Security: jBoss JAAS/Authorization
We will see how to authenticate to jBoss and how to use authorization at the method
level with JAAS (Java Authentication and Authorization Service).
We will also use jBoss's Security Proxy to implement "custom authorization".
We are going to implement an authentication module for a standalone client and an
authorization module for a Session Bean.
CartBean Stateful Session Bean
CartBean is a simple Session Bean with a few business methods.
Users and roles
Our application defines users as well as roles.
We have 3 users in our users.properties file in ejb-module/META-INF:
- 'janaudy' with password 'j'
- 'claire' with password 'c'
- 'lucy' with password 'l'
We have 2 roles in our roles.properties file in ejb-module/META-INF:
- janaudy=consultant
- claire=directeur
- lucy=consultant
Authentication
The user enters a login and a password (for example 'janaudy' and 'j'). The authentication module
gathers this information and sends it to the application server.
We only have to write a Java class that implements the javax.security.auth.callback.CallbackHandler interface.
See UPCallbackHandler.java.
Then, to use this class, instantiate it in the client code and use it as shown in JbossCartClient.java.
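The following is an added example, not the project's own UPCallbackHandler.java or JbossCartClient.java: a username/password CallbackHandler and the client-side LoginContext call that drives it. The login configuration entry name "other" is an assumption about the client's auth.conf (it must map that entry to org.jboss.security.ClientLoginModule), and the cart lookup is left as a placeholder comment.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Added example: hands a fixed login/password to whatever LoginModule asks for them.
public class UPCallbackHandler implements CallbackHandler {
    private final String login;
    private final char[] password;

    public UPCallbackHandler(String login, char[] password) {
        this.login = login;
        this.password = (char[]) password.clone();
    }

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            Callback cb = callbacks[i];
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(login);
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(password);
            } else {
                // Refuse callbacks we do not understand instead of silently ignoring them.
                throw new UnsupportedCallbackException(cb, "unsupported callback");
            }
        }
    }

    // Client-side usage. "other" is an ASSUMED entry name in the client's auth.conf.
    public static void main(String[] args) throws LoginException {
        String login = args.length > 0 ? args[0] : "janaudy";
        char[] pw = (args.length > 1 ? args[1] : "j").toCharArray();

        LoginContext lc = new LoginContext("other", new UPCallbackHandler(login, pw));
        lc.login(); // ClientLoginModule attaches principal/credential to outgoing EJB calls
        try {
            // ... look up the Cart home, create the bean and call its business methods here ...
        } finally {
            lc.logout();            // drop the client-side security association
            Arrays.fill(pw, '\0');  // do not leave the password lying around in memory
        }
    }
}
```

Note that with ClientLoginModule the credentials are not verified on the client: the login only associates them with the calling thread, and the real check happens on the server when the first EJB call arrives.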
Authorization: method permissions
We now have to specify which role is authorized to invoke which method. We use XDoclet for this:
the tag is @ejb.permission with the role-name attribute.
See CartBean.java.
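As an added example (not the project's CartBean.java), here is what a stateful session bean carrying @ejb.permission tags looks like. The bean's methods, JNDI name and the split between 'consultant' and 'directeur' are constructed for illustration; XDoclet's ejbdoclet turns each tag into a method-permission element in the generated ejb-jar.xml.

```java
import java.util.ArrayList;
import java.util.List;
import javax.ejb.CreateException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

/**
 * Added example bean. Class-level @ejb.permission is the default for every method;
 * a method-level tag overrides it.
 *
 * @ejb.bean name="Cart" type="Stateful" jndi-name="ejb/Cart" view-type="remote"
 * @ejb.permission role-name="consultant,directeur"
 */
public class CartBean implements SessionBean {
    private SessionContext ctx;
    private List items = new ArrayList();

    /** @ejb.create-method */
    public void ejbCreate() throws CreateException { }

    /**
     * Anyone with a business role may fill the cart (inherits the class-level permission).
     * @ejb.interface-method
     */
    public void addItem(String product, int quantity) {
        items.add(product + " x" + quantity);
    }

    /**
     * Only a 'directeur' may validate the cart: the container rejects other callers
     * with a remote security exception before this code runs.
     * @ejb.interface-method
     * @ejb.permission role-name="directeur"
     */
    public void validate() {
        // ... business logic, e.g. hand the order to a back-office system ...
        items.clear();
    }

    /**
     * Programmatic check: useful when the decision depends on data, not just on the role.
     * @ejb.interface-method
     */
    public List getItems() {
        if (!ctx.isCallerInRole("directeur") && items.size() > 10) {
            throw new SecurityException("consultants may only view carts of up to 10 lines");
        }
        return new ArrayList(items);
    }

    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }
    public void ejbRemove() { }
    public void ejbActivate() { }
    public void ejbPassivate() { }
}
```

For isCallerInRole to work, the role names used in code must be declared as security-role-refs; with XDoclet this is done with @ejb.security-roleref on the bean class.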
Custom Authorization: jBoss Security Proxy
There are several ways to implement custom authorization:
- 1. A static approach where the business methods are redefined in the security proxy class
- 2. A dynamic approach where jBoss uses reflection (the one I have chosen)
- 3. Aspect-oriented programming (AOP)
Can you think about why we would need a custom authorization model?
We are going to use approach number 2.
We have to develop a class that implements the org.jboss.security.SecurityProxy interface.
See CartBeanSecurityProxy.java.
Declare the XDoclet tag @jboss.security-proxy with the name attribute in the CartBean.java class.
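The following is an added example of the reflective approach, not the project's CartBeanSecurityProxy.java. The method signatures follow the org.jboss.security.SecurityProxy interface of jBoss 3.x; the authorization rule itself (a 'consultant' may add at most 100 units per line, a 'directeur' may add any quantity) and the method names it inspects are constructed for illustration.

```java
import java.lang.reflect.Method;
import java.security.Principal;
import javax.ejb.EJBContext;
import org.jboss.security.SecurityProxy;

/**
 * Added example. jBoss calls invoke() before every business method of the bean
 * it is attached to; throwing SecurityException denies the call.
 */
public class CartBeanSecurityProxy implements SecurityProxy {
    // Constructed business rule: quantity ceiling for the 'consultant' role.
    private static final int CONSULTANT_MAX_QUANTITY = 100;

    private EJBContext ctx;

    public void init(Class beanHome, Class beanRemote, Object securityMgr) { }

    public void init(Class beanHome, Class beanRemote,
                     Class beanLocalHome, Class beanLocal, Object securityMgr) { }

    public void setEJBContext(EJBContext ctx) {
        this.ctx = ctx;
    }

    public void invokeHome(Method m, Object[] args) throws SecurityException {
        // Creation is already restricted by @ejb.permission; nothing extra to check here.
    }

    public void invoke(Method m, Object[] args, Object bean) throws SecurityException {
        Principal caller = ctx.getCallerPrincipal();
        String method = m.getName();

        // Rule 1: addItem(String product, int quantity) -- assumed signature of the bean method.
        if ("addItem".equals(method)) {
            int quantity = ((Integer) args[1]).intValue();
            if (quantity > CONSULTANT_MAX_QUANTITY && !ctx.isCallerInRole("directeur")) {
                throw new SecurityException(caller.getName() + " may not add "
                        + quantity + " units (limit " + CONSULTANT_MAX_QUANTITY + ")");
            }
        }

        // Rule 2: validate() -- belt and braces on top of the declarative permission,
        // so the rule still holds if someone later loosens the ejb-jar.xml entry.
        if ("validate".equals(method) && !ctx.isCallerInRole("directeur")) {
            throw new SecurityException(caller.getName() + " is not allowed to validate a cart");
        }
    }
}
```

The proxy is attached to the bean with a class-level tag such as `@jboss.security-proxy name="org.jyperion.j2ee.sample.sfsb.CartBeanSecurityProxy"` (package name assumed), which ejbdoclet writes into jboss.xml. Because the decision is made on the server side from the container's caller principal, a client cannot bypass it by skipping the check locally.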
Build
There is a small difference in the build.xml file: the ejbdoclet <jboss> subtask declares the security domain and the unauthenticated principal.
<jboss version="3.0"
       securityDomain="java:/jaas/other"
       unauthenticatedPrincipal="nobody"
       xmlencoding="UTF-8"
       destdir="${ejb-meta-inf}"
       validatexml="true"
       preferredrelationmapping="relation-table"/>
Client policy
grant {
    permission java.security.AllPermission;
};
Script to run the client
# Shell script (the original mixed Windows 'set' syntax with shell variables; {$vmargs}
# and {$localcp} were not valid expansions in either).
vmargs="-Djava.security.auth.login.config=$jbosshome/client/auth.conf"
java -Djava.security.manager -Djava.security.policy=client.policy $vmargs \
    -cp "$localcp:CartClient.jar" \
    org.jyperion.j2ee.sample.sfsb.client.JbossCartClient $1 $2 $3 $4
Et voilà!