The prince who relies upon their words, without having otherwise provided for his security, is ruined— Niccoló Machiavelli (The Prince).
Today, networks provide a potential avenue of attack to any computer hooked to them and thus, security is a fundamental part of any Enterprise application. The Java platform was designed from the ground up with a strong emphasis on security. Its security APIs span a wide range of areas—interfaces for performing authentication and access control that protect applications against unauthorized access to protected resources, and cryptographic infrastructures that supply the underlying basis for developing secure applications.
A necessary preamble of this chapter will be an introduction to the Java Security API and how these interfaces are implemented in JBoss Security Extension (JBossSX). Then, in the core section of the chapter, we will deliver:
Java EE security services provide a robust and easily configured security mechanism for authenticating users and authorizing access to application functions and associated data.
Authentication is the process by which the user of an application (any type of Java program, including EJB, servlets, and so forth) is verified.
Authorization is about managing access to protected system resources based on the rights of a user or class of users. Authorization, therefore, assumes that authentication has occurred; otherwise it would be impossible to grant any access control if you don't know who the user is.
In Java EE, the component containers are responsible for providing application security. A container, basically, provides two types of security— declarative and programmatic. Let's see them:
For example, Enterprise JavaBeans components use an EJB deployment descriptor that must be named ejb-jar.xml
and placed in the META-INF
folder of the EJB JAR file.
Web components use a web application deployment descriptor named web.xml
located in the WEB-INF
directory.
Web Services components use a jaxrpc-mapping-info.xml
deployment descriptor defined in JSR 109. This deployment descriptor provides deployment time mapping functionality between Java and WSDL and needs to be placed in the META-INF
folder of your JAR file.
Since Java EE 1.5 you can apply declarative security by means of annotations. Annotations are specified within a class file and, when the application is deployed, this information is translated internally by the Application Server.
By using annotations, you are exempted from writing boilerplate useless code, as this can be generated by external tools from the source code. This leads to a declarative programming style, where the programmer says what should be done and tools emit the code to do it. It also eliminates the need for maintaining side files that must be kept up-to-date with changes in source files. Instead, the information is maintained in the source file.
isUserInRole()
for servlets, JSPsisCallerInRole()
for EJBsAdditionally, there are other API calls that provide access to the user's identity:
getUserPrincipal()
for Servlets, JSPsgetCallerPrincipal()
for EJBsUsing these APIs, you can develop arbitrarily complex authorization models.
The framework that provides an API for the authentication and authorization of users is called Java Authentication and Authorization Service (JAAS).
JAAS uses a service provider approach for its authentication features, meaning that it is possible to configure different login modules for an application without changing any code. The application remains unaware of the underlying authentication logic. It's even possible for an application to contain multiple login modules, somewhat like a stack of authentication procedures.
The Login Module is the key element of JAAS authentication, which is based on information provided through CallbackHandler
. Custom login modules must implement the methods defined by the javax.security.auth.spi.LoginModule
interface.
Clients interact with JAAS through a LoginContext
object that provides a way to develop applications independent of the underlying authentication technology. The LoginContext
class describes the methods used to authenticate subjects. A Subject is an identity in a system that you want to authenticate and assign access rights to.
In the following example, a LoginContext
is created by using the login module name as the first argument of the constructor and the callback handler as the second argument for passing login information to the Login Module.
Each CallbackHandler implements a handle
method that transfers the required information to the Login Module. The login
method in the LoginContext
is used to start the login process. Following is a sample servlet that challenges the JAAS authentication process:
public class LoginServlet extends HttpServlet { public void doGet (HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { PrintWriter out = res.getWriter(); LoginContext ctx = null; try { ctx = new LoginContext("SampleLogin", new MyCallbackHandler()); } catch(LoginException le) { throw new RuntimeException("Login failed!"); } try { ctx.login(); } catch(LoginException le) { throw new RuntimeException("Authentication failed!"); } out.println("Authentication succeeded."); }
After its successful completion, LoginModules add instances of java.security.Principal
to the Subject, and the application can retrieve the Subject from the LoginContext
using the getSubject()
method.
18.117.129.172