Google Git
Sign in
apache / tomee-site-pub / 43cf80e624a0cecf0f38bef5ef2614bfb2410f57 / . / tomee-8.0 / docs / security.html
blob: 7d03414469c135b7e2bd6743c614fd7ddae9205e [file] [log] [blame]
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Apache TomEE</title>
<meta name="description"
content="Apache TomEE is a lightweight, yet powerful, JavaEE Application server with feature rich tooling." />
<meta name="keywords" content="tomee,asf,apache,javaee,jee,shade,embedded,test,junit,applicationcomposer,maven,arquillian" />
<meta name="author" content="Luka Cvetinovic for Codrops" />
<link rel="icon" href="../../favicon.ico">
<link rel="icon" type="image/png" href="../../favicon.png">
<meta name="msapplication-TileColor" content="#80287a">
<meta name="theme-color" content="#80287a">
<link rel="stylesheet" type="text/css" href="../../css/normalize.css">
<link rel="stylesheet" type="text/css" href="../../css/bootstrap.css">
<link rel="stylesheet" type="text/css" href="../../css/owl.css">
<link rel="stylesheet" type="text/css" href="../../css/animate.css">
<link rel="stylesheet" type="text/css" href="../../fonts/font-awesome-4.1.0/css/font-awesome.min.css">
<link rel="stylesheet" type="text/css" href="../../fonts/eleganticons/et-icons.css">
<link rel="stylesheet" type="text/css" href="../../css/jqtree.css">
<link rel="stylesheet" type="text/css" href="../../css/idea.css">
<link rel="stylesheet" type="text/css" href="../../css/cardio.css">
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-2717626-1']);
_gaq.push(['_setDomainName', 'apache.org']);
_gaq.push(['_trackPageview']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
</head>
<body>
<div class="preloader">
<img src="../../img/loader.gif" alt="Preloader image">
</div>
<nav class="navbar">
<div class="container">
<div class="row"> <div class="col-md-12">
<!-- Brand and toggle get grouped for better mobile display -->
<div class="navbar-header">
<button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#bs-example-navbar-collapse-1">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="/">
<span>
<img src="../../img/logo-active.png">
</span>
Apache TomEE
</a>
</div>
<!-- Collect the nav links, forms, and other content for toggling -->
<div class="collapse navbar-collapse" id="bs-example-navbar-collapse-1">
<ul class="nav navbar-nav navbar-right main-nav">
<li><a href="../../docs.html">Documentation</a></li>
<li><a href="../../community/index.html">Community</a></li>
<li><a href="../../security/security.html">Security</a></li>
<li><a href="../../download-ng.html">Downloads</a></li>
</ul>
</div>
<!-- /.navbar-collapse -->
</div></div>
</div>
<!-- /.container-fluid -->
</nav>
<div id="main-block" class="container main-block">
<div class="row title">
<div class="col-md-12">
<div class='page-header'>
<h1>Security</h1>
</div>
</div>
</div>
<div class="row">
<div class="col-md-12">
<h1 id="_security_how_to" class="sect0">Security - How To.</h1>
<div class="paragraph">
<p>We currently have two authentication mechanisms to choose from: *
<em>PropertiesLoginModule</em> (a basic text file based login that looks up
users and groups from the specified properties files) * <em>SQLLoginModule</em>
(database based login that looks up users and groups in a database
through SQL queries)</p>
</div>
<div class="paragraph">
<p>To make your program authenticate itself to the server, simply construct
your InitialContext with the standard javax.naming.Context properties
for user/pass info, which is:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlight"><code class="language-java" data-lang="java">Properties props = new Properties();
props.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.apache.openejb.client.RemoteInitialContextFactory");
props.setProperty(Context.PROVIDER_URL, "ejbd://localhost:4201");
props.setProperty(Context.SECURITY_PRINCIPAL, "someuser");
props.setProperty(Context.SECURITY_CREDENTIALS, "thepass");
props.setProperty("openejb.authentication.realmName", "PropertiesLogin");
// optional
InitialContext ctx = new InitialContext(props);
ctx.lookup(...);</code></pre>
</div>
</div>
<div class="paragraph">
<p>That will get you logged in and all your calls from that context should
execute as you.</p>
</div>
<div class="paragraph">
<p><em>$\{openejb.base}/conf/login.config</em> is a standard JAAS config file.
