| |
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> |
| <HTML> |
| <HEAD> |
| <!-- $PAGETITLE --> |
| <TITLE>OpenEJB - Security</TITLE> |
| <LINK href="http://openejb.apache.org/default.css" rel="stylesheet" type="text/css"> |
| <LINK href="http://openejb.apache.org/style.css" rel="stylesheet" type="text/css"> |
| <LINK rel="SHORTCUT ICON" href="http://openejb.apache.org/images/favicon.ico"> |
| <SCRIPT language="JavaScript" src="http://cwiki.apache.org/confluence/pages/viewpage.action?spaceKey=OPENEJB&title=functions.js" type="text/javascript"></SCRIPT> |
| <META http-equiv="Content-Type" content="text/html;charset=UTF-8"></HEAD> |
| <BODY bgcolor="#ffffff" link="#6763a9" vlink="#6763a9" topmargin="0" bottommargin="0" leftmargin="0" marginheight="0" marginwidth="0"> |
| |
| <!-- Delay the loading of the external javascript file needed for labels (as it takes too long to load and visibly holds loading of the page body) --> |
| <!-- To do this without javascript errors over undefined functions, we need to declare stubs here (that are overrided later by the proper implementations) --> |
| <SCRIPT language="JavaScript" type="text/javascript"> |
| function doAddLabel(hideTextfieldAfterAddParam) |
| { |
| // stub |
| } |
| |
| function onAddLabel() |
| { |
| // stub |
| } |
| |
| function showLabelsInput() |
| { |
| // stub |
| } |
| </SCRIPT> |
| |
| <A name="top"></A> |
| <TABLE border="0" cellpadding="0" cellspacing="0" width="100%" height="400"> |
| <TR> |
| <TD width="20" valign="top" align="left" bgcolor="#7270c2"><IMG src="http://openejb.apache.org/images/dotTrans.gif" width="1" height="1" border="0"></TD> |
| <TD width="95" valign="top" align="left" bgcolor="#7270c2"><IMG src="http://openejb.apache.org/images/dotTrans.gif" width="1" height="1" border="0"></TD> |
| <TD width="7" valign="top" align="left"><IMG src="http://openejb.apache.org/images/dotTrans.gif" border="0" width="1" height="1"></TD> |
| <TD width="40" valign="top" align="left"><IMG src="http://openejb.apache.org/images/dotTrans.gif" width="40" height="6" border="0"></TD> |
| <TD width="100%" valign="top" align="left" bgcolor="#5A5CB8"><IMG src="http://openejb.apache.org/images/top_2.gif" width="430" height="6" border="0"></TD> |
| <TD width="120" valign="top" align="left" bgcolor="#E24717"><IMG src="http://openejb.apache.org/images/top_3.gif" width="120" height="6" border="0"></TD> |
| </TR> |
| <TR> |
| <TD width="20" bgcolor="#7270c2" valign="top" align="left"><IMG src="http://openejb.apache.org/images/dotTrans.gif" border="0" width="1" height="1"></TD> |
| <TD width="95" bgcolor="#7270c2" valign="top" align="left"><IMG src="http://openejb.apache.org/images/dotTrans.gif" border="0" width="1" height="1"></TD> |
| <TD width="7" bgcolor="#ffffff" valign="top" align="left"></TD> |
| <TD width="40" valign="top" align="left"><IMG src="http://openejb.apache.org/images/dotTrans.gif" width="1" height="1" border="0"></TD> |
| <TD id="breadcrumbs" width="100%" valign="middle" align="left"> |
| <!-- $TOP_NAV_BAR --> |
| <SPAN id="Content"> |
| |
| |
| |
| |
| |
