Security with JBoss Enterprise Application Platform
In this article we will show you some of the noteworthy security features of JBoss EAP 5.1. Most of these features also apply to the EAP 5.0.x versions.
This article was co-authored by Marcus Moyses, Stefan Guilhen and Darren Lofthouse from Red Hat Inc.
Security Features
JBoss EAP 5 is based on JBoss AS 5.1, so it includes all the features already shown for the community release, such as simplified security domain configuration, password masking in configuration files, XACML authorization for EJB and web applications, and instance-based authorization.
Let us look at the features available as part of EAP 5.1.
Authentication
EAP 5.1 supports JAAS-based authentication. We ship various login modules that authenticate against security information held in LDAP, databases, filesystems, etc.
Additionally, we have an implementation of the JSR-196 servlet specification. Information is found here.
Authorization
EAP 5.1 supports the Role Based Access Control (RBAC) semantics of the Java EE specifications. Customers can also use the pluggable authorization framework to obtain Java EE specification authorization (the default), JSR-115 (JACC) or OASIS XACML v2 behavior.
Fine Grained Authorization
OASIS XACML v2 is an industry standard for access control. In JBoss EAP 5.x, we provide XACML support for web and EJB applications. Additionally, business applications running on the EAP can use the XACML infrastructure through the XACML API.
Auditing
Auditing of security events is a valuable feature for system administrators who need to comply with regulations in domains such as financial systems, healthcare, etc. JBoss EAP 5.x supports auditing of security events for web and EJB applications.
Web Container: Native connectors
JBoss EAP 5 is also distributed with the native connectors for JBossWeb, so configuring an HTTPS connector requires a different set of properties than a plain Java connector. One of these properties is SSLPassword, used to set the password for the certificate file. Up until now there was no feature to mask this password as there was for the non-native connector (described here). This feature is now present in JBoss EAP 5 and is described here.
SSL
Many services may require mutual SSL authentication, for example LDAP, EJB2 or EJB3. This is a problem when JBoss is the client in the SSL handshake and each service requires a different certificate, mainly because with the system properties (i.e. javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword) one can only set a single keystore to be used, and only the first alias of that keystore is presented.
To work around this issue we have created an implementation of SSLSocketFactory that uses a JaasSecurityDomain to configure which certificate is used in the handshake.
A complete example for LDAP and EJB2 can be seen in our wiki.
JBoss EJB3 uses a socket-based invoker layer on port 3873 by default. This is set up in the deploy directory of your server configuration, in the file ejb3-connectors-jboss-beans.xml. To use SSL as the transport for your beans, you must generate a keystore and configure your beans to use the SSL transport, in two steps:
Step 1: Configure the remoting connector.
<bean name="EJB3SSLRemotingConnector"
      class="org.jboss.remoting.transport.Connector">
    <property name="invokerLocator">sslsocket://${jboss.bind.address}:3843</property>
    <property name="serverConfiguration">
        <inject bean="ServerConfiguration" />
    </property>
</bean>
Step 2: Configure the RemoteBinding annotation on the bean.
All beans will use the default connector on socket://${jboss.bind.address}:3873, unless they are configured with the @org.jboss.annotation.ejb.RemoteBinding annotation.
import javax.ejb.Remote;
import javax.ejb.Stateful;
import org.jboss.annotation.ejb.RemoteBinding;

// Bind this stateful bean to the SSL connector from step 1 instead of the
// default plain socket connector; the annotations are not comma-separated.
@Stateful
@RemoteBinding(clientBindUrl="sslsocket://0.0.0.0:3843", jndiBinding="StatefulSSL")
@Remote(BusinessInterface.class)
public class StatefulBean implements BusinessInterface
{
    ...
}
More information is here.
Web Container: SSL Connector
JBossWeb is the name of the web container integrated in JBoss EAP. It is based on Apache Tomcat. To configure web applications to use HTTPS (SSL/TLS), you need to configure a Tomcat connector as described in the Tomcat SSL Documentation.
Single Sign On (SSO) with Kerberos
JBoss EAP 5.x supports SPNEGO for web applications. This feature enables web applications to participate in desktop SSO: if a user logs into a Windows or Linux desktop that is governed by a Kerberos-based domain controller (for example, Microsoft Active Directory), then the web applications hosted on JBoss EAP can have SSO.
Installation steps include the following:
- Configure a security domain for JBoss EAP.
- Configure a SPNEGO Tomcat Authenticator.
- Configure the web applications to use the SPNEGO Authenticator and security domain.
To configure the negotiation feature, users can download the negotiation toolkit for JBoss Negotiation from the wiki (the toolkit is packaged as part of the negotiation releases). The toolkit is a set of servlets that help in configuring the negotiation feature.
Information on configuring Negotiation on JBoss EAP running on a Windows server in a domain with Active Directory is described here in detail.