IDTrust: Security for Java Applications

    Please use Project PicketBox


    and disregard the content below.  ( <=    ATTENTION)

     

     

     

     

     

     

     

     

     

     

    IDTrust

     

    Typically, applications running in a Java environment need to perform security functions such as Authentication, Authorization and Auditing.

     

    Requirements/Background:

    You need security libraries that run in a Java environment. You say, "I have a Java program. I can download some libraries. I do not need Tomcat or JBoss AS or any containers. Just plain Java. Anything for me?".  If this is the case, please read on.

     

    Installation

     

    Version: 2.0.2.CR1

     

    Grab the following jar:

    IDTrust:  http://repository.jboss.org/maven2/org/jboss/security/jboss-idtrust/2.0.2.CR1/jboss-idtrust-2.0.2.CR1.jar

     

    Dependencies:

    SPI Bare, Identity SPI, Authorization SPI and JBossSX Bare.

     

    JBossSecuritySPI Bare: http://repository.jboss.org/maven2/org/jboss/security/jboss-security-spi-bare/2.0.2.SP6/jboss-security-spi-bare-2.0.2.SP6.jar

    Identity SPI: http://repository.jboss.org/maven2/org/jboss/security/identity-spi/2.0.2.SP6/identity-spi-2.0.2.SP6.jar

    Authorization SPI: http://repository.jboss.org/maven2/org/jboss/security/authorization-spi/2.0.2.SP6/authorization-spi-2.0.2.SP6.jar

    JBossSX Bare: http://repository.jboss.org/maven2/org/jboss/security/jbosssx-bare/2.0.2.SP6/jbosssx-bare-2.0.2.SP6.jar

     

    Other dependencies :

     

    Stax API, JAXBv2 . These are provided by JDK6 onwards. If you are running on JDK5, then pick (http://repository.jboss.org/maven2/stax/stax-api/1.0.1/stax-api-1.0.1.jar) and JAXBv2 api/impl(http://repository.jboss.org/maven2/sun-jaxb/jaxb-api/2.1.9/jaxb-api-2.1.9.jar) (http://repository.jboss.org/maven2/sun-jaxb/jaxb-impl/2.1.9/jaxb-impl-2.1.9.jar)

     

    Authentication

     

    Authentication involves verification of a Principal against some credential. JAAS is the preferred mechanism in the Java world for implementing authentication. Now if your authentication has to work with a DB or a LDAP as the store for information about the actor (user, program etc), then you will need to write the login module.

     

    JBoss IDTrust provides the same login modules available in your favorite version of the JBoss Application Server, to run in any standalone environment.

     

    Let us see some code examples for authentication:

     

    import java.security.Principal;
    import javax.security.auth.Subject;
    import org.jboss.security.AuthenticationManager;
    import org.jboss.security.config.IDTrustConfiguration;
    import org.jboss.security.idtrust.api.factories.SecurityFactory;
    
    private final String securityDomainName = "test";
    
    //Specify the configuration file
    String configFile = "config/authentication.conf";
    IDTrustConfiguration idtrustConfig = new IDTrustConfiguration();
    idtrustConfig.config(configFile);
    //Get the AuthenticationManager from the factory
    AuthenticationManager am =
         SecurityFactory.getAuthenticationManager(securityDomainName);
    assertNotNull(am);
         
    Subject subject = new Subject();
    Principal principal = getPrincipal("anil");
    Object credential = new String("pass");
         
    boolean result = am.isValid(principal, credential); 
    assertTrue("Valid Auth", result);
    result = am.isValid(principal, credential, subject);
    assertTrue("Valid Auth", result);
    assertTrue("Subject has principals",
       !subject.getPrincipals().isEmpty());
    

     

    The key here is to have a configuration file (this is the authentication.conf)

    as follows available on the classpath:

    <?xml version='1.0'?> 
     
    <policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
             xsi:schemaLocation="urn:jboss:security-config:5.0"
             xmlns="urn:jboss:security-config:5.0"
             xmlns:jbxb="urn:jboss:security-config:5.0">
       <application-policy name = "test"> 
           <authentication>
              <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
                 flag = "required">  
              </login-module> 
           </authentication> 
        </application-policy>  
    </policy>
    

     

    Authorization

     

    Authorization is the tricky part. Authentication process is finite with fixed type of parameters (username/password, X509 Certificates) etc involved in the decision making. But the authorization space is quite infinite that any number of disparate parameters can be involved in the decision making.

