Invoking Web Services through a proxy using JAX-RPC and JAX-WS

Not very often, we face the possibility of invoking Web Services provided by external entities that are outside our network. Some companies solve this by configuring their network to allow some application servers to bypass proxy servers. Whatever be the case, when in development, developers have to to be able to invoke web services through proxies. This post will be describe how to

• Invoking Web Services through a proxy using JAX-RPC
• Invoking Web Services through a proxy using JAX-WS

The solutions provided here are specific to Oracle Weblogic Server 10.3. I would suggest that you try the solutions provided on "Java Networking and Proxies", and only if they don't work (which happened to me), try the following.


There's More ...

Invoking Web Services through a proxy using JAX-RPC

1. Generate the Web Service Proxy classes using the following ant task.

   <taskdef name="clientgen" classname="weblogic.wsee.tools.anttasks.ClientGenTask" />
   <target name="build-client">
   <clientgen
   wsdl="[path_to_WSDL]"
   destDir="./src"
   packageName="com.my.client"
    type="JAXRPC"/>
   </target>

2. When the client classes are generated the type as JAXRPC, the generated classes will consist of Service, ServiceImpl, PortType and ProtTypeImpl etc files. To invoke the service you have to create the PortType from the Service. When working behind a proxy, you have to instantiate the ServiceImpl by using a constructor that takes in a weblogic.wsee.connection.transport.http.HttpTransportInfo.HttpTransportInfo object as a parameter as shown below.

     private HttpTransportInfo getHttpInfo() {
       Proxy proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress("proxyServer", 9090));
       HttpTransportInfo httpInfo = new HttpTransportInfo();
       httpInfo.setProxy(proxy);
   
       httpInfo.setProxyUsername("proxyuser".getBytes());
       httpInfo.setProxyPassword("proxypassword".getBytes());
       return httpInfo;
     }

   When using SSL, you can use the weblogic.wsee.connection.transport.https.HttpsTransportInfo class which can be created in the same way as above.

Invoking Web Services through a proxy using JAX-WS

1. When using JAX-WS, you have to change the clientgen task's "type" attribute to JAXWS, as shown below

   <taskdef name="clientgen" classname="weblogic.wsee.tools.anttasks.ClientGenTask" />
   <target name="build-client">
   <clientgen
   wsdl="[path_to_WSDL]"
   destDir="./src"
   packageName="com.my.client"
   type="JAXWS"/>
   </target>

   Make sure that the "path_to_WSDL" is to a local copy of the WSDL, as the properties which we set in the following steps are after the initialization of the service.
2. Running clientgen with JAXWS will create classes of the type *Service and *ServiceSoap
3. Setting up the client for proxy server involves setting a couple of request paramters: Username and password as shown below.

       MyService service = null;
       service = new MyService();
   
       MyServiceSoap port = service.getMyServiceSoap();
       BindingProvider bp = (BindingProvider) port;
       Binding binding = bp.getBinding();
   
       Map<String, Object> ctx = bp.getRequestContext();
       ctx.put(BindingProvider.USERNAME_PROPERTY, "proxyuser");
       ctx.put(BindingProvider.PASSWORD_PROPERTY, "proxypassword");
   

   Note that we don't specify the Proxy Server here. JAX-WS sends authentication information for the proxy in request headers.

Handling Security with Ajax, DWR and Acegi

This is an extension of a previous post that described how to secure your method calls using Acegi security. Here, I will go through how to secure your Asynchronous calls, using the same example with some modifications to include Ajax calls using Direct Web Remoting (DWR).

1. Create the example project as shown in "Spring security with Acegi Security Framework". This will be the starting point.
2. Create the SecureDAO object.

   package test;
   
   public class SecureDAO {
     public String create() {
       System.out.println("Create");
       return "create";
     }
   
     public String read() {
       System.out.println("read");
       return "read";
     }
   
     public String update() {
       System.out.println("update");
       return "update";
     }
   }

3. Update the applicationContext.xml file to include the security definitions by adding the following bean definitions as shown below

   <?xml version="1.0" encoding="UTF-8"?>
   <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
   
   <beans>
   
   <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
    <property name="filterInvocationDefinitionSource">
     <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
     </value>
    </property>
   </bean>
   
   <bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"/>
   
   <bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter">
    <constructor-arg value="/index.jsp"/>
    <constructor-arg>
     <list>
      <ref bean="rememberMeServices"/>
      <bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler"/>
     </list>
    </constructor-arg>
   </bean>
   
   <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="authenticationFailureUrl" value="/login.jsp?errorId=1"/>
    <property name="defaultTargetUrl" value="/"/>
    <property name="filterProcessesUrl" value="/j_acegi_security_check"/>
    <property name="rememberMeServices" ref="rememberMeServices"/>
   </bean>
   
   <bean id="securityContextHolderAwareRequestFilter" class="org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter"/>
   
   <bean id="rememberMeProcessingFilter" class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="rememberMeServices" ref="rememberMeServices"/>
   </bean>
   
   <bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
    <property name="key" value="changeThis"/>
    <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
   </bean>
   
   <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint">
     <bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
      <property name="loginFormUrl" value="/login.jsp"/>
      <property name="forceHttps" value="false"/>
     </bean>
    </property>
    <property name="accessDeniedHandler">
     <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
      <property name="errorPage" value="/denied.jsp"/>
     </bean>
    </property>
   </bean>
   
   <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="accessDecisionManager">
     <bean class="org.acegisecurity.vote.AffirmativeBased">
      <property name="allowIfAllAbstainDecisions" value="false"/>
      <property name="decisionVoters">
       <list>
        <bean class="org.acegisecurity.vote.RoleVoter"/>
        <bean class="org.acegisecurity.vote.AuthenticatedVoter"/>
       </list>
      </property>
     </bean>
    </property>
    <property name="objectDefinitionSource">
     <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /secure/admin/**=ROLE_ADMIN
      /secure/**=IS_AUTHENTICATED_REMEMBERED
      /**=IS_AUTHENTICATED_ANONYMOUSLY
     </value>
    </property>
   </bean>
   
   <bean id="rememberMeServices" class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
    <property name="userDetailsService" ref="userDetailsService"/>
    <property name="tokenValiditySeconds" value="1800"></property>
    <property name="key" value="changeThis"/>
   </bean>
   
   <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
    <property name="providers">
     <list>
      <ref local="daoAuthenticationProvider"/>
      <bean class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
       <property name="key" value="changeThis"/>
      </bean>
      <bean class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
       <property name="key" value="changeThis"/>
      </bean>
     </list>
    </property>
   </bean>
   
   <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="userDetailsService"/>
    <property name="userCache">
     <bean class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
      <property name="cache">
       <bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
        <property name="cacheManager">
         <bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
        </property>
        <property name="cacheName" value="userCache"/>
       </bean>
      </property>
     </bean>
    </property>
   </bean>
   
   <bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
    <property name="userProperties">
     <bean class="org.springframework.beans.factory.config.PropertiesFactoryBean">
      <property name="location" value="/WEB-INF/users.properties"/>
     </bean>
    </property>
   </bean>
   
   <bean id="loggerListener" class="org.acegisecurity.event.authentication.LoggerListener"/>
   
    <bean id="methodSecurityInterceptor" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
     <property name="authenticationManager">
      <ref bean="authenticationManager" />
     </property>
     <property name="accessDecisionManager">
      <bean class="org.acegisecurity.vote.AffirmativeBased">
       <property name="allowIfAllAbstainDecisions" value="false" />
       <property name="decisionVoters">
        <list>
         <bean class="org.acegisecurity.vote.RoleVoter" />
         <bean class="org.acegisecurity.vote.AuthenticatedVoter" />
        </list>
       </property>
      </bean>
     </property>
     <property name="objectDefinitionSource">
      <value>
      test.SecureDAO.*=IS_AUTHENTICATED_REMEMBERED 
      test.SecureDAO.u=ROLE_ADMIN
      </value>
     </property>
    </bean>
   
