "database" of usernames and passwords that identify valid users of a web application (or set of web applications), plus an enumeration of the list of roles associated with each valid user.”

In both authentication mechanisms the container uses a realm to verify the validity of users. In JOnAS the realm may be a database accessed via JDBC (Database realm), an LDAP directory (LDAP realm) or a flat file (Memory realm). The type of realm to use is specified in $JONAS_BASE/conf/jonas-realm.xml.

2.5.1. jonas-realm.xml

The file $JONAS_BASE/conf/jonas-realm.xml describes:

  • the content of a flat-file memory realm

  • how to access a database realm

  • how to access an LDAP realm

2.5.1.1. Memory realm

The memory realm must be named; it defines users, groups and roles in the <jonas-memoryrealm> section.

<jonas-memoryrealm>
  <memoryrealm name="memrlm_1">                                                      <!-- 1 -->
    <roles>
      <role name="jonas-admin" description="JonasAdmin role" />                      <!-- 2 -->
      <role name="tomcat" description="Used in examples" />
    </roles>
    <groups>
      <group name="jonas" roles="jonas-admin,tomcat,jaas,ws-security"
             description="All authorization" />                                      <!-- 3 -->
    </groups>
    <users>
      <user name="tomcat" password="tomcat" roles="tomcat,jonas-admin,manager" />    <!-- 4 -->
      <user name="jetty" password="jetty" roles="jetty" />
      <!-- Example of an encrypted password: the password for jadmin is jonas -->
      <user name="jadmin" password="{MD5}nF3dVBB3NPfRgzWlJFwoaw==" roles="jonas-admin" />   <!-- 5 -->
      <user name="jps_admin" password="admin" roles="administrator" />
      <user name="supplier" password="supplier" roles="administrator" />
      <!-- Another encrypted example in another format: the password is jonas -->
      <!-- JonasAdmin uses name="jonas" password="jonas" -->
      <user name="jonas" password="SHA:NaLG+uYfgHeqth+qQBlyKr8FCTw=" groups="jonas" />     <!-- 6 -->
      <user name="principal1" password="password1" roles="role1" />
      <user name="principal2" password="password2" roles="role2" />
    </users>
  </memoryrealm>
</jonas-memoryrealm>

1. The memoryrealm must be named. This name will be used in the web container configuration file.

2. Definition of a security role.

3. Definition of a group of roles.

4. Definition of a user with a non-encrypted password and a list of roles.

5. Definition of a user with an encrypted password (MD5 format).

6. Definition of a user with an encrypted password (SHA format).
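The following is an added example, not code from the JOnAS documentation or code base. It parses a trimmed copy of the memory realm above (constructed from the sample, callout numbers removed), resolves a user's effective roles through group membership, verifies passwords in the three forms the sample shows, and lists the users whose passwords are stored in clear. It assumes, from the lengths of the two sample values, that the {MD5} and SHA: prefixes wrap the base64 encoding of a raw MD5 or SHA-1 digest; that assumption and all function names are this example's own.

```python
# Added example (not JOnAS code): load a <jonas-memoryrealm>, resolve roles via
# groups, verify stored passwords and audit for cleartext entries.
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the memory realm shown in the documentation.
SAMPLE_REALM = """<jonas-memoryrealm>
  <memoryrealm name="memrlm_1">
    <roles>
      <role name="jonas-admin" description="JonasAdmin role" />
      <role name="tomcat" description="Used in examples" />
    </roles>
    <groups>
      <group name="jonas" roles="jonas-admin,tomcat,jaas,ws-security" description="All authorization" />
    </groups>
    <users>
      <user name="tomcat" password="tomcat" roles="tomcat,jonas-admin,manager" />
      <user name="jadmin" password="{MD5}nF3dVBB3NPfRgzWlJFwoaw==" roles="jonas-admin" />
      <user name="jonas" password="SHA:NaLG+uYfgHeqth+qQBlyKr8FCTw=" groups="jonas" />
    </users>
  </memoryrealm>
</jonas-memoryrealm>
"""


def _split(attr):
    """Split a comma-separated attribute value, tolerating a missing attribute."""
    return [x for x in (attr or "").split(",") if x]


def load_realm(xml_text, realm_name=None):
    """Return (users, groups) for the named <memoryrealm> (or the first one)."""
    root = ET.fromstring(xml_text)
    realms = root.findall("memoryrealm")
    if realm_name is not None:
        realms = [r for r in realms if r.get("name") == realm_name]
    if not realms:
        raise ValueError("memoryrealm %r not found" % (realm_name,))
    realm = realms[0]
    groups = {g.get("name"): set(_split(g.get("roles"))) for g in realm.iter("group")}
    users = {}
    for u in realm.iter("user"):
        users[u.get("name")] = {
            "password": u.get("password", ""),
            "roles": set(_split(u.get("roles"))),
            "groups": _split(u.get("groups")),
        }
    return users, groups


def effective_roles(users, groups, username):
    """Roles granted directly to the user plus the roles of every group it belongs to."""
    u = users[username]
    roles = set(u["roles"])
    for g in u["groups"]:
        roles |= groups.get(g, set())
    return roles


def encode_password(plain, fmt):
    """Produce a stored value in the '{MD5}base64' or 'SHA:base64' form (assumed encoding)."""
    if fmt == "MD5":
        return "{MD5}" + base64.b64encode(hashlib.md5(plain.encode()).digest()).decode()
    if fmt == "SHA":
        return "SHA:" + base64.b64encode(hashlib.sha1(plain.encode()).digest()).decode()
    raise ValueError("unknown format %r" % (fmt,))


def verify_password(stored, candidate):
    """Compare a candidate against a stored value in constant time."""
    if stored.startswith("{MD5}"):
        digest = hashlib.md5(candidate.encode()).digest()
        expected = base64.b64decode(stored[len("{MD5}"):])
    elif stored.startswith("SHA:"):
        digest = hashlib.sha1(candidate.encode()).digest()
        expected = base64.b64decode(stored[len("SHA:"):])
    else:  # cleartext entry, as for the "tomcat" user in the sample
        digest, expected = candidate.encode(), stored.encode()
    return hmac.compare_digest(digest, expected)


def cleartext_users(users):
    """Audit helper: names of users whose password carries no digest prefix."""
    return sorted(n for n, u in users.items()
                  if not (u["password"].startswith("{MD5}") or u["password"].startswith("SHA:")))


def authenticate(users, groups, username, password):
    """Return the effective role set on success, None on failure."""
    u = users.get(username)
    if u is None or not verify_password(u["password"], password):
        return None
    return effective_roles(users, groups, username)


if __name__ == "__main__":
    users, groups = load_realm(SAMPLE_REALM, "memrlm_1")
    print("cleartext passwords:", cleartext_users(users))
    print("roles for jonas:", sorted(effective_roles(users, groups, "jonas")))
```

Note that the sample grants the tomcat user the role "manager" although no such role is declared in the <roles> section; a realm audit can flag undeclared roles with the same data structures.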

2.5.1.2. Database realm

User, group and role information is stored in a database; the configuration for accessing that database is described in the <jonas-dsrealm> section.

The configuration requires the name of a datasource, the tables used, and the names of the columns.

<jonas-dsrealm>
  <dsrealm name="dsrlm_1"                                                                    <!-- 1 -->
           dsName="jdbc_1"                                                                   <!-- 2 -->
           userTable="realm_users" userTableUsernameCol="user_name" userTablePasswordCol="user_pass"   <!-- 3 -->
           roleTable="realm_roles" roleTableUsernameCol="user_name" roleTableRolenameCol="role_name">  <!-- 4 -->
  </dsrealm>
</jonas-dsrealm>

1. The dsrealm must be named.

2. JNDI name of the datasource used to access the database via JDBC.

3. Name of the user table and of its username and password columns.

4. Name of the role table and of its username and rolename columns.

To use this database realm, a datasource with the matching JNDI name must be configured for the dbm service in the jonas.properties file.
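As an added example (not JOnAS code), the following shows the lookup a database realm has to perform with the table and column names taken from the <dsrealm> sample above, against a constructed in-memory SQLite database. The table and column names are configuration and are spliced into the SQL text, so they are validated as bare identifiers; the username comes from the request and is always bound as a query parameter. The sample rows, the dictionary of attributes and all function names are this example's own.

```python
# Added example (not JOnAS code): the SELECTs a <dsrealm> implies, driven by the
# configured table and column names, run against constructed SQLite sample data.
import re
import sqlite3

# Attributes copied from the <dsrealm> sample; dsName is the JNDI name of the
# datasource that the dbm service must declare, which SQLite stands in for here.
DSREALM = {
    "userTable": "realm_users",
    "userTableUsernameCol": "user_name",
    "userTablePasswordCol": "user_pass",
    "roleTable": "realm_roles",
    "roleTableUsernameCol": "user_name",
    "roleTableRolenameCol": "role_name",
}

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def _ident(name):
    """Configured table/column names end up in SQL text: accept bare identifiers only."""
    if not _IDENT.match(name):
        raise ValueError("unsafe identifier in realm configuration: %r" % (name,))
    return name


def _names(cfg):
    """Validated (userTable, usernameCol, passwordCol, roleTable, usernameCol, rolenameCol)."""
    return tuple(_ident(cfg[k]) for k in (
        "userTable", "userTableUsernameCol", "userTablePasswordCol",
        "roleTable", "roleTableUsernameCol", "roleTableRolenameCol"))


def make_sample_db(cfg):
    """Constructed sample data in the shape the dsrealm expects: one row per user
    in the user table, one row per (user, role) pair in the role table."""
    ut, uc, pc, rt, ruc, rnc = _names(cfg)
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {ut} ({uc} TEXT PRIMARY KEY, {pc} TEXT NOT NULL)")
    conn.execute(f"CREATE TABLE {rt} ({ruc} TEXT NOT NULL, {rnc} TEXT NOT NULL)")
    conn.executemany(f"INSERT INTO {ut} ({uc}, {pc}) VALUES (?, ?)",
                     [("tomcat", "tomcat"),
                      ("jadmin", "{MD5}nF3dVBB3NPfRgzWlJFwoaw==")])  # value from the memory realm sample
    conn.executemany(f"INSERT INTO {rt} ({ruc}, {rnc}) VALUES (?, ?)",
                     [("tomcat", "tomcat"), ("tomcat", "jonas-admin"), ("jadmin", "jonas-admin")])
    conn.commit()
    return conn


def lookup_user(conn, cfg, username):
    """Return (stored_password, sorted role list), or None when the user does not exist.
    The username is a bound parameter, never interpolated into the statement."""
    ut, uc, pc, rt, ruc, rnc = _names(cfg)
    row = conn.execute(f"SELECT {pc} FROM {ut} WHERE {uc} = ?", (username,)).fetchone()
    if row is None:
        return None
    roles = [r[0] for r in conn.execute(
        f"SELECT {rnc} FROM {rt} WHERE {ruc} = ? ORDER BY {rnc}", (username,))]
    return row[0], roles


if __name__ == "__main__":
    db = make_sample_db(DSREALM)
    print(lookup_user(db, DSREALM, "tomcat"))
    print(lookup_user(db, DSREALM, "nobody"))
```

The stored password returned by lookup_user is compared to the caller's credential exactly as for the memory realm; the database only changes where the user and role rows live, not how they are checked.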

2.5.1.3. LDAP realm

User, group and role information is stored in an LDAP directory. This is described in the <jonas-ldaprealm> section.

Some parameters are optional; when they are not specified they take a default value. For example, if providerUrl is not set, the default value is ldap://localhost:389. The jonas-realm_1_0.dtd DTD file shows the default values.

  • minimal example:

    <jonas-ldaprealm>
      <ldaprealm name="ldaprlm_1"                      <!-- 1 -->
                 baseDN="dc=jonas,dc=ow2,dc=org" />    <!-- 2 -->
    </jonas-ldaprealm>

    1. The ldaprealm must be named.

    2. Base DN under which the LDAP server is searched.

    For this sample, it is assumed that the LDAP server is on the same computer and is on the default port (389).