     

    You can get access to the AuthorizationManager via the SecurityFactory class. You also need to familiarize with the concept of a Resource.

     

    import java.security.Principal;
    import java.util.HashMap;
    import java.util.Map;
    
    import javax.security.auth.Subject;
    
    import junit.framework.TestCase;
    
    import org.jboss.security.AuthenticationManager;
    import org.jboss.security.AuthorizationManager;
    import org.jboss.security.authorization.AuthorizationContext;
    import org.jboss.security.authorization.Resource;
    import org.jboss.security.authorization.ResourceType;
    import org.jboss.security.config.IDTrustConfiguration;
    import org.jboss.security.idtrust.api.factories.SecurityFactory;
    
    //Let us define a security domain - for more info look at config file
    private final String securityDomainName = "test";
    
    //Define a configuration file available on the classpath
    private final String configFile = "config/authorization.conf";
    
    //Read in the configuration
    IDTrustConfiguration idtrustConfig = new IDTrustConfiguration();
    idtrustConfig.config(configFile);
    
    AuthenticationManager am = SecurityFactory.getAuthenticationManager(securityDomainName);
    assertNotNull(am);
         
    Subject subject = new Subject();
    Principal principal = getPrincipal("anil");
    Object credential = new String("pass");
         
    boolean result = am.isValid(principal, credential, subject);
    assertTrue("Valid Auth", result);
    assertTrue("Subject has principals", !subject.getPrincipals().isEmpty());
         
    AuthorizationManager authzM = SecurityFactory.getAuthorizationManager(securityDomainName);
    assertNotNull(authzM);
    Resource resource = getResource();
    int decision = authzM.authorize(resource, subject);
    assertTrue(decision == AuthorizationContext.PERMIT);
    

     

    The getResource() method is as follows:

    private Resource getResource()
    {
       return new Resource()
       {
           public ResourceType getLayer()
           {
              return ResourceType.IDTRUST;
           }
    
           public Map<String, Object> getMap()
           {
              return new HashMap<String,Object>();
           }
          };
    }
    

    You will probably implement your implementation of the org.jboss.security.authorization.Resource interface.

     

    The authorization.conf configuration file looks as follows:

    <?xml version='1.0'?> 
     
    <policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
             xsi:schemaLocation="urn:jboss:security-config:5.0"
             xmlns="urn:jboss:security-config:5.0"
             xmlns:jbxb="urn:jboss:security-config:5.0">
       <application-policy name = "test"> 
           <authentication>
              <login-module code =
          "org.jboss.security.auth.spi.UsersRolesLoginModule"
                 flag = "required"> 
                 <module-option name = "name">1.1</module-option>
                 <module-option name = "succeed">true</module-option>
                 <module-option name = "throwEx">false</module-option> 
              </login-module> 
           </authentication> 
           <authorization>
              <policy-module 
                code=
    "org.jboss.security.idtrust.impl.plugins.authorization.
    IDTrustAuthorizationModule">
                <module-option name="roles">validuser</module-option>
              </policy-module>
           </authorization>
        </application-policy>  
    </policy>
    

     

    This configuration file defines both the authentication as well as the authorization modules.

     

    The IDTrustAuthorizationModule verifies that the Subject has a rolegroup called as "Roles" and in it contains

    the configured roles (in this example, the subject should have the "validUser" role).

    Source: http://anonsvn.jboss.org/repos/jbossas/projects/security/security-standalone/trunk/idtrust-impl/src/main/java/org/jboss/security/idtrust/impl/plugins/authorization/IDTrustAuthorizationModule.java

     

    Please feel free to write your own AuthorizationModule implementation.