Here, you can configure any number of security realms to authenticate
against. To specify which of the realms you want to authenticate
against, you can set the <em>openejb.authentication.realmName</em> property to
any of the configured realm names in <em>login.config</em>. If you don&#8217;t
speficy a realm name, the default (currently <em>PropertiesLogin</em>) is used.
For examples and more information on JAAS configuration, see the
<a href="http://java.sun.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html">JAAS
Reference Guide</a> .</p>
</div>
<div class="sect1">
<h2 id="_propertiesloginmodule">PropertiesLoginModule</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Supported options:</p>
</div>
<div class="paragraph">
<p>Option</p>
</div>
<div class="paragraph">
<p>Description</p>
</div>
<div class="paragraph">
<p>Required</p>
</div>
<div class="paragraph">
<p>UsersFile</p>
</div>
<div class="paragraph">
<p>name of the properties file that contains the users and their passwords</p>
</div>
<div class="paragraph">
<p><em>yes</em></p>
</div>
<div class="paragraph">
<p>GroupsFile</p>
</div>
<div class="paragraph">
<p>name of the properties file that contains the groups and their member
lists</p>
</div>
<div class="paragraph">
<p><em>yes</em></p>
</div>
<div class="paragraph">
<p><em>UsersFile</em> and <em>GroupsFile</em> are read in on every login, so you can
update them on a running system and those users will "show up"
immediately without the need for a restart of any kind.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_sqlloginmodule">SQLLoginModule</h2>
<div class="sectionbody">
<div class="paragraph">
<p>You can either use a data source or configure the JDBC URL through which
the user/group lookups will be made.</p>
</div>
<div class="paragraph">
<p>If you use a <em>DataSource</em>, you must specify its JNDI name with the
<em>dataSourceName</em> option.</p>
</div>
<div class="paragraph">
<p>If you use JDBC directly, you have to specify at least the JDBC URL of
the database. The driver should be autodetected (provided the
appropriate jar is on your classpath), but if that fails for some
reason, you can force a specific driver using the <em>jdbcDriver</em> option.
For more information on JDBC URLs, see the
<a href="http://java.sun.com/javase/6/docs/technotes/guides/jdbc/">JDBC Guide</a></p>
</div>
<div class="paragraph">
<p>The <em>userSelect</em> query must return a two-column list of user names
(column 1) and passwords (column 2). This query should normally return a
single row, which can be achieved by the use of a query parameter
placeholder "?". Any such placeholders in both queries will be filled in
with the username that the client is trying to log in with. The
<em>groupSelect</em> query must return a two-column list of user names and
their groups (or "roles" in the EJB world).</p>
</div>
<div class="paragraph">
<p>Supported options:</p>
</div>
<div class="paragraph">
<p>Option</p>
</div>
<div class="paragraph">
<p>Description</p>
</div>
<div class="paragraph">
<p>Required</p>
</div>
<div class="paragraph">
<p>dataSourceName</p>
</div>
<div class="paragraph">
<p>the name of a data source</p>
</div>
<div class="paragraph">
<p><em>yes</em> (alternative 1)</p>
</div>
<div class="paragraph">
<p>jdbcURL</p>
</div>
<div class="paragraph">
<p>a standard JDBC URL</p>
</div>
<div class="paragraph">
<p><em>yes</em> (alternative 2)</p>
</div>
<div class="paragraph">
<p>jdbcDriver</p>
</div>
<div class="paragraph">
<p>the fully qualified class name of the database driver</p>
</div>
<div class="paragraph">
<p>no</p>
</div>
<div class="paragraph">
<p>jdbcUser</p>
</div>
<div class="paragraph">
<p>the user name for accessing the database</p>
</div>
<div class="paragraph">
<p>no</p>
</div>
<div class="paragraph">
<p>jdbcPassword</p>
</div>
<div class="paragraph">
<p>the password for accessing the database</p>
</div>
