Red Hat Training

A Red Hat training course is available for JBoss Enterprise SOA Platform

Chapter 17. Advanced Security Options

17.1. Security Propagation

The term "security propagation" refers to the process of passing security information to an external system. For example, you might want to use the same credentials to call both the Enterprise Service Bus and an Enterprise Java Beans method.

17.2. SecurityContextPropagator

The SecurityContextPropagator class passes the security context to the destination environment.

17.3. SecurityContextPropagator Implementations

Table 17.1. Implementations of SecurityContextPropagator

Class Description
Package: org.jboss.internal.soa.esb.services.security
Class: JBossASContextPropagator
This propagator will send security credentials to the ESB. If you need to write your own implementation you only have to write a class that implements org.jboss.internal.soa.esb.services.security.SecurityContextPropagator and then either specify that implementation in jbossesb-properties.xml or jboss-esb.xml.

17.4. Add a Custom Log-In Module

Procedure 17.1. Task

  1. Open the log-in configuration file in a text editor: vi SOA_ROOT/jboss-as/server/PROFILE/conf/login-config.xml
  2. Add the details of your custom log-in module.
  3. Save the file and exit.
  4. Since different log-in modules require different information, you must specify the CallbackHandler attribute to be used. Open the specific security configuration for that service.
  5. Make sure that the CallbackHandler specifies a fully-qualified classname for the class which implements the EsbCallbackHandler interface. This code shows you how to do so:
    public interface EsbCallbackHandler extends CallbackHandler
    {
      void setAuthenticationRequest(final AuthenticationRequest authRequest);
      void setSecurityConfig(final SecurityConfig config);
    }
    
  6. Add both the "principle" and the credentials needed to authenticate a caller to the AuthenticationRequest class.
Result

JaasSecurityService is replaced with your custom security implementation.

17.5. Certificate Log-In Module

The Certificate Log-in Module performs authentication by verifying the certificate that is passed with the call to the Enterprise Service Bus against a certificate held in a local key-store. The certificate's common name creates a "principle".

17.6. Certificate Log-In Module Properties

<security moduleName="CertLogin" rolesAllowed="worker"
  callbackHandler="org.jboss.soa.esb.services.security.auth.loginUserPass
CallbackHandler">
  <property name="alias" value="certtest"/>
</security>

Table 17.2. Properties

Property Description
moduleName
This identifies the JAAS Login module to use. This module will be specified in JBossAS login-config.xml.
rolesAllow
This is a comma-separated list of the roles that are allowed to execute this service.
alias
This is the alias which is used to look up the local key-store and which will be used to verify the caller's certificate.

17.7. Certificate Log-In Module Configuration File Properties

<application-policy name="CertLogin">
<authentication>
  <login-module
code="org.jboss.soa.esb.services.security.auth.login.CertificateLoginModule"
flag = "required" >
  <module-option name="keyStoreURL">
    file://pathToKeyStore
  </module-option>
  <module-option name="keyStorePassword">storepassword</module-option>
  <module-option name="rolesPropertiesFile">
    file://pathToRolesFile
  </module-option>
  </login-module>
</authentication>
</application-policy>

Table 17.3. Certificate Log-In Module Configuration File Properties

Property Description
keyStoreURL
This is the path to the key-store used to verify the certificates. It can be a file on the local file system or on the class-path.
keyStorePassword
This is the password for the key-store above.
rolesPropertiesFile
This is optional. It is the path to a file containing role mappings. Refer to the “Role Mapping” section of the Getting Started Guide for more details about this.

17.8. Callback Handler

A callback handler is a type of library used in back-end operations. It allows applications to "talk" to each other through security services and can be used to confirm authentication data.

17.9. Role Mapping

Role mapping is a way of sharing data between secure hosts. A file containing a list of trusted hosts is created, with each host assigned several role mappings. Mapping occurs when you accesses data from one of the hosts. The sender's roles are mapped onto the receiver's roles to allow for authentication and data sharing. Types of roles include user roles, application roles and so forth. This is an optional feature and is not enabled by default.

17.10. Enable Role Mapping

Procedure 17.2. Task

  1. Open the log-in configuration file in a text editor: vi SOA_ROOT/jboss-as/server/PROFILE/conf/login-config.xml
  2. Set the rolesPropertiesFile property. (This property can point to a file located on either the local file system or the class-path).
  3. Map users to roles. This example code shows how to do so:
    # user=role1,role2,...
    guest=guest
    esbuser=esbrole
    # The current implementation will use the Common Name(CN) specified
    # for the certificate as the user name.
    # The unicode escape is needed only if your CN contains a space
    Andy\u0020Anderson=esbrole,worker
    
  4. Save the file and exit.

17.11. security_cert Quickstart

The security_cert quickstart demonstrates the JBoss Enterprise SOA Platform's role-mapping functionality.

17.12. Security Service

The SecurityService interface is the Enterprise Service Bus' central security component.

17.13. Customize the Security Service Interface

Procedure 17.3. Task

  1. Implement the SecurityService interface:
    public interface SecurityService
    {
        void configure() throws ConfigurationException;
    
        void authenticate(
            final SecurityConfig securityConfig, 
            final SecurityContext securityContext, 
            final AuthenticationRequest authRequest) 
            throws SecurityServiceException;
    
        boolean checkRolesAllowed(
            final List<String> rolesAllowed, 
            final SecurityContext securityContext);
    
        boolean isCallerInRole(
            final Subject subject, 
            final Principle role);
    
        void logout(final SecurityConfig securityConfig);
    
        void refreshSecurityConfig();
    }
    
  2. Open the global configuration file in a text editor: vi SOA_ROOT/jboss-as/server/PROFILE/deployers/esb.deployer/jbossesb-properties.xml.
  3. Configure the file to use the customized SecurityService
  4. Save the file and exit.

17.14. Remote Invocation Class

As its name implies, a remote invocation class is a class that can be called from a remote machine. This can be useful for developers but can also lead to potential security risks.

17.15. Secure Non-Remote Method Invocation Classes on Port 8083

Client applications can, by default, utilize Remote Method Invocation to download Enterprise Java Bean classes through port 8083. However, you can also configure the system's Remote Method Invocation settings to allow client applications to download any deployed resources you desire.

Procedure 17.4. Task

  1. Edit the Settings in the jboss-service.xml File

    Open the file in a text editor: vi SOA_ROOT/server/PROFILE/conf/jboss-service.xml
  2. Configure the Settings in the File

    Here is an example:
    <attribute name="DownloadServerClasses">false</attribute>
    
    Set this value to false to ensure that client applications can only download Enterprise Java Bean classes.

    Important

    By default, this value is set to false in the SOA Platform's 'production' profile. The value is set to true in all other cases, including the SOA Standalone version's default profile. Note that this is not a secure configuration and should only be used in development environments.