A Red Hat training course is available for JBoss Enterprise Application Platform Common Criteria Certification
Chapter 8. Authorization
jboss-web-policy and jboss-ejb-policy authorization configured in jboss-as/server/$PROFILE/deploy/security/security-policies-jboss-beans.xml is used.
security-policies-jboss-beans.xml.
jboss.xml (for EJBs) and jboss-web.xml (for WAR).
Procedure 8.1. Set authorization policies for all EJB and WAR components
jboss-web-policy, and jboss-ejb-policy.

1. Open the security policy bean
Navigate to $JBOSS_HOME/server/$PROFILE/deploy/security and open the security-policies-jboss-beans.xml file. By default, the security-policies-jboss-beans.xml file contains the configuration in Example 8.1, "security-policies-jboss-beans.xml".

Example 8.1. security-policies-jboss-beans.xml

<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="urn:jboss:bean-deployer:2.0">
  <application-policy xmlns="urn:jboss:security-beans:1.0" name="jboss-web-policy" extends="other">
    <authorization>
      <policy-module code="org.jboss.security.authorization.modules.DelegatingAuthorizationModule" flag="required"/>
    </authorization>
  </application-policy>
  <application-policy xmlns="urn:jboss:security-beans:1.0" name="jboss-ejb-policy" extends="other">
    <authorization>
      <policy-module code="org.jboss.security.authorization.modules.DelegatingAuthorizationModule" flag="required"/>
    </authorization>
  </application-policy>
</deployment>
2. Change the application-policy definitions
To set a single authorization policy for each component using JACC, amend the code attribute of each <policy-module> element with the name of the JACC authorization module.

<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="urn:jboss:bean-deployer:2.0">
  <application-policy xmlns="urn:jboss:security-beans:1.0" name="jboss-web-policy" extends="other">
    <authorization>
      <policy-module code="org.jboss.security.authorization.modules.JACCAuthorizationModule" flag="required"/>
    </authorization>
  </application-policy>
  <application-policy xmlns="urn:jboss:security-beans:1.0" name="jboss-ejb-policy" extends="other">
    <authorization>
      <policy-module code="org.jboss.security.authorization.modules.JACCAuthorizationModule" flag="required"/>
    </authorization>
  </application-policy>
  <application-policy xmlns="urn:jboss:security-beans:1.0" name="jacc-test" extends="other">
    <authorization>
      <policy-module code="org.jboss.security.authorization.modules.JACCAuthorizationModule" flag="required"/>
    </authorization>
  </application-policy>
</deployment>
3. Restart server
You have now configured the security-policies-jboss-beans.xml file with JACC authorization enabled for each application policy. Restart the server to ensure the new security policy takes effect.
If applications require more granular security policies, you can declare multiple authorization security policies for each application policy. A new security domain can inherit its base settings from another security domain and override specific settings, such as the authorization policy module.
Procedure 8.2. Set authorization policies for specific security domains
The test-domain security domain uses the UsersRolesLoginModule login module and uses JACC authorization. The test-domain-inherited security domain inherits the login module information from test-domain, and specifies that XACML authorization must be used.
1. Open the security policy
You can specify the security domain settings in the jboss-as/server/$PROFILE/conf/login-config.xml file, or create a deployment descriptor file containing the settings. Choose the deployment descriptor if you want to package the security domain settings with your application.

a. Locate and open login-config.xml
Navigate to the login-config.xml file for the server profile you are using and open the file for editing.
$JBOSS_HOME/jboss-as/server/$PROFILE/conf/login-config.xml

b. Create a jboss-beans.xml descriptor
Create a [prefix]-jboss-beans.xml descriptor, replacing [prefix] with a meaningful name (for example, test-war-jboss-beans.xml). Save this file in the /deploy directory of the server profile you are configuring.
jboss-as/server/$PROFILE/deploy/[prefix]-jboss-beans.xml
2. Specify the test-domain security domain
In the target file chosen in step 1, specify the test-domain security domain. This domain contains the authentication information, including the <login-module> definition, and the JACC authorization policy module definition.

<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="urn:jboss:bean-deployer:2.0">
  <application-policy xmlns="urn:jboss:security-beans:1.0" name="test-domain">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="unauthenticatedIdentity">anonymous</module-option>
        <module-option name="usersProperties">u.properties</module-option>
        <module-option name="rolesProperties">r.properties</module-option>
      </login-module>
    </authentication>
    <authorization>
      <policy-module code="org.jboss.security.authorization.modules.JACCAuthorizationModule" flag="required"/>
    </authorization>
  </application-policy>
</deployment>
3. Append the test-domain-inherited security domain
Append the test-domain-inherited application policy definition after the test-domain application policy. Set the extends attribute to other, so the login module information is inherited. Specify the XACML authorization module in the <policy-module> element.

<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="urn:jboss:bean-deployer:2.0">
  <application-policy xmlns="urn:jboss:security-beans:1.0" name="test-domain">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="unauthenticatedIdentity">anonymous</module-option>
        <module-option name="usersProperties">u.properties</module-option>
        <module-option name="rolesProperties">r.properties</module-option>
      </login-module>
    </authentication>
    <authorization>
      <policy-module code="org.jboss.security.authorization.modules.JACCAuthorizationModule" flag="required"/>
    </authorization>
  </application-policy>
  <application-policy xmlns="urn:jboss:security-beans:1.0" name="test-domain-inherited" extends="other">
    <authorization>
      <policy-module code="org.jboss.security.authorization.modules.XACMLAuthorizationModule" flag="required"/>
    </authorization>
  </application-policy>
</deployment>
4. Restart server
You have now configured the target file with two security domains that use different authorization methods. Restart the server to ensure the new security policy takes effect.
8.1. Module Delegation
*-jboss-beans.xml) to specify different authorization policies to the standard authentication in your implementation.
The org.jboss.security.authorization.modules.AuthorizationModuleDelegate class provides a number of subclasses that allow you to implement module delegation:
AbstractJACCModuleDelegate
WebPolicyModuleDelegate
EJBPolicyModuleDelegate
WebXACMLPolicyModuleDelegate
WebJACCPolicyModuleDelegate
EJBXACMLPolicyModuleDelegate
EJBJACCPolicyModuleDelegate
org.jboss.security.authorization.modules.AuthorizationModuleDelegate class.
Example 8.2. Delegation Module Declaration

<application-policy xmlns="urn:jboss:security-beans:1.0" name="test-domain" extends="other">
  <authorization>
    <policy-module code="xxx.yyy.MyAuthorizationModule" flag="required">
      <module-option name="delegateMap">web=xxx.yyy.mywebauthorizationdelegate,ejb=xxx.yyy.myejbauthorizationdelegate</module-option>
    </policy-module>
  </authorization>
</application-policy>
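As an added example (this script is not part of the Red Hat documentation and is not shipped with JBoss), the following Python audit script parses a security-beans deployment of the kind built in Procedures 8.1 and 8.2, works out which authorization module each application-policy actually ends up with by following the extends attribute, reports any policy that is not on the expected module or whose base policy (such as other) is defined outside the file, and validates a delegateMap option of the form shown in Example 8.2. The embedded deployment is constructed for this example: the policy names legacy-domain and delegating-domain, and the xxx.yyy class names, are placeholders rather than real JBoss components.

```python
# Added example, not from the Red Hat page: audit a *-jboss-beans.xml deployment,
# resolving application-policy inheritance via the extends attribute.
import xml.etree.ElementTree as ET

SEC = "{urn:jboss:security-beans:1.0}"  # namespace of application-policy and its children
JACC = "org.jboss.security.authorization.modules.JACCAuthorizationModule"

# Constructed sample: the page's test-domain pair, a placeholder policy that inherits
# everything from test-domain, and a placeholder custom module declared as in Example 8.2.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="urn:jboss:bean-deployer:2.0">
  <application-policy xmlns="urn:jboss:security-beans:1.0" name="test-domain">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="usersProperties">u.properties</module-option>
        <module-option name="rolesProperties">r.properties</module-option>
      </login-module>
    </authentication>
    <authorization>
      <policy-module code="org.jboss.security.authorization.modules.JACCAuthorizationModule" flag="required"/>
    </authorization>
  </application-policy>
  <application-policy xmlns="urn:jboss:security-beans:1.0" name="test-domain-inherited" extends="other">
    <authorization>
      <policy-module code="org.jboss.security.authorization.modules.XACMLAuthorizationModule" flag="required"/>
    </authorization>
  </application-policy>
  <application-policy xmlns="urn:jboss:security-beans:1.0" name="legacy-domain" extends="test-domain"/>
  <application-policy xmlns="urn:jboss:security-beans:1.0" name="delegating-domain" extends="other">
    <authorization>
      <policy-module code="xxx.yyy.MyAuthorizationModule" flag="required">
        <module-option name="delegateMap">web=xxx.yyy.mywebauthorizationdelegate,ejb=xxx.yyy.myejbauthorizationdelegate</module-option>
      </policy-module>
    </authorization>
  </application-policy>
</deployment>
"""

def _module(elem):
    """Flatten a login-module or policy-module element, including its module-options."""
    opts = {o.get("name"): (o.text or "").strip() for o in elem.iter(SEC + "module-option")}
    return {"code": elem.get("code"), "flag": elem.get("flag"), "options": opts}

def parse_policies(xml_text):
    """Return {name: {"extends", "login", "authz"}} for every application-policy."""
    policies = {}
    for ap in ET.fromstring(xml_text).iter(SEC + "application-policy"):
        policies[ap.get("name")] = {
            "extends": ap.get("extends"),
            "login": [_module(m) for m in ap.iter(SEC + "login-module")],
            "authz": [_module(m) for m in ap.iter(SEC + "policy-module")],
        }
    return policies

def effective(policies, name, section, _seen=None):
    """Walk the extends chain until a policy defines `section` ("login" or "authz").
    Returns (owner, modules); owner is None when the chain leaves this file, e.g.
    extends="other", whose definition lives in the server's login-config.xml."""
    _seen = _seen or set()
    if name not in policies or name in _seen:  # base defined elsewhere, or a cycle
        return None, []
    _seen.add(name)
    pol = policies[name]
    if pol[section]:
        return name, pol[section]
    return effective(policies, pol["extends"], section, _seen) if pol["extends"] else (None, [])

def parse_delegate_map(value):
    """'web=a.B,ejb=c.D' -> {'web': 'a.B', 'ejb': 'c.D'}; only the web and ejb layers exist."""
    result = {}
    for entry in filter(None, (e.strip() for e in value.split(","))):
        layer, _, cls = entry.partition("=")
        if layer not in ("web", "ejb") or not cls:
            raise ValueError(f"bad delegateMap entry: {entry!r}")
        result[layer] = cls
    return result

def audit(policies, expected=JACC):
    """List (policy, message) for policies whose effective authorization is not
    `expected` with flag=required, or cannot be resolved inside this file."""
    findings = []
    for name in policies:
        owner, mods = effective(policies, name, "authz")
        if owner is None:
            findings.append((name, "authorization not defined in this file; base policy decides"))
            continue
        where = "" if owner == name else f" (inherited from {owner})"
        for m in mods:
            if m["code"] != expected:
                findings.append((name, f"uses {m['code']}{where}"))
            if m["flag"] != "required":
                findings.append((name, f"flag={m['flag']}{where}, expected required"))
            if "delegateMap" in m["options"]:  # custom module declared as in Example 8.2
                delegates = parse_delegate_map(m["options"]["delegateMap"])
                findings.append((name, f"delegates to {delegates}"))
    return findings

if __name__ == "__main__":
    for policy, message in audit(parse_policies(SAMPLE_XML)):
        print(f"{policy}: {message}")
```

To run it against a real deployment, read the file's contents into SAMPLE_XML (or pass them to parse_policies). The point of resolving extends is that a policy without its own <authorization> element is not unconfigured: it takes whatever the policy it extends defines, and when that base is defined server-side, as other is in login-config.xml, the descriptor alone does not show which module will decide access for that domain.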