Security Policy
Contains policy permissions
http://java.sun.com/j2se/1.5.0/docs/guide/security/index.html
// NOTE(review): in policy-file syntax a codeBase URL ending in "/" matches
// class files directly in that directory only; it matches neither jars nor
// subdirectories such as lib/ or server/default/. "file:/opt/jboss3.2.7/-"
// is the recursive form, "file:/opt/jboss3.2.7/*" covers jars in that one
// directory. Confirm which was intended.
// AllPermission switches every security-manager check off for whatever does
// match, so keep this grant limited to the server's own trusted code.
grant codebase "file:/opt/jboss3.2.7/" {
permission java.security.AllPermission;
};
// Application code base. Same codeBase caveat as for the server grant above:
// a URL ending in "/" matches class files directly in /opt/myapp/ only;
// "file:/opt/myapp/-" would also cover jars and subdirectories (confirm
// against the deployment layout).
grant codebase "file:/opt/myapp/" {
// JBoss-specific: read and replace the caller principal/credential held in
// SecurityAssociation. setPrincipalInfo lets code change the identity the
// current thread runs as, so it should stay confined to this code base.
permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.getPrincipalInfo";
permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.setPrincipalInfo";
// Read access to every system property (java.home, user.home and the like
// included). Narrow to the property names the application actually reads
// where possible.
permission java.util.PropertyPermission "*", "read";
// Outbound connections to any host on any port. Narrow to the data source
// and directory hosts the login modules need (the LDAP host on this page is
// ldap.mydomain.com.sg:389).
permission java.net.SocketPermission "*", "resolve,connect";
// createClassLoader is documented by the JDK as extremely dangerous to grant:
// a custom class loader can define classes into any protection domain.
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "getClassLoader";
...
// NOTE(review): a FilePermission path that does not end in "/*" or "/-"
// names only that directory entry itself, not the files inside it. As
// written these three grants do not cover files under the directories;
// "/opt/myapp/data/*" (one level) or "/opt/myapp/data/-" (recursive) is
// presumably what was intended, and likewise for the two lib/ entries.
permission java.io.FilePermission "/opt/myapp/data/", "read,write";
permission java.io.FilePermission "/opt/jboss3.2.7/lib/", "read";
permission java.io.FilePermission "/opt/jboss3.2.7/server/default/lib/", "read";
};
http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/JAASRefGuide.html
<!-- login-config.xml entry for the "myapp" security domain (element names
     appear lower-cased and de-hyphenated by extraction; JBoss spells them
     application-policy, login-module and module-option). -->
<applicationpolicy name = "myapp">
<authentication>
<!-- ProxyLoginModule delegates to the module named by moduleName; presumably
     used so the delegate class can be resolved from the deployment's own
     class loader (verify). -->
<loginmodule code="org.jboss.security.auth.spi.ProxyLoginModule" flag="required">
<moduleoption name="moduleName">
org.jboss.security.auth.spi.DatabaseServerLoginModule
</moduleoption>
<moduleoption name="dsJndiName">java:/MyDataSource</moduleoption>
<!-- Returns the stored password for the user name bound to "?"; the module
     compares it with the password the user entered. No hashAlgorithm or
     hashEncoding option is set, so the column value is compared as-is, and
     the sample inserts later on this page store passwords in clear text.
     Store salted hashes and set hashAlgorithm (plus hashEncoding) instead. -->
<moduleoption name="principalsQuery">
select password from myapp_user
where email_address = ?
</moduleoption>
<!-- Role rows for the user; role_group 'Roles' is the group JBoss reads the
     caller's roles from. The comma join is an implicit inner join on
     user_id; an explicit INNER JOIN ... ON would make that clearer. -->
<moduleoption name="rolesQuery">
select role_name, role_group
from myapp_user, myapp_user_role
where myapp_user.user_id = myapp_user_role.user_id
and myapp_user.email_address = ?
</moduleoption>
</loginmodule>
</authentication>
</applicationpolicy>
<!-- Alternative LDAP configuration for the same "myapp" domain; only one of
     the two application-policy entries with this name can be active in a
     given login-config.xml. -->
<applicationpolicy name = "myapp">
<authentication>
<loginmodule code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
<moduleoption name="java.naming.factory.initial">
com.sun.jndi.ldap.LdapCtxFactory
</moduleoption>
<!-- Plain ldap:// on port 389 combined with "simple" authentication below
     sends the bind DN and the user's password in clear text. Use ldaps://
     (636) or StartTLS on the directory connection outside a lab. -->
<moduleoption name="java.naming.provider.url">
ldap://ldap.mydomain.com.sg:389
</moduleoption>
<moduleoption name="java.naming.security.authentication">
simple
</moduleoption>
<!-- The bind DN is principalDNPrefix + entered user name + principalDNSuffix,
     i.e. uid=NAME,ou=people,dc=mydomain,dc=com,dc=sg.
     NOTE(review): confirm the module rejects an empty password before it
     binds (older LdapLoginModule versions have an allowEmptyPasswords option
     that defaults to true); many directories treat a simple bind with a DN
     and an empty password as an unauthenticated bind that succeeds. -->
<moduleoption name="principalDNPrefix">uid=</moduleoption>
<moduleoption name="principalDNSuffix">,ou=people,dc=mydomain,dc=com,dc=sg</moduleoption>
<!-- false: role attribute values are used directly as role names (per the
     LdapLoginModule docs, true would treat them as DNs to look up). -->
<moduleoption name="roleAttributeIsDN">false</moduleoption>
<!-- Directory search timeout; the module documents this in milliseconds.
     Confirm for the JBoss version in use. -->
<moduleoption name="searchTimeLimit">5000</moduleoption>
<moduleoption name="searchScope">ONELEVEL_SCOPE</moduleoption>
</loginmodule>
</authentication>
</applicationpolicy>
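/* role: one row per (user, role) assignment, read by the rolesQuery of the
   DatabaseServerLoginModule configured above. Constraints are named so that
   constraint violations and migrations are greppable. */
create table myapp_user_role (
    user_role_id bigint not null auto_increment,
    user_id bigint not null,
    -- role_name is handed to the container as a role; role_group is the JAAS
    -- group the role is placed in ('Roles' in the sample data below)
    role_name varchar(60) not null,
    role_group varchar(60) not null,
    constraint myapp_user_role_pk primary key (user_role_id),
    -- a user row must exist before it can be assigned a role; deleting a user
    -- that still has assignments is refused (explicit restrict, the engine default)
    constraint myapp_user_role_user_id_fk foreign key (user_id)
        references myapp_user (user_id)
        on delete restrict on update restrict,
    -- the same role cannot be assigned to the same user twice
    constraint myapp_user_role_user_id_role_uq unique (user_id, role_name, role_group)
);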
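-- Sample principals for the DatabaseServerLoginModule above. Its
-- principalsQuery keys on email_address, so the first account logs in with
-- the literal user name 'admin'. No hashAlgorithm is configured on the
-- module, so the password column holds the clear-text secret; a deployment
-- stores salted hashes, sets hashAlgorithm/hashEncoding on the module, and
-- replaces the 'changeme' placeholder before first start.
insert into myapp_user (user_id, full_name, email_address, password, created, updated)
values (2, 'admin', 'admin', 'changeme', utc_date, utc_date);
-- user_id was 2 in the original, a duplicate of the admin row's primary key;
-- 3 matches the 'member' role assignment below (inferred, confirm).
insert into myapp_user (user_id, full_name, email_address, password, created, updated)
values (3, 'Scott', 'scott@example.com', 'tiger', utc_date, utc_date);
-- Role assignments; role_group 'Roles' is the group the rolesQuery feeds.
-- The original targeted jobs_user_role, which does not match the create
-- table above. user_id 1 (holder of the 'anonymous' role, presumably the
-- unauthenticated principal named in jboss-web.xml further down) has no
-- myapp_user row on this page, so the first insert fails the foreign key
-- unless that row exists.
insert into myapp_user_role (user_role_id, user_id, role_name, role_group)
values (1, 1, 'anonymous', 'Roles');
insert into myapp_user_role (user_role_id, user_id, role_name, role_group)
values (2, 2, 'admin', 'Roles');
insert into myapp_user_role (user_role_id, user_id, role_name, role_group)
values (3, 3, 'member', 'Roles');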
<?xml version="1.0" encoding="UTF8"?>
<!-- jboss-web.xml (element names case/hyphen-folded by extraction:
     security-domain, unauthenticated-principal).
     NOTE(review): "UTF8" is not the registered charset name; the declaration
     normally reads encoding="UTF-8". Likely an extraction artifact, confirm
     against the deployed file. -->
<jboss>
<!-- binds this web application to the JAAS application policy "myapp" above -->
<securitydomain>java:/jaas/myapp</securitydomain>
<!-- principal name given to requests that have not authenticated; the sample
     data assigns user 1 a role literally named 'anonymous' -->
<unauthenticatedprincipal>anonymous</unauthenticatedprincipal>
...
</jboss>
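/**
 * Servlet filter that performs a JAAS login before a request is handled and
 * logs out again afterwards. The login/logout helpers are elided in this
 * listing; the fragments further down the page show login(request) reading
 * the "username"/"password" session attributes and logout(request) calling
 * LoginContext.logout().
 */
public class JAASLoginFilter implements Filter
{
    private final static Logger log =
        Logger.getLogger(JAASLoginFilter.class.getName());

    /**
     * Logs in, passes the request down the chain, and always logs out again.
     * The logout sits in a finally block: in the original sequence an
     * exception thrown by the chain skipped logout and left the LoginContext
     * (and its Subject) logged in for that request.
     *
     * @param request  current request; login state is attached to it by login()
     * @param response current response, passed through unchanged
     * @param chain    remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException
    {
        login(request);
        try {
            chain.doFilter(request, response);
        } finally {
            logout(request);
        }
    }

    // ... login(ServletRequest) and logout(ServletRequest) are elided in the original listing

    public void init(FilterConfig filterConfig) {}
    public void destroy() {}
}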
/**
 * Callback handler carrying the credentials that the JAAS login modules will
 * ask for through NameCallback and PasswordCallback.
 *
 * @param username name handed to NameCallback.setName
 * @param password password handed to PasswordCallback.setPassword as a
 *                 char[] copy. It is held here as a String, which cannot be
 *                 zeroed after use; a char[] field would allow clearing it
 *                 once the login has completed.
 */
protected LoginCallback(String username, String password)
{
    this.password = password;
    this.username = username;
}
/**
 * Answers the callbacks issued by the login modules: a NameCallback receives
 * the user name, a PasswordCallback a fresh char[] copy of the password.
 * Any other callback type is left unanswered rather than rejected, so a
 * module asking for something this handler cannot supply does not see an
 * UnsupportedCallbackException.
 *
 * @param callbacks callbacks supplied by the login module
 */
public void handle(Callback[] callbacks)
{
    int count = callbacks.length;
    for (int index = 0; index < count; index++) {
        Callback current = callbacks[index];
        if (current instanceof PasswordCallback) {
            ((PasswordCallback) current).setPassword(password.toCharArray());
        } else if (current instanceof NameCallback) {
            ((NameCallback) current).setName(username);
        }
    }
}
}
// Get username and password from the session
String username = (String)session.getAttribute("username");
String password = (String)session.getAttribute("password");
// Don't login if the username or password isn't set
if(username == null || password == null) return;
// Login
CallbackHandler handler = new LoginCallback(username, password);
LoginContext lc = null;
try {
lc = new LoginContext("clientlogin", handler);
lc.login();
request.setAttribute("jaaslogincontext", lc);
request.setAttribute("jaasusername", username);
} catch (LoginException e) {
log.warning("error logging in, username=" + username + " : " + e.getMessage());
}
}
// Logout
try {
lc.logout();
} catch (LoginException e) {
log.warning("error logging out, username=" + username + " : " + e.getMessage());
}
}