13 Replies Latest reply on Dec 20, 2001 7:13 AM by arthurg

    Custom Security Managers

    Patrick Lightbody Newbie

      Hi, I'm working with the Open Symphony group (www.opensymphony.com) on a project called OSUser. Basically, our goal is to create a user & group management module that has providers for all major app servers. We've got one for orion in place already and it is working (get it in CVS). My task is to write a similar set of providers for JBoss, but I'm not very familar with how jboss handles all the user/group/role management. Can anyone give me any starting points (I'm an Orion guy, sorry)? Thanks!

        • 1. Re: Custom Security Managers
          Luke Taylor Novice

          Hi,

          This will depend largely on what kind of JAAS login module you use with JBoss, so I'm not sure exactly what you're after here... are you just asking what is the default database structure which is used by the basic database login module, so that you can write EJBs to manage security database information based on this?

          Luke.

          • 2. Re: Custom Security Managers
            Scott Stark Master

            The best place to start is to get the JBoss 2.4.x ebook and read the JBossSX security chapter.
            See http://www.flashline.com/components/productsbyvendor.jsp?&vendorid=1376&affiliateid=260343

            • 3. Re: Custom Security Managers
              Patrick Lightbody Newbie

              I have two components that I need to write (if both are possible):

              - implements existing JBoss security interfaces and/or extend existing code such that my own security classes can talk to our OSUser modules. That way JBoss isn't directly talking to LDAP/JAAS/whatever. Instead it is talking to OSUser, which in turn is talking to said authentication source. This is the more important of the two needs.

              - Write an OSUser module that talks to a generic JBoss security manager and leaves the implementation (LDAP/JASS/whatever) up to the JBoss security adapter. Essentially, this is the "reverse order" of above, and isn't as useful (to me at least). However, to offer a complete package, I'd like to do both.

              I read the JBoss docs on security, and I couldn't gather that much. The docs seem pretty limited right now, does that eBook contain any extra info?

              I'll be digging around with this stuff for the next couple hours. Hopefully I'll get somewhere with this... :)

              -Pat

              • 4. Re: Custom Security Managers
                Luke Taylor Novice

                Ah, OK, from your original post it sounded like you were just wanting to manage user and role data in a format that could be used by JBoss, but you actually want to write authentication and access control modules which can be plugged into the server and access your data. I get it now.

                In the first case, it sounds like you want to write a custom login module which accesses your setup. You would be best to look at the existing example modules in JBossSX - AbstractServerLoginModule, UsernamePasswordLoginModule and DatabaseServerLoginModule. If you extend one of these then you should be OK.

                I don't really see the point of your second task (the plugin in reverse). Is this so that you can plug JBoss security into another server implementation?

                The book has an in-depth discussion of most aspects of JBoss - down to imlpementation code level, not just user level so it's is well worth getting. There is an explanation of how to write a customized security module in there too.

                • 5. Re: Custom Security Managers
                  Patrick Lightbody Newbie

                  I did end up buying the book and found that extending UsernamePasswordLoginModule will do the trick.

                  As for "the reverse", basically I'm just wondering if there is a way, say from a JSP, to make a JNDI lookup to a jboss user manager and make calls such as "add new user X" or "make user Y part of role B". Orion has something like that, but I couldn't find anything for JBoss. Not really a big deal, in my opinion, but it couldn't hurt to cover all our bases. :)

                  -Pat

                  • 6. Re: Custom Security Managers
                    Luke Taylor Novice

                    > Orion has something like that, but I couldn't find
                    > anything for JBoss.

                    That's because there isn't anything like that for JBoss :).

                    User management is really outwith the responsibility of a J2EE server and the security information is very dependent on the operating environment.

                    • 7. Re: Custom Security Managers
                      Patrick Lightbody Newbie

                      OK, no biggie...

                      I actually got this bad boy almost working (had to spend quite a bit of time getting xdoclet to work with my build scripts so that jboss was supported).

                      I'm trying a web app as a test for my custom LoginModule now, but not only can I not get jboss to talk to my code (yes, I do have security-domain in my jboss-web.xml), I can't even get tomcat to prompt for a BASIC authentication box. I even tried not using my login module and instead java:/jaas/simple, but still no popup. What gives?

                      • 8. Re: Custom Security Managers
                        Patrick Lightbody Newbie

                        BTW: this is happening in JBoss 2.4.3 + Tomcat 4.0. I tried JBoss 2.4.4 + Tomcat 4.0.1, but my sample app isn't deploying correctly (EJBs aren't working). I also tried it JBoss 2.4.3 + Tomcat 3 but the JSPs wouldn't compile (couldn't find classes in the EJBs).