| <A href="index.html" title="Index">Index</A> | <A href="news.html" title="News">News</A> | <A href="faq.html" title="FAQ">FAQ</A> | <A href="download.html" title="Download">Download</A> | <A href="mailing-lists.html" title="Mailing Lists">Lists</A> | <SPAN class="nobr"><A href="http://issues.apache.org/jira/browse/OPENEJB" title="Visit page outside Confluence" rel="nofollow">Issues<SUP><IMG class="rendericon" src="http://cwiki.apache.org/confluence/images/icons/linkext7.gif" height="7" width="7" align="absmiddle" alt="" border="0"></SUP></A></SPAN> |
| </SPAN> |
| <IMG src="http://openejb.apache.org/images/dotTrans.gif" width="1" height="2" border="0"></TD> |
| <TD width="120" height="20" valign="top" align="left"> </TD> |
| </TR> |
| <TR> |
| <TD width="20" bgcolor="#7270c2" valign="top" align="left"><IMG src="http://openejb.apache.org/images/dotTrans.gif" width="20" height="3" border="0"></TD> |
| <TD width="95" bgcolor="#7270c2" valign="top" align="left"><IMG src="http://openejb.apache.org/images/line_sm.gif" width="105" height="3" border="0"></TD> |
| <TD width="7" bgcolor="#a9a5de" valign="top" align="left"><IMG src="http://openejb.apache.org/images/line_sm.gif" width="7" height="3" border="0"></TD> |
| <TD width="40" valign="top" align="left"><IMG src="http://openejb.apache.org/images/line_light.gif" width="40" height="3" border="0"></TD> |
| <TD width="100%" valign="top" align="left"><IMG src="http://openejb.apache.org/images/line_light.gif" width="430" height="3" border="0"></TD> |
| <TD width="120" valign="top" align="left"><IMG src="http://openejb.apache.org/images/dotTrans.gif" border="0" width="1" height="1"></TD> |
| </TR> |
| <TR> |
| <TD bgcolor="#7270c2" valign="top" align="left"><IMG src="http://openejb.apache.org/images/dotTrans.gif" width="20" height="10" border="0"></TD> |
| <TD id="leftColumn" valign="top" style="padding-top: 0px;"> |
| <SPAN id="Content"> |
| |
| |
| |
| |
| |
| <H3><A name="Navigation-Overview"></A>Overview</H3> |
| |
| <UL class="alternate" type="square"> |
| <LI><A href="index.html" title="Index">Home</A></LI> |
| <LI><A href="news.html" title="News">News</A></LI> |
| <LI><A href="faq.html" title="FAQ">FAQ</A></LI> |
| <LI><A href="download.html" title="Download">Download</A></LI> |
| <LI><A href="examples.html" title="Examples">Examples</A></LI> |
| <LI><A href="mailing-lists.html" title="Mailing Lists">Mailing Lists</A></LI> |
| <LI><A href="source-code.html" title="Source Code">Source Code</A></LI> |
| </UL> |
| |
| |
| <H3><A name="Navigation-General"></A>General</H3> |
| |
| <UL class="alternate" type="square"> |
| <LI><A href="deploy-tool.html" title="Deploy Tool">Deployment</A></LI> |
| <LI><A href="http://cwiki.apache.org/confluence/display/OPENEJBx30/Startup" title="Startup">OPENEJBx30:Startup</A></LI> |
| <LI><A href="validation-tool.html" title="Validation Tool">Validation</A></LI> |
| <LI><A href="webadmin.html" title="Webadmin">Webadmin</A></LI> |
| </UL> |
| |
| |
| <H3><A name="Navigation-Configuration"></A>Configuration</H3> |
| |
| <UL class="alternate" type="square"> |
| <LI><A href="configuration.html" title="Configuration">General</A></LI> |
| <LI><A href="http://cwiki.apache.org/confluence/display/OPENEJBx30/Deployments" title="Deployments">Deployments</A></LI> |
| <LI><A href="containers.html" title="Containers">Containers</A></LI> |
| </UL> |
| |
| |
| <H3><A name="Navigation-Servers"></A>Servers</H3> |
| |
| <UL class="alternate" type="square"> |
| <LI><A href="local-server.html" title="Local Server">Local</A></LI> |
