
Secure JMX connections with JGuard in standalone application

Last modified by RaffaelloPelagalli on 2006/12/16 01:26

In order to use the jGuard policy, we must configure the authentication part and the authorization part. The authentication part does not use the full jGuard implementation: we keep Sun's Configuration implementation to define the LoginModules, and we use a jGuard LoginModule to set the principals from an XML file. The authorization part, on the other hand, is fully jGuard.

XmlLoginModule configuration.

  • create a java.login.config file containing the following entry:
your_application_name {
    net.sf.jguard.authentication.loginmodules.XmlLoginModule REQUIRED fileLocation="path_to/jGuardUsersPrincipals.xml" debug=true;
};
Pay attention to the position of the semicolons: one ends each LoginModule line and one follows the closing brace. See the javax.security.auth.login.Configuration Javadoc for more information about the configuration file format.
  • open java.security in ${java.home}/jre/lib/security/ (default location).
    • verify that login.configuration.provider is set to com.sun.security.auth.login.ConfigFile.
    • go to the login.url.n property and set it to the path of the file you created in the first step.
  • create the file jGuardUsersPrincipals.xml you named in the fileLocation option of java.login.config.
Here is a short example:
<usersPrincipals>
  <principals>
    <principal>
      <name>admin</name>
      <applicationName>your_application_name</applicationName>
    </principal>
    <principal>
      <name>guest</name>
      <applicationName>your_application_name</applicationName>
    </principal>
  </principals>
  <users>
    <userTemplate>
      <privateRequiredCredentials>
        <credTemplateId>login</credTemplateId>
        <credTemplateId>password</credTemplateId>
      </privateRequiredCredentials>
      <publicRequiredCredentials>
      </publicRequiredCredentials>
      <privateOptionalCredentials>
      </privateOptionalCredentials>
      <publicOptionalCredentials>
      </publicOptionalCredentials>
      <genericPrincipals>
        <principalRef name="admin"/>
        <principalRef name="guest"/>
      </genericPrincipals>
      <specificPrincipalFactories></specificPrincipalFactories>
    </userTemplate>
    <user>
      <privateCredentials>
        <credential>
          <id>login</id>
          <value>admin</value>
        </credential>
        <credential>
          <id>password</id>
          <value>admin</value>
        </credential>
      </privateCredentials>
      <publicCredentials>
      </publicCredentials>
      <principalsRef>
        <principalRef name="admin"/>
      </principalsRef>
    </user>
    <user>
      <privateCredentials>
        <credential>
          <id>login</id>
          <value>guest</value>
        </credential>
        <credential>
          <id>password</id>
          <value>guest</value>
        </credential>
      </privateCredentials>
      <publicCredentials>
      </publicCredentials>
      <principalsRef>
        <principalRef name="guest"/>
      </principalsRef>
    </user>
  </users>
</usersPrincipals>
In this minimal example, we define two users: an admin (login/password: admin/admin) and a guest (login/password: guest/guest). For instance, if a user connects with the login/password admin/admin, he is logged in with the jGuard principal admin. Notice that principals are tied to application names: you could define in the same file two admin principals, one for one application and one for another. Since the file holds the passwords in clear text, restrict its file-system permissions to the account running the application. The authentication configuration part is done.
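The JAAS half of the setup can be checked on its own, before any JMX is involved. The following is an added example, not code from this page or from the jGuard project: it opens a LoginContext for the your_application_name entry of java.login.config with a CallbackHandler that answers with a login and a password, once with admin/admin and once with a wrong password, and prints the principals carried by the resulting Subject. Assumptions: XmlLoginModule is assumed to request the standard NameCallback and PasswordCallback (the page does not say which callbacks it uses), and the JVM is started with java.login.config registered through java.security as described above (or with -Djava.security.auth.login.config=path_to/java.login.config, the standard JAAS alternative).

```java
// Added example, not code from the jGuard project or this page.
import java.io.IOException;
import java.security.Principal;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class LoginConfigCheck {

    /**
     * Answers the login module's callbacks with a fixed login/password.
     * Assumption: XmlLoginModule asks for NameCallback and PasswordCallback.
     */
    static class FixedCredentials implements CallbackHandler {
        private final String login;
        private final char[] password;

        FixedCredentials(String login, String password) {
            this.login = login;
            this.password = password.toCharArray();
        }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(login);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "callback type not supported");
                }
            }
        }
    }

    /**
     * Runs the JAAS login for the given java.login.config entry and returns the
     * authenticated Subject, or null when the login modules refuse the credentials.
     */
    public static Subject login(String applicationName, String user, String password) {
        try {
            LoginContext lc = new LoginContext(applicationName, new FixedCredentials(user, password));
            lc.login();
            return lc.getSubject();
        } catch (LoginException refused) {
            System.out.println("login refused for " + user + ": " + refused.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        // entry name from java.login.config; must match the applicationName in the XML file
        String app = "your_application_name";

        // admin/admin as declared in jGuardUsersPrincipals.xml: expected to succeed
        Subject admin = login(app, "admin", "admin");
        if (admin != null) {
            for (Principal p : admin.getPrincipals()) {
                System.out.println("principal: " + p.getName() + " (" + p.getClass().getName() + ")");
            }
        }

        // wrong password: expected to be refused, so null comes back
        Subject rejected = login(app, "guest", "not-the-password");
        System.out.println("wrong password accepted? " + (rejected != null));
    }
}
```

If the first login fails with "No LoginModules configured for your_application_name", the java.security lookup (login.url.n) is not pointing at java.login.config; if it fails inside XmlLoginModule, check the fileLocation path of jGuardUsersPrincipals.xml.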

Configuring the Authorization part.

  • modify the java.security file in ${java.home}/jre/lib/security/ (default location): change policy.provider from sun.security.provider.PolicyFile (the default Policy implementation) to net.sf.jguard.authorization.policy.SingleAppPolicy.
  • define JGuardPolicy.xml to configure an XML-based policy.
Here is an example:
<configuration>
  <authorization>
    <authorizationManager>
      net.sf.jguard.authorization.XmlAuthorizationManager
    </authorizationManager>
    <authorizationManagerOptions>
      <option>
        <name>fileLocation</name>
        <value>path_to/jGuardPrincipalsPermissions.xml</value>
      </option>
      <option>
        <name>debug</name>
        <value>true</value>
      </option>
    </authorizationManagerOptions>
  </authorization>
</configuration>
  • In fileLocation, we set the path of the XML file used to assign permissions to principals.
Here is a short example of jGuardPrincipalsPermissions.xml:
<configuration>
  <permissions>
    <domain>
      <name>full</name>
      <permission>
        <name>Grants all permissions</name>
        <class>java.security.AllPermission</class>
        <actions></actions>
      </permission>
    </domain>
    <domain>
      <name>restricted</name>
      ............
    </domain>
  </permissions>
  <principals>
    <principal>
      <name>admin</name>
      <class>net.sf.jguard.principals.RolePrincipal</class>
      <permissionsRef>
        <!-- the domainRef name must match a domain <name> declared above -->
        <domainRef name="full"/>
      </permissionsRef>
    </principal>
    <principal>
      <name>guest</name>
      <class>net.sf.jguard.principals.RolePrincipal</class>
      <permissionsRef>
        <domainRef name="restricted"/>
      </permissionsRef>
    </principal>
  </principals>
</configuration>

How to start the JMX server with JAAS

In your application, at MBeanServer creation:

  • create the MBeanServer
  • create the JMXServiceURL of the MBeanServer
  • create an options map:
Map<String, Object> opt = new HashMap<String, Object>();
opt.put(JMXConnectorServer.AUTHENTICATOR, new JGuardJMXAuthenticator());
  • create the connector server, passing the URL, the options and the MBeanServer as parameters, then start the server:
JMXConnectorServer connectorServer = JMXConnectorServerFactory.newJMXConnectorServer(url, opt, mbs);
connectorServer.start();
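The four steps above as one complete program, an added example that is not code from this page or from the jGuard project: it starts an RMI connector server guarded by JGuardJMXAuthenticator, then connects to it as a client, first with admin/admin from jGuardUsersPrincipals.xml and then with a wrong password, which the authenticator must refuse. Assumptions: the package of JGuardJMXAuthenticator is not stated on the page, so its import has to be supplied from the jGuard jar; registry port 9005 and the service URL are constructed values; the client sends its credentials as a String[]{login, password} under JMXConnector.CREDENTIALS, the usual JMX convention, which JGuardJMXAuthenticator is assumed to accept.

```java
// Added example, not code from the jGuard project or this page.
import java.lang.management.ManagementFactory;
import java.rmi.registry.LocateRegistry;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServer;
import javax.management.MBeanServerConnection;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXConnectorServerFactory;
import javax.management.remote.JMXServiceURL;
// import net.sf.jguard.<package>.JGuardJMXAuthenticator;  // assumption: the page does not
// give the package; add the import for the class shipped in jguard-core.jar

public class SecuredJmxServer {

    /** Steps 1-4 of the page: MBeanServer, service URL, options map, connector server. */
    public static JMXConnectorServer startServer(int registryPort) throws Exception {
        // 1. the MBeanServer (the platform one, so the JVM's own MBeans are exposed)
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();

        // The RMI connector binds its stub into an RMI registry; create one locally.
        LocateRegistry.createRegistry(registryPort);

        // 2. the JMXServiceURL clients will connect to (constructed value)
        JMXServiceURL url = new JMXServiceURL(
                "service:jmx:rmi:///jndi/rmi://localhost:" + registryPort + "/jmxrmi");

        // 3. the options map: every new connection goes through the jGuard authenticator
        Map<String, Object> opt = new HashMap<String, Object>();
        opt.put(JMXConnectorServer.AUTHENTICATOR, new JGuardJMXAuthenticator());

        // 4. create and start the connector server
        JMXConnectorServer connectorServer =
                JMXConnectorServerFactory.newJMXConnectorServer(url, opt, mbs);
        connectorServer.start();
        return connectorServer;
    }

    /**
     * Client side. Credentials travel as String[]{login, password} under
     * JMXConnector.CREDENTIALS; the server hands that object to its authenticator
     * (assumption: JGuardJMXAuthenticator expects this form).
     */
    public static JMXConnector connect(JMXServiceURL url, String login, String password)
            throws Exception {
        Map<String, Object> env = new HashMap<String, Object>();
        env.put(JMXConnector.CREDENTIALS, new String[] { login, password });
        return JMXConnectorFactory.connect(url, env);
    }

    public static void main(String[] args) throws Exception {
        JMXConnectorServer server = startServer(9005); // constructed port
        JMXServiceURL url = server.getAddress();
        try {
            // admin/admin as declared in jGuardUsersPrincipals.xml: expected to succeed
            JMXConnector asAdmin = connect(url, "admin", "admin");
            try {
                MBeanServerConnection conn = asAdmin.getMBeanServerConnection();
                System.out.println("admin sees " + conn.getMBeanCount() + " MBeans");
            } finally {
                asAdmin.close();
            }

            // a wrong password must be refused before any MBean is reachable
            try {
                connect(url, "admin", "not-the-password").close();
                System.out.println("UNEXPECTED: wrong password accepted");
            } catch (SecurityException refused) {
                System.out.println("wrong password refused: " + refused.getMessage());
            }
        } finally {
            server.stop();
        }
    }
}
```

Run it with the bootclasspath and -D options from the next section; without -Djava.security.manager the authentication still happens, but the jGuard policy is never consulted for authorization.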

How to start the application

This paragraph explains how to configure the VM. The needed properties fall into three parts: first the bootclasspath definition, then the JAAS and JMX properties, and finally the jGuard property.

  • The -Xbootclasspath/a options define which libraries are appended to the bootstrap class path. We need to add the jGuard core library and every other library jGuard uses while SingleAppPolicy and XmlLoginModule execute:
-Xbootclasspath/a:jguard-core.jar
-Xbootclasspath/a:commons-logging_1.1.0.jar
-Xbootclasspath/a:commons-lang-2.1.jar
-Xbootclasspath/a:dom4j-1.6.1.jar
-Xbootclasspath/a:jaxen-1.1-beta-6.jar
  • Then the JAAS and JMX properties:
-Djava.security.manager
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.port=9004
-Dcom.sun.management.jmxremote.password=false
-Dcom.sun.management.jmxremote.login.config=your_application_name
-Djava.security.manager activates the Java security manager, so that the Policy (here SingleAppPolicy) is consulted. The com.sun.management.jmxremote.login.config property defines the application name you used in your configuration files. It is used to retrieve which login modules to use from java.login.config and which principals belong to our application in jGuardUsersPrincipals.xml. Note that jmxremote.ssl=false leaves the JMX traffic, login and password included, unencrypted; it is acceptable for local tests, but set it to true before exposing the port beyond the local machine.
  • Finally the jGuard property:
-Dnet.sf.jguard.policy.configuration.file=JGuardPolicy.xml
This sets the file path of the Policy configuration file.
Created by diabolo512 on 2006/12/16 01:15

jGuard team copyright 2004-2009
3.1.1