GlassFish Security. open source community experience distilled. security measures. Secure your GlassFish installation, Web applications,

Transcription

1 GlassFish Security Secure your GlassFish installation, Web applications, EJB applications, application client module, and Web Services using Java EE and GlassFish security measures Masoud Kalali PUBLISHING BIRMINGHAM - MUMBAI open source community experience distilled

2 Preface 1 Chapter 1: Java EE Security Model 7 Overview of Java EE architecture 8 Understanding a typical Java EE application 8 Accessing protected resource inside a Web module 11 Deployment descriptors 13 Understanding Java EE security terms 13 Defining constraints on resources 15 Authenticating and authorizing users 16 Adding authentication to a web application 17 Authorizing using deployment descriptor 19 Managing session information 19 Adding transport security 21 Using programmatic security in web applications 23 Using security annotations 25 Understanding the EJB modules 26 Securing EJB modules using annotations 30 Mapping roles to principals and groups 33 Accessing the security context programmatically 33 Using EJB interceptors for auditing and security purposes 34 Enforcing authentication in EJB modules 35 Understanding the application client module 37 Declaring security roles in Application level 39 Summary 40 Chapter 2: GlassFish Security Realms Security realms 42 Authenticating using security realms 42 Reusing security assets 43 41^

3 GlassFish security realms 43 Administrating security realms 44 Creating a file realm 45 Creating the JDBC realm 50 Using the LDAP realm to secure web applications 55 Downloading and installing OpenDS Creating the LDAP realm 58 Creating the certificate realm 61 Public key cryptography 62 Digital signature 63 Key stores and trust stores 63 Managing certificates 64 Creating the Solaris realm 71 Developing custom realms 71 Developing the custom realm 71 Installing and configuring 74 Adding a custom authentication method to GlassFish 75 Summary 76 Chapter 3: Designing and Developing Secure Java EE Applications 77 Understanding the sample application 78 Analyzing sample application business logic 78 Implementing the Business and Persistence layers 79 Implementing the Persistence layer 80 Developing the Presentation layer 83 Implementing the Conversion GUI 84 Implementing the Converter servlet 85 Implementing the authentication frontend 87 Configuring deployment descriptors 89 Specifying the security realm 91 Deploying the application client module in the Application Client Container 92 Configuring Application Client Container security 97 Summary 100 Chapter 4: Securing GlassFish Environment 101 Securing a host operating system 102 Defining security at the OS level 102 Creating the installation directory 105 Creating the GlassFish user 105 Logging in as a GlassFish user 106 Restricting access to the filesystem 106 Restricting access to network interfaces 106 Restricting access to ports 107

4 Enforcing storage usage limitation 107 Implementing restrictions in the application server level 112 Securing the Java Runtime environment from unprivileged access 112 Implementing the policy manager 113 Securing the GlassFish using security manager 116 Alternative container policy providers 120 Estimating security risks: Auditing 121 Enabling the default auditing module 122 Developing custom auditing modules 123 Summary 124 Chapter 5: Securing GlassFish 125 Administrating GlassFish 125 Using CLI for administration tasks 126 Implementing security in CLI 128 Securing different network listeners 135 Securing HTTP listeners 136 Securing ORB listeners 139 Securing JMX listeners 140 Hosting multiple domains using one IP 141 Sharing security context between different applications using SSO 144 Enabling SSO in virtual server 145 Summary 146 Chapter 6: Introducing OpenDS: Open Source Directory Service 147 Storing hierarchical information: Directory services 148 Connecting directory services to software systems 149 Introducing OpenDS 150 Understanding OpenDS backend and services 153 Installing and administrating OpenDS 154 Installing OpenDS and DSML gateway 154 Understanding the system requirements 154 Downloading and installing OpenDS server 154 Studying the OpenDS directory structure 158 Installing and configuring the DSML gateway 158 Administrating and managing OpenDS 160 Importing and exporting data 161 Importing LDIF files 162 Exporting database content into LDIF file 163 Backing up and restoring data 163 Creating a backup of OpenDS data 164 Restoring server state using backups 166 Enabling JMX Connection Handler 167 Embedding OpenDS 170 [iii]

5 Benefits of embedded mode capability of OpenDS 170 Preparing the environment 171 Replicating Directory Information Tree (DIT) 173 OpenDS replication mechanism 174 Setting up an Asynchronous replication infrastructure 175 Summary 177 Chapter 7: OpenSSO, the Single sign-on Solution 179 WhatisSSO 180 What is OpenSSO 181 OpenSSO functionalities 183 Controlling user access 183 Federation Management 185 Identity Web Services 186 OpenSSO architecture 188 OpenSSO realms 190 Installing OpenSSO in GlassFish 190 Configuring OpenSSO for authentication and authorization 194 Authentication chaining 196 Realm Authentication 198 User Authentication 199 Securing our applications using OpenSSO 199 Authenticating users by the RESTful interface 200 Authorizing using REST 202 SSO using REST 204 Summary 210 Chapter 8: Securing Java EE Applications using OpenSSO 211 Understanding Policy Agents 212 Specifying access privileges by defining policies 213 Protecting diverse types of containers using Policy Agents 214 Working of OpenSSO agents 215 Protecting different types of resources 216 Exploring outstanding features of Policy Agents 217 Managing Centralized Agent Configuration 217 Managing agents in groups 218 Applying agents configuration on-the-fly 218 Having more control over the installation process 218 Installing J2EE Agent 3.0 for GlassFish 218 Placing the sample application under OpenSSO protection 224 Changing sample application descriptor files 225 Configuring the agent to protect the sample application 226 Defining access rules 229 Summary 233

6 Chapter 9: Securing Web Services by OpenSSO 235 Java EE and Web Services security 236 Securing Web Services in a Web module 236 Web Services security in EJB modules 236 EJB-based Web Services authentication in GlassFish 237 Understanding Web Services security 239 Understanding SOAP message structure 244 Developing secure Web Services 245 Downloading and installing Web Services security agents 248 Creating a Web Service Client profile 250 Creating a Web Service Provider profile 251 Securing the Echo Web Service 253 Developing an Echo Service Consumer 253 Authenticating a service call using WSP 255 Configuring WSP for enforcing authentication 256 Configuring WSC to support authentication 258 Summary 259 Index 261