| <LI><A href="remote-server.html" title="Remote Server">Remote</A></LI> |
| </UL> |
| |
| |
| <H3><A name="Navigation-Integrations"></A>Integrations</H3> |
| |
| <UL class="alternate" type="square"> |
| <LI><A href="tomcat.html" title="Tomcat">Tomcat</A></LI> |
| <LI><A href="geronimo.html" title="Geronimo">Geronimo</A></LI> |
| <LI><A href="webobjects.html" title="WebObjects">WebObjects</A></LI> |
| </UL> |
| |
| |
| <H3><A name="Navigation-Community"></A>Community</H3> |
| |
| <UL class="alternate" type="square"> |
| <LI><A href="team.html" title="Team">Team</A></LI> |
| <LI><A href="articles.html" title="Articles">Articles</A></LI> |
| <LI><A href="annoyances.html" title="Annoyances">Annoyances</A></LI> |
| <LI><SPAN class="nobr"><A href="index.html" title="Visit page outside Confluence" rel="nofollow">Wiki<SUP><IMG class="rendericon" src="http://cwiki.apache.org/confluence/images/icons/linkext7.gif" height="7" width="7" align="absmiddle" alt="" border="0"></SUP></A></SPAN></LI> |
| <LI><SPAN class="nobr"><A href="irc://irc.freenode.net/#openejb" title="Visit page outside Confluence" rel="nofollow">IRC<SUP><IMG class="rendericon" src="http://cwiki.apache.org/confluence/images/icons/linkext7.gif" height="7" width="7" align="absmiddle" alt="" border="0"></SUP></A></SPAN></LI> |
| </UL> |
| </SPAN> |
| |
| <H3 class="heading3">Feeds</H3> |
| <TABLE border="0" cellspacing="4px"> |
| <TR> |
| <TD align="right"> |
| <A href="http://cwiki.apache.org/confluence/spaces/rss.action?key=OPENEJB&newPages=false"><IMG src="http://openejb.apache.org/images/rss.gif" border="0"></A><BR> |
| </TD> |
| <TD align="left"> |
| <A href="http://cwiki.apache.org/confluence/spaces/rss.action?key=OPENEJB&newPages=false">Site</A> |
| </TD> |
| </TR> |
| <TR> |
| <TD align="right"> |
| <A href="http://cwiki.apache.org/confluence/spaces/blogrss.action?key=OPENEJB"><IMG src="http://openejb.apache.org/images/rss.gif" border="0"></A> |
| </TD> |
| <TD align="left"> |
| <A href="http://cwiki.apache.org/confluence/spaces/blogrss.action?key=OPENEJB">News</A> |
| </TD> |
| </TR> |
| </TABLE> |
| </TD> |
| <TD width="7" bgcolor="#a9a5de" valign="top" align="left"> </TD> |
| <TD width="40" valign="top" align="left"> </TD> |
| <TD rowspan="4" width="100%" valign="top"> |
| <TABLE cols="1" rows="2" border="0" cellpadding="0" cellspacing="0" width="100%"> |
| <TR> |
| <TD valign="top" align="left"><BR> |
| <TABLE cols="3" rows="1" border="0" cellpadding="0" cellspacing="0" width="100%"> |
| <TR> |
| <TD valign="top" width="200" align="left"> |
| <A href="http://openejb.org/"> |
| <IMG border="0" hspace="0" src="http://openejb.apache.org/images/logo_openejb.gif" vspace="0"> |
| </A> |
| </TD> |
| <TD align="right" valign="middle" style="padding:0px;margin:0px;"> |
| <TABLE style="padding:0px;margin:0px;"> |
| <TR> |
| <TD> |
| <A href="http://www.apache.org/"> |
| <IMG src="http://www.apache.org/images/asf-logo.gif" border="0" width="258" height="66"> |
| </A> |
| </TD> |
| <TR> |
| <!-- |
| <tr> |
| <td align="right" valign="top" style="font- size:12px;color:#777777"> |
| [OpenEJB is a Podling in the Apache Incubator] |
| </td> |
| </tr> |
| --> |
| </TABLE> |
| </TD> |
| </TR> |
| </TABLE> |
| <BR> |
| </TD> |
| </TR> |
| <TR> |
| <TD valign="top" align="left"> |
| <IMG border="0" height="7" hspace="0" src="http://openejb.apache.org/images/dotTrans.gif"><BR> |
