Undertow Security Configuration

Version 4

    This article is to capture various aspects of security configuration for web applications deployed to Undertow.

     

    SSL

    • Relationship with Client Cert
    • Transport guarantee enforcement.

     

    Kerberos

    • Identity Definition
    • Host specific identity resolver

     

    Standard Authentication Mechanisms

    • BASIC
    • DIGEST
    • CLIENT CERT
    • FORM

    Non-Standard (But Shipped)

    • SPNEGO

     

    Mechanism Enhancement

    • Basic
      • Silent Mode
    • Digest
      • Hash Algorithm(s)
      • Nonce Handling
      • Message Integrity
      • Relationship with transport guarantee.

     

    Features

    • Multiple Mechanism Definitions
    • Identity Manager
    • Improved Audting
    • Custom mechanisms
    • Configuration
      • Web app level
        • Descriptors?
        • Annotations?
      • Subsystem level.
    • SSO
    • Role Mapping
    • Factory to register mechanisms?

     

     

    Early Discussion

    The following is a discussion started earlier this year regarding how to solve the configuration problem: -

    Firstly my apologies for sending to three lists but this is a topic that has a lot of interested parties so I wanted to make sure all were covered.

     

    We are currently working on what is needed for Undertow to be integrated within AS8 - making good progress with the standard mechanisms as specified by the servlet specification but now reaching the more complex configuration scenarios which I wanted to discuss in this e-mail.

     

    The core of Undertow supports multiple authentication mechanisms being active for a given web application concurrently e.g. Client Cert, Digest and SPNEGO all at the same time. Some of this is enabled for domain management already but for web app deployments the initial behaviour is that a single mechanism is associated based on the web.xml.

     

    So the configuration I am now looking at obtaining some feedback for is: -

      - Defining new authentication mechanisms.

      - Defining a set of these mechanisms.

      - Where these definitions should live, webapp? subsystem? both?

     

    Initially the integration will be with the existing JAAS domains as that is what exists today, once we have PicketLink available in a subsystem and the work David is working on regarding identity/request association then we will also migrate to those as well.

     

    For the moment a web application is also associated with a single security domain - once we migrate to PicketLink it will be associated with a single defintion there.

     

    * Historic Configuration *

     

    Up until JBoss AS 6 it was possible for single authentication mechanisms to be defined within the JBoss Web configuration, within the web.xml the custom auth-method could then be referenced to enable the new mechanism.

     

    From JBoss AS 7 the authentication mechanisms were defined by defining the mechanism as a valve within the jboss-web.xml - the presence of the mechanism was then detected during deployment causing the addition of a mechanism based on the auth-method to be skipped.

     

    In both cases the jboss-web.xml descriptor is used to associate the web application with the security domain.

     

    * AS8 Configuration *

     

    Users are already used to providing a lot of their configuration within the deployments - maybe even including PicketLink definitions where they do not want to use definitions defined within the AS config.

     

    However I have also seen demand from users to be able to take a ready built war and deploy it to development or production and have appropriate security settings defined in each environment.

     

    So for this reason I think we should take the approach of allowing full security configuration within the deployment but allowing for subsystem defined overrides to override the defined configuration at deployment time.

     

    I think this leads us to three areas of configuration: -

     

    1 - Mechanism Definition

     

    This would be something simple along the lines of: -

      <mechanism auth-method="..." module="..." class="...">

     

    2 - Security Compound

     

    This needs a good name to be selected but the idea is the compound is an ordered set of authentication mechanisms associated with a domain e.g.

     

    <security-compound name="..." domain="...">

      <mechanism auth-method="..." />

      <mechanism module="..." class="..." />

    </security-compound>

     

    These mechanisms can either be a reference to previously defined mechanisms or can be a new definition that applies only to that compound.

     

    So far #1 and #2 can either be defined in a subsystem to be referenced subsequently or if these are defined within the jboss-web.xml descriptor they will apply to the web application being deployed.

     

    For #1 we will have defined internally the set of standard mechanisms and maybe a couple of additional mechanisms - the configuration can then be used to completely replace them with alternative implementations.

     

    3 - Security Overrides

     

    This is something I am considering to live just within a subsystem, one or more fields are defined to match against web applications as they are being deployed and if there is a match the specified security-compound is applied to the web application instead of the definition within it's deployment descriptors.

     

    <security-override auth-method="..." war-name="..."

    security-domain="..." security-override="..." />

     

    The idea being if auth-method, war-name or security-domain match the values currently defined for the web app being deployed then the security settings are replaced with the specified security-compound.

     

    A couple of areas that I still need to look into in more details are how is additional configuration passed to the individual mechanisms including possible service injection and additional areas to override from the web.xml such as FORM or role mapping definitions but initially I want to focus on how the mechanisms are specified and associated and then build from there to add the additional settings.

     

    * Legacy Valve Support *

     

    I am also working on wrapping existing valves so that they can be used within Undertow when deployments are deployed to AS8 - however I see this as an alternative to the mechanisms supported by Undertow.

     

    As a valve would be used for legacy compatibility this would mean that previous functionality can be retained but moving forwards for better integration the valve would need to be migrated.

     

    Regards,

    Darran Lofthouse.

     

    Another idea raised for custom mechanism definitions: -

    That maps to the login-config element in web.xml. I was just thinking about how we could allow this to configure custom authenticators. A class name by itself is not enough, as you need some way of configuring the authenticator.

     

    I was thinking we introduce:

     

    interface AuthenticationMechanismFactory {

      AuthenticationMechanism create(final Map<String, String> properties);

    }

     

    And then allow a syntax like so:

     

    <auth-method>com.acme.MyAuthMechanismFactory?prop1=val1,prop2=val2</auth-method>

     

    Thoughts?

     

    Stuart