   
    <bean id="autoProxyCreator" class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
     <property name="interceptorNames">
      <list>
      <value>methodSecurityInterceptor</value>
      </list>
     </property>
     <property name="beanNames">
      <list>
      <value>secureDAO</value>
      </list>
     </property>
    </bean>
    
    <bean id="secureDAO" class="test.SecureDAO" />
   </beans>

4. Update the Web deployment descriptor to forward DWR requests to the DWR Servlet

   <?xml version="1.0" encoding="UTF-8"?>
   <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
    <display-name>DWRSpring</display-name>
    <context-param>
     <param-name>contextConfigLocation</param-name>
     <param-value>/WEB-INF/applicationContext.xml</param-value>
    </context-param>
    <listener>
     <display-name>SpringListener</display-name>
     <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <filter>
     <filter-name>Acegi Filter Chain Proxy</filter-name>
     <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
     <init-param>
      <param-name>targetClass</param-name>
      <param-value>org.acegisecurity.util.FilterChainProxy</param-value>
     </init-param>
    </filter>
   
    <filter-mapping>
     <filter-name>Acegi Filter Chain Proxy</filter-name>
     <url-pattern>/*</url-pattern>
    </filter-mapping>
    <servlet>
     <servlet-name>dwr-invoker</servlet-name>
     <servlet-class>uk.ltd.getahead.dwr.DWRServlet</servlet-class>
     <init-param>
      <param-name>debug</param-name>
      <param-value>true</param-value>
     </init-param>
    </servlet>
   
    <servlet-mapping>
     <servlet-name>dwr-invoker</servlet-name>
     <url-pattern>/dwr/*</url-pattern>
    </servlet-mapping>
    <welcome-file-list>
     <welcome-file>index.jsp</welcome-file>
     <welcome-file>default.jsp</welcome-file>
    </welcome-file-list>
   </web-app>



5. In the DWR configuration file, set the creator to Spring

   <!DOCTYPE dwr PUBLIC
     "-//GetAhead Limited//DTD Direct Web Remoting 1.0//EN"
     "http://www.getahead.ltd.uk/dwr/dwr10.dtd">
   <dwr>
    <allow>
     <convert match="java.lang.Exception" converter="exception"/>
     <create creator="spring" javascript="secureDAO">
      <param name="beanName" value="secureDAO"/>
     </create>
    </allow>
   </dwr>

   Note:
   • The converter is used to convert the Java exception to Javascript exception.
6. The main change will be made to the secure/authenticatedusers.jsp file. This will use DWR to make Ajax requests. Here is the code for the file

   <%@ page import="org.acegisecurity.context.SecurityContextHolder"%>
   <html>
   <head>
   
   <script type='text/javascript' src="http://java-x.blogspot.com/DWRSpring/dwr/interface/secureDAO.js"></script>
   <script type="text/javascript" src="../dwr/engine.js"> </script>
   <script type="text/javascript"  src="../dwr/util.js"> </script>
   <script>
    dwr.engine.setErrorHandler(errorHandlerFn);
    function update() {
     var name = dwr.util.getValue("method");
     switch(name) {
      case "create": 
        secureDAO.create(callBackFn)
        break;
      case "read": 
        secureDAO.read(callBackFn);
        break;
      case "update": 
        secureDAO.update(callBackFn);
        break;             
     }
    
    }
    
    function callBackFn(str) { 
     dwr.util.setValue("selectedAction","Server Returned : " + str); 
    }
    
    function errorHandlerFn(message, exception) {
     dwr.util.setValue("selectedAction", "Error : " + message);
    }
   </script>
   
   </head>
   <body>
   <h1>Welcome: <%=SecurityContextHolder.getContext().getAuthentication().getName()%></h1>
   <p><a href="../">Home</a>
   <form name="testForm" action=""><select name="method" onchange="update()">
    <option value=""></option>
    <option value="create">create</option>
    <option value="read">read</option>
    <option value="update">update</option>
   </select></form>
   
   <div id="selectedAction"></div>
   <p><a href="../j_acegi_logout">Logout</a></p>
   </body>
   </html>

   Note:
   • The classes that are exposed through DWR will be available through the /WEB_APP_NAME/dwr/interface/JAVASCRIPT_NAME.js files.

     <script type='text/javascript' src="http://java-x.blogspot.com/DWRSpring/dwr/interface/secureDAO.js"></script>

   • The setErrorhandler call sets the global error handling function.

     dwr.engine.setErrorHandler(errorHandlerFn);

     Alternatively, the error handling function can be set for individual method calls (as described in DWR documentationa

     Remote.method(params, {
       callback:function(data) { ... },
       errorHandler:function(errorString, exception) { ... }
     });

   • util.js file contains utility functions for getting and setting values for the document elements.
7. Make sure you have the following Jar files in your classpath:
   • acegi-security-1.0.3.jar
   • ant-junit.jar
   • cglib-nodep-2.1_3.jar
   • commons-codec-1.3.jar
   • commons-logging.jar
   • dwr.jar
   • ehcache-1.2.3.jar
   • jstl.jar
   • spring.jar
   • standard.jar

Securing EJB 3.0 Beans

The Java EE 5 Security services are provided by the container and can be implemented using declarative or programmatic techniques. In addition to declarative and programmatic ways to implement security (in J2EE), Java EE 5 supports the use of metadata annotations for security. This post will describe how to secure EJB 3.0 beans. The post consists of a simple EJB, with a web client. In order to run the example, follow these steps.
Create Users in Glassfish

1. Go to Configuration->Security->Realms->file in the Glassfish admin console.
2. In the file realm, click on manage users.
3. Add new users by clicking on add there.

The EJB Component

1. Start with a Simple Java project in Eclipse.
2. Remote Interface

   package ejb;
   
   import javax.ejb.Remote;
   
   @Remote
   public interface DABean {
   public String create();
   
   public String read();
   
   public String update();
   
   public String delete();
   }

   ejb/DABean.java
3. The Bean:

   package ejb;
   
   import javax.annotation.security.DeclareRoles;
   import javax.annotation.security.RolesAllowed;
   import javax.ejb.Stateless;
   
   @Stateless (mappedName = "ejb/secureEJB")
   @DeclareRoles({"emp","guest"})
   
   public class SecureEJB implements DABean {
   
   @RolesAllowed({"emp","guest"})
   public String create() {
     return "create";
   }
   
   @RolesAllowed({"emp","guest"})
   public String read() {
     return "read";
   }
   
   @RolesAllowed("emp")
   public String update() {
     return "update";
   }
   
   @RolesAllowed("emp")
   public String delete() {
     return "delete";
   }
   
   }

   ejb/SecureEJB.java
   • The declaredRoles and RolesAllowed annotations take a string array as a parameter.
4. Deployment descriptor:

   <?xml version="1.0" encoding="UTF-8"?>
   <!DOCTYPE sun-ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 9.0 EJB 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-ejb-jar_3_0-0.dtd">
   <sun-ejb-jar>
   <security-role-mapping>
     <role-name>guest</role-name>
     <group-name>guest</group-name>
   </security-role-mapping>
   
   <security-role-mapping>
     <role-name>emp</role-name>
     <group-name>employee</group-name>
   </security-role-mapping>
   
   <enterprise-beans>
     <unique-id>0</unique-id>
     <ejb>
       <ejb-name>SecureEJB</ejb-name>
       <jndi-name>ejb/secureEJB</jndi-name>
       <gen-classes />
     </ejb>
   </enterprise-beans>
   </sun-ejb-jar>

   META-INF/sun-ejb-jar.xml

The Web Client
For a little bit more detail explanation on the Web Application, see the previous post Securing Java EE 5 Web Applications

1. The EJB Client Jar file: When you deploy the EJB application in Glassfish, it creates a corresponding EJB Client jar file for the EJB component, which can be used in the clients. The file will created in the following directory.