| <DIV id="page_title"> |
| <TABLE width="100%"> |
| <TR> |
| <TD> |
| <!-- $TITLE --> |
| Security |
| </TD> |
| |
| <!-- Google CSE Search Box Begins --> |
| <TD align="right"> |
| <FORM id="searchbox_010475492895890475512:_t4iqjrgx90" action="http://www.google.com/cse"> |
| <INPUT type="hidden" name="cx" value="010475492895890475512:_t4iqjrgx90"> |
| <INPUT type="hidden" name="cof" value="FORID:0"> |
| <INPUT name="q" type="text" size="25"> |
| <INPUT type="submit" name="sa" value="Search"> |
| </FORM> |
| <SCRIPT type="text/javascript" src="http://www.google.com/coop/cse/brand?form=searchbox_010475492895890475512:_t4iqjrgx90"></SCRIPT> |
| </TD> |
| <!-- Google CSE Search Box Ends --> |
| |
| <TD align="right" style="padding-left:0px;"><A style="color:#999;font-size:small;font-weight:normal;" href="http://cwiki.apache.org/confluence/pages/editpage.action?spaceKey=OPENEJB&title=Security">[ edit ]</A></TD> |
| <TD align="right" width="25"> |
| |
| <SCRIPT type="text/javascript" language="javascript"> |
| document.write('<a href="http://cwiki.apache.org/confluence/pages/viewpage'); |
| document.write('.action?pageId=60839&decorator=printable">'); |
| </SCRIPT> |
| <IMG src="http://cwiki.apache.org/confluence/images/icons/print_16.gif" height="16" width="16" border="0" align="absmiddle" title="Print"></A> |
| |
| </TD> |
| </TR> |
| </TABLE> |
| </DIV> |
| <IMG border="0" height="1" hspace="0" src="http://openejb.apache.org/images/dotTrans.gif"></TD> |
| </TR> |
| </TABLE> |
| <P> |
| <!-- $BODY --> |
| <DIV id="PageContent"> |
| |
| <DIV class="pagecontent"> |
| <DIV class="wiki-content"> |
| <H2><A name="Security-SecurityHowTo."></A>Security - How To.</H2> |
| |
| <P>We've got basic username and password login which can be done with either the org.apache.openejb.client.LocalInitialContextFactory or org.apache.openejb.client.RemoteInitialContextFactory. You simply construct your InitialContext with the standard javax.naming.Context properties for user/pass info, which is:</P> |
| <DIV class="code"><DIV class="codeContent"> |
| <PRE class="code-java">Properties props = <SPAN class="code-keyword">new</SPAN> Properties(); |
| props.setProperty(Context.SECURITY_PRINCIPAL, <SPAN class="code-quote">"someuser"</SPAN>); |
| props.setProperty(Context.SECURITY_CREDENTIALS, <SPAN class="code-quote">"thepass"</SPAN>); |
| InitialContext ctx = <SPAN class="code-keyword">new</SPAN> InitialContext(props); |
| ctx.lookup(...);</PRE> |
| </DIV></DIV> |
| <P>That will get you logged in and all your calls from that context should execute as you.</P> |
| |
| <P>There are three new security related files:</P> |
| <OL> |
| <LI>${openejb.base}/conf/login.config</LI> |
| <LI>${openejb.base}/conf/users.properties</LI> |
| <LI>${openejb.base}/conf/groups.properties</LI> |
| </OL> |
| |
| |
| <P> <BR> |
| <B>login.config:</B> is a JAAS config file which <INS>configures our</INS> <INS>PropertiesLoginModule</INS> as the login module to be used for authenticating clients. We don't have any other kind of login modules yet, but that would be nice to support.</P> |
| |
| <P><B>users.properties</B> and <B>groups.properties</B> are for <INS>configuring users and groups</INS> using a properties file approach which is somewhat unix-like in nature. These are used by the PropertiesLoginModule and are read in on every<BR> |