                        Basically, my app only seems to deploy correctly (and work for the most part) with JBoss 2.4.3 + Tomcat 4.0, except for the BASIC authentication. I saw some posts saying that BASIC auth is buggy with this distribution. Any tips?

                        • 9. Re: Custom Security Managers
                          Luke Taylor Novice

                          I haven't tried any of the Catalina integration stuff so can't help you there.

                          It's virtually impossible to say, because you have a lot of stuff in there.

                          Did you get it all working fine with a simple client before you moved on to using a web application?

                          • 10. Re: Custom Security Managers
                            Patrick Lightbody Newbie

                            Thanks for following up. I actually got things working perfectly under JBoss 2.4.4 + Tomcat 4.0.1-beta. The only catch was that the crimson.jar included doesn't work with OSUser (yet) and so you need to grab a crimson.jar from an older version of JBoss (2.4.3 works great).

                            I highly recommend you check our project out. It is in working state for both Orion and JBoss, with Weblogic, JRun, and Websphere support coming very soon.

                            I do have a few issues with the our current OSUserLoginModule (extends UsernamePasswordLoginModule):
                            1) There seems to be some sort of caching mechanism going on in one of the jboss-jaas classes. Basically, when a user is added to a role in in OSUser, and then tries to access restricted content, he is let in correctly. But while jboss is still running and that user is then removed from the role, he can still access the content. The change doesn't come up until jboss is restarted. Is there a way to avoid this or provide callbacks to nofity the caching mechanism to get updated?

                            2) UsernamePasswordLoginModule requires the abstract class getPassword, but OSUser doesn't have getPassword interface (it does temporarily). I'd like to see in the future an Abstract class that provides an abstract authenticate(String username, String password) method instead.

                            If the caching is due to one of the parent classes, could you provide an imeplementation that didn't cache?

                            Oh, and if you want to check out the early version of OSUser, get it from CVS at www.opensymphony.com or www.sf.net/projects/opensymphony. Besides crimson.jar, to get this to work with JBoss you need to add an entry to auth.conf for the osuser security-domain that uses the ProxyLoginModule and uses moduleName=com.opensyphony.module.user.provider.jboss.OSUserLoginModule

                            -Pat

                            • 11. Re: Custom Security Managers
                              arthurg Newbie

                              > I do have a few issues with the our current
                              > OSUserLoginModule (extends
                              > UsernamePasswordLoginModule):
                              > 1) There seems to be some sort of caching mechanism
                              > going on in one of the jboss-jaas classes. Basically,
                              > when a user is added to a role in in OSUser, and then
                              > tries to access restricted content, he is let in
                              > correctly. But while jboss is still running and that
                              > user is then removed from the role, he can still
                              > access the content. The change doesn't come up until
                              > jboss is restarted. Is there a way to avoid this or
                              > provide callbacks to nofity the caching mechanism to
                              > get updated?

                              You are correct, it does cache the roles associated with a user. JBoss uses a timed cache implementation in which it caches the roles for a particular user for a default time of 30 mins after it is created. If the cache is hit after the 30 mins, it will ask the LoginModule for the roles again, and cache them again, etc. You can't control the time externally, however you can change the cache policy that JBoss uses.

                              The JaasSecurityManager can be configured to use a different cache policy. The only requirement is that the class implements the org.jboss.util.CachePolicy interface.

                              You do this by configuring the JaasSecurityManager MBean in jboss.jcml like so :

                              <!-- JAAS security manager and realm mapping -->

                              org.jboss.security.plugins.JaasSecurityManager
                              java:/CustomCachePolicy


                              The AuthenticationCacheJndiName specifies the jndi name of a CachePolicy instance to use. The only way to put a cache policy in JNDI is through your own MBean before the JaasSecurityManager MBean is deployed.

                              By default, JBoss uses the org.jboss.util.TimedCachePolicy class which has the default times hard-coded into it, so what I have done is created an MBean that customises the cache time and places it into JNDI.

                              Hope that helps,
                              Arthur.

                              • 12. Re: Custom Security Managers
                                Joel Peach Newbie

                                Arthur,

                                Are you able/willing to share your MBean and CachePolicy code with us? :)

                                Thanks,

                                -Joel

                                • 13. Re: Custom Security Managers
                                  arthurg Newbie

                                  If you are interested in finding out how the code works, please send an email to ag001@hotmail.com.

                                  arthur.