   GLASSFISH_HOME\domains\DOMAIN_NAME/generated\xml/j2ee-modules/APPLICATION_NAME

2. Selection page

   <html>
   <body>
   <h1>Home Page</h1>
   Anyone can view this page.
   
   <form action="securityServlet"><select name="method">
   <option value="create">create</option>
   <option value="read">read</option>
   <option value="update">update</option>
   <option value="delete">delete</option>
   </select> <input type="submit" name="submit" /></form>
   </body>
   </html>

   index.jsp
3. Servlet

   package servlets;
   
   import java.io.IOException;
   import java.io.PrintWriter;
   
   import javax.annotation.security.DeclareRoles;
   import javax.ejb.EJB;
   import javax.servlet.ServletException;
   import javax.servlet.http.HttpServletRequest;
   import javax.servlet.http.HttpServletResponse;
   
   import ejb.DABean;
   
   @DeclareRoles("emp")
   public class SecurityServlet extends javax.servlet.http.HttpServlet implements javax.servlet.Servlet {
   
   @EJB(name = "timerBean", mappedName = "corbaname:iiop:localhost:3700#ejb/secureEJB")
   private DABean daBean;
   
   public SecurityServlet() {
     super();
   }
   
   protected void service(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
     PrintWriter out = response.getWriter();
     String method = request.getParameter("method");
     try {
       String result = "";
       if (method.equals("create")) {
         result = daBean.create();
       }
       if (method.equals("read")) {
         result = daBean.read();
       }
   
       if (method.equals("update")) {
         result = daBean.update();
       }
   
       if (method.equals("delete")) {
         result = daBean.delete();
       }
   
       out.println(request.getUserPrincipal() + " is an Authorized User");
     } catch (Exception e) {
       e.printStackTrace();
       out.println(request.getUserPrincipal() + " is not an Authorized to see this page.");
     }
   }
   }

   SecurityServlet.java
4. Deployment descriptor

   <?xml version="1.0" encoding="UTF-8"?>
   <web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
   <display-name>Java5Security</display-name>
   
   <servlet>
     <description></description>
     <display-name>SecurityServlet</display-name>
     <servlet-name>SecurityServlet</servlet-name>
     <servlet-class>servlets.SecurityServlet</servlet-class>
     <security-role-ref>
       <role-name>emp</role-name>
       <role-link>emp</role-link>
     </security-role-ref>
   </servlet>
   <servlet-mapping>
     <servlet-name>SecurityServlet</servlet-name>
     <url-pattern>/securityServlet</url-pattern>
   </servlet-mapping>
   
   
   <login-config>
     <auth-method>FORM</auth-method>
     <realm-name>file</realm-name>
     <form-login-config>
       <form-login-page>/login.jsp</form-login-page>
       <form-error-page>/error.jsp</form-error-page>
     </form-login-config>
   </login-config>
   
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Protected Area</web-resource-name>
       <url-pattern>/*</url-pattern>
       <http-method>PUT</http-method>
       <http-method>DELETE</http-method>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
       <role-name>guest</role-name>
       <role-name>emp</role-name>
     </auth-constraint>
   </security-constraint>
   
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Protected Area</web-resource-name>
       <url-pattern>/secure/*</url-pattern>
       <http-method>PUT</http-method>
       <http-method>DELETE</http-method>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
     </web-resource-collection>
     <auth-constraint>
       <role-name>emp</role-name>
     </auth-constraint>
   </security-constraint>
   <!-- Security roles referenced by this web application -->
   <security-role>
     <role-name>guest</role-name>
   </security-role>
   <security-role>
     <role-name>emp</role-name>
   </security-role>
   
   <welcome-file-list>
     <welcome-file>index.html</welcome-file>
   </welcome-file-list>
   </web-app>

   web.xml
5. Glassfish Deployment descriptor

   <?xml version="1.0" encoding="UTF-8"?>
   <!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 8.1 Servlet 2.4//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_2_4-1.dtd">
   <sun-web-app>
   <context-root>/Java5Security</context-root>
   <security-role-mapping>
     <role-name>guest</role-name>
     <group-name>guest</group-name>
   </security-role-mapping>
   <security-role-mapping>
     <role-name>emp</role-name>
     <group-name>employee</group-name>
   
   </security-role-mapping>
   </sun-web-app>

   sun-web.xml

Environment: This example was run on Glassfish V2 Build 41 (Glassfish V2 Beta 2).

Customize Acegi SecurityContext

This post describes how to modify the User details stored in the Acegi Security Context.

Acegi Security uses the SecurityContextHolder object to store details of the current security context of the application. The SecurityContext holds the details of the authenticated principal in an Authentication object. By default the SecurityContextHolder uses a ThreadLocal to store these details, so that they will be available all methods in the current thread of execution.In order to obtain the Principal, you would use the following line

Object obj = SecurityContextHolder.getContext().getAuthentication().getPrincipal();

Usually, the principal is an object of the type UserDetails. The UserDetails object is sort of an adapter between the security database and Acegi SecurityContextHolder. Acegi uses a UserDetailsSevice to build the UserDetails object. In order to modify the data stored Security Context of Acegi, you either have to

• setContext() method of the SecurityContextHolder. The SecurityContext object can be set to hold an Authentication object. This will mean that you have to add some additional security code to your application code.
• Implement the UserDetailsService and UserDetails interfaces. This way you can keep security code seperated from the application code.

This post will describe how to implement UserDetailsService and UserDetails Objects. Here's what to do to implement a UserDetailsService.

1. Start with the implementing acegi security posts part 1 and part 2.
2. Create the UserDetailsService:

   package authentication;
   
   import java.util.HashMap;
   import java.util.Map;
   
   import org.acegisecurity.GrantedAuthority;
   import org.acegisecurity.userdetails.UserDetails;
   import org.acegisecurity.userdetails.UserDetailsService;
   import org.acegisecurity.userdetails.UsernameNotFoundException;
   import org.springframework.dao.DataAccessException;
   
   public class MyUserDetailsService implements UserDetailsService {
   
   private Map users = init();
   
   private Map init() {
     Map tUsers = new HashMap();
   
     tUsers.put("scott", new User("scott", "tiger", "ROLE_USER"));
     tUsers.put("harry", new User("harry", "potter", "ROLE_ADMIN"));
     tUsers.put("frodo", new User("frodo", "baggins", "ROLE_USER"));
   
     return tUsers;
   }
   
   public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException, DataAccessException {
     User user = (User) users.get(s);
     GrantedAuthority authority = new MyGrantedAuthority(user.getRole());
     UserDetails userDetails = new MyUserDetails(new GrantedAuthority[] { authority }, user.getUserId(), user.getPassword(), "Additional Data");
     return userDetails;
   }
   