| login so <INS>you can update them</INS> on a running system and those users will "show up" immediately <INS>without the need for a restart</INS> of any kind.</P> |
| |
| <H2><A name="Security-PLUGPOINTS"></A>PLUG POINTS</H2> |
| |
| <P>There are four-five different plug points where you could customize the functionality. From largest to smallest:</P> |
| <UL class="alternate" type="square"> |
| <LI><B>The SecurityService interface</B>: As before all security work (authentication and authorization) is behind this interface, only the methods on it have been updated. If you want to do something really "out there" or need total control, this is where you go. Plugging in your own SecurityService should really be a last resort. We still have our "do nothing" SecurityService implementation just as before, but it is no longer the default. <INS>You can add a new SecurityService impl by creating a service-jar.xml and packing it in your jar</INS>. You can configure OpenEJB to use a different SecurityService via the openejb.xml.</LI> |
| </UL> |
| |
| |
| <UL class="alternate" type="square"> |
| <LI><B>JaccProvider super class</B>: If you want to plug in your own JACC implementation to perform custom authorization (maybe do some fancy auditing), this is one way to do it without really having to understand JACC too much. We will plug your provider in to all the places required by JACC if you simply <INS>set the system property</INS> "<B>org.apache.openejb.core.security.JaccProvider</B>" with the name of your JaccProvider impl.</LI> |
| </UL> |
| |
| |
| <UL class="alternate" type="square"> |
| <LI><B>Regular JACC</B>. The JaccProvider is simply a wrapper around the many things you have to do to create and plugin a JACC provider, but you can still plugin a JACC provider in the standard ways. Read the JACC spec for that info.</LI> |
| </UL> |
| |
| |
| <UL class="alternate" type="square"> |
| <LI><B>JAAS LoginModule</B>. You can setup a different JAAS LoginModule to do all your authentication by simply editing the conf/login.config file which is a plain JAAS config file. At the moment we only support username/password based login modules. At some point it would be nice to support any kind of input for a JAAS LoginModule, but username/password at least covers the majority. It actually <B>is</B> possible to support any LoginModule, but you would have to supply your clients with your own way to authenticate to it and write a strategy for telling the OpenEJB client what data to send to the server with each invocation request.</LI> |
| </UL> |
| |
| |
| <UL class="alternate" type="square"> |
| <LI><B>Client IdentityResolver</B>. This is the just mentioned interface you would have to implement to supply the OpenEJB client with alternate data to send to the server with each invocation request. If you're plugging in a new version of this it is likely that you may also want to plugin in your own SecurityService implementation. Reason being, the object returned from IdentiyResolve.getIdentity() is sent across the wire and straight in to the<BR> |
| SecurityService.associate(Object) method.</LI> |
| </UL> |
| |
| </DIV> |
| </DIV> |
| </DIV> |
| </P> |
| </TD> |
| |
| |
| |
| |
| </TR> |
| <TR height="5"> |
