| <!DOCTYPE html> |
| <html lang="en"> |
| |
| <head> |
| <meta charset="UTF-8"> |
| <meta http-equiv="X-UA-Compatible" content="IE=edge"> |
| <meta name="viewport" content="width=device-width, initial-scale=1"> |
| <title>Apache TomEE</title> |
| <meta name="description" |
| content="Apache TomEE is a lightweight, yet powerful, JavaEE Application server with feature rich tooling." /> |
| <meta name="keywords" content="tomee,asf,apache,javaee,jee,shade,embedded,test,junit,applicationcomposer,maven,arquillian" /> |
| <meta name="author" content="Luka Cvetinovic for Codrops" /> |
| <link rel="icon" href="../../favicon.ico"> |
| <link rel="icon" type="image/png" href="../../favicon.png"> |
| <meta name="msapplication-TileColor" content="#80287a"> |
| <meta name="theme-color" content="#80287a"> |
| <link rel="stylesheet" type="text/css" href="../../css/normalize.css"> |
| <link rel="stylesheet" type="text/css" href="../../css/bootstrap.css"> |
| <link rel="stylesheet" type="text/css" href="../../css/owl.css"> |
| <link rel="stylesheet" type="text/css" href="../../css/animate.css"> |
| <link rel="stylesheet" type="text/css" href="../../fonts/font-awesome-4.1.0/css/font-awesome.min.css"> |
| <link rel="stylesheet" type="text/css" href="../../fonts/eleganticons/et-icons.css"> |
| <link rel="stylesheet" type="text/css" href="../../css/jqtree.css"> |
| <link rel="stylesheet" type="text/css" href="../../css/idea.css"> |
| <link rel="stylesheet" type="text/css" href="../../css/cardio.css"> |
| |
| <script type="text/javascript"> |
| |
| var _gaq = _gaq || []; |
| _gaq.push(['_setAccount', 'UA-2717626-1']); |
| _gaq.push(['_setDomainName', 'apache.org']); |
| _gaq.push(['_trackPageview']); |
| |
| (function() { |
| var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; |
| ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; |
| var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); |
| })(); |
| |
| </script> |
| </head> |
| |
| <body> |
| <div class="preloader"> |
| <img src="../../img/loader.gif" alt="Preloader image"> |
| </div> |
| <nav class="navbar"> |
| <div class="container"> |
| <div class="row"> <div class="col-md-12"> |
| |
| <!-- Brand and toggle get grouped for better mobile display --> |
| <div class="navbar-header"> |
| <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#bs-example-navbar-collapse-1"> |
| <span class="sr-only">Toggle navigation</span> |
| <span class="icon-bar"></span> |
| <span class="icon-bar"></span> |
| <span class="icon-bar"></span> |
| </button> |
| <a class="navbar-brand" href="/"> |
| <span> |
| |
| |
| <img src="../../img/logo-active.png"> |
| |
| |
| </span> |
| Apache TomEE |
| </a> |
| </div> |
| <!-- Collect the nav links, forms, and other content for toggling --> |
| <div class="collapse navbar-collapse" id="bs-example-navbar-collapse-1"> |
| <ul class="nav navbar-nav navbar-right main-nav"> |
| <li><a href="../../docs.html">Documentation</a></li> |
| <li><a href="../../community/index.html">Community</a></li> |
| <li><a href="../../security/security.html">Security</a></li> |
| <li><a href="../../download-ng.html">Downloads</a></li> |
| </ul> |
| </div> |
| <!-- /.navbar-collapse --> |
| </div></div> |
| </div> |
| <!-- /.container-fluid --> |
| </nav> |
| |
| |
| <div id="main-block" class="container main-block"> |
| <div class="row title"> |
| <div class="col-md-12"> |
| <div class='page-header'> |
| |
| <h1>Security</h1> |
| </div> |
| </div> |
| </div> |
| <div class="row"> |
| |
| <div class="col-md-12"> |
| <h1 id="_security_how_to" class="sect0">Security - How To.</h1> |
| <div class="paragraph"> |
| <p>We currently have two authentication mechanisms to choose from: * |
| <em>PropertiesLoginModule</em> (a basic text file based login that looks up |
| users and groups from the specified properties files) * <em>SQLLoginModule</em> |
| (database based login that looks up users and groups in a database |
| through SQL queries)</p> |
| </div> |
| <div class="paragraph"> |
| <p>To make your program authenticate itself to the server, simply construct |
| your InitialContext with the standard javax.naming.Context properties |
| for user/pass info, which is:</p> |
| </div> |
| <div class="listingblock"> |
| <div class="content"> |
| <pre class="highlight"><code class="language-java" data-lang="java">Properties props = new Properties(); |
| props.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.apache.openejb.client.RemoteInitialContextFactory"); |
| props.setProperty(Context.PROVIDER_URL, "ejbd://localhost:4201"); |
| props.setProperty(Context.SECURITY_PRINCIPAL, "someuser"); |
| props.setProperty(Context.SECURITY_CREDENTIALS, "thepass"); |
| props.setProperty("openejb.authentication.realmName", "PropertiesLogin"); |
| // optional |
| InitialContext ctx = new InitialContext(props); |
| ctx.lookup(...);</code></pre> |
| </div> |
| </div> |
| <div class="paragraph"> |
| <p>That will get you logged in and all your calls from that context should |
| execute as you.</p> |
| </div> |
| <div class="paragraph"> |
| <p><em>$\{openejb.base}/conf/login.config</em> is a standard JAAS config file. |
| Here, you can configure any number of security realms to authenticate |
| against. To specify which of the realms you want to authenticate |
| against, you can set the <em>openejb.authentication.realmName</em> property to |
| any of the configured realm names in <em>login.config</em>. If you don’t |
| speficy a realm name, the default (currently <em>PropertiesLogin</em>) is used. |
| For examples and more information on JAAS configuration, see the |
| <a href="http://java.sun.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html">JAAS |
| Reference Guide</a> .</p> |
| </div> |
| <div class="sect1"> |
| <h2 id="_propertiesloginmodule">PropertiesLoginModule</h2> |
| <div class="sectionbody"> |
| <div class="paragraph"> |
| <p>Supported options:</p> |
| </div> |
| <div class="paragraph"> |
| <p>Option</p> |
| </div> |
| <div class="paragraph"> |
| <p>Description</p> |
| </div> |
| <div class="paragraph"> |
| <p>Required</p> |
| </div> |
| <div class="paragraph"> |
| <p>UsersFile</p> |
| </div> |
| <div class="paragraph"> |
| <p>name of the properties file that contains the users and their passwords</p> |
| </div> |
| <div class="paragraph"> |
| <p><em>yes</em></p> |
| </div> |
| <div class="paragraph"> |
| <p>GroupsFile</p> |
| </div> |
| <div class="paragraph"> |
| <p>name of the properties file that contains the groups and their member |
| lists</p> |
| </div> |
| <div class="paragraph"> |
| <p><em>yes</em></p> |
| </div> |
| <div class="paragraph"> |
| <p><em>UsersFile</em> and <em>GroupsFile</em> are read in on every login, so you can |
| update them on a running system and those users will "show up" |
| immediately without the need for a restart of any kind.</p> |
| </div> |
| </div> |
| </div> |
| <div class="sect1"> |
| <h2 id="_sqlloginmodule">SQLLoginModule</h2> |
| <div class="sectionbody"> |
| <div class="paragraph"> |
| <p>You can either use a data source or configure the JDBC URL through which |
| the user/group lookups will be made.</p> |
| </div> |
| <div class="paragraph"> |
| <p>If you use a <em>DataSource</em>, you must specify its JNDI name with the |
| <em>dataSourceName</em> option.</p> |
| </div> |
| <div class="paragraph"> |
| <p>If you use JDBC directly, you have to specify at least the JDBC URL of |
| the database. The driver should be autodetected (provided the |
| appropriate jar is on your classpath), but if that fails for some |
| reason, you can force a specific driver using the <em>jdbcDriver</em> option. |
| For more information on JDBC URLs, see the |
| <a href="http://java.sun.com/javase/6/docs/technotes/guides/jdbc/">JDBC Guide</a></p> |
| </div> |
| <div class="paragraph"> |
| <p>The <em>userSelect</em> query must return a two-column list of user names |
| (column 1) and passwords (column 2). This query should normally return a |
| single row, which can be achieved by the use of a query parameter |
| placeholder "?". Any such placeholders in both queries will be filled in |
| with the username that the client is trying to log in with. The |
| <em>groupSelect</em> query must return a two-column list of user names and |
| their groups (or "roles" in the EJB world).</p> |
| </div> |
| <div class="paragraph"> |
| <p>Supported options:</p> |
| </div> |
| <div class="paragraph"> |
| <p>Option</p> |
| </div> |
| <div class="paragraph"> |
| <p>Description</p> |
| </div> |
| <div class="paragraph"> |
| <p>Required</p> |
| </div> |
| <div class="paragraph"> |
| <p>dataSourceName</p> |
| </div> |
| <div class="paragraph"> |
| <p>the name of a data source</p> |
| </div> |
| <div class="paragraph"> |
| <p><em>yes</em> (alternative 1)</p> |
| </div> |
| <div class="paragraph"> |
| <p>jdbcURL</p> |
| </div> |
| <div class="paragraph"> |
| <p>a standard JDBC URL</p> |
| </div> |
| <div class="paragraph"> |
| <p><em>yes</em> (alternative 2)</p> |
| </div> |
| <div class="paragraph"> |
| <p>jdbcDriver</p> |
| </div> |
| <div class="paragraph"> |
