JEUS Security Guide 

JEUS v7.0 Fix#3

Document Information

Document Name: JEUS Security Guide 

Document Created: 2014-08-29

Software Version: JEUS v7.0 Fix#3

Document Version: v2.1.5


Table of Contents

About This Document
1. Introducing the Security System
1.1. Overview
1.2. Key Features
1.3. System Architecture
1.4. Core Concepts
1.4.1. Login
1.4.2. Authentication
1.4.3. Authorization
1.4.4. Auditing
1.4.5. Services and SPI
1.4.6. Domain
1.5. Improving Performance and Security Level
1.5.1. Tuning the Security System
1.5.2. Improving Security Level
2. Configuring the Security System
2.1. Overview
2.2. Configuring the Security System Domain
2.2.1. Using WebAdmin
2.2.2. Configuring XML
2.2.3. Configuring User Accounts and Security Policies
2.3. Configuring Security Domain Components
2.3.1. Using WebAdmin
2.3.2. Editing XML
2.4. Configuring Security Services
2.4.1. Using WebAdmin
2.4.2. Configuring XML
2.5. Configuring the Security System User Information
2.5.1. Using WebAdmin
2.5.2. Configuring XML
2.5.3. Using Database
2.5.4. Configuring Password Security
2.5.5. Caching Login Information
2.6. Configuring Security System Policies
2.6.1. Using WebAdmin
2.6.2. Editing XML
2.6.3. Using Database
2.7. Configuring Additional Settings
2.7.1. Configuring Java SE SecurityManager
2.7.2. Configuring JACC Provider
2.7.3. Configuring information to Grant Identity
2.7.4. Configuring Identity Certificate Information
3. Configuring Security for Applications and Modules
3.1. Overview
3.1.1. Module Deployment and Application Deployment
3.1.2. Role-to-Resource Mapping
3.1.3. Principal-to-Role Mapping
3.1.4. User Configurations
3.2. Configuring EJB Module Security
3.2.1. Configuring ejb-jar.xml
3.2.2. Configuring jeus-ejb-dd.xml
3.3. Configuring Web Module Security
3.3.1. Configuring web.xml
3.3.2. Configuring jeus-web-dd.xml
3.4. Configuring J2EE Application Security
3.4.1. Configuring application.xml
3.4.2. Configuring jeus-application-dd.xml
3.5. Examples
4. Programming with the Security System API
4.1. Overview
4.2. Java SE Permission Configurations
4.3. Basic API
4.4. Resource API
4.5. SPI Class
4.6. Example
5. Developing Customized Security Services
5.1. Overview
5.2. Service Class
5.3. The Basic Pattern of Implementing Custom Security Services
5.4. SPI Class
5.4.1. SubjectValidationService SPI
5.4.2. SubjectFactoryService SPI
5.4.3. AuthenticationService SPI
5.4.4. AuthenticationRepositoryService SPI
5.4.5. IdentityAssertionService SPI
5.4.6. CredentialMappingService SPI
5.4.7. CredentialVerificationService SPI
5.4.8. AuthorizationService SPI
5.4.9. AuthorizationRepositoryService SPI
5.4.10. EventHandlingService SPI
5.4.11. Dependencies between SPI Implementations
5.5. Security Services Configurations
6. Using JACC Provider
6.1. Overview
6.2. Introducing JACC Protocol
6.2.1. Provider Configuration Protocol
6.2.2. Policy Configuration Protocol
6.2.3. Policy Decision and Execution Protocol
6.3. Developing JACC Provider
6.3.1. Implementing JACC Provider
6.3.2. Packaging JACC Provider
6.3.3. Default JACC Provider
6.4. Integrating JACC Providers with the JEUS Security System
7. Using JAAS
7.1. Overview
7.2. Implementing LoginModule to Integrate JEUS with LDAP
7.3. Configuring LDAP JAAS LoginModule Service
7.4. Implementing LoginModule to Integrate with Database
7.5. Configuring LoginModule Service
A. Security Event Service
A.1. Overview
A.2. Event
B. JEUS Server Permissions
B.1. Overview
B.2. JEUS System Resource Name
B.3. jeusadmin Command Permission Configurations
Index