   }

   MyUserDetailsService.java
   Notice that all the user data is defined in this class. The UserDetailsService has to return a UserDetails object using the User name.
3. Create the UserDetails class:

   package authentication;
   
   import org.acegisecurity.GrantedAuthority;
   import org.acegisecurity.userdetails.UserDetails;
   
   public class MyUserDetails implements UserDetails {
   
   
   private GrantedAuthority[] authorities = null;
   private String password = null;
   private String username = null;
   private String additionalData = null;
   
   
   public MyUserDetails(GrantedAuthority[] authorities, String password, String username, String additionalData) {
     super();
     this.authorities = authorities;
     this.password = password;
     this.username = username;
     this.additionalData = additionalData;
   }
   
   public GrantedAuthority[] getAuthorities() {
     return authorities;
   }
   
   public String getPassword() {
     return password;
   }
   
   public String getUsername() {
     return username;
   }
   
   public boolean isAccountNonExpired() {
     return true;
   }
   
   public boolean isAccountNonLocked() {
     return true;
   }
   
   public boolean isCredentialsNonExpired() {
     return true;
   }
   
   public boolean isEnabled() {
     return true;
   }
   }

   MyUserDetails.java
4. The User class:

   package authentication;
   
   public class User {
   
   private String userId;
   
   private String password;
   
   private String role;
   
   public String getPassword() {
     return password;
   }
   
   public void setPassword(String password) {
     this.password = password;
   }
   
   public String getRole() {
     return role;
   }
   
   public void setRole(String role) {
     this.role = role;
   }
   
   public String getUserId() {
     return userId;
   }
   
   public void setUserId(String userId) {
     this.userId = userId;
   }
   
   public User(String userId, String password, String role) {
     super();
     this.userId = userId;
     this.password = password;
     this.role = role;
   }
   
   }

   User.java
5. Modify the applicationContext.xml file: Modify the userDetailsService bean in the application context to as shown below

   <bean id="userDetailsService" class="authentication.MyUserDetailsService">
   </bean>

6. The GrantedAuthority class: The MyGrantedAuthority class is typically used to store application roles.

   package authentication;
   
   import org.acegisecurity.GrantedAuthority;
   
   public class MyGrantedAuthority implements GrantedAuthority {
   
   private String authority = null;
   
   public MyGrantedAuthority(String authority) {
     this.authority = authority;
   }
   public String getAuthority() {
     return authority;
   }
   
   }

   MyGrantedAuthority.java

Securing Middle tier Objects with Acegi Security Framework

Previously, I posted an example on implementing Security using Acegi Security Framework for applications using Spring framework. This post will describe an example on how to secure Middle-tier objects using Acegi, with Role-based authorization. Here is how to implement the example.

1. Create the example project as shown in "Spring security with Acegi Security Framework". This will be the starting point.
2. Create the Secure Object: The secure object here is SecureDAO, which is a dummy object that has the common create, read, update, delete methods.

   package test;
   
   public class SecureDAO {
    public String create() {
      return "create";
    }
   
    public String read() {
      return "read";
    }
   
    public String update() {
      return "update";
    }
   
    public String delete() {
      return "delete";
    }
   }

   SecureDAO.java
3. Create the Test Servlet: The servlet is used to invoke the secure DAO object.

   package servlets;
   
   import java.io.IOException;
   
   import javax.servlet.ServletException;
   import javax.servlet.http.HttpServletRequest;
   import javax.servlet.http.HttpServletResponse;
   
   import org.springframework.web.context.WebApplicationContext;
   import org.springframework.web.context.support.WebApplicationContextUtils;
   
   import test.SecureDAO;
   
   public class TestServlet extends javax.servlet.http.HttpServlet implements javax.servlet.Servlet {
   
    public TestServlet() {
      super();
    }
   
    protected void service(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
      String method = request.getParameter("method");
   
      WebApplicationContext context = WebApplicationContextUtils.getRequiredWebApplicationContext(getServletContext());
   
      SecureDAO obj = (SecureDAO) context.getBean("secureDAO");
      String result = "";
      if (method.equals("create")) {
        result = obj.create();
      }
      if (method.equals("read")) {
        result = obj.read();
      }
   
      if (method.equals("update")) {
        result = obj.update();
      }
   
      if (method.equals("delete")) {
        result = obj.delete();
      }
   
      response.getWriter().println(result);
   
    }
   }

   TestServlet.java
4. Update the authenticatedusers.jsp file to invoke the TestSerlvet, as shown below

   <%@ page import="org.acegisecurity.context.SecurityContextHolder"%>
   <h1>Welcome: <%=SecurityContextHolder.getContext().getAuthentication().getName()%></h1>
   <p><a href="../">Home</a>
   <form action="/SpringSecurity/TestServlet"><select name="method">
    <option value="create">create</option>
    <option value="read">read</option>
    <option value="update">update</option>
    <option value="delete">delete</option>
   </select> <input type="submit" name="submit" /></form>
   <p><a href="../j_acegi_logout">Logout</a>

   authenticatedusers.jsp


5. Update the applicationContext.xml file to include the security definitions by adding the following bean definitions as shown below

   <bean id="methodSecurityInterceptor" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
   <property name="authenticationManager">
    <ref bean="authenticationManager" />
   </property>
   <property name="accessDecisionManager">
    <bean class="org.acegisecurity.vote.AffirmativeBased">
    <property name="allowIfAllAbstainDecisions" value="false" />
    <property name="decisionVoters">
      <list>
      <bean class="org.acegisecurity.vote.RoleVoter" />
      <bean class="org.acegisecurity.vote.AuthenticatedVoter" />
      </list>
    </property>
    </bean>
   </property>
   <property name="objectDefinitionSource">
    <value>
    test.SecureDAO.*=IS_AUTHENTICATED_REMEMBERED
    test.SecureDAO.delete=ROLE_ADMIN
    </value>
   </property>
   </bean>
   
   
   <bean id="autoProxyCreator" class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
   <property name="interceptorNames">
    <list>
    <value>methodSecurityInterceptor</value>
    </list>
   </property>
   <property name="beanNames">
    <list>
    <value>secureDAO</value>
    </list>
   </property>
   </bean>
   
   <bean id="secureDAO" class="test.SecureDAO" />

   Note
   • The MethodSecurityInterceptor is used to define the mapping between the Methods and the roles that are allowed to invoke these methods.
   • The BeanNameAutoProxyCreator is used to create a proxy for the secureDAO object, so that an authorization check may be applied to every invocation on the object.
6. Add the cglib JAR file available in the Spring download as a dependency to your project. This is used for creating the Proxy.

Securing Java EE 5 Web Applications

In this post I will give a brief overview of securing web applications in Java EE 5 with the help of a simple example. The example application consists of a Servlet (securityServlet) and two pages (index.jsp and secure/index.jsp). Two users (newemployee and newguest) with roles employee and guest, will be created, with the following permissions

1. The "guest" user will have access to index.jsp
2. The "employee" user will have access to secure/index.jsp.
3. Both users have access to the servlet.

This example was developed on Eclipse and run on Glassfish application server. Follow these steps to implement the example

Create Users in Glassfish

1. Go to Configuration->Security->Realms->file in the Glassfish admin console.
2. In the file realm, click on manage users.
3. Add new users by clicking on add there.

The Web Application

1. The Web Deployment Descriptor: The following listing shows the complete deployment descriptor used for this example, followed by a quick explanation.

   <?xml version="1.0" encoding="UTF-8"?>
   <web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
   <display-name>Java5Security</display-name>
   
   <servlet>
    <description></description>
    <display-name>SecurityServlet</display-name>
    <servlet-name>SecurityServlet</servlet-name>
    <servlet-class>servlets.SecurityServlet</servlet-class>
       <security-role-ref>
         <role-name>emp</role-name>
         <role-link>employee</role-link>
       </security-role-ref>
   </servlet>
   <servlet-mapping>
    <servlet-name>SecurityServlet</servlet-name>
    <url-pattern>/securityServlet</url-pattern>
   </servlet-mapping>
   
   <login-config>
    <auth-method>FORM</auth-method>
     <realm-name>file</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
   </login-config>
   
   <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>guest</role-name>
      <role-name>employee</role-name>
    </auth-constraint>
   </security-constraint>
   
   <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>employee</role-name>
    </auth-constraint>
   </security-constraint>
   <!-- Security roles referenced by this web application -->
   <security-role>
    <role-name>guest</role-name>
   </security-role>
   <security-role>
    <role-name>employee</role-name>
   </security-role>
   
   <welcome-file-list>
    <welcome-file>index.html</welcome-file>
   </welcome-file-list>
   </web-app>
   

   WEB-INF/web.xml
   • In the servlet declaration, the <security-role-ref> element maps the rolename used in the servlet to role declared in the deployment descritpor (this is needed only when the role declared in the deployment descriptor is different from the role used in the servlet (employee and emp)).
   • In the login-config, the <realm-name> element is used to declare the realm in which authentication takes place
   • Realms: A realm is a database of users and groups that identify valid users of a Web application and are controlled by the same authentication policy. Three realms, file, admin-realm, and certificate realms come preconfigured in Glassfish Application Server. For this example I use the file realm, where the user credentials are stored locally in a file.
2. Mapping Roles to Users/Groups in Security Realm: In order to map the roles used in the application to the users defined in the security realm, you have to add the role mappings in the WEB-INF/sun-web.xml. The file is shown below.

