JEUS Security Guide 

JEUS 8

Restricted Rights Legend

All TmaxSoft Software (JEUS®) and documents are protected by copyright laws and international convention. TmaxSoft software and documents are made available under the terms of the TmaxSoft License Agreement and this document may only be distributed or copied in accordance with the terms of this agreement. No part of this document may be transmitted, copied, deployed, or reproduced in any form or by any means, electronic, mechanical, or optical, without the prior written consent of TmaxSoft Co., Ltd. Nothing in this software document and agreement constitutes a transfer of intellectual property rights regardless of whether or not such rights are registered) or any rights to TmaxSoft trademarks, logos, or any other brand features.

This document is for information purposes only. The company assumes no direct or indirect responsibilities for the contents of this document, and does not guarantee that the information contained in this document satisfies certain legal or commercial conditions. The information contained in this document is subject to change without prior notice due to product upgrades or updates. The company assumes no liability for any errors in this document.

Trademarks

JEUS® is registered trademark of TmaxSoft Co., Ltd.

Java and Solaris are registered trademarks of Oracle Corporation and its subsidiaries and affiliates.

Microsoft, Windows, and Windows NT are registered trademarks or trademarks of Microsoft Corporation.

HP-UX is a registered trademark of Hewlett Packard Enterprise Company.

AIX is a registered trademark of International Business Machines Corporation.

UNIX is a registered trademark of X/Open Company, Ltd.

Linux is a registered trademark of Linus Torvalds.

Other products and company names are trademarks or registered trademarks of their respective owners.

The names of companies, systems, and products mentioned in this manual may not necessarily be indicated with a trademark symbol (TM, ®).

Open Source Software Notice

Some modules or files of this product are subject to the terms of the following licenses. : APACHE2.0, CDDL1.0, EDL1.0, OPEN SYMPHONY SOFTWARE1.1, TRILEAD-SSH2, Bouncy Castle, BSD, MIT, SIL OPEN FONT1.1

Detailed Information related to the license can be found in the following directory : ${INSTALL_PATH}/lib/licenses

Document Information

Title: JEUS Security Guide 

Publication Date: 2018-01-31

Software Version: JEUS 8

Edition: v2.1.1


Table of Contents

About This Document
1. Introduction to the Security System
1.1. Overview
1.2. Key Features
1.3. Architecture
1.4. Core Concepts
1.4.1. Login
1.4.2. Authentication
1.4.3. Authorization
1.4.4. Auditing
1.4.5. Services and SPI
1.4.6. Domain
1.5. Improving Performance and Security Level
1.5.1. Tuning the Security System
1.5.2. Improving Security Level
2. Configuring the Security System
2.1. Overview
2.2. Configuring the Security System Domain
2.2.1. Using WebAdmin
2.2.2. Configuring XML
2.2.3. Configuring User Accounts and Security Policies
2.3. Configuring Security Domain Components
2.3.1. Using WebAdmin
2.3.2. Editing XML
2.4. Configuring Security Services
2.4.1. Using WebAdmin
2.4.2. Configuring the XML File
2.5. Configuring the Security System User Information
2.5.1. Using WebAdmin
2.5.2. Configuring XML
2.5.3. Using Database
2.5.4. Configuring Password Security
2.5.5. Caching Login Information
2.6. Configuring Security System Policies
2.6.1. Using WebAdmin
2.6.2. Editing the XML File
2.6.3. Using Database
2.7. Configuring Additional Settings
2.7.1. Configuring Java SE SecurityManager
2.7.2. Configuring JACC Provider
2.7.3. Configuring information to Grant Identity
2.7.4. Configuring Identity Certificate Information
3. Configuring Security for Applications and Modules
3.1. Overview
3.1.1. Module Deployment and Application Deployment
3.1.2. Role-to-Resource Mapping
3.1.3. Principal-to-Role Mapping
3.1.4. User Configurations
3.2. Configuring EJB Module Security
3.2.1. Configuring ejb-jar.xml
3.2.2. Configuring jeus-ejb-dd.xml
3.3. Configuring Web Module Security
3.3.1. Configuring web.xml
3.3.2. Configuring jeus-web-dd.xml
3.4. Configuring J2EE Application Security
3.4.1. Configuring application.xml
3.4.2. Configuring jeus-application-dd.xml
3.5. Examples
4. Programming with the Security System API
4.1. Overview
4.2. Configuring Java SE Permissions
4.3. Basic API
4.4. Resource API
4.5. SPI Class
4.6. Example
5. Developing Customized Security Services
5.1. Overview
5.2. Service Class
5.3. The Basic Pattern of Implementing Custom Security Services
5.4. SPI Class
5.4.1. SubjectValidationService SPI
5.4.2. SubjectFactoryService SPI
5.4.3. AuthenticationService SPI
5.4.4. AuthenticationRepositoryService SPI
5.4.5. IdentityAssertionService SPI
5.4.6. CredentialMappingService SPI
5.4.7. CredentialVerificationService SPI
5.4.8. AuthorizationService SPI
5.4.9. AuthorizationRepositoryService SPI
5.4.10. EventHandlingService SPI
5.4.11. Dependencies between SPI Implementations
5.5. Security Services Configurations
6. Using JACC Provider
6.1. Overview
6.2. Introducing JACC Protocol
6.2.1. Provider Configuration Protocol
6.2.2. Policy Configuration Protocol
6.2.3. Policy Decision and Execution Protocol
6.3. Developing JACC Provider
6.3.1. Implementing JACC Provider
6.3.2. Packaging JACC Provider
6.3.3. Default JACC Provider
6.4. Integrating JACC Providers with the JEUS Security System
7. Using JAAS
7.1. Overview
7.2. Implementing LoginModule to Integrate JEUS with LDAP
7.3. Configuring LDAP JAAS LoginModule Service
7.4. Implementing LoginModule to Integrate with Database
7.5. Configuring LoginModule Service
A. Security Event Service
A.1. Overview
A.2. Event
B. JEUS Server Permissions
B.1. Overview
B.2. JEUS System Resource Name
B.3. jeusadmin Command Permission Configurations
Index

