Secure JMX connections with JGuard in standalone application
To use the JGuard policy, we must configure the authentication part and the authorization part. The authentication part does not use the full JGuard implementation: we keep Sun's Configuration implementation to define the LoginModules, and use a JGuard LoginModule to set the principals from an XML file. The authorization part, on the other hand, is fully JGuard.
XmlLoginModule configuration
- create a java.login.config file containing the following entries:
your_application_name {
  net.sf.jguard.authentication.loginmodules.XmlLoginModule REQUIRED fileLocation="path_to/jGuardUsersPrincipals.xml" debug=true;
};
- open java.security in ${java.home}/jre/lib/security/ (default location).
- verify that login.configuration.provider is set to com.sun.security.auth.login.ConfigFile.
- go to the login.url.n property and set it to the file path you created in the first step
- create the file "JGuardUsersPrincipals.xml" that you defined in the fileLocation option of java.login.config:
<usersPrincipals>
  <principals>
    <principal>
      <name>admin</name>
      <applicationName>your_application_name</applicationName>
    </principal>
    <principal>
      <name>guest</name>
      <applicationName>your_application_name</applicationName>
    </principal>
  </principals>
  <users>
    <userTemplate>
      <privateRequiredCredentials>
        <credTemplateId>login</credTemplateId>
        <credTemplateId>password</credTemplateId>
      </privateRequiredCredentials>
      <publicRequiredCredentials>
      </publicRequiredCredentials>
      <privateOptionalCredentials>
      </privateOptionalCredentials>
      <publicOptionalCredentials>
      </publicOptionalCredentials>
      <genericPrincipals>
        <principalRef name="admin"/>
        <principalRef name="guest"/>
      </genericPrincipals>
      <specificPrincipalFactories></specificPrincipalFactories>
    </userTemplate>
    <user>
      <privateCredentials>
        <credential>
          <id>login</id>
          <value>admin</value>
        </credential>
        <credential>
          <id>password</id>
          <value>admin</value>
        </credential>
      </privateCredentials>
      <publicCredentials>
      </publicCredentials>
      <principalsRef>
        <principalRef name="admin"/>
      </principalsRef>
    </user>
    <user>
      <privateCredentials>
        <credential>
          <id>login</id>
          <value>guest</value>
        </credential>
        <credential>
          <id>password</id>
          <value>guest</value>
        </credential>
      </privateCredentials>
      <publicCredentials>
      </publicCredentials>
      <principalsRef>
        <principalRef name="guest"/>
      </principalsRef>
    </user>
  </users>
</usersPrincipals>
In this minimal example, we define 2 users: one admin (login/password: admin/admin) and one guest (login/password: guest/guest). For instance, if a user connects with the login admin and the password admin, he is logged in with the JGuard principal admin.
Notice that principals are tied to application names. For example, you could define two admin principals in the same file, one for one application and one for another.
The authentication configuration part is done.
Configuring the authorization part.
- modify the java.security file in ${java.home}/jre/lib/security/ (default location): change "policy.provider" from "sun.security.provider.PolicyFile" (the default Policy implementation) to "net.sf.jguard.authorization.policy.SingleAppPolicy"
- define JGuardPolicy.xml to configure an XML-based policy:
<configuration>
  <authorization>
    <authorizationManager>net.sf.jguard.authorization.XmlAuthorizationManager</authorizationManager>
    <authorizationManagerOptions>
      <option>
        <name>fileLocation</name>
        <value>path_to/jGuardPrincipalsPermissions.xml</value>
      </option>
      <option>
        <name>debug</name>
        <value>true</value>
      </option>
    </authorizationManagerOptions>
  </authorization>
</configuration>
- in fileLocation, we set the path of the XML file used to assign permissions to principals:
<configuration>
  <permissions>
    <domain>
      <name>full</name>
      <permission>
        <name>Grants all permissions</name>
        <class>java.security.AllPermission</class>
        <actions></actions>
      </permission>
    </domain>
    <domain>
      <name>restricted</name>
      ............
    </domain>
  </permissions>
  <principals>
    <principal>
      <name>admin</name>
      <class>net.sf.jguard.principals.RolePrincipal</class>
      <permissionsRef>
        <!-- a domainRef must name a <domain> declared above -->
        <domainRef name="full"/>
      </permissionsRef>
    </principal>
    <principal>
      <name>guest</name>
      <class>net.sf.jguard.principals.RolePrincipal</class>
      <permissionsRef>
        <domainRef name="restricted"/>
      </permissionsRef>
    </principal>
  </principals>
</configuration>
How to start the JMX server with JAAS
In your application, when creating the MBeanServer:
- create the MBeanServer
- create the JMXServiceURL of the MBeanServer
- create an options Map:
Map opt = new HashMap();
opt.put(JMXConnectorServer.AUTHENTICATOR, new JGuardJMXAuthenticator());
- create the connector server, passing the URL, the options and the MBeanServer as parameters, then start the server:
JMXConnectorServer connectorServer = JMXConnectorServerFactory.newJMXConnectorServer(url, opt, mbs);
connectorServer.start();
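The four steps above as one runnable class, added here as an example and not taken from the jGuard project. It assumes port 9005 (kept distinct from the 9004 agent port set in the VM options below) and an in-process RMI registry; the page names JGuardJMXAuthenticator without its package, so its import is a placeholder to complete, and the client helper shows how credentials reach the authenticator and how a rejected login surfaces.

```java
import java.lang.management.ManagementFactory;
import java.rmi.registry.LocateRegistry;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServer;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXConnectorServerFactory;
import javax.management.remote.JMXServiceURL;
// PLACEHOLDER: the page gives the class name only; fill in the package of your jGuard version.
import PLACEHOLDER_JGUARD_PACKAGE.JGuardJMXAuthenticator;

public class SecuredJmxServer {
    /** Steps 1 to 4 of the page: MBeanServer, JMXServiceURL, options map, connector server. */
    static JMXConnectorServer startServer(int port) throws Exception {
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        LocateRegistry.createRegistry(port); // RMI registry that the JNDI URL below resolves against
        JMXServiceURL url = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://localhost:" + port + "/jmxrmi");
        Map<String, Object> opt = new HashMap<>();
        opt.put(JMXConnectorServer.AUTHENTICATOR, new JGuardJMXAuthenticator()); // every client login goes through jGuard
        JMXConnectorServer cs = JMXConnectorServerFactory.newJMXConnectorServer(url, opt, mbs);
        cs.start();
        return cs;
    }

    /** Client side: the standard JMX way to hand a login/password pair to a JMXAuthenticator. */
    static int countMBeansAs(JMXServiceURL url, String login, String password) throws Exception {
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnector.CREDENTIALS, new String[] { login, password });
        try (JMXConnector c = JMXConnectorFactory.connect(url, env)) {
            return c.getMBeanServerConnection().getMBeanCount();
        }
    }

    public static void main(String[] args) throws Exception {
        JMXConnectorServer cs = startServer(9005);
        try {
            // admin/admin is the first user declared in JGuardUsersPrincipals.xml above
            System.out.println("MBeans visible to admin: " + countMBeansAs(cs.getAddress(), "admin", "admin"));
            try {
                countMBeansAs(cs.getAddress(), "admin", "not-the-password");
            } catch (SecurityException e) {
                // JMXAuthenticator contract: invalid credentials must raise SecurityException
                System.out.println("rejected as expected: " + e.getMessage());
            }
        } finally {
            cs.stop();
        }
    }
}
```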
How to start the application:
This paragraph explains how to configure the VM. The needed properties fall into 3 parts: first the bootclasspath definition, then the JAAS and JMX properties, and finally the JGuard properties.
-Xbootclasspath/a:jguard-core.jar
-Xbootclasspath/a:commons-logging_1.1.0.jar
-Xbootclasspath/a:commons-lang-2.1.jar
-Xbootclasspath/a:dom4j-1.6.1.jar
-Xbootclasspath/a:jaxen-1.1-beta-6.jar
- Then
-Djava.security.manager // activate java security
-Dcom.sun.management.jmxremote.ssl=false // no TLS: logins and JMX traffic cross the network in clear, keep this to local testing
-Dcom.sun.management.jmxremote.port=9004
-Dcom.sun.management.jmxremote.password=false
-Dcom.sun.management.jmxremote.login.config=your_application_name
- Finally the jguard property
-Dnet.sf.jguard.policy.configuration.file=JGuardPolicy.xml
Version 1.5 last modified by Charles Gay on 16/12/2006 at 01:26