   <?xml version="1.0" encoding="UTF-8"?>
   <!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 8.1 Servlet 2.4//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_2_4-1.dtd">
   <sun-web-app>
   <context-root>/Java5Security</context-root>
     <security-role-mapping>
       <role-name>guest</role-name>
       <principal-name>newguest</principal-name>
     </security-role-mapping>
     <security-role-mapping>
       <role-name>employee</role-name>
       <principal-name>newemployee</principal-name>
     </security-role-mapping>
   </sun-web-app>

   WEB-INF/sun-web.xml
3. The Servlet: The following is a listing of the servlet used for this example

   package servlets;
   
   import java.io.IOException;
   import java.io.PrintWriter;
   
   import javax.annotation.security.DeclareRoles;
   import javax.servlet.ServletException;
   import javax.servlet.http.HttpServletRequest;
   import javax.servlet.http.HttpServletResponse;
   
   @DeclareRoles("emp")
   public class SecurityServlet extends javax.servlet.http.HttpServlet implements
    javax.servlet.Servlet {
   
   public SecurityServlet() {
    super();
   }
   
   protected void service(HttpServletRequest request,
      HttpServletResponse response) throws ServletException, IOException {
    PrintWriter out = response.getWriter();
       if (request.isUserInRole("emp"))
   
      out.println(request.getUserPrincipal() + " is an Authorized User");
    else
      out.println(request.getUserPrincipal() + " is not an Authorized to see this page.");
   }
   }

   SecurityServlet.java
   • The @DeclareRoles annotation is used to define the security roles in the application. This annotation is specified on a class, and it typically would be used to define roles that could be tested (i.e., by calling isUserInRole) from within the methods of the annotated class.
   • The isUserInRole() method is from J2EE.
4. The login page: The following is the listing for the login.jsp page. There is nothing new here.

   <%@ taglib prefix='c' uri='http://java.sun.com/jstl/core'%>
   <html>
   <head>
   <title>Login</title>
   </head>
   
   <body>
   <h1>Login</h1>
   
   <h2>Hello, please login:</h2>
   <br>
   <br>
   <form action="j_security_check" method=post>
   <table>
   <tr>
   <td>User:</td>
   <td><input type="text" name="j_username" size="25"></td>
   </tr>
   <tr>
   <td>Password:</td>
   <td><input type='password' name='j_password'></td>
   </tr>
   
   <tr>
   <td colspan='2'><input name="submit" type="submit"></td>
   </tr>
   <tr>
   <td colspan='2'><input name="reset" type="reset"></td>
   </tr>
   </table>
   
   </form>
   </body>
   </html>

   /login.jsp
5. The index.jsp and error.jsp could be any JSP page
6. This post did not describe how to logout. But that has been discussed earlier in the Form-based Authentication Logout post.

Spring Security with Acegi Security

Acegi Security provides a comprehensive security solution for J2EE-based enterprise software applications, built using the Spring Framework. Acegi provides authentication service through the use of a web filter, an AuthenticationProvider and an AuthenticationEntryPoint. Authorization in Acegi can be done at different levels: authorizing web requests, authorizing which methods can be invoked, and authorizing access to individual domain object instances. In this example I will describe how to implement form-based authentication and URL level authorization using Acegi.
For this example, I use two secure JSPs, the secure/authenticatedusers.jsp file is available to all the authenticated users, and secure/admin/admin.jsp is only available to the users with ADMIN role. The login.jsp is used for login and denied.jsp is used to redirect unauthorized users. Follow these steps to run the example:

1. Download Acegi and Spring.
   
2. Start with a dynamic web project in eclipse.
3. Copy the following Jar files into the WEB-INF/lib directory.

   acegi-security-1.0.3.jar	Main classes of the Acegi security system.
   commons-codec-1.3.jar	Encoders and decoders such as Base64, Hex, Phonetic and URLs.
   ehcache-1.2.3.jar	Used by the authentication provider.
   jstl.jar, standard.jar	The JSTL tag library
   spring.jar	Spring framework
   commons-logging.jar, cglib-nodep-2.1_3.jar	Available in the spring download (spring with dependencies)

4. Create the Login page: The following is a listing for the login page.

   <jsp:root version="1.2" xmlns:jsp="http://java.sun.com/JSP/Page"
   xmlns:c="urn:jsptld:http://java.sun.com/jsp/jstl/core">
   <jsp:directive.page contentType="text/html; charset=UTF-8" />
   <jsp:directive.page
     import="org.acegisecurity.ui.AbstractProcessingFilter, org.acegisecurity.ui.webapp.AuthenticationProcessingFilter, org.acegisecurity.AuthenticationException" />
   <head>
   <title>Login</title>
   </head>
   <body>
   <form action="j_acegi_security_check" method="POST">
     <table>
       <tr>
         <td>User:</td>
           </td><input type='text' name='j_username' />
         </td>
       </tr>
       <tr>
         <td>Password:</td>
         <td><input type='password' name='j_password' /></td>
       </tr>
       <tr>
         <td><input type="checkbox" name="_acegi_security_remember_me" /></td>
         <td>Remember me (14 days)</td>
       </tr>
       <tr><td colspan='2'><input name="submit" type="submit" /></td></tr>
       <tr><td colspan='2'><input name="reset" type="reset" /></td></tr>
     </table>
   </form>
   </body>
   </jsp:root>

   login.jsp
   Notes:
   • The login form uses j_acegi_security_check instead of j_security_check normally used for form-based authentication. Similarly for logout, we use j_acegi_logout action.
   • In order to remember a user for a period of time, use the _acegi_security_remember_me attribute. This is configured in the applicatonContext.xml file(see below).
5. Create the other JSP files: The listings for the JSP pages used for this example are shown below, along with their respective directories.

   <html>
   <body>
   Everyone
   <p><a href="secure/authenticatedusers.jsp">Authenticated users only</a>
   <p><a href="secure/admin/admin.jsp">Admins only</a>
   </body>
   </html>

   index.jsp

   Access Denied.

   denied.jsp

   <%@ page import="org.acegisecurity.context.SecurityContextHolder" %>
   <h1>Welcome: <%= SecurityContextHolder.getContext().getAuthentication().getName() %></h1>
   <p><a href="../">Home</a>
   <p><a href="../j_acegi_logout">Logout</a>

   secure/authenticatedusers.jsp

   <%@ page import="org.acegisecurity.context.SecurityContextHolder" %>
   <h1>Welcome: <%= SecurityContextHolder.getContext().getAuthentication().getName() %> is an Admin</h1>
   <p><a href="../../">Home</a>
   <p><a href="../../j_acegi_logout">Logout</a>
   </body>
   </html>

   secure/admin/admin.jsp
6. The users.properties file: This example uses an in memory user registry and the WEB-INF/users.properties file is used to store the usernames and passwords.

   scott=tiger,ROLE_USER
   harry=potter,ROLE_ADMIN
   frodo=baggins,ROLE_USER

   WEB-INF/users.properties
7. Configure the Acegi filter in the Web deployment descriptor: The web.xml file is shown below