<div class="paragraph">
<p>no</p>
</div>
<div class="paragraph">
<p>userSelect</p>
</div>
<div class="paragraph">
<p>the SQL query that returns a list of users and their passwords</p>
</div>
<div class="paragraph">
<p><em>yes</em></p>
</div>
<div class="paragraph">
<p>groupSelect</p>
</div>
<div class="paragraph">
<p>the SQL query that returns a list of users and groups (roles)</p>
</div>
<div class="paragraph">
<p><em>yes</em></p>
</div>
<div class="paragraph">
<p>digest</p>
</div>
<div class="paragraph">
<p>the name of the digest algorithm (e.g. "MD5" or "SHA") for digest
authentication</p>
</div>
<div class="paragraph">
<p>no</p>
</div>
<div class="paragraph">
<p>encoding</p>
</div>
<div class="paragraph">
<p>the digest encoding, can be "hex" or "base64"</p>
</div>
<div class="paragraph">
<p>no</p>
</div>
</div>
</div>
<h1 id="_plug_points" class="sect0">PLUG POINTS</h1>
<div class="paragraph">
<p>There are four-five different plug points where you could customize the
functionality. From largest to smallest: - <em>The SecurityService
interface</em>: As before all security work (authentication and
authorization) is behind this interface, only the methods on it have
been updated. If you want to do something really "out there" or need
total control, this is where you go. Plugging in your own
SecurityService should really be a last resort. We still have our "do
nothing" SecurityService implementation just as before, but it is no
longer the default. You can add a new SecurityService impl by creating
a service-jar.xml and packing it in your jar. You can configure OpenEJB
to use a different SecurityService via the openejb.xml.</p>
</div>
<div class="ulist">
<ul>
<li>
<p><em>JaccProvider super class</em>: If you want to plug in your own JACC
implementation to perform custom authorization (maybe do some fancy
auditing), this is one way to do it without really having to understand
JACC too much. We will plug your provider in to all the places required
by JACC if you simply set the system property
"<em>org.apache.openejb.core.security.JaccProvider</em>" with the name of your
JaccProvider impl.</p>
</li>
<li>
<p><em>Regular JACC</em>. The JaccProvider is simply a wrapper around the many
things you have to do to create and plugin a JACC provider, but you can
still plugin a JACC provider in the standard ways. Read the JACC spec
for that info.</p>
</li>
<li>
<p><em>JAAS LoginModule</em>. You can setup a different JAAS LoginModule to do
all your authentication by simply editing the conf/login.config file
which is a plain JAAS config file. At the moment we only support
username/password based login modules. At some point it would be nice to
support any kind of input for a JAAS LoginModule, but username/password
at least covers the majority. It actually <em>is</em> possible to support any
LoginModule, but you would have to supply your clients with your own way
to authenticate to it and write a strategy for telling the OpenEJB
client what data to send to the server with each invocation request. See
the
<a href="http://java.sun.com/javase/6/docs/technotes/guides/security/jaas/JAASLMDevGuide.html">JAAS
LoginModule Developer&#8217;s Guide</a> for more information.</p>
</li>
<li>
<p><em>Client IdentityResolver</em>. This is the just mentioned interface you
would have to implement to supply the OpenEJB client with alternate data
to send to the server with each invocation request. If you&#8217;re plugging
in a new version of this it is likely that you may also want to plugin
in your own SecurityService implementation. Reason being, the object
returned from IdentiyResolve.getIdentity() is sent across the wire and
straight in to the SecurityService.associate(Object) method.</p>
</li>
</ul>
</div>
</div>
</div>
</div>
<footer>
<div class="container">
<div class="row">
<div class="col-sm-6 text-center-mobile">
<h3 class="white">Be simple. Be certified. Be Tomcat.</h3>