List of Figures

[Figure 1.1] Security System Architecture
[Figure 1.2] Stack-based Login Mechanism
[Figure 1.3] Subject UML Diagram
[Figure 1.4] Role-based Permission Authorization
[Figure 1.5] Role at 01:30AM
[Figure 1.6] Role at 10:30 AM
[Figure 1.7] UML Diagram of Policy and PermissionMap
[Figure 1.8] Example of Policy with One Principal-to-Role mapping and Two Role-to-Resource mappings
[Figure 1.9] Two Types of Service
[Figure 1.10] Service Class and SPI Sub-classes
[Figure 1.11] Two Domains using Different Application and Subject Repository
[Figure 2.1] Security Manager Main Screen
[Figure 2.2] Security Domain Configurations
[Figure 2.3] [Security Service] - [Cache Config]
[Figure 2.4] [Security Manager] - [Key Store]
[Figure 2.5] [Security Manager] - [Custom Service]
[Figure 2.6] [Security Service] - [Authentication]
[Figure 2.7] [Security Service] - [Authentication] - [Repository Service]
[Figure 2.8] [Security Service] - [Authentication] - [Jaas Login Config]
[Figure 2.9] [Security Service] - [Authentication] - [Custom Authentication Service]
[Figure 2.10] [Security Service] - [Authorization] - [Basic]
[Figure 2.11] [Security Service] - [Authorization] - [Custom Authorization Service]
[Figure 2.12] [Security Service] - [Identity Assertion]
[Figure 2.13] [Security Service] - [Credential Mapping]
[Figure 2.14] [Security Service] - [Credential Verification]
[Figure 2.15] [Security Service] - [Audit]
[Figure 2.16] [Security Service] - [Subject Validation]
[Figure 2.17] Accounts Configuration Screen
[Figure 2.18] Accounts - User Registration
[Figure 2.19] Accounts - Password Configurations
[Figure 2.20] Accounts - Password Algorithm
[Figure 2.21] Database Table Structure that Stores the User Information for Subjects
[Figure 2.22] Policy Configuration Main Screen
[Figure 2.23] Policy Configurations - Role Permission Registration
[Figure 2.24] Policy Configurations - Resource Permission Registration (1)
[Figure 2.25] Policy Configurations - Resource Permission Registrations (2)
[Figure 2.26] Policy Configurations - Resource Permission Registration (3)
[Figure 2.27] Database Table Structure to Save Policies
[Figure 3.1] Principal-to-Role Mapping
[Figure 3.2] Login Page
[Figure 3.3] Main Page
[Figure 5.1] Service Class Diagram
[Figure 5.2] The State-Chart of the Service Class
[Figure 5.3] Dependencies Between Default SPI Implementation Classes in the Default Security System
[Figure 6.1] JACC Provider Class

List of Tables

[Table 1.1] Examples of Authorization Queries and the Outcomes
[Table 5.1] The standard SPI classes defined in the package jeus.security.spi

List of Examples

[Example 2.1] <<JEUS_HOME/domains/<domain name>/config/domain.xml>>
[Example 2.2] Security System Service Configurations: <<domain.xml>>
[Example 2.3] Security System Service Configurations: <<domain.xml>>
[Example 2.4] Security System User Information Configuration: <<accounts.xml>>
[Example 2.5] Configuring Users Using Database: <<domain.xml>>
[Example 2.6] Without Using JEUS JDBC: <<domain.xml>>
[Example 2.7] Stored Login Information: <<.jeuspassword>>
[Example 2.8] Security System Policy Configurations: <<policies.xml>>
[Example 2.9] Custom Permission Class: <<TimeConstrainedRolePermission.java>>
[Example 2.10] Custom Permission Class: <<policies.xml>>
[Example 2.11] Configuring Policies Using Database: <<domain.xml>>
[Example 2.12] Java SE SecurityManager Configurations: <<policy>>
[Example 2.13] Configuring Information to Grant Identity: <<cert-user-map.xml>>
[Example 2.14] Configuring the Certificate Information for Identity: <<user-cert-map.xml>>
[Example 3.1] Security Constraints Configured in EJB Module: <<ejb-jar.xml>>
[Example 3.2] Principal-to-Role Mapping: <<jeus-ejb-dd.xml>>
[Example 3.3] Security Configurations: <<ejb-jar.xml>>
[Example 3.4] Security Configurations: <<jeus-ejb-dd.xml>>
[Example 3.5] Web Module Security Configurations: <<web.xml>>
[Example 3.6] Web Module Security Configurations: <<jeus-web-dd.xml>>
[Example 3.7] J2EE Application Security Configuration: <<application.xml>>
[Example 3.8] J2EE Application Security Configurations: <<jeus-application-dd.xml>>
[Example 6.1] JACC Security Configuration File: <<domain.xml>>
[Example 6.2] Java System Property Configuration for JACC <<domain.xml>>
[Example 7.1] <<jeus.security.impl.login.LdapLoginModule>>
[Example 7.2] Domain Service Configuration: <<domain.xml>>
[Example 7.3] <<jeus.security.impl.login.DBRealmLoginModule>>
[Example 7.4] Domain Service Configuration: <<domain.xml>>
[Example B.1] Security System Policy Configuration: <<policies.xml>>