[teiid-commits] teiid SVN: r3540 - in trunk: runtime/src/main/java/org/teiid/transport and 1 other directories.

teiid-commits at lists.jboss.org
Thu Oct 6 21:33:47 EDT 2011


Author: shawkins
Date: 2011-10-06 21:33:47 -0400 (Thu, 06 Oct 2011)
New Revision: 3540

Modified:
   trunk/documentation/admin-guide/src/main/docbook/en-US/content/security.xml
   trunk/runtime/src/main/java/org/teiid/transport/SSLConfiguration.java
   trunk/runtime/src/test/java/org/teiid/transport/TestCommSockets.java
Log:
TEIID-1772 refining cipher suite logic TEIID-1749 expanding the admin guide on login modules

Modified: trunk/documentation/admin-guide/src/main/docbook/en-US/content/security.xml
===================================================================
--- trunk/documentation/admin-guide/src/main/docbook/en-US/content/security.xml	2011-10-06 21:06:06 UTC (rev 3539)
+++ trunk/documentation/admin-guide/src/main/docbook/en-US/content/security.xml	2011-10-07 01:33:47 UTC (rev 3540)
@@ -87,24 +87,80 @@
                 The default name of JDBC connection's security-domain is "teiid-security". The default name for Admin connection
                 is "jmx-console". For the Admin connection's security domain, the user is allowed
                 to change which LoginModule that "jmx-console" pointing to, however should not change the name of the domain, as this name is
-                shared between the "admin-console" application.</para>
+                shared between the "admin-console" application.  In existing installations an appropriate security domain may already be configured for use by administrative clients (typically "jmx-console").
+		In this case it may be perfectly valid to reuse this existing security domain instead of creating a new teiid-security security domain.</para>
         </note>    
 			
 		<section>
 			<title>Built-in LoginModules</title>
-			<para>JBossAS provides several LoginModules for common authentication needs, such as authenticating from text files or LDAP.</para>
-			<para>The UsersRolesLoginModule, which utilizes simple text files
-				to authenticate users and to define
-				their groups.  The teiid-jboss-beans.xml configuration file contains an example of how to use UsersRolesLoginModule.  
-				Note that this is typically not for production use and is strongly recommended that you replace this login module. Please 
-                also note that, you can install multiple login modules as part of single security domain configuration and configure them 
+			<para>JBossAS provides several LoginModules for common authentication needs, such as authenticating from a <xref linkend="text-login"/> or a <xref linkend="ldap-login"/>.</para>
+			<para>You can install multiple login modules as part of single security domain configuration and configure them 
                 to part of login process. For example, for "teiid-security" domain, you can configure a file based and also LDAP based login modules, 
-                and have your user authenticated with either both or single login module.  
+                and have your user authenticated with either or both login modules.  If you want to write your own custom login module, check out the Developer's Guide for instructions.  
 	        </para>
-	        <para>See <ulink url="http://community.jboss.org/docs/DOC-11253">LDAP LoginModule configuration</ulink> for utilizing LDAP based authentication.
-            If you want write your own Custom Login module, check out the Developer's Guide for instructions.
-	        </para>
+
+		<section id="text-login">
+			<title>Text Based LoginModule</title>
+			<para>The UsersRolesLoginModule utilizes simple text files to authenticate users and to define their groups.  
+The teiid-jboss-beans.xml configuration file contains an example of how to use UsersRolesLoginModule.  
+<note><para>The UsersRolesLoginModule is not recommended for production use and is strongly recommended that you replace this login module.</para></note>
+			</para>
+			<para>User names and passwords are stored in the &lt;profile&gt;conf/props/teiid-security-users.properties file.
+<example><title>Example user.properties file</title>
+<programlisting><![CDATA[# A users.properties file for use with the UsersRolesLoginModule
+# username=password
+
+fred=password
+george=password
+...]]></programlisting></example>
+
+JAAS role assignments are stored in the &lt;profile&gt;conf/props/teiid-security-roles.properties file.
+<example><title>Example user.properties file</title>
+<programlisting><![CDATA[# A roles.properties file for use with the UsersRolesLoginModule
+# username=role1,role2,...
+
+data_role_1=fred,sally
+data_role_2=george
+]]></programlisting></example>
+
+User and role names are entirely up to the needs of the given deployment.  For example each application team can set their own security constraints for their VDBs, by mapping their VDB data roles to application specific JAAS roles, e.g. app_role_1=user1,user2,user3.
+<note><para>Teiid data roles names are independent of JAAS roles.  VDB creators can choose whatever name they want for their data roles, which are then mapped at deployment time to JAAS roles.</para></note>
+</para>
 		</section>
+
+			<section id="ldap-login">
+				<title>LDAP Based LoginModule</title>
+				<para>See <ulink url="http://community.jboss.org/docs/DOC-11253">LDAP LoginModule configuration</ulink> for the AS community guide.  The following are streamlined installation instruction.
+					<orderedlist>
+						<listitem><para>If using SSL to the LDAP server, ensure that the Corporate CA Certificate is added to the JRE trust store.</para>
+						</listitem>
+	
+						<listitem><para>Include LDAP LoginModule in the JAAS Configuration</para>
+						<para>Configure LDAP authentication by editing &lt;profile&gt;conf/login-config.xml.  If you wish to configure specifically for teiid, then the security domain teiid-security will need to be created/altered.
+						In new installations the more likely option is that you want to configure LDAP based authentication for the AS itself by modifying the "jmx-console" security domain.
+						You could do one of the following for Teiid:
+						<itemizedlist>
+						 	<listitem>
+						 	<para>Reuse the jmx-console (or whatever name you choose) security domain for Teiid by changing the teiid configuration &jboss-beans; to point to jmx-console, rather than teiid-security.
+						 	</para>
+						 	</listitem>
+						 	<listitem>
+						 	<para>Follow the same steps to configure an LDAP security domain named teiid-security.
+						 	</para>
+						 	</listitem>
+						 	<listitem>
+						 	<para>Leave Teiid to use the default file based LoginModule secuirty domain or create an entirely custom security domain configuration.
+						 	</para>
+						 	</listitem>
+						</itemizedlist>
+						</para></listitem>
+						<listitem><para>Obscure the LDAP Password</para><para>Finally, protect the password following <ulink url="http://docs.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/Using_LdapExtLoginModule_with_JaasSecurityDomain.html">these instructions.</ulink>
+						Note that the salt must be 8 chars andd see also http://community.jboss.org/message/137756#137756 for more on securing passwords.
+						</para></listitem>
+					</orderedlist>
+				</para>
+			</section>
+		</section>
         
         <section>
             <title>Kerberos support through GSSAPI</title>
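Review bot: the second example title in this hunk is wrong: the roles listing is titled "Example user.properties file" but shows a roles.properties file (and the first title should read "users.properties" to match the file it shows); retitle them to "Example users.properties file" and "Example roles.properties file". Two spelling errors in the new text should also be fixed: "secuirty domain" in the third itemized option and "8 chars andd see also" in the last ordered list item, and "streamlined installation instruction" should be "instructions". A comment on the roles example is also misleading: the line "# username=role1,role2,..." describes a user-to-roles mapping, while the entries below ("data_role_1=fred,sally") map a role to users, so the comment should read "# role=user1,user2,...".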
@@ -389,7 +445,7 @@
             public key for the client. Depending upon how you created the keystore and truststores, 
             this may be same file as defined under  "keystoreFilename" property.</para></listitem>
             <listitem><para>truststorePassword - password for the truststore. </para></listitem>
-            <listitem><para>enabledCipherSuites - A comma separated list of cipher suites allowed for encryption between server and client</para></listitem>
+            <listitem><para>enabledCipherSuites - A comma separated list of cipher suites allowed for encryption between server and client.  The values must be valid supported cipher suites otherwise SSL connections will fail.</para></listitem>
            </itemizedlist>  
       	<section id="ssl_auth">
       		<title>SSL Authentication Modes</title>
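Review bot: the enabledCipherSuites description should also say that the value is ignored when the authentication mode is anonymous, since the SSLConfiguration change in this same commit now unconditionally sets only the anonymous suite in that branch. It should also state that the list is split on bare commas with no whitespace trimming, because the new setEnabledCipherSuites implementation is a plain split(","), so a value like "A, B" would pass " B" through and trigger exactly the "SSL connections will fail" outcome this sentence warns about.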

Modified: trunk/runtime/src/main/java/org/teiid/transport/SSLConfiguration.java
===================================================================
--- trunk/runtime/src/main/java/org/teiid/transport/SSLConfiguration.java	2011-10-06 21:06:06 UTC (rev 3539)
+++ trunk/runtime/src/main/java/org/teiid/transport/SSLConfiguration.java	2011-10-07 01:33:47 UTC (rev 3540)
@@ -24,9 +24,7 @@
 
 import java.io.IOException;
 import java.security.GeneralSecurityException;
-import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.StringTokenizer;
 
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
@@ -90,7 +88,7 @@
             if (!(Arrays.asList(result.getSupportedCipherSuites()).contains(SocketUtil.ANON_CIPHER_SUITE))) {
             	throw new GeneralSecurityException(RuntimePlugin.Util.getString("SSLConfiguration.no_anonymous")); //$NON-NLS-1$
             }
-            result.setEnabledCipherSuites(this.enabledCipherSuites == null?new String[] {SocketUtil.ANON_CIPHER_SUITE}:this.enabledCipherSuites);
+            result.setEnabledCipherSuites(new String[] {SocketUtil.ANON_CIPHER_SUITE});
         } else {
         	if (this.enabledCipherSuites != null) {
         		result.setEnabledCipherSuites(this.enabledCipherSuites);
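Review bot: this hunk silently discards a user-configured enabledCipherSuites in anonymous mode; if that is intended (the anonymous suite is the only one that makes sense without certificates), log a warning when this.enabledCipherSuites is non-null so an operator understands why their setting had no effect. Separately, the else branch passes the configured names straight to setEnabledCipherSuites with no check against getSupportedCipherSuites(), so a typo surfaces as an IllegalArgumentException from the JSSE layer rather than a clear configuration error; mirroring the supported-suite check already done for the anonymous suite just above and throwing a GeneralSecurityException naming the bad suite would give a much better failure message.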
@@ -150,14 +148,10 @@
     }
     
 	public void setEnabledCipherSuites(String enabledCipherSuites) {
-		ArrayList<String> ciphers = new ArrayList<String>();
-		StringTokenizer st = new StringTokenizer(enabledCipherSuites);
-		while(st.hasMoreTokens()) {
-			ciphers.add(st.nextToken().trim());
-		}
-		
-		if (!ciphers.isEmpty()) {
-			this.enabledCipherSuites = ciphers.toArray(new String[ciphers.size()]);
-		}
+		this.enabledCipherSuites = enabledCipherSuites.split(","); //$NON-NLS-1$
 	}    
+	
+	public String[] getEnabledCipherSuites() {
+		return enabledCipherSuites;
+	}
 }
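Review bot: the new split(",") is a regression from the removed StringTokenizer loop in two ways: it no longer trims whitespace around each name, so "A, B" yields " B", and it no longer drops empty tokens, so a trailing comma or an empty string yields "" as a suite name; both lead to a rejected cipher suite at connect time. Consider `this.enabledCipherSuites = enabledCipherSuites.trim().split("\\s*,\\s*");` and skipping empty entries (or setting the field to null when nothing remains, as the old isEmpty() guard did). A null argument also throws NullPointerException here; a null guard that clears the field would be friendlier for property-driven configuration. Minor: the new getter returns the internal array, so callers can mutate the configuration; a clone or an unmodifiable view is the safer default.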

Modified: trunk/runtime/src/test/java/org/teiid/transport/TestCommSockets.java
===================================================================
--- trunk/runtime/src/test/java/org/teiid/transport/TestCommSockets.java	2011-10-06 21:06:06 UTC (rev 3539)
+++ trunk/runtime/src/test/java/org/teiid/transport/TestCommSockets.java	2011-10-07 01:33:47 UTC (rev 3540)
@@ -217,6 +217,7 @@
 	@Test public void testAnonSSLConnect() throws Exception {
 		SSLConfiguration config = new SSLConfiguration();
 		config.setMode(SSLConfiguration.ENABLED);
+		config.setEnabledCipherSuites("x"); //ensure that this cipher suite is not used
 		config.setAuthenticationMode(SSLConfiguration.ANONYMOUS);
 		Properties p = new Properties();
 		p.setProperty("org.teiid.sockets.soTimeout", "100");
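Review bot: the new line's comment ("ensure that this cipher suite is not used") does not say why the test would catch a regression; it only does so because "x" is not a valid suite, so if it were honored the SSL handshake would fail. Expand the comment to say that, or add an explicit assertion on the enabled suites of the resulting engine, so the intent survives future edits to this test.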
@@ -255,4 +256,10 @@
 		conn.close();
 	}
 	
+	@Test public void testEnableCipherSuites() throws Exception {
+		SSLConfiguration config = new SSLConfiguration();
+		config.setEnabledCipherSuites("x,y,z");
+		assertArrayEquals(new String[] {"x","y","z"}, config.getEnabledCipherSuites());
+	}
+	
 }
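Review bot: testEnableCipherSuites only covers the ideal input "x,y,z"; add cases for whitespace around the separators ("x, y ,z") and for a trailing comma or empty string, and assert the expected result for each, so the parsing behaviour of setEnabledCipherSuites (which is now a bare split(",")) is pinned down rather than left to the JSSE layer to reject at connect time.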