<h5 class="light regular light-white">"A good application in a good server"</h5>
<ul class="social-footer">
<li><a href="https://www.facebook.com/ApacheTomEE/"><i class="fa fa-facebook"></i></a></li>
<li><a href="https://twitter.com/apachetomee"><i class="fa fa-twitter"></i></a></li>
<li><a href="https://plus.google.com/communities/105208241852045684449"><i class="fa fa-google-plus"></i></a></li>
</ul>
</div>
<div class="col-sm-6 text-center-mobile">
<div class="row opening-hours">
<div class="col-sm-3 text-center-mobile">
<h5><a href="../../latest/docs/" class="white">Documentation</a></h5>
<ul class="list-unstyled">
<li><a href="../../latest/docs/admin/configuration/index.html" class="regular light-white">How to configure</a></li>
<li><a href="../../latest/docs/admin/file-layout.html" class="regular light-white">Dir. Structure</a></li>
<li><a href="../../latest/docs/developer/testing/index.html" class="regular light-white">Testing</a></li>
<li><a href="../../latest/docs/admin/cluster/index.html" class="regular light-white">Clustering</a></li>
</ul>
</div>
<div class="col-sm-3 text-center-mobile">
<h5><a href="../../latest/examples/" class="white">Examples</a></h5>
<ul class="list-unstyled">
<li><a href="../../latest/examples/simple-cdi-interceptor.html" class="regular light-white">CDI Interceptor</a></li>
<li><a href="../../latest/examples/rest-cdi.html" class="regular light-white">REST with CDI</a></li>
<li><a href="../../latest/examples/ejb-examples.html" class="regular light-white">EJB</a></li>
<li><a href="../../latest/examples/jsf-managedBean-and-ejb.html" class="regular light-white">JSF</a></li>
</ul>
</div>
<div class="col-sm-3 text-center-mobile">
<h5><a href="../../community/index.html" class="white">Community</a></h5>
<ul class="list-unstyled">
<li><a href="../../community/contributors.html" class="regular light-white">Contributors</a></li>
<li><a href="../../community/social.html" class="regular light-white">Social</a></li>
<li><a href="../../community/sources.html" class="regular light-white">Sources</a></li>
</ul>
</div>
<div class="col-sm-3 text-center-mobile">
<h5><a href="../../security/index.html" class="white">Security</a></h5>
<ul class="list-unstyled">
<li><a href="http://apache.org/security" target="_blank" class="regular light-white">Apache Security</a></li>
<li><a href="http://apache.org/security/projects.html" target="_blank" class="regular light-white">Security Projects</a></li>
<li><a href="http://cve.mitre.org" target="_blank" class="regular light-white">CVE</a></li>
</ul>
</div>
</div>
</div>
</div>
<div class="row bottom-footer text-center-mobile">
<div class="col-sm-12 light-white">
<p>Copyright &copy; 1999-2016 The Apache Software Foundation, Licensed under the Apache License, Version 2.0. Apache TomEE, TomEE, Apache, the Apache feather logo, and the Apache TomEE project logo are trademarks of The Apache Software Foundation. All other marks mentioned may be trademarks or registered trademarks of their respective owners.</p>
</div>
</div>
</div>
</footer>
<!-- Holder for mobile navigation -->
<div class="mobile-nav">
<ul>
<li><a hef="../../latest/docs/admin/index.html">Administrators</a>
<li><a hef="../../latest/docs/developer/index.html">Developers</a>
<li><a hef="../../latest/docs/advanced/index.html">Advanced</a>
<li><a hef="../../community/index.html">Community</a>
</ul>
<a href="#" class="close-link"><i class="arrow_up"></i></a>
</div>
<!-- Scripts -->
<script src="../../js/jquery-1.11.1.min.js"></script>
<script src="../../js/owl.carousel.min.js"></script>
<script src="../../js/bootstrap.min.js"></script>
<script src="../../js/wow.min.js"></script>
<script src="../../js/typewriter.js"></script>
<script src="../../js/jquery.onepagenav.js"></script>
<script src="../../js/tree.jquery.js"></script>
<script src="../../js/highlight.pack.js"></script>
<script src="../../js/main.js"></script>
</body>
</html>