<html>
<head>
<base href="https://docs.jboss.org/author">
<link rel="stylesheet" href="/author/s/en/2172/19/5/_/styles/combined.css?spaceKey=TEIID&forWysiwyg=true" type="text/css">
</head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
<h2><a href="https://docs.jboss.org/author/display/TEIID/Secure+Embedded+with+PicketBox">Secure Embedded with PicketBox</a></h2>
<h4>Page <b>edited</b> by <a href="https://docs.jboss.org/author/display/~shawkins">Steven Hawkins</a>
</h4>
<br/>
<h4>Full Content</h4>
<div class="notificationGreySide">
<p>PicketBox is a Java security framework built on top of JAAS. PicketBox is configured via a schema-formatted Security Configuration File (<a href="https://raw.githubusercontent.com/picketbox/picketbox/master/security-jboss-sx/jbosssx/src/main/resources/schema/security-config_5_0.xsd" class="external-link" rel="nofollow">security-config_5_0.xsd</a>) and provides various LoginModule implementations (UsersRolesLoginModule, LdapExtLoginModule, DatabaseServerLoginModule, etc.). The following are the 5 key steps to execute an authentication:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: java; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;">
import java.security.Principal;
import javax.security.auth.Subject;
import org.jboss.security.AuthenticationManager;
import org.jboss.security.SimplePrincipal;
import org.picketbox.config.PicketBoxConfiguration;
import org.picketbox.factories.SecurityFactory;
//1. establish the JAAS Configuration with the PicketBox authentication xml file
SecurityFactory.prepare();
//2. load the PicketBox authentication xml file
PicketBoxConfiguration config = new PicketBoxConfiguration();
config.load(SampleMain.class.getClassLoader().getResourceAsStream("picketbox/authentication.conf"));
//3. get the AuthenticationManager for an application-policy name (the security domain)
String securityDomain = "teiid-security";
AuthenticationManager authManager = SecurityFactory.getAuthenticationManager(securityDomain);
//4. execute authentication; do not discard the result: only a true return means the login succeeded,
//   and only then has the login module populated the Subject with the user's principals and roles
Principal userPrincipal = new SimplePrincipal("testUser");
String credString = "password";
Subject subject = new Subject();
boolean isValid = authManager.isValid(userPrincipal, credString, subject);
//5. release resources (in real code put this in a finally block so a failed login releases too)
SecurityFactory.release();
</pre>
</div></div>
<p>Teiid Embedded exposes 2 methods for security authentication:</p>
<ul>
        <li>EmbeddedConfiguration.setSecurityHelper() - associates an implementation of <em>org.teiid.security.SecurityHelper</em> (the interface lives in the engine jar) with the server. If no SecurityHelper is set, then no authentication is performed and any client that can reach the server connects unauthenticated.</li>
        <li>EmbeddedConfiguration.setSecurityDomain() - the name of an application-policy in the Security Configuration File; this is the securityDomain value handed to SecurityHelper.authenticate(). If no SecurityDomain is set, then the default "teiid-security" is used.</li>
</ul>
<p><a href="https://raw.githubusercontent.com/teiid/teiid-embedded-examples/master/common/src/main/java/org/teiid/example/EmbeddedSecurityHelper.java" class="external-link" rel="nofollow">EmbeddedSecurityHelper</a> is a sample implementation of <em>SecurityHelper</em>; <a href="https://raw.githubusercontent.com/teiid/teiid-embedded-examples/master/common/src/main/resources/picketbox/authentication.conf" class="external-link" rel="nofollow">authentication.conf</a> is a sample Security Configuration File.</p>
<h2><a name="SecureEmbeddedwithPicketBox-HowtodevelopaSecurityHelper"></a>How to develop a SecurityHelper</h2>
<p>The teiid-engine-VERSION.jar must be on the classpath. If you are using Maven to pull artifacts, the engine dependency can be added as below:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: java; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;">
<dependency>
<groupId>org.jboss.teiid</groupId>
<artifactId>teiid-engine</artifactId>
</dependency>
</pre>
</div></div>
<p>The key to developing a SecurityHelper is implementing the authenticate() method. PicketBox's 5 key steps for executing an authentication are shown in the example below. Note that only a true result from isValid() produces a SecurityContext; every other path ends in a LoginException, and SecurityFactory.release() runs in a finally block so a failed login does not leave the prepared state behind:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: java; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;">
@Override
public SecurityContext authenticate(String securityDomain, String baseUserName, Credentials credentials, String applicationName) throws LoginException {
    // 1. establish the JAAS Configuration; released in the finally block below
    SecurityFactory.prepare();
    try {
        // 2. load the PicketBox Security Configuration File (this sample re-reads it on every call)
        PicketBoxConfiguration config = new PicketBoxConfiguration();
        config.load(this.getClass().getClassLoader().getResourceAsStream("picketbox/authentication.conf"));
        // 3. get the AuthenticationManager for the domain Teiid passes in (EmbeddedConfiguration.setSecurityDomain())
        AuthenticationManager authManager = SecurityFactory.getAuthenticationManager(securityDomain);
        if (authManager != null){
            final Principal userPrincipal = new SimplePrincipal(baseUserName);
            final Subject subