Own Security Realm in GlassFish

It's no secret that application servers exist to take some of the work off the developer and hand it to ready-made mechanisms. In particular, authentication in the GlassFish application server can be organized through so-called Security Realms. Several built-in ones exist: authentication against a DBMS, LDAP, PAM, certificates, and a plain read from a file. They may not suffice, however, because of their limitations (the LDAP realm, for example, works with only one pre-specified domain). So let us look at creating our own security realm.

A custom security realm consists of at least two classes: one extends AppservRealm (com.sun.appserv.security.AppservRealm) and the other extends AppservPasswordLoginModule (com.sun.appserv.security.AppservPasswordLoginModule). To get com.sun.appserv.security.* you need to add /glassfish/modules/security.jar to the project as a library.

    package ru.khmb.security;

    import com.sun.appserv.security.AppservRealm;
    import com.sun.enterprise.security.auth.realm.BadRealmException;
    import com.sun.enterprise.security.auth.realm.InvalidOperationException;
    import com.sun.enterprise.security.auth.realm.NoSuchRealmException;
    import com.sun.enterprise.security.auth.realm.NoSuchUserException;
    import java.util.Enumeration;
    import java.util.Properties;
    import java.util.Vector;

    public class Realm extends AppservRealm {

        // Name of the realm property that points at the JAAS context in login.conf
        private static final String PARAM_JAAS_CONTEXT = "jaas-context";
        // The single group every authenticated user is placed in
        private static final String GROUP_ALL = "Authenticated";

        // Called by GlassFish with the properties entered for the realm in the admin GUI
        @Override
        public void init(Properties properties) throws BadRealmException, NoSuchRealmException {
            String propJaasContext = properties.getProperty(PARAM_JAAS_CONTEXT);
            if (propJaasContext != null) {
                setProperty(PARAM_JAAS_CONTEXT, propJaasContext);
            }
        }

        // Authentication type reported for this realm (usually the realm name)
        @Override
        public String getAuthType() {
            return "KHMB Realm";
        }

        // Groups of the given user; here every user gets the same single group
        @Override
        public Enumeration<String> getGroupNames(String user)
                throws InvalidOperationException, NoSuchUserException {
            Vector<String> vector = new Vector<String>();
            vector.add(GROUP_ALL);
            return vector.elements();
        }
    }


In the realm class you override the methods that return the authentication type (usually the realm name) and the user's groups by user name; in this article we deliberately skip the Java EE authorization side.
This is where the flexibility of the mechanism lies: the groups can be looked up per user name from, for example, a DBMS. In this example a single group is used, which merely indicates that the user has been authenticated. The jaas-context property is read here to tie this class to the following one.

    package ru.khmb.security;

    import com.sun.appserv.security.AppservPasswordLoginModule;
    import java.util.Enumeration;
    import java.util.LinkedList;
    import java.util.List;
    import javax.security.auth.login.LoginException;

    public class LoginModule extends AppservPasswordLoginModule {

        // Called by GlassFish with _currentRealm, _username and _password already filled in
        @Override
        protected void authenticateUser() throws LoginException {
            // Make sure this module is paired with our realm and not some other one
            if (!(_currentRealm instanceof Realm)) {
                throw new LoginException("Realm not KHMBRealm");
            }
            Realm realm = (Realm) _currentRealm;

            // Verify the credentials; throws LoginException on failure
            authenticate(_username, _password);

            // Collect the user's groups from the realm and hand them to the container
            List<String> authenticatedGroups = new LinkedList<String>();
            Enumeration<String> enumeration;
            try {
                enumeration = realm.getGroupNames(_username);
            } catch (Exception e) {
                throw new LoginException("Get groups exception");
            }
            while (enumeration != null && enumeration.hasMoreElements()) {
                authenticatedGroups.add(enumeration.nextElement());
            }
            commitUserAuthentication(authenticatedGroups.toArray(new String[0]));
        }

        // Credential check against LDAP; the LDAP helper class itself is not shown in the article
        private static void authenticate(String login, String password) throws LoginException {
            try {
                LDAP.authenticate(login, password);
            } catch (Exception e) {
                throw new LoginException("Authenticate exception:" + e.getMessage());
            }
        }
    }

In this class you implement the authentication method. It obtains and verifies the realm that is using it, checks the entered login and password (or other credentials), and finally fetches the user's groups and passes them on to the container.
Put the compiled classes (the packages with the corresponding classes inside) in the directory <glassfish domain>/lib/classes.
We must also tell GlassFish that our AppservPasswordLoginModule belongs to a specific context. Edit the file <glassfish domain>/config/login.conf and add a "link":

    KHMBRealm {
        ru.khmb.security.LoginModule required;
    };

This entry defines the context and marks our module as required.
Now start (or restart) the application server and open the administration GUI.
Create a new Security Realm. This time we do not pick a class from the list but enter the fully qualified realm class: ru.khmb.security.Realm. Do not forget to set the jaas-context property, which connects our realm to the authentication module through the context defined in login.conf, i.e. in our case jaas-context = KHMBRealm.
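The article's login module delegates the actual credential check to an LDAP helper that is not shown, and its realm hands every user the same group. The following is an added example, not code from the article, showing the same realm/login-module pair with the two pieces the text leaves open filled in: the realm reads users, per-user PBKDF2 password hashes and group lists from a realm property, and the login module verifies the password with a constant-time comparison. The package name ru.khmb.security.example, the class names, the users property and its format are all assumptions made for this example; the hashes would be produced offline with the same PBKDF2 parameters. It assumes Java 8 or later (for PBKDF2WithHmacSHA256) and the same security.jar as the article. Register it exactly like the article's classes: an entry in login.conf whose name matches the jaas-context property, and each class in its own file under <glassfish domain>/lib/classes.

```java
// File 1: ru/khmb/security/example/PropertiesRealm.java (hypothetical package)
package ru.khmb.security.example;

import com.sun.appserv.security.AppservRealm;
import com.sun.enterprise.security.auth.realm.BadRealmException;
import com.sun.enterprise.security.auth.realm.InvalidOperationException;
import com.sun.enterprise.security.auth.realm.NoSuchRealmException;
import com.sun.enterprise.security.auth.realm.NoSuchUserException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.login.LoginException;

/** Realm whose users, PBKDF2 password hashes and groups come from a realm property. */
public class PropertiesRealm extends AppservRealm {
    static final String PARAM_JAAS_CONTEXT = "jaas-context";
    // Assumed property format, entered in the admin GUI next to jaas-context:
    //   users = alice:<saltHex>:<hashHex>:Authenticated|admin;bob:<saltHex>:<hashHex>:Authenticated
    static final String PARAM_USERS = "users";
    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;

    private final Map<String, byte[]> salts = new HashMap<>();
    private final Map<String, byte[]> hashes = new HashMap<>();
    private final Map<String, List<String>> groups = new HashMap<>();

    @Override
    public void init(Properties props) throws BadRealmException, NoSuchRealmException {
        String ctx = props.getProperty(PARAM_JAAS_CONTEXT);
        if (ctx == null) throw new BadRealmException(PARAM_JAAS_CONTEXT + " property is required");
        setProperty(PARAM_JAAS_CONTEXT, ctx);
        for (String entry : props.getProperty(PARAM_USERS, "").split(";")) {
            String[] f = entry.trim().split(":");
            if (f.length != 4) throw new BadRealmException("bad users entry: " + entry);
            salts.put(f[0], hex(f[1]));
            hashes.put(f[0], hex(f[2]));
            groups.put(f[0], Arrays.asList(f[3].split("\\|")));
        }
    }

    @Override
    public String getAuthType() { return "Properties Realm (example)"; }

    // Groups are per user here, unlike the article's single fixed group
    @Override
    public Enumeration<String> getGroupNames(String user)
            throws InvalidOperationException, NoSuchUserException {
        List<String> g = groups.get(user);
        if (g == null) throw new NoSuchUserException(user);
        return Collections.enumeration(g);
    }

    /** Constant-time check; unknown users still run the full PBKDF2 work against a dummy salt. */
    boolean verifyPassword(String user, char[] password) throws LoginException {
        byte[] salt = salts.getOrDefault(user, new byte[16]);
        byte[] expected = hashes.getOrDefault(user, new byte[KEY_BITS / 8]);
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            byte[] actual = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
            spec.clearPassword();
            boolean match = MessageDigest.isEqual(expected, actual);   // evaluated for every login
            return match && hashes.containsKey(user);
        } catch (GeneralSecurityException e) {
            throw new LoginException("password verification failed: " + e.getMessage());
        }
    }

    private static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }
}

// File 2: ru/khmb/security/example/PropertiesLoginModule.java; login.conf entry (name is assumed):
//   PropertiesRealm { ru.khmb.security.example.PropertiesLoginModule required; };
public class PropertiesLoginModule extends AppservPasswordLoginModule {
    @Override
    protected void authenticateUser() throws LoginException {
        if (!(_currentRealm instanceof PropertiesRealm))
            throw new LoginException("Realm is not a PropertiesRealm");
        PropertiesRealm realm = (PropertiesRealm) _currentRealm;
        if (!realm.verifyPassword(_username, _password.toCharArray()))
            throw new LoginException("Login failed for " + _username);   // same message for unknown user and bad password
        List<String> grp = new ArrayList<>();
        try {
            Enumeration<String> e = realm.getGroupNames(_username);
            while (e.hasMoreElements()) grp.add(e.nextElement());
        } catch (NoSuchUserException | InvalidOperationException e) {
            throw new LoginException("Group lookup failed for " + _username);
        }
        commitUserAuthentication(grp.toArray(new String[0]));
    }
}
```

Two design points are worth noting. The login module checks the password before it touches the group lookup, and returns the same failure message for an unknown user and a wrong password, while the realm does the same amount of hashing work in both cases, so the response does not reveal which accounts exist. The realm rejects a missing jaas-context outright instead of silently skipping it as the article's version does, which turns a misconfigured realm into a clear error at deploy time rather than a puzzling login failure later.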

That's it; the realm can now be used.

When implementing the mechanism, a blog entry served as the source.

Update 08/02/2013:
There is a good description of creating various Security Realms (security areas) in David Heffelfinger's book Java EE 6 and Application Server GlassFish 3.

Source: https://habr.com/ru/post/152483/