| <p>the fully qualified class name of the database driver</p> |
| </div> |
| <div class="paragraph"> |
| <p>no</p> |
| </div> |
| <div class="paragraph"> |
| <p>jdbcUser</p> |
| </div> |
| <div class="paragraph"> |
| <p>the user name for accessing the database</p> |
| </div> |
| <div class="paragraph"> |
| <p>no</p> |
| </div> |
| <div class="paragraph"> |
| <p>jdbcPassword</p> |
| </div> |
| <div class="paragraph"> |
| <p>the password for accessing the database</p> |
| </div> |
| <div class="paragraph"> |
| <p>no</p> |
| </div> |
| <div class="paragraph"> |
| <p>userSelect</p> |
| </div> |
| <div class="paragraph"> |
| <p>the SQL query that returns a list of users and their passwords</p> |
| </div> |
| <div class="paragraph"> |
| <p><em>yes</em></p> |
| </div> |
| <div class="paragraph"> |
| <p>groupSelect</p> |
| </div> |
| <div class="paragraph"> |
| <p>the SQL query that returns a list of users and groups (roles)</p> |
| </div> |
| <div class="paragraph"> |
| <p><em>yes</em></p> |
| </div> |
| <div class="paragraph"> |
| <p>digest</p> |
| </div> |
| <div class="paragraph"> |
| <p>the name of the digest algorithm (e.g. "MD5" or "SHA") for digest |
| authentication</p> |
| </div> |
| <div class="paragraph"> |
| <p>no</p> |
| </div> |
| <div class="paragraph"> |
| <p>encoding</p> |
| </div> |
| <div class="paragraph"> |
| <p>the digest encoding, can be "hex" or "base64"</p> |
| </div> |
| <div class="paragraph"> |
| <p>no</p> |
| </div> |
| </div> |
| </div> |
| <h1 id="_plug_points" class="sect0">PLUG POINTS</h1> |
| <div class="paragraph"> |
| <p>There are four-five different plug points where you could customize the |
| functionality. From largest to smallest: - <em>The SecurityService |
| interface</em>: As before all security work (authentication and |
| authorization) is behind this interface, only the methods on it have |
| been updated. If you want to do something really "out there" or need |
| total control, this is where you go. Plugging in your own |
| SecurityService should really be a last resort. We still have our "do |
| nothing" SecurityService implementation just as before, but it is no |
| longer the default. You can add a new SecurityService impl by creating |
| a service-jar.xml and packing it in your jar. You can configure OpenEJB |
| to use a different SecurityService via the openejb.xml.</p> |
| </div> |
| <div class="ulist"> |
| <ul> |
| <li> |
| <p><em>JaccProvider super class</em>: If you want to plug in your own JACC |
| implementation to perform custom authorization (maybe do some fancy |
| auditing), this is one way to do it without really having to understand |
| JACC too much. We will plug your provider in to all the places required |
| by JACC if you simply set the system property |
| "<em>org.apache.openejb.core.security.JaccProvider</em>" with the name of your |
| JaccProvider impl.</p> |
| </li> |
| <li> |
| <p><em>Regular JACC</em>. The JaccProvider is simply a wrapper around the many |
| things you have to do to create and plugin a JACC provider, but you can |
| still plugin a JACC provider in the standard ways. Read the JACC spec |
| for that info.</p> |
| </li> |
| <li> |
| <p><em>JAAS LoginModule</em>. You can setup a different JAAS LoginModule to do |
| all your authentication by simply editing the conf/login.config file |
| which is a plain JAAS config file. At the moment we only support |
| username/password based login modules. At some point it would be nice to |
| support any kind of input for a JAAS LoginModule, but username/password |
| at least covers the majority. It actually <em>is</em> possible to support any |
| LoginModule, but you would have to supply your clients with your own way |
| to authenticate to it and write a strategy for telling the OpenEJB |
| client what data to send to the server with each invocation request. See |
| the |
| <a href="http://java.sun.com/javase/6/docs/technotes/guides/security/jaas/JAASLMDevGuide.html">JAAS |
| LoginModule Developer’s Guide</a> for more information.</p> |
| </li> |
| <li> |
| <p><em>Client IdentityResolver</em>. This is the just mentioned interface you |
| would have to implement to supply the OpenEJB client with alternate data |
| to send to the server with each invocation request. If you’re plugging |
| in a new version of this it is likely that you may also want to plugin |
| in your own SecurityService implementation. Reason being, the object |
| returned from IdentiyResolve.getIdentity() is sent across the wire and |
| straight in to the SecurityService.associate(Object) method.</p> |
| </li> |
| </ul> |
| </div> |
| </div> |
| |
| </div> |
| </div> |
| <footer> |
| <div class="container"> |
| <div class="row"> |
| <div class="col-sm-6 text-center-mobile"> |
| <h3 class="white">Be simple. Be certified. Be Tomcat.</h3> |
| <h5 class="light regular light-white">"A good application in a good server"</h5> |
| <ul class="social-footer"> |
| <li><a href="https://www.facebook.com/ApacheTomEE/"><i class="fa fa-facebook"></i></a></li> |
| <li><a href="https://twitter.com/apachetomee"><i class="fa fa-twitter"></i></a></li> |
| <li><a href="https://plus.google.com/communities/105208241852045684449"><i class="fa fa-google-plus"></i></a></li> |
| </ul> |
| </div> |
| <div class="col-sm-6 text-center-mobile"> |
| <div class="row opening-hours"> |
| <div class="col-sm-3 text-center-mobile"> |
| <h5><a href="../../latest/docs/documentation.html" class="white">Documentation</a></h5> |
| <ul class="list-unstyled"> |
| <li><a href="../../latest/docs/admin/configuration/index.html" class="regular light-white">How to configure</a></li> |
| <li><a href="../../latest/docs/admin/file-layout.html" class="regular light-white">Dir. Structure</a></li> |
| <li><a href="../../latest/docs/developer/testing/index.html" class="regular light-white">Testing</a></li> |
| <li><a href="../../latest/docs/admin/cluster/index.html" class="regular light-white">Clustering</a></li> |
| </ul> |
| </div> |
| <div class="col-sm-3 text-center-mobile"> |
| <h5><a href="../../latest/examples/" class="white">Examples</a></h5> |
| <ul class="list-unstyled"> |
| <li><a href="../../latest/examples/simple-cdi-interceptor.html" class="regular light-white">CDI Interceptor</a></li> |
| <li><a href="../../latest/examples/rest-cdi.html" class="regular light-white">REST with CDI</a></li> |
| <li><a href="../../latest/examples/ejb-examples.html" class="regular light-white">EJB</a></li> |
| <li><a href="../../latest/examples/jsf-managedBean-and-ejb.html" class="regular light-white">JSF</a></li> |
| </ul> |
| </div> |
| <div class="col-sm-3 text-center-mobile"> |
| <h5><a href="../../community/index.html" class="white">Community</a></h5> |
| <ul class="list-unstyled"> |
| <li><a href="../../community/contributors.html" class="regular light-white">Contributors</a></li> |
| <li><a href="../../community/social.html" class="regular light-white">Social</a></li> |
| <li><a href="../../community/sources.html" class="regular light-white">Sources</a></li> |
| </ul> |
| </div> |
| <div class="col-sm-3 text-center-mobile"> |
| <h5><a href="../../security/index.html" class="white">Security</a></h5> |
| <ul class="list-unstyled"> |
| <li><a href="http://apache.org/security" target="_blank" class="regular light-white">Apache Security</a></li> |
| <li><a href="http://apache.org/security/projects.html" target="_blank" class="regular light-white">Security Projects</a></li> |
| <li><a href="http://cve.mitre.org" target="_blank" class="regular light-white">CVE</a></li> |
| </ul> |
| </div> |
| </div> |
| </div> |
| </div> |
| <div class="row bottom-footer text-center-mobile"> |
| <div class="col-sm-12 light-white"> |
| <p>Copyright © 1999-2016 The Apache Software Foundation, Licensed under the Apache License, Version 2.0. Apache TomEE, TomEE, Apache, the Apache feather logo, and the Apache TomEE project logo are trademarks of The Apache Software Foundation. All other marks mentioned may be trademarks or registered trademarks of their respective owners.</p> |
| </div> |
| </div> |
| </div> |
| </footer> |
| <!-- Holder for mobile navigation --> |
| <div class="mobile-nav"> |
| <ul> |
| <li><a hef="../../latest/docs/admin/index.html">Administrators</a> |
| <li><a hef="../../latest/docs/developer/index.html">Developers</a> |
| <li><a hef="../../latest/docs/advanced/index.html">Advanced</a> |
| <li><a hef="../../community/index.html">Community</a> |
| </ul> |
| <a href="#" class="close-link"><i class="arrow_up"></i></a> |
| </div> |
| <!-- Scripts --> |
| <script src="../../js/jquery-1.11.1.min.js"></script> |
| <script src="../../js/owl.carousel.min.js"></script> |
| <script src="../../js/bootstrap.min.js"></script> |
| <script src="../../js/wow.min.js"></script> |
| <script src="../../js/typewriter.js"></script> |
| <script src="../../js/jquery.onepagenav.js"></script> |
| <script src="../../js/tree.jquery.js"></script> |
| <script src="../../js/highlight.pack.js"></script> |
| <script src="../../js/main.js"></script> |
| </body> |
| |
| </html> |
| |