JBoss Enterprise Application Platform 5

Security Guide

for use with JBoss Enterprise Application Platform 5

Edition 5.2.0

Anil Saldhana

Jaikiran Pai

Jared Morgan

Joshua Wulf

Marcus Moyses

Peter Skopek

Stephan Mueller

Edited by Eva Kopalova, Petr Penicka, Russell Dickenson, and Scott Mumford

Legal Notice

Copyright © 2012 Red Hat, Inc.
This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack Logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.


The Security Guide is aimed at System Administrators and Developers, and explains how to implement security in JBoss Enterprise Application Platform 5 and its patch releases. The guide covers Java EE declarative security; an introduction to the Java Authentication and Authorization Service (JAAS); the JBoss Security Model and Security Extension Architecture; managing and configuring security domains; replacing clear-text passwords in configuration files with password masks; and using SSL to secure Remote Method Invocation (RMI) of EJBs.
1. Document Conventions
1.1. Typographic Conventions
1.2. Pull-quote Conventions
1.3. Notes and Warnings
2. Getting Help and Giving Feedback
2.1. Do You Need Help?
2.2. Give us Feedback
I. Security Overview
1. Java EE Declarative Security Overview
1.1. Security References
1.2. Security Identity
1.3. Security Roles
1.4. EJB method permissions
1.5. Enterprise Bean Security Annotations
1.6. Web Content Security Constraints
1.7. Enabling Form-based Authentication
1.8. Enabling Declarative Security
2. Introduction to JAAS
2.1. JAAS Core Classes
2.1.1. Subject and Principal Classes
2.1.2. Subject Authentication
3. JBoss Security Model
3.1. Enabling Declarative Security Revisited
4. The JBoss Security Extension Architecture
4.1. How the JaasSecurityManager Uses JAAS
4.2. The JaasSecurityManagerService MBean
4.3. The JaasSecurityDomain MBean
II. Application Security
5. Overview
6. Security Domain Schema
6.1. Security Domain Elements
6.1.1. <authentication>
6.1.2. <authorization>
6.1.3. <mapping>
7. Authentication
7.1. Custom Callback Handlers
8. Authorization
8.1. Module Delegation
9. Mapping
10. Auditing
11. Deploying Security Domains
12. Login Modules
12.1. Using Modules
12.1.1. LdapLoginModule
12.1.2. LdapExtLoginModule
12.1.3. Password Stacking
12.1.4. Password Hashing
12.1.5. Unauthenticated Identity
12.1.6. UsersRolesLoginModule
12.1.7. DatabaseServerLoginModule
12.1.8. BaseCertLoginModule
12.1.9. IdentityLoginModule
12.1.10. RunAsLoginModule
12.1.11. RunAsIdentity Creation
12.1.12. ClientLoginModule
12.1.13. SPNEGOLoginModule
12.1.14. RoleMappingLoginModule
12.2. Custom Modules
12.2.1. Subject Usage Pattern Support
12.2.2. Custom LoginModule Example
III. Encryption and Security
13. Secure Remote Password Protocol
13.1. Understanding the Algorithm
13.2. Configure Secure Remote Password Information
13.3. Secure Remote Password Example
14. Java Security Manager
14.1. Using the Security Manager
14.2. Debugging Security Policy Issues
14.2.1. Debugging Security Manager
14.3. Writing Security Policy for JBoss Enterprise Application Platform
15. Securing the EJB RMI transport layer
15.1. SSL Encryption overview
15.1.1. Key pairs and Certificates
15.2. Generate encryption keys and certificate
15.2.1. Generate a self-signed certificate with keytool
15.2.2. Configure a client to accept a self-signed server certificate
15.3. EJB3 RMI + SSL Configuration
15.4. EJB3 RMI via HTTPS Configuration
15.5. EJB2 RMI + SSL Configuration
16. Masking Passwords in XML Configuration
16.1. Password Masking Overview
16.2. Generate a key store and a masked password
16.3. Encrypt the key store password
16.4. Create password masks
16.5. Replace clear text passwords with their password masks
16.6. Changing the password masking defaults
17. Encrypting Data Source Passwords
17.1. Secured Identity
17.1.1. Encrypt the data source password
17.1.2. Create an application authentication policy with the encrypted password
17.1.3. Configure the data source to use the application authentication policy
17.2. Configured Identity with Password Based Encryption (PBE)
18. Encrypting the Keystore Password in a Tomcat Connector
18.1. Medium Security Usecase
19. Using LdapExtLoginModule with JaasSecurityDomain
20. Firewalls
21. Securing the Administrative Access Points
21.1. JMX Console
21.2. Admin Console
21.3. Web Console
21.4. HTTP Invoker
21.5. JMX Invoker
21.6. Remote Access to Services, Detached Invokers
21.6.1. A Detached Invoker Example, the MBeanServer Invoker Adaptor Service
21.7. Disabling Authentication
21.7.1. JMX Console
21.7.2. Web Console
21.7.3. JMX Invoker
21.7.4. JMX Invoker
21.7.5. ProfileService
21.7.6. JBossWS
A. Setting the default JDK with the /usr/sbin/alternatives Utility
B. Revision History