| <TD width="20" height="5" bgcolor="#7270c2" valign="top" align="left"> </TD> |
| <TD width="95" height="5" bgcolor="#7270c2" valign="top"> </TD> |
| <TD width="7" height="5" bgcolor="#a9a5de" valign="top" align="left"> </TD> |
| <TD width="40" height="5" valign="top" align="left"> </TD> |
| <TD width="120" height="5" valign="top" align="left"> </TD> |
| </TR> |
| <TR> |
| <TD width="20" height="5" bgcolor="#7270c2" valign="top" align="left"> </TD> |
| <TD width="95" bgcolor="#7270c2" valign="BOTTOM" align="left"> </TD> |
| <TD width="7" bgcolor="#a9a5de" valign="top" align="left"><IMG src="http://openejb.apache.org/images/dotTrans.gif" width="1" height="25" border="0"></TD> |
| <TD width="40" valign="top" align="left"><IMG src="http://openejb.apache.org/images/dotTrans.gif" width="1" height="25" border="0"></TD> |
| <TD width="120" valign="top" align="left"> </TD> |
| </TR> |
| <TR> |
| <TD width="20" height="5" bgcolor="#7270c2" valign="top" align="left"> </TD> |
| <TD width="95" bgcolor="#7270c2" valign="BOTTOM" align="left"> </TD> |
| <TD width="7" bgcolor="#a9a5de" valign="top" align="left"><IMG src="http://openejb.apache.org/images/dotTrans.gif" width="1" height="25" border="0"></TD> |
| <TD width="40" valign="top" align="left"><IMG src="http://openejb.apache.org/images/dotTrans.gif" width="1" height="25" border="0"></TD> |
| <TD width="120" valign="top" align="left"> </TD> |
| </TR> |
| <TR height="5"> |
| <TD width="20" rowspan="2" height="100%" bgcolor="#7270c2" valign="bottom" align="left"><IMG src="http://openejb.apache.org/images/stripes1.gif" width="20" height="125" border="0"></TD> |
| <TD width="95" rowspan="2" height="100%" bgcolor="#7270c2" valign="bottom" align="left"><IMG src="http://openejb.apache.org/images/stripe105.gif" width="105" height="125" border="0"></TD> |
| <TD width="7" rowspan="2" height="100%" bgcolor="#a9a5de" valign="top" align="left"> </TD> |
| <TD width="40" height="100%" valign="top" align="left"> </TD> |
| <TD width="120" height="100%" valign="top" align="left"> </TD> |
| </TR> |
| <TR height="5"> |
| <TD width="40" height="25" valign="top" align="left"> </TD> |
| <TD width="100%" height="25" valign="bottom" align="left"><BR> |
| <BR> |
| <IMG src="http://openejb.apache.org/images/line_light.gif" border="0" width="430" height="3"><BR> |
| <P> |
| </P> |
| <SPAN class="bodyGrey"> |
| <SMALL><NOTICE><!-- $FOOTER --> |
| Apache OpenEJB is an project of The Apache Software Foundation (ASF) |
| </NOTICE> <BR> |
| <BR> |
| Powered by <A href="http://atlassian.com/">Atlassian</A> <A href="http://atlassian.com/confluence/">Confluence</A>. |
| </SMALL> |
| </SPAN> |
| <P> |
| </P> |
| </TD> |
| <TD width="120" height="25" valign="top" align="left"> </TD> |
| </TR> |
| </TABLE> |
| |
| <!-- Needed for composition plugin --> |
| <!-- delay the loading of large javascript files to the end so that they don't interfere with the loading of page content --> |
| <SPAN style="display: none"> |
| <SCRIPT type="text/javascript" language="JavaScript" src="http://cwiki.apache.org/confluence/labels-javascript"></SCRIPT> |
| |
| <SCRIPT src="http://www.google-analytics.com/urchin.js" type="text/javascript"> |
| </SCRIPT> |
| <SCRIPT type="text/javascript"> |
| _uacct = "UA-2717626-1"; |
| urchinTracker(); |
| </SCRIPT> |
| </SPAN> |
| |
| </BODY> |
| </HTML> |