     

    You can also make use of the ACL framework that is provided as part of JBoss Security libraries that exist as dependencies of IDTrust. They are available via the AuthorizationManager.getEntitlements method. Only thing you have to remember is that you will be bringing a lot more run time dependencies such as JPA, Hibernate etc.

     

    Auditing

     

    Auditing is key to security operations. You want to be able to audit security events.

     

    You can use the "org.jboss.security.audit.providers.LogAuditProvider" to log audit events in the log4j log.

     

    Some code:

    import java.security.Principal;
    import java.util.HashMap;
    import java.util.Map;
    
    import javax.security.auth.Subject;
    
    import junit.framework.TestCase;
    
    import org.jboss.security.AuthenticationManager;
    import org.jboss.security.audit.AuditEvent;
    import org.jboss.security.audit.AuditLevel;
    import org.jboss.security.audit.AuditManager;
    import org.jboss.security.config.IDTrustConfiguration;
    import org.jboss.security.idtrust.api.factories.SecurityFactory;
    import org.jboss.security.audit.providers.LogAuditProvider;
    
    private final String securityDomainName = "test";
    
    //Read in the configuration
    String configFile = "config/audit.conf";
    IDTrustConfiguration idtrustConfig = new IDTrustConfiguration();
    idtrustConfig.config(configFile);
    //Get the AuthenticationManager from the SecurityFactory
    AuthenticationManager am =
       SecurityFactory.getAuthenticationManager(securityDomainName);
    assertNotNull(am);
         
    Subject subject = new Subject();
    Principal principal = getPrincipal("anil");
    Object credential = new String("pass");
          
    boolean result = am.isValid(principal, credential, subject);
    assertTrue("Valid Auth", result);
    assertTrue("Subject has principals", !subject.getPrincipals().isEmpty());
         
    Map<String,Object> contextMap = new HashMap<String,Object>();
    
    //Create an audit event indicating success
    AuditEvent auditEvent = new AuditEvent(AuditLevel.SUCCESS,contextMap);
    
    //Get the audit manager from the SecurityFactory
    AuditManager auditManager =
       SecurityFactory.getAuditManager(securityDomainName);
    
    //Now audit the event
    auditManager.audit(auditEvent);
    

     

    The audit.conf configuration file would look as follows:

    <?xml version='1.0'?> 
     
    <policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
             xsi:schemaLocation="urn:jboss:security-config:5.0"
             xmlns="urn:jboss:security-config:5.0"
             xmlns:jbxb="urn:jboss:security-config:5.0">
       <application-policy name = "test"> 
           <authentication>
              <login-module code =
       "org.jboss.security.auth.spi.UsersRolesLoginModule"
                 flag = "required">  
              </login-module> 
           </authentication>
           <audit>
              <provider-module code=
          "org.jboss.security.audit.providers.LogAuditProvider"/>
           </audit> 
        </application-policy>  
    </policy>
    

     

    Advantages

    If you develop on IDTrust, then you should be able to move seamlessly into JBoss AS5 where the dependent security libraries are available. You will just need the IDTrust jar.

     

    TBD

    Migration of IDTrust applications to JBoss4.x.  JBoss security team needs to work further on the dependent libraries that are suitable for JBoss4x.

     

    Frequently Asked Questions

     

    1. I am seeing an NoClassDefFound Error (NCDF) or ClassNotFoundException (CNFE) involving org.jboss.logging package.

    Try grabbing the following jars if running in a standalone environment. The jar is not needed for JBAS.

    http://repository.jboss.org/maven2/org/jboss/jboss-common-core/2.2.11.GA/jboss-common-core-2.2.11.GA.jar

    http://repository.jboss.org/maven2/org/jboss/logging/jboss-logging-spi/2.0.5.GA/jboss-logging-spi-2.0.5.GA.jar

     

    2. Can you make it easier to integrate in a standalone environment or a JBAS environment?

    Yes, we are planning to get IDTrust in 3 flavors - Apache Tomcat Version (Standalone), JBoss AS 4.2.x Version and JBoss AS5.x to handle the dependencies better and provide you one zip for each of these runtime environment.

     

     

     

    User Forum: http://www.jboss.org/index.html?module=bb&op=viewforum&f=49