   <?xml version="1.0" encoding="UTF-8"?>
   <web-app id="WebApp_ID" version="2.4"
    xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <display-name>SpringSecurity</display-name>
   
      <filter>
          <filter-name>Acegi Filter Chain Proxy</filter-name>
          <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
          <init-param>
              <param-name>targetClass</param-name>
              <param-value>org.acegisecurity.util.FilterChainProxy</param-value>
          </init-param>
      </filter>
   
     <filter-mapping>
       <filter-name>Acegi Filter Chain Proxy</filter-name>
       <url-pattern>/*</url-pattern>
     </filter-mapping>
   
    <listener>
     <listener-class>
      org.springframework.web.context.ContextLoaderListener
     </listener-class>
    </listener>
   
    <welcome-file-list>
     <welcome-file>index.html</welcome-file>
     <welcome-file>index.htm</welcome-file>
     <welcome-file>index.jsp</welcome-file>
     <welcome-file>default.html</welcome-file>
     <welcome-file>default.htm</welcome-file>
     <welcome-file>default.jsp</welcome-file>
    </welcome-file-list>
   </web-app>
   

   web.xml
8. Configure Acegi in applicationContext.xml file: The following is a listing of the WEB-INF/applicationContext.xml file, followed be explanations of the different beans defined in there.

   <?xml version="1.0" encoding="UTF-8"?>
   <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
   
   <beans>
   
   <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
     <property name="filterInvocationDefinitionSource">
       <value>
         CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
         PATTERN_TYPE_APACHE_ANT
         /**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
       </value>
     </property>
   </bean>
   
   <bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"/>
   
   <bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter">
     <constructor-arg value="/index.jsp"/>
     <constructor-arg>
       <list>
         <ref bean="rememberMeServices"/>
         <bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler"/>
       </list>
     </constructor-arg>
   </bean>
   
   <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
     <property name="authenticationManager" ref="authenticationManager"/>
     <property name="authenticationFailureUrl" value="/login.jsp?errorId=1"/>
     <property name="defaultTargetUrl" value="/"/>
     <property name="filterProcessesUrl" value="/j_acegi_security_check"/>
     <property name="rememberMeServices" ref="rememberMeServices"/>
   </bean>
   
   <bean id="securityContextHolderAwareRequestFilter" class="org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter"/>
   
   <bean id="rememberMeProcessingFilter" class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter">
     <property name="authenticationManager" ref="authenticationManager"/>
     <property name="rememberMeServices" ref="rememberMeServices"/>
   </bean>
   
   <bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
     <property name="key" value="changeThis"/>
     <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
   </bean>
   
   <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
     <property name="authenticationEntryPoint">
       <bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
         <property name="loginFormUrl" value="/login.jsp"/>
         <property name="forceHttps" value="false"/>
       </bean>
     </property>
     <property name="accessDeniedHandler">
       <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
         <property name="errorPage" value="/denied.jsp"/>
       </bean>
     </property>
   </bean>
   
   <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
     <property name="authenticationManager" ref="authenticationManager"/>
     <property name="accessDecisionManager">
       <bean class="org.acegisecurity.vote.AffirmativeBased">
         <property name="allowIfAllAbstainDecisions" value="false"/>
         <property name="decisionVoters">
           <list>
             <bean class="org.acegisecurity.vote.RoleVoter"/>
             <bean class="org.acegisecurity.vote.AuthenticatedVoter"/>
           </list>
         </property>
       </bean>
     </property>
     <property name="objectDefinitionSource">
       <value>
         CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
         PATTERN_TYPE_APACHE_ANT
         /secure/admin/**=ROLE_ADMIN
         /secure/**=IS_AUTHENTICATED_REMEMBERED
         /**=IS_AUTHENTICATED_ANONYMOUSLY
       </value>
     </property>
   </bean>
   
   <bean id="rememberMeServices" class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
     <property name="userDetailsService" ref="userDetailsService"/>
     <property name="tokenValiditySeconds" value="1800"></property>
     <property name="key" value="changeThis"/>
   </bean>
   
   <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
     <property name="providers">
       <list>
         <ref local="daoAuthenticationProvider"/>
         <bean class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
           <property name="key" value="changeThis"/>
         </bean>
         <bean class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
           <property name="key" value="changeThis"/>
         </bean>
       </list>
     </property>
   </bean>
   
   <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
     <property name="userDetailsService" ref="userDetailsService"/>
     <property name="userCache">
       <bean class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
         <property name="cache">
           <bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
             <property name="cacheManager">
               <bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
             </property>
             <property name="cacheName" value="userCache"/>
           </bean>
         </property>
       </bean>
     </property>
   </bean>
   
   <bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
     <property name="userProperties">
       <bean class="org.springframework.beans.factory.config.PropertiesFactoryBean">
         <property name="location" value="/WEB-INF/users.properties"/>
       </bean>
     </property>
   </bean>
   
   <bean id="loggerListener" class="org.acegisecurity.event.authentication.LoggerListener"/>
   
   </beans>

   WEB-INF/applicationContext.xml
   1. FilterChainProxy: Delegates Filter requests to a list of Spring-managed beans.
   2. HttpSessionContextIntegrationFilter: Populates the SecurityContextHolder with information obtained from the HttpSession.
   3. LogoutFilter: Logs a principal out.
   4. AuthenticationProcessingFilter: Processes an authentication form.
   5. SecurityContextHolderAwareRequestFilter: A Filter which populates the ServletRequest with a new request wrapper.
   6. RememberMeProcessingFilter: Detects if there is no Authentication object in the SecurityContext, and populates it with a remember-me authentication token if a RememberMeServices implementation so requests.
   7. AnonymousProcessingFilter: Detects if there is no Authentication object in the SecurityContextHolder, and populates it with one if needed.
   8. AnonymousProcessingFilter: Detects if there is no Authentication object in the SecurityContextHolder, and populates it with one if needed.
   9. ExceptionTranslationFilter: Handles any AccessDeniedException and AuthenticationException thrown within the filter chain.
   10. AuthenticationProcessingFilterEntryPoint: Used by the SecurityEnforcementFilter to commence authentication via the AuthenticationProcessingFilter. This object holds the location of the login form, relative to the web app context path, and is used to commence a redirect to that form.
   11. AccessDeniedHandlerImpl: Used by ExceptionTranslationFilter to handle an AccessDeniedException.
   12. FilterSecurityInterceptor: Performs security handling of HTTP resources via a filter implementation.
   13. TokenBasedRememberMeServices: Identifies previously remembered users by a Base-64 encoded cookie.
   14. DaoAuthenticationProvider: An AuthenticationProvider implementation that retrieves user details from an UserDetailsService.
   15. InMemoryDaoImpl: Retrieves user details from an in-memory list created by the bean context.

Configuring LDAP in Weblogic

WebLogic Server does not support or certify any particular LDAP servers. Any LDAP v2 or v3 compliant LDAP server should work with WebLogic Server. The LDAP Authentication providers in this release of WebLogic Server (v9.2) are configured to work readily with the SunONE (iPlanet), Active Directory, Open LDAP, and Novell NDS LDAP servers. You can use an LDAP Authentication provider to access other types of LDAP servers. Choose either the LDAP Authentication provider (LDAPAuthenticator) or the existing LDAP provider that most closely matches the new LDAP server and customize the existing configuration to match the directory schema and other attributes for your LDAP server. The server comes with the following Authentication Providers, which help to configure different LDAP servers

• iPlanet Authentication provider
• Active Directory Authentication provider
• Open LDAP Authentication provider
• Novell Authentication provider
• generic LDAP Authentication provider

Follow these steps to configure LDAP in Weblogic:

1. Choose an LDAP Authentication provider that matches your LDAP server and create an instance of the provider in your security realm.
   
