Introduction to Securing Web Applications with JBoss and LDAP

September 15, 2003, by Luc Russell

Introduction

Goals
After reading this tutorial you should be able to:

1. Configure JBoss to authenticate users against an LDAP server (or other types of user information repository)
2. Design pluggable user information repositories using the Abstract Factory and Data Access Object patterns
3. Control the presentation of a web application with role-based presentation
4. Protect your EJB methods by confirming calls are authorized

This article gives an introduction to configuring security on JBoss and implementing an LDAP-based user information repository. The sample application described here demonstrates using LDAP with the JBoss Security Extension (JBossSX), and describes a simple API for managing users, roles, and groups in LDAP. In addition, this article demonstrates the use of the Abstract Factory pattern to implement pluggable persistence. An Abstract Factory is used to decouple the LDAP access classes so that LDAP can easily be replaced with another type of storage. This is useful if you are building multiple web applications for different clients, some requiring LDAP storage and others requiring a database.

Requirements
You'll need the following software set up on your machine to run the sample:

1. LDAP server (eg OpenLDAP)
2. JBoss
3. Ant
The sample code has been tested with OpenLdap 2.0.19 built for Windows [2], jboss-3.0.4_tomcat4.1.12 [8], and Ant 1.5.1 [9] on Windows 2000. For information on exactly how to build and deploy the sample code, please see the included readme file.

Role Based Access Control


According to the principles of Role Based Access Control (RBAC), users are granted membership into roles based on their competencies and responsibilities in the organization. The operations that a user is permitted to perform are based on the user's role. Membership of roles can be easily withdrawn and new memberships established as the organization evolves. Role associations can be established when new operations are added, simplifying the administration and management of privileges; roles can be updated without updating the privileges for every user on an individual basis. The principle of least privilege is fundamental to RBAC; this requires identifying the user's job functions, determining the minimum set of privileges required to perform that function, and restricting the user to a domain with those privileges and nothing more. In less precisely controlled systems, this is often difficult to achieve.

Sample Schema Design



The sample LDAP schema used here is built around the following entities: Users, Groups and Roles. In this approach, Users are assigned to Groups, and Groups are given Roles. The following example shows how this kind of design can be useful: Imagine two users, Jane and Bob. Jane is in the group user_admins, which has the user_management role. This means Jane is able to add and remove users from the system, update passwords, etc. Bob is in the group finance_admins, which has the finance_management role. This means Bob is able to view salary details, update salaries, etc. In this situation the information is kept secure, and is available only to the minimum number of people who need to have access to it (the principle of least privilege outlined above). Jane will not have any access to salary details, and Bob will not be able to accidentally remove users from the system. If it is necessary for one individual to be able to do both jobs, this is also possible; imagine a user called Superman, who is in both the user_admins group and the finance_admins group. This user will have both the finance_management and the user_management roles, and will have access to both types of information. The advantage of including the concept of groups in the schema is that it simplifies updating the access rights of collections of users, without requiring individual updates to each user. An entry for a user in LDIF (LDAP Data Interchange Format) format for the sample schema looks like this:


dn: uid=jbloggs,ou=People,dc=sample,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: Bloggs
cn: Joe
uid: jbloggs
userpassword: no3XJAZeeb9AKbGNY65/masWpZE=
mail: jbloggs@sample.com

The DN (Distinguished Name) entry is equivalent to a unique identifier for this entry; it states exactly where this user is positioned in the directory structure. Graphically, the sample schema looks like this:

[Figure: diagram of the sample schema (Users, Groups and Roles)]

JBoss Authentication


The authentication process can be triggered by a call to the standard servlet login mechanism specified in the servlet specification, ie a form submitting to the action j_security_check. The first step is therefore to create a login page, containing a form like this:

<form action="j_security_check" method="post">
Username: <input type="text" name="j_username" size="22"/>
Password: <input type="password" name="j_password" size="22"/>
<input type="submit" value="Login"/>
</form>

The username and password will be intercepted by the JBoss SecurityInterceptor and passed to the JAASSecurityManager class as Principal and Credential objects. It is worth noting here that if a user bookmarks a login page, or uses the browser back button to reach the page, they will see an error. This is a feature of the Tomcat implementation of the j_security_check mechanism. The next step is to set up the web.xml file as follows:

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login_error.html</form-error-page>
  </form-login-config>
</login-config>

Next, the login-config.xml file must be set up to specify that this security domain requires a certain set of LoginModules:


<application-policy name="sample_web_client_security">
  <authentication>
    <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
    <login-module code="com.sample.security.GenericJbossLoginModule" flag="required"/>
  </authentication>
</application-policy>

Login modules within an application policy are chained; the "flag" value specifies whether each one is required to succeed or not. The ClientLoginModule should be specified if you wish to use EJB security: it passes the username and credentials obtained during login to the org.jboss.security.SecurityAssociation class so that each EJB method invocation is associated with the given username and credentials. See below for details on how custom login modules work.

On login, the JAASSecurityManager will create a LoginContext for the specified security domain and attempt to authenticate the given Principal by calling the login modules configured for that domain. Internally, this looks something like the following:

String name = getSecurityDomain();
SecurityAssociationHandler handler = new org.jboss.security.plugins.SecurityAssociationHandler();
handler.setSecurityInfo(principal, credential);
LoginContext lc = new LoginContext(name, handler);
lc.login();

The security domain should be specified in the jboss-web.xml and jboss.xml files, with a declaration like this:

<security-domain>java:/jaas/security-example</security-domain>

The JAASSecurityManager will then get a javax.security.auth.Subject from the LoginContext; it will contain a Principal for the username and a java.security.acl.Group called Roles holding this user's roles. This is what allows methods like isUserInRole and getCallerPrincipal in the servlet and EJB containers to verify the current user.
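As an added example (not the article's GenericJbossLoginModule, and not JBoss's own code), the following login module shows how the "Roles" group described above is populated by walking the sample schema from user to groups to roles. It extends UsernamePasswordLoginModule, the JBoss subclass of AbstractServerLoginModule that handles the username/password callbacks; the UserDAO, GroupDAO and DAOFactory calls are assumed interfaces standing in for the sample's repository.

```java
package com.sample.security;

import java.security.acl.Group;
import java.util.List;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

// Custom login module: password check delegated to the repository, roles
// resolved through group membership so role changes never touch user entries.
public class SampleLdapLoginModule extends UsernamePasswordLoginModule {

    // UsernamePasswordLoginModule normally compares the submitted password
    // with getUsersPassword(). The sample validates by binding as the user,
    // so no stored password is read here and null is returned.
    protected String getUsersPassword() throws LoginException {
        return null;
    }

    protected boolean validatePassword(String inputPassword, String expectedPassword) {
        // Refuse empty credentials before touching LDAP: a simple bind with an
        // empty password is an anonymous bind and would "succeed" for any DN.
        if (inputPassword == null || inputPassword.length() == 0) {
            return false;
        }
        UserDAO users = DAOFactory.getDAOFactory().getUserDAO();   // assumed API
        return users.validate(getUsername(), inputPassword);
    }

    // JBoss expects a single Group named "Roles" whose members are the role
    // names; isUserInRole and EJB method permissions are checked against it.
    protected Group[] getRoleSets() throws LoginException {
        GroupDAO groups = DAOFactory.getDAOFactory().getGroupDAO(); // assumed API
        SimpleGroup roles = new SimpleGroup("Roles");
        List<String> groupNames = groups.getGroupsForUser(getUsername());
        for (String groupName : groupNames) {
            // e.g. user_admins -> user_management, finance_admins -> finance_management
            List<String> roleNames = groups.getRolesForGroup(groupName);
            for (String roleName : roleNames) {
                roles.addMember(new SimplePrincipal(roleName));
            }
        }
        // A user with no group memberships gets an empty Roles group and is
        // therefore denied by every role-based check, which is the safe default.
        return new Group[] { roles };
    }
}
```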

Custom Login Modules


JBoss comes with a number of login modules out of the box, including an LDAPLoginModule that can be configured in the login-config.xml file. Developing custom login modules is however very simple, and the sample contains a custom login module for illustrative purposes. Custom login modules should extend the JBoss AbstractServerLoginModule class, overriding the validatePassword and getRoleSets methods. The GenericJbossLoginModule in the sample code delegates to a factory class in the deployed EAR file so it can obtain the list of roles and groups from the current repository, without having to be aware of the type of repository. The password validation itself is contracted out to the UserDAO implementation. In this case, the BaseLdapDAO class validates a user by attempting to connect to LDAP as that user:

props.setProperty(Context.SECURITY_PRINCIPAL, this.getDN(user));
props.setProperty(Context.SECURITY_CREDENTIALS, EncryptUtils.encryptSHA(user.getPassword()));
...
DirContext dir = new InitialDirContext(props);

A more advanced implementation could use a stronger authentication mechanism: LDAP v3 supports SASL (Simple Authentication and Security Layer), which allows the exact authentication mechanism and the type of encryption to be specified. For additional security, it is also possible to connect to the LDAP server over SSL rather than over plain sockets. Here, we're just hashing passwords with the SHA-1 one-way hash algorithm before storage (this code is in the EncryptUtils class).
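The bind-as-user check above, carried through as an added example (not the article's BaseLdapDAO): it connects over SSL as the text suggests, refuses the empty-password case that LDAP would treat as an anonymous bind, constrains the uid before building the DN, and keeps "wrong credentials" separate from "directory unreachable". The ldaps URL and the people base DN are assumptions following the sample schema; the credential passed to the bind is the password itself, so if userpassword is stored as the article's bare SHA-1 digest the same EncryptUtils transform must be applied first.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Validates a user by binding to LDAP with that user's own DN and password.
public class LdapBindValidator {
    private final String url;        // assumed: "ldaps://ldap.sample.com:636"
    private final String peopleBase; // assumed: "ou=People,dc=sample,dc=com"

    public LdapBindValidator(String url, String peopleBase) {
        this.url = url;
        this.peopleBase = peopleBase;
    }

    // Build the user DN without letting the login name add or alter RDNs.
    // The sample schema only needs plain uids, so anything else is rejected.
    String dnFor(String uid) {
        if (uid == null || !uid.matches("[A-Za-z0-9._-]{1,64}")) {
            throw new IllegalArgumentException("invalid uid");
        }
        return "uid=" + uid + "," + peopleBase;
    }

    // Returns true only if the directory accepted the bind for this DN.
    // Throws NamingException for infrastructure failures so callers can
    // distinguish an outage from a bad password.
    public boolean validate(String uid, String password) throws NamingException {
        // An empty password makes the simple bind anonymous, which succeeds.
        if (password == null || password.length() == 0) {
            return false;
        }
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_PROTOCOL, "ssl");        // TLS on the socket
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dnFor(uid));
        env.put(Context.SECURITY_CREDENTIALS, password);

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);   // the bind happens here
            return true;
        } catch (AuthenticationException e) {
            return false;                       // unknown DN or wrong password
        } finally {
            // Other NamingExceptions (server down, TLS handshake failure)
            // propagate out of the try instead of being reported as a
            // credential failure.
            if (ctx != null) {
                ctx.close();
            }
        }
    }
}
```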

Authorization
In this sample, authorization is implemented on three levels: web-resource protection, role-based presentation, and EJB method-level security.

Web Resource Protection

You can specify protected resources using a security constraint in the web.xml file:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Sample Application</web-resource-name>
    <description>Require users to authenticate</description>
    <url-pattern>*.jsp</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>Only allow Authenticated_users role</description>
    <role-name>Authenticated_users</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>Encryption is not required for the application in general.</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>


In addition to specifying protected URL patterns in the web.xml file, it is also possible to place all JSP files under the WEB-INF directory and make them accessible only through servlets.

Role-Based Presentation

You can control presentation in a JSP based on a user's role by using the HttpServletRequest.isUserInRole method:

<% if (request.isUserInRole("Member_admin")) { %>
...
<% } else { %>
...
<% } %>

Some tag libraries (eg Struts 1.1) provide tags encapsulating this functionality.

Method-Level Security

The JBoss authentication process will propagate the user's roles to the EJB container, allowing standard J2EE declarative security to be specified in the ejb-jar.xml file. You first need to establish a <security-role-ref> specifying the local role-name, then link this to the role specified in LDAP (the names have been kept the same here for simplicity):

<security-role-ref>
  <role-name>Member_admin</role-name>
  <role-link>Member_admin</role-link>
</security-role-ref>

Then, in the assembly-descriptor section, use the local name to protect individual methods like this:

<security-role>
  <role-name>Member_admin</role-name>
</security-role>
<method-permission>
  <role-name>Member_admin</role-name>
  <method>
    <ejb-name>MemberService</ejb-name>
    <method-name>secureMethod</method-name>
  </method>
</method-permission>

To test this in action, log in to the sample application as fsmith/fsmith and try submitting directly to the SampleServlet URL (eg http://localhost:8080/security-sample/SampleServlet?method=secure). You should see a stack trace, as fsmith is not in the Member_admin role.

Configuration Summary
To summarise, the steps you need to follow to secure a web application are:

1. Create a login page
2. Set up the web.xml file
3. Set up the login-config.xml file
4. Modify the jboss-web.xml and jboss.xml files to include the security domain
5. Place any custom login modules in the lib directory
6. Add security to your EJB methods

Persistence Layer Architecture


Following the preceding steps should give you the foundations for a secure web application on JBoss. The remainder of this article briefly describes a possible architecture for a user information repository. In a production system, you might choose to replace much of the JNDI-specific code here with a dedicated LDAP API, such as JLDAP or the Netscape Directory API. The example code here uses JNDI for simplicity, but there are some advantages to using a dedicated API. The structure of the persistence layer is as follows:

UserDAO, GroupDAO and RoleDAO Interfaces


These specify the contract that must be implemented by Data Access Objects for a given type of repository; in this example, the implementation classes are LdapUserDAO, LdapGroupDAO and LdapRoleDAO.

Abstract Factory
The DAOFactory class is subclassed to return a concrete factory (LdapDAOFactory in this case), which will be used to retrieve concrete instances of the UserDAO, GroupDAO and RoleDAO instances. The sample EJB is hard-wired to use the LDAP DAO factory class. You can change this to return a different Factory class if necessary.

Session Facade
In this architecture, the UserManagement EJB classes act as a facade layer in front of the persistence classes; this can be used to coordinate calls to more than one repository. For example, while some user details (eg password) are stored in LDAP, others (eg customer ID) might be stored in a database; the facade layer can take a UserTO object and redirect as appropriate. The Session Facade is a useful pattern from the perspective of security, as it centralizes security management; it is relatively easy to implement security on the coarse-grained methods at this level, rather than deeper inside the system where there may be more methods to protect.

LdapConfiguration
This is a singleton class which reads in details of the current LDAP schema from a properties file. The LDAP schema used here is simple, so this class is trivial, but in a more complex system, it might be necessary to read in all of the schema details in order to remain flexible.

Data Transfer Objects


The UserTO, GroupTO, and RoleTO classes are simple value objects used to reduce network traffic and minimise method calls across the network.

LDAP DAO Classes


The BaseLdapDAO class is responsible for common functionality, including methods for creating, updating and removing entries. Functionality specific to Users, Groups and Roles is in the LdapUserDAO, LdapGroupDAO and LdapRoleDAO classes. There are detailed tutorials on JNDI elsewhere on the web (see [5] for example), so we will just give a brief overview of some common tasks. For example, inserting an entry into the LDAP repository with JNDI is done with the createSubcontext method. Here, we call the create method on the LdapUserDAO class, passing in the UserTO object we want to insert. This calls the create method on the superclass, BaseLdapDAO; to determine the details of the entity to be added, BaseLdapDAO then calls the getDN and getAttributes methods on the LdapUserDAO:

createSubcontext(getDN(entity), getAttributes(entity));

Similarly, entities are removed with the DirContext.destroySubcontext method, passing in the Distinguished Name (DN) of the entity to be removed:

ctx.destroySubcontext(getDN(entity));

An entry's attributes can be modified by creating an array of ModificationItems containing the Attribute to be modified:

ModificationItem[] mods = new ModificationItem[1];
Attribute mod = new BasicAttribute("userPassword", newPass);
mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, mod);
...
getInitialLdapContext().modifyAttributes(dn, mods);
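The getDN and getAttributes pair that createSubcontext relies on, written out as an added example (not the article's LdapUserDAO): it builds the JNDI Attributes for the inetOrgPerson entry shown in the LDIF earlier and stores the password as an RFC 2307 style {SHA} value so the directory can verify a plaintext bind itself. The UserTO accessors (getUid, getFirstName, getLastName, getMail, getPassword) and a Java 8 or later runtime (for java.util.Base64) are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;

// Maps a UserTO onto the sample schema's People entry and adds it via JNDI.
public class LdapUserEntryBuilder {
    private static final String PEOPLE_BASE = "ou=People,dc=sample,dc=com";

    // Only plain uids are accepted: a ',' or '=' in the uid would let the
    // caller position the new entry elsewhere in the tree.
    static String dnFor(String uid) {
        if (uid == null || !uid.matches("[A-Za-z0-9._-]{1,64}")) {
            throw new IllegalArgumentException("invalid uid");
        }
        return "uid=" + uid + "," + PEOPLE_BASE;
    }

    // "{SHA}" + base64(SHA-1(password)). The article stores the bare digest
    // (no scheme prefix), which the server then treats as a literal password;
    // with the prefix the server hashes the bind password and compares.
    static String shaPassword(String plain) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            byte[] digest = md.digest(plain.getBytes(StandardCharsets.UTF_8));
            return "{SHA}" + Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 unavailable", e);
        }
    }

    // Attribute set matching the LDIF entry: objectClass is multi-valued,
    // the rest are single-valued strings.
    static Attributes attributesFor(UserTO user) {
        Attributes attrs = new BasicAttributes(true);   // case-insensitive names
        BasicAttribute objectClass = new BasicAttribute("objectClass");
        objectClass.add("top");
        objectClass.add("person");
        objectClass.add("organizationalPerson");
        objectClass.add("inetOrgPerson");
        attrs.put(objectClass);
        attrs.put("sn", user.getLastName());
        attrs.put("cn", user.getFirstName());
        attrs.put("uid", user.getUid());
        attrs.put("userPassword", shaPassword(user.getPassword()));
        attrs.put("mail", user.getMail());
        return attrs;
    }

    // ctx is a DirContext already bound with an identity allowed to add
    // entries under ou=People (never the end user's own bind).
    static void create(DirContext ctx, UserTO user) throws NamingException {
        ctx.createSubcontext(dnFor(user.getUid()), attributesFor(user));
    }
}
```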

This is a just a brief overview of some of the functionality possible when using JNDI with LDAP; the example classes include some more sample code that is not described here.

Summary
To summarise, we first covered a possible design for an LDAP schema that would allow implementation of Role Based Access Control; this schema was comprised of Users, Groups and Roles. We then covered the configuration of JBoss security, including building custom login modules. Finally, we saw a design for the persistence layer of a user information repository, using the Abstract Factory, Session Facade, and Data Access Objects patterns, and looked briefly at some JNDI code for adding, removing and updating entries in LDAP.

References
1. The OpenLDAP Project (http://www.openldap.org/)
2. OpenLdap for Windows (http://www.fivesight.com/downloads/openldap.asp)
3. Sun LDAP tutorial (http://java.sun.com/products/jndi/tutorial/ldap/)
4. Sun JNDI tutorial (http://java.sun.com/products/jndi/tutorial/)
5. JLDAP project (http://www.openldap.org/jldap/)
6. Netscape Directory API (http://www.mozilla.org/directory/javasdk.html)
7. Core J2EE Patterns Catalogue (http://java.sun.com/blueprints/corej2eepatterns/Patterns/index.html)
8. The Jakarta Struts Framework (http://jakarta.apache.org/struts/)
9. JBoss Group (http://www.jboss.org/)
10. Apache Ant (http://ant.apache.org/)

Downloads
Download source - 43 Kb
