-
Language:
English
-
Language:
English
Red Hat Training
A Red Hat training course is available for JBoss Enterprise Application Platform Common Criteria Certification
4.2. The JaasSecurityManagerService MBean
The
JaasSecurityManagerService
MBean service manages security managers. Although its name begins with Jaas, the security managers it handles need not use JAAS in their implementation. The name arose from the fact that the default security manager implementation is the JaasSecurityManager
. The primary role of the JaasSecurityManagerService
is to externalize the security manager implementation. You can change the security manager implementation by providing an alternate implementation of the AuthenticationManager
and RealmMapping
interfaces.
The second fundamental role of the
JaasSecurityManagerService
is to provide a JNDI javax.naming.spi.ObjectFactory
implementation to allow for simple code-free management of the JNDI name to security manager implementation mapping. Security is enabled by specifying the JNDI name of the security manager implementation via the <security-domain> deployment descriptor element.
When you specify a JNDI name, there has to be an object-binding there to use. To simplify the setup of the JNDI name to security manager bindings, the
JaasSecurityManagerService
manages the association of security manager instances to names by binding a next naming system reference with itself as the JNDI ObjectFactory under the name java:/jaas
. This permits a naming convention of the form java:/jaas/XYZ
as the value for the <security-domain> element, and the security manager instance for the XYZ
security domain will be created as needed.
The security manager for the domain
XYZ
is created on the first lookup against the java:/jaas/XYZ
binding by creating an instance of the class specified by the SecurityManagerClassName
attribute using a constructor that takes the name of the security domain.
Important
In Enterprise Application Platform versions prior to v5.0, the "
java:/jaas
prefix in each <security-domain>
deployment descriptor element was required to correctly bind the JNDI name of a security domain to the security manager bindings.
As of JBoss Enterprise Application Platform 5, the
java:/jaas
prefix is not required for security domain declaration. The java:/jaas
prefix is still supported, and remains for backward compatibility.
For example, consider the following container security configuration snippet:
<jboss> <!-- Configure all containers to be secured under the "customer" security domain --> <security-domain>customer</security-domain> <!-- ... --> </jboss>
Any lookup of the name
customer
will return a security manager instance that has been associated with the security domain named customer
. This security manager will implement the AuthenticationManager and RealmMapping security interfaces and will be of the type specified by the JaasSecurityManagerService
SecurityManagerClassName
attribute.
The
JaasSecurityManagerService
MBean is configured by default for use in the standard JBoss distribution, and you can often use the default configuration as is. The configurable attributes of the JaasSecurityManagerService
include:
- SecurityManagerClassName
- The name of the class that provides the security manager implementation. The implementation must support both the
org.jboss.security.AuthenticationManager
andorg.jboss.security.RealmMapping
interfaces. If not specified this defaults to the JAAS-basedorg.jboss.security.plugins.JaasSecurityManager
. - CallbackHandlerClassName
- The name of the class that provides the
javax.security.auth.callback.CallbackHandler
implementation used by theJaasSecurityManager
.Note
You can override the handler used by theJaasSecurityManager
if the default implementation (org.jboss.security.auth.callback.SecurityAssociationHandler
) does not meet your needs. Most implementations will find the default handler is sufficient. - SecurityProxyFactoryClassName
- The name of the class that provides the
org.jboss.security.SecurityProxyFactory
implementation. If not specified this defaults toorg.jboss.security.SubjectSecurityProxyFactory
. - AuthenticationCacheJndiName
- Specifies the location of the security credential cache policy. This is first treated as an
ObjectFactory
location capable of returningCachePolicy
instances on a per-<security-domain> basis. This is done by appending the name of the security domain to this name when looking up theCachePolicy
for a domain. If this fails, the location is treated as a singleCachePolicy
for all security domains. As a default, a timed cache policy is used. - DefaultCacheTimeout
- Specifies the default timed cache policy timeout in seconds. The default value is 1800 seconds (30 minutes). The value you use for the timeout is a trade-off between frequent authentication operations and how long credential information may be out of sync with respect to the security information store. If you want to disable caching of security credentials, set this to 0 to force authentication to occur every time. This has no affect if the
AuthenticationCacheJndiName
has been changed from the default value. - DefaultCacheResolution
- Specifies the default timed cache policy resolution in seconds. This controls the interval at which the cache current time stamp is updated and should be less than the
DefaultCacheTimeout
in order for the timeout to be meaningful. The default resolution is 60 seconds (1 minute). This has no affect if theAuthenticationCacheJndiName
has been changed from the default value. - DefaultUnauthenticatedPrincipal
- Specifies the principal to use for unauthenticated users. This setting makes it possible to set default permissions for users who have not been authenticated.
The
JaasSecurityManagerService
also supports a number of useful operations. These include flushing any security domain authentication cache at runtime, getting the list of active users in a security domain authentication cache, and any of the security manager interface methods.
Flushing a security domain authentication cache can be used to drop all cached credentials when the underlying store has been updated and you want the store state to be used immediately. The MBean operation signature is:
public void flushAuthenticationCache(String securityDomain)
.
This can be invoked programmatically using the following code snippet:
MBeanServer server = ...; String jaasMgrName = "jboss.security:service=JaasSecurityManager"; ObjectName jaasMgr = new ObjectName(jaasMgrName); Object[] params = {domainName}; String[] signature = {"java.lang.String"}; server.invoke(jaasMgr, "flushAuthenticationCache", params, signature);
Getting the list of active users provides a snapshot of the
Principals
keys in a security domain authentication cache that are not expired. The MBean operation signature is: public List getAuthenticationCachePrincipals(String securityDomain)
.
This can be invoked programmatically using the following code snippet:
MBeanServer server = ...; String jaasMgrName = "jboss.security:service=JaasSecurityManager"; ObjectName jaasMgr = new ObjectName(jaasMgrName); Object[] params = {domainName}; String[] signature = {"java.lang.String"}; List users = (List) server.invoke(jaasMgr, "getAuthenticationCachePrincipals", params, signature);
The security manager has a few additional access methods.
public boolean isValid(String securityDomain, Principal principal, Object credential); public Principal getPrincipal(String securityDomain, Principal principal); public boolean doesUserHaveRole(String securityDomain, Principal principal, Object credential, Set roles); public Set getUserRoles(String securityDomain, Principal principal, Object credential);
They provide access to the corresponding
AuthenticationManager
and RealmMapping
interface method of the associated security domain named by the securityDomain
argument.