List of Figures

[Figure 1.1] Architecture of the Security System
[Figure 1.2] Stack-based Login Mechanism
[Figure 1.3] Subject UML Diagram
[Figure 1.4] Role-based Permission Authorization
[Figure 1.5] Role at 01:30 AM
[Figure 1.6] Role at 10:30 AM
[Figure 1.7] UML Diagram of Policy and PermissionMap
[Figure 1.8] Example of Policy with One Principal-to-Role mapping and Two Role-to-Resource mappings
[Figure 1.9] Two Types of Service
[Figure 1.10] Two Domains using Different Application and Subject Repository
[Figure 2.1] Security Manager Main Screen
[Figure 2.2] Security Domain Configurations
[Figure 2.3] [Security Service] - [Cache Config]
[Figure 2.4] [Security Manager] - [Key Store]
[Figure 2.5] [Security Manager] - [Custom Services]
[Figure 2.6] [Security Service] - [Authentication]
[Figure 2.7] [Security Service] - [Authentication] - [Repository Service]
[Figure 2.8] [Security Service] - [Authentication] - [JAAS Login Config]
[Figure 2.9] [Security Service] - [Authentication] - [Custom Authentication Service]
[Figure 2.10] [Security Service] - [Authorization] - [Basic]
[Figure 2.11] [Security Service] - [Authorization] - [Custom Authorization Service]
[Figure 2.12] [Security Service] - [Identity Assertion]
[Figure 2.13] [Security Service] - [Credential Mapping]
[Figure 2.14] [Security Service] - [Credential Verification]
[Figure 2.15] [Security Service] - Audit
[Figure 2.16] [Security Service] - [Subject Validation]
[Figure 2.17] Accounts Configuration Page
[Figure 2.18] Accounts - User Registration
[Figure 2.19] Accounts - Password Configurations
[Figure 2.20] Accounts - Password Algorithm
[Figure 2.21] Database Table Structure that Stores the User Information for Subjects
[Figure 2.22] Default Password Validator Configuration Page on WebAdmin
[Figure 2.23] Custom Password Validator Configuration Page on WebAdmin
[Figure 2.24] Policy Configuration Main Page
[Figure 2.25] Policy Configurations - Role Permission Registration
[Figure 2.26] Policy Configurations - Resource Permission Registration (1)
[Figure 2.27] Policy Configurations - Resource Permission Registrations (2)
[Figure 2.28] Policy Configurations - Resource Permission Registration (3)
[Figure 2.29] Database Table Structure to Save Policies
[Figure 3.1] Principal-to-Role Mapping
[Figure 3.2] Login Page
[Figure 3.3] Main Page
[Figure 5.1] Service Class Diagram
[Figure 5.2] The State-Chart of the Service Class
[Figure 5.3] Dependencies Between Default SPI Implementation Classes in the Default Security System
[Figure 6.1] JACC Provider Class

List of Examples

[Example 2.1] <<JEUS_HOME/domains/<domain name>/config/domain.xml>>
[Example 2.2] Security System Service Configurations - <<domain.xml>>
[Example 2.3] Security System Service Configurations: <<domain.xml>>
[Example 2.4] Security System User Information Configuration: <<accounts.xml>>
[Example 2.5] Configuring Users Using Database: <<domain.xml>>
[Example 2.6] Without Using JEUS JDBC: <<domain.xml>>
[Example 2.7] Configurations for Default Password Validator: <<domain.xml>>
[Example 2.8] Configurations for Default Password Validator: <<domain.xml>>
[Example 2.9] Stored Login Information: <<.jeuspassword>>
[Example 2.10] Security System Policy Configurations: <<policies.xml>>
[Example 2.11] Custom Permission Class: <<TimeConstrainedRolePermission.java>>
[Example 2.12] Custom Permission Class: <<policies.xml>>
[Example 2.13] Configuring Policies Using Database: <<domain.xml>>
[Example 2.14] Java SE SecurityManager Configurations: <<policy>>
[Example 2.15] Configuring Information to Grant Identity: <<cert-user-map.xml>>
[Example 2.16] Configuring the Certificate Information for Identity: <<user-cert-map.xml>>
[Example 3.1] Security Constraints Configured in EJB Module: <<ejb-jar.xml>>
[Example 3.2] Principal-to-Role Mapping: <<jeus-ejb-dd.xml>>
[Example 3.3] Security Configurations: <<ejb-jar.xml>>
[Example 3.4] Security Configurations: <<jeus-ejb-dd.xml>>
[Example 3.5] Web Module Security Configurations: <<web.xml>>
[Example 3.6] Web Module Security Configurations: <<jeus-web-dd.xml>>
[Example 3.7] J2EE Application Security Configuration: <<application.xml>>
[Example 3.8] J2EE Application Security Configurations: <<jeus-application-dd.xml>>
[Example 6.1] JACC Security Configuration File: <<domain.xml>>
[Example 6.2] Java System Property Configuration for JACC <<domain.xml>>
[Example 7.1] <<jeus.security.impl.login.LdapLoginModule>>
[Example 7.2] Domain Service Configuration: <<domain.xml>>
[Example 7.3] <<jeus.security.impl.login.DBRealmLoginModule>>
[Example 7.4] Domain Service Configuration: <<domain.xml>>
[Example B.1] Security System Policy Configuration: <<policies.xml>>