2. Configure the provider-specific attributes of the LDAP Authentication provider, which you can do through the Administration Console. For each LDAP Authentication provider, there are attributes that:
   1. Enable communication between the LDAP server and the LDAP Authentication provider. For a more secure deployment, BEA recommends using the SSL protocol to protect communications between the LDAP server and WebLogic Server. Enable SSL with the SSLEnabled attribute.
   2. Configure options that control how the LDAP Authentication provider searches the LDAP directory.
   3. Specify where in the LDAP directory structure users are located.
   4. Specify where in the LDAP directory structure groups are located.
   5. Define how members of a group are located.
3. Configure performance options that control the cache for the LDAP server. Use the Configuration: Provider Specific and Performance pages for the provider in the Administration Console to configure the cache.
   

FAILOVER
You can configure an LDAP provider to work with multiple LDAP servers and enable failover if one LDAP server is not available. For this, Change the Host attribute in the security_realm > Providers > provider_specific page, to contain a list of hostnames and ports (localhost:389, remotehost:389). When using failover, the Parallel Connect Delay and Connection Timeout attributes have to be set for the LDAP Authentication provider:

• Parallel Connect Delay—Specifies the number of seconds to delay when making concurrent attempts to connect to multiple servers. An attempt is made to connect to the first server in the list. The next entry in the list is tried only if the attempt to connect to the current host fails. This setting might cause your application to block for an unacceptably long time if a host is down. If the value is greater than 0, another connection setup thread is started after the specified number of delay seconds has passed. If the value is 0, connection attempts are serialized.
• Connection Timeout—Specifies the maximum number of seconds to wait for the connection to the LDAP server to be established. If the set to 0, there is no maximum time limit and WebLogic Server waits until the TCP/IP layer times out to return a connection failure. Set to a value over 60 seconds depending upon the configuration of TCP/IP.

NOTE
If an LDAP Authentication provider is the only configured Authentication provider for a security realm, you must have the Admin role to boot WebLogic Server and use a user or group in the LDAP directory. You can either create an Administrators group in the LDAP directory, and include your user in that group, or use an existing group and add the group to the admin role in the WebLogic Administration Console. For more information refer to Weblogic documentation: Configuring LDAP providers.

Weblogic Security

WebLogic Security Framework provides a simplified application programming interface (API) that can be used by security and application developers to define security services. WebLogic Security Framework also acts as an intermediary between the WebLogic containers (Web and EJB), the Resource containers, and the security providers. In this post, I describe a few concepts and features available in Weblogic Server 9.2 for authentication and authorization and auditing.
Authentication
Authentication is the process of determining whether the client who it claims to be. Generally, authentication is accomplished by the client sending credentials (username/password, certificate, security token etc.) and the server verifying the credentials. WebLogic uses the authentication classes of the Java Authentication and Authorization Service (JAAS), for authentication.
Identity Assertion
Weblogic also supports the concept of perimeter-based authentication, where the actual authentication process occurs at an application perimeter such as a Web server, firewall, or VPN, and outside of WebLogic Server. The perimeter authentication provider then asserts the identity to the Weblogic server using different "Security token types" (e.g., Microsoft Passport, SAML Assertions, or tokens from third-party commercial authentication products). The "security tokens" are validated by the Weblogic Server, which then assigns a username to the token. This username is used by the authentication providers to populate the "Subject" that will be used in authorization. IBM WebSphere implements this by the use of Trust Association Interceptors. WebLogic Server 's support for perimeter-based authentication supports the ability to propagate security tokes over multiple protocols, such as HTTP, and IIOP-CSIv2 (used for EJB layer security).
Authorization
Authorization phase determines if the user has access to the requested application resource. Authorization in Weblogic is divided in to two steps

1. Decision
2. Adjudication (Enforce)
   

Decision
In this step, the WebLogic Security Framework uses the request parameters and user information to determine the roles associated with the user (for this the security framework uses the configured Role Mapping Providers). Based on the user's roles, the Authorization provider determines whether the subject is entitled to access the requested resource i.e the Authorization provider makes the Access Decision. If there are multiple Authorization providers configured, the WebLogic Security Framework delegates the job of reconciling any conflicts in the Access Decisions to the Adjudication provider
Adjudication
The Adjudication provider is required to tally the multiple Access Decisions and render a verdict. The Adjudication provider returns either a TRUE or FALSE verdict to the Authorization providers, which forward it to the resource container through the WebLogic Security Framework.

• If the decision is TRUE, the resource container dispatches the request to the protected WebLogic resource.
• If the decision is FALSE, the resource container throws a security exception that indicates that the requestor was not authorized to perform the requested access on the protected WebLogic resource.

Auditing
The auditing process is initiated when a resource container passes a user's authentication information to the WebLogic Security Framework as part of a login request. If, in addition to providing authentication services, the Authentication provider is designed to post audit events, the Authentication provider instantiates an AuditEvent object. The AuditEvent object includes information such as the event type and an audit severity level. The Authentication provider then calls the Auditor Service in the WebLogic Security Framework, passing in the AuditEvent object. The Auditor Service passes the AuditEvent object to the configured Auditing providers' runtime classes, enabling audit event recording. Depending on the Auditing provider implementation, audit records may be written to a file, a database, or some other persistent storage medium.

Weblogic: SSO with Windows

An increasing number of intranet-based applications are requiriong Single sign-on (SSO) with between Windows clients (web browser, .NET application etc.) and Java EE servers. The last time, I blogged SSO with IBM WebSphere application server and Windows. To implement this feature, the Microsoft clients must use Windows authentication based on the Simple and Protected Negotiate (SPNEGO) mechanism.

Cross-platform authentication is achieved by emulating the negotiate behavior of native Windows-to-Windows authentication services that use the Kerberos protocol. In order for cross-platform authentication to work, non-Windows servers (WebSphere/WebLogic Servers) need to parse SPNEGO tokens in order to extract Kerberos tokens which are then used for authentication. This post gives a brief overview of the requirements and steps to setup SSO with Windows in Weblogic and provides the resources for further reference:
Requirements
Server

• Windows 2000 or later installed
• Fully-configured Active Directory authentication service.
• WebLogic Server installed and configured properly to authenticate through Kerberos

Client

• Windows 2000 Professional SP2 or later installed
• One of the following types of clients:
  • A properly configured Internet Explorer browser. Internet Explorer 6.01 or later is supported.
  • .NET Framework 1.1 and a properly configured Web Service client.
• Clients must be logged on to a Windows 2000 domain and have Kerberos credentials acquired from the Active Directory server in the domain. Local logons will not work.

Main Steps for Congifuration
Configuring SSO with Microsoft clients requires set-up procedures in the Microsoft Active Directory, the client, and the WebLogic Server domain.

• Define a principal in Active Directory to represent the WebLogic Server. The Kerberos protocol uses the Active Directory server in the Microsoft domain to store the necessary security information.
• Any Microsoft client you want to access in the Microsoft domain must be set up to use Windows Integrated authentication, sending a Kerberos ticket when available.
• In the security realm of the WebLogic Server domain, configure a Negotiate Identity Assertion provider. The Web application or Web Service used in SSO needs to have authentication set in a specific manner. A JAAS login file that defines the location of the Kerberos identification for WebLogic Server must be created.

To configure SSO with Microsoft clients:

1. Configure your network domain to use Kerberos.
2. Create a Kerberos identification for WebLogic Server.
1. Create a user account in the Active Directory for the host on which WebLogic Server is running.
2. Create a Service Principal Name for this account.
3. Create a user mapping and keytab file for this account.
3. Choose a Microsoft client (either a Web Service or a browser) and configure it to use Windows Integrated authentication.
4. Set up the WebLogic Server domain to use Kerberos authentication.
1. Create a JAAS login file that points to the Active Directory server in the Microsoft domain and the keytab file created in Step 1.
2. Configure a Negotiate Identity Assertion provider in the WebLogic Server security realm.
5. Start WebLogic Server using specific start-up arguments.

References

• Weblogic Documentation: Configuring Single Sign-On with Microsoft Clients
• Weblogic Documentation: Weblogic Security Service Architecture
• SSO with SPNEGO (articles on appliedcrypto)

Oracle: Transparent Data Encryption

Oracle transparent data encryption (available from 10g Release 2) enables you to encrypt database columns and manage encryption keys. Transparent data encryption can be used to protect confidential data such as credit card and social security numbers. An application that processes sensitive data can use this feature to provide strong data encryption with little or no change to the application. Transparent data encryption is a key-based access control system. When a table contains encrypted columns, a single key is used regardless of the number of encrypted columns. The keys for all tables containing encrypted columns are encrypted with the database server master key and stored in a dictionary table in the database. No keys are stored in the clear. Follow these steps to implement encryption on the Database side.

1. Set the Master Encryption Key by issuing the following command

   ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY password

No database columns can be encrypted wihtout setting the master encryption key first. This command automatically creates an oracle wallet and sets the password for the wallet. The wallet is also opened as a result of this command. Note that there must be a directory $ORACLEBASE/admin/$ORACLESID otherwise you will ge an error

ORA-28368: cannot auto-create wallet error

2. Open the wallet: The wallet must be opened explicitly after the database instance starts. When you create the wallet you also open the wallet for operation. After you create the wallet and set the password, every time you open the database, you'll have to open the wallet using the same password as follows:

   alter system set encryption wallet open authenticated by password;

   You can close the wallet like this:

   alter system set encryption wallet close;

   The wallet must be open for Transparent Data Encryption to work. If the wallet is closed, you can access all nonencrypted columns, but not encrypted columns (you will get a "wallet not open" error).
3. Create a table using CREATE TABLE as shown below

     CREATE TABLE "SCOTT"."ACCOUNT"
     ( "ACCOUNTID" VARCHAR2(40 BYTE),
    "NAME" VARCHAR2(40 BYTE),
    "SSN" VARCHAR2(40 BYTE)
     ) ;

4. Encrypt the columns: A column can be encrypted by altering the table with the following command
   The default algorithm for encryption is AES with 192-bit key. This can be changed to any other with the "using" clause added after encrypt, as shown below

   alter table accounts modify (ssn encrypt using 'AES128'); 

   Some other encryption algorithms that can be used are AES128, AES192, AES256, or 3DES168.

Do not, use transparent data encryption with these database features:

• Index types other than B-tree
• Range scan search through an index
• Large object datatypes such as BLOB and CLOB
• Original import/export utilities
• Other database tools and utilities that directly access data files

For further information refer to Oracle Advanced security administrator's guide.

Java 6: Native Platform Security

The Java Platform, Standard Edition (Java SE) provides application developers with a large set of security APIs, tools, and implementations of commonly used security algorithms, mechanisms, and protocols. A new article article titled "Leveraging Security in the Native Platform Using Java SE 6 Technology" discusses important enhancements on the native security integration using JDK 6, to enable the Java developer use the enhancements to native platforms such as, cryptographic accelerators, secure key management etc. The enhancements to provided in Java 6 include:

• Access Microsoft CryptoAPI and Its Cryptographic Services: On the Microsoft (MS) Windows operating system, the MS CryptoAPI (CAPI) defines a standard interface for performing cryptographic operations as well as accessing the user keys and certificates that Windows manages. The SunMSCAPI provider is layered on top of CAPI and helps Java platform applications access CAPI cryptographic services to Access private keys and certificates stored in CAPI and Use CAPI's cryptographic algorithm implementations
• Access PKCS#11 Cryptographic Services: PKCS#11, the Cryptographic Token Interface Standard, defines native programming interfaces to cryptographic tokens such as hardware cryptographic accelerators and smart cards. This means that Java platform applications (from JDK 5) can use existing security and cryptography APIs in the Java platform to access
  • Cryptographic smart cards for added security
  • Hardware cryptographic accelerators for better performance
  • Software implementations for more algorithms or for meeting certification requirements
• Access Native GSS-API: The Generic Security Services API (GSS-API) defines a generic security API atop a variety of underlying cryptographic mechanisms including Kerberos version 5. With GSS-API, applications can authenticate a principal, delegate its rights to a peer, and apply security services such as confidentiality and integrity on a per-message basis.
• Import and Export PKCS#12 Keystores: PKCS#12, the Personal Information Exchange Syntax Standard, defines a portable format for storing or transporting personal identity information, including private keys, certificates, and so on. This enables users to share their personal identity information among applications that support this standard. In particular, user credentials that browsers generate can be exported in PKCS#12 format and accessed and used by Java platform applications.

References:

• Leveraging Security in the Native Platform Using Java SE 6 Technology
• Java Security Overview
• Java Cryptography Architecture API Specification and Reference Guide
• Java Secure Socket Extension (JSSE) Reference Guide
• Java PKCS#11 Reference Guide
• Default Policy Implementation and Policy File Syntax
• Java GSS API (RFC 2853)
• Introduction to JAAS and Java GSS-API Tutorials
• Single Sign-on Using Kerberos in Java
• Java SASL API Programming and Deployment Guide

Notes: Declarative Authentication in JEE

A Java EE web-application can be configured to restrict access to resources via the deployment descriptor (web.xml). Authentication does not need any programming, as it is handled by the container (provided it is properly configured). Here are two ways to implement declarative authentication in Java EE web applications:
Basic Authentication
The web.xml snippet below uses BASIC authentication:

Form Authentication
In the snippet below, the section has been changed to use FORM authentication. This will require an additional login form to be created with j_security_check as it's action.

The following is the sample form:

Other possible values for are DIGEST and CLIENT-CERT.The value of essentially defines whether SSL is required or not. If the value is INTEGRAL or CONFIDENTIAL, then you can assume that an https request is required to access the resource.

Using jCIFS for Authentication

JCIFS is an Open Source client library that implements the CIFS/SMB networking protocol in 100% Java. CIFS is the standard file sharing protocol on the Microsoft Windows platform (e.g. Map Network Drive ...). This client is used extensively in production on large Intranets. The JCIFS SMB client library enables Java applications to remotely access shared files and directories on SMB file servers(i.e. a Microsoft Windows "share") in addition to domain, workgroup, and server enumeration of NetBIOS over TCP/IP networks. It is an advanced implementation of the CIFS protocol supporting Unicode, batching, multiplexing of threaded callers, encrypted authentication, transactions, the Remote Access Protocol (RAP), and much more. It is licensed under LGPL which means commercial organizations can legitimately use it with their proprietary code(you just can't sell or give away a modified binary only version of the library itself without reciprocation). While the core library is for implementing File Sharing, we can also use it for authentication using LDAP. The following are a sequence of steps to setup jCIFS for authentication:

1. Download jCIFS from the site.
2. The following three lines of code are enough to check authentication

   UniAddress uniaddress = UniAddress.getByName(LDAP_Host_Name);
   NtlmPasswordAuthentication ntlmpasswordauthentication = new NtlmPasswordAuthentication(domain, username, password);
   SmbSession.logon(uniaddress, ntlmpasswordauthentication);
   

If the authentication fails, then the logon method throws an exception.

This type of authentication can also be achieved by using JNDI, jCIFS adds more to this, i.e. jCIFS supports NTLM authentication, i.e. users within the domain are not challenged for username and password (if using Internet Explorer, Firefox always prompts for password). This feature is similar to the SPNEGO TAI provided with WebSphere Application server. To know how to setup NTLM authentication with jCIFS, visit the JCIFS NTLM HTTP Authentication page.