Mule : Jaas Security
This page last changed on Oct 29, 2006 by jesper.
The JaasSimpleAuthenticationProvider is a security provider that provides a way to interact with the JAAS Authentication Service.

Configuration:

The security provider for JAAS can be configured in a couple of different ways: either by passing the provider a JAAS configuration file, or by passing the required attributes directly to the JaasSimpleAuthenticationProvider. These two configuration methods are described below.

Option 1: Using the JAAS Configuration File

The JAAS Configuration File

Usually, JAAS authentication is performed in a pluggable fashion, so applications can remain independent from underlying authentication technologies.

    com.ss.jaasTest {
        com.ss.jaas.loginmodule.DefaultLoginModule required
        credentials="anon:anon;Marie:Marie;";
    };
The above example was saved in a file called jaas.conf. This file contains just one entry called com.ss.jaasTest, which is where the application we want to protect can be found. The entry specifies the LoginModule that will be used to authenticate the user. As a login module, you can either use Mule's DefaultLoginModule, one of the LoginModules supplied by Sun, or else create your own. In this case, we have opted for Mule's DefaultLoginModule.

The "required" flag that follows the LoginModule specifies that the LoginModule must succeed in order for the authentication to be considered successful. There are other flags apart from this. The full set is:

Required - The LoginModule is required to succeed. If it succeeds or fails, authentication still continues to proceed down the LoginModule list.
Requisite - The LoginModule is required to succeed. If it succeeds, authentication continues down the LoginModule list. If it fails, control immediately returns to the application.
Sufficient - The LoginModule is not required to succeed. If it does succeed, control immediately returns to the application (authentication does not proceed down the LoginModule list). If it fails, authentication continues down the LoginModule list.
Optional - The LoginModule is not required to succeed. If it succeeds or fails, authentication still continues to proceed down the LoginModule list.

The entry also specifies the credentials, in which we put a string of authorised users together with their passwords. The credentials are put here only when the DefaultLoginModule is going to be used, as the method by which the user names and passwords are obtained may vary from one LoginModule to another.
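The control flags listed above decide both whether later modules are consulted and whether the login as a whole succeeds. The following is an added example, not code from Mule or from the original page: it drives the JDK's own LoginContext with a hypothetical stub module (ControlFlagDemo and Stub are made-up names) so that each stack reports which modules were called and how the login ended.

```java
import static javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class ControlFlagDemo {
    static final List<String> invoked = new ArrayList<>();

    /** Hypothetical stub module: passes or fails according to its "outcome" option. */
    public static class Stub implements LoginModule {
        private Map<String, ?> opts;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> o) { opts = o; }
        public boolean login() throws LoginException {
            invoked.add((String) opts.get("id"));          // record that this module was consulted
            if ("fail".equals(opts.get("outcome"))) throw new FailedLoginException();
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    static AppConfigurationEntry module(String id, AppConfigurationEntry.LoginModuleControlFlag flag, String outcome) {
        return new AppConfigurationEntry(Stub.class.getName(), flag, Map.of("id", id, "outcome", outcome));
    }

    /** Runs one module stack through the JDK's LoginContext and reports which modules were called. */
    static String run(AppConfigurationEntry... stack) {
        invoked.clear();
        Configuration cfg = new Configuration() {          // in-memory stand-in for jaas.conf
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return stack; }
        };
        try {
            new LoginContext("com.ss.jaasTest", null, null, cfg).login();
            return "login OK, modules called: " + invoked;
        } catch (LoginException e) {
            return "login FAILED, modules called: " + invoked;
        }
    }

    public static void main(String[] args) {
        System.out.println(run(module("A", REQUIRED, "fail"), module("B", OPTIONAL, "ok")));
        System.out.println(run(module("A", REQUISITE, "fail"), module("B", OPTIONAL, "ok")));
        System.out.println(run(module("A", SUFFICIENT, "ok"), module("B", REQUIRED, "ok")));
        System.out.println(run(module("A", REQUIRED, "fail"), module("B", SUFFICIENT, "ok")));
    }
}
```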
The credentials string must adhere to the following format if the DefaultLoginModule is going to be used:

    <username>:<password>;

The Mule XML configuration

    <security-provider name="JaasProvider" className="com.ss.jaas.provider.JaasSimpleAuthenticationProvider">
        <properties>
            <!-- loginContextName must match the entry name in jaas.conf -->
            <property name="loginContextName" value="com.ss.jaasTest"/>
            <property name="loginConfig" value="jaas.conf"/>
        </properties>
    </security-provider>

Note that in the above, the loginContextName contains the same name as the entry in the JAAS configuration file discussed above. This will be used for creating the login context as well as to find the complete URL of the jaas.conf file.

Option 2: Passing the credentials directly to the Provider

The second option for the configuration of the JaasSimpleAuthenticationProvider is to pass the configuration details, which would otherwise be found in the JAAS configuration file, directly to the provider.

    <security-provider name="JaasProvider" className="com.ss.jaas.provider.JaasSimpleAuthenticationProvider">
        <properties>
            <property name="loginContextName" value="com.ss.jaasTest"/>
            <!-- No loginConfig: the credentials are passed straight to the provider -->
            <property name="credentials" value="anon:anon;Marie.Rizzo:dragon;"/>
        </properties>
    </security-provider>

In the above configuration, note that we removed the property "loginConfig" and we don't need to pass any JAAS configuration file. All we need to do is to pass the credentials to the provider (using the same format specified above). Since no LoginModule is specified, the DefaultLoginModule will be used. However, the JaasSimpleAuthenticationProvider also permits you to enter, using this configuration, your own LoginModule.
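Because Options 1 and 2 both keep user names and passwords as clear text in a configuration file, a review step can check the credentials string before it is deployed. The following is an added example, not Mule's own parsing code: it assumes ';' and ':' are plain delimiters with no escaping, as the format above suggests, and the class name and the minimum-length threshold are hypothetical.

```java
import java.util.*;

public class CredentialsAudit {
    static final int MIN_LENGTH = 8;   // assumed policy threshold, not taken from the page

    /** Returns findings for a "<username>:<password>;" string; never echoes a password. */
    static List<String> audit(String credentials) {
        List<String> findings = new ArrayList<>();
        Set<String> seen = new HashSet<>();
        String[] entries = credentials.split(";");    // a trailing ';' leaves no empty entry
        for (int i = 0; i < entries.length; i++) {
            String entry = entries[i].trim();
            if (entry.isEmpty()) continue;            // tolerate ";;" or stray whitespace
            int colon = entry.indexOf(':');           // assumption: the first ':' ends the username
            if (colon <= 0 || colon == entry.length() - 1) {
                findings.add("entry " + (i + 1) + ": missing username or password");
                continue;
            }
            String user = entry.substring(0, colon);
            String pass = entry.substring(colon + 1);
            if (!seen.add(user)) findings.add(user + ": duplicate username");
            if (pass.equalsIgnoreCase(user)) findings.add(user + ": password equals username");
            if (pass.length() < MIN_LENGTH) findings.add(user + ": password shorter than " + MIN_LENGTH);
        }
        return findings;
    }

    public static void main(String[] args) {
        // The two credentials strings that appear in this page's configuration samples.
        String[] samples = { "anon:anon;Marie:Marie;", "anon:anon;Marie.Rizzo:dragon;" };
        for (String s : samples) {
            System.out.println("credentials string with " + s.split(";").length + " entries:");
            audit(s).forEach(f -> System.out.println("  " + f));
        }
    }
}
```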
Option 3: Passing a non-default Login Module

    <security-provider name="JaasProvider" className="com.ss.jaas.provider.JaasSimpleAuthenticationProvider">
        <properties>
            <property name="loginContextName" value="com.ss.jaasTest"/>
            <!-- loginModule replaces the DefaultLoginModule; no credentials property is needed -->
            <property name="loginModule" value="com.sun.security.auth.module.NTLoginModule"/>
        </properties>
    </security-provider>

In the above configuration, we have added a further property, loginModule, where you can name the LoginModule you wish to use to authenticate the user. Since the NTLoginModule does not require you to input a list of accepted usernames and passwords, the "credentials" property was removed.

Configuring the security filter on an Endpoint:

As a security-filter, the MuleEncryptionEndpointSecurityFilter can be used.

    <mule-descriptor name="SendStringUMO" implementation="com.ss.jaasTest.SendString">
        <inbound-router>
            <endpoint address="vm://localhost/test">
                <security-filter className="org.mule.impl.security.filters.MuleEncryptionEndpointSecurityFilter">
                    <properties>
                        <property name="strategyName" value="PBE"/>
                    </properties>
                </security-filter>
            </endpoint>
        </inbound-router>
    </mule-descriptor>
Document generated by Confluence on Nov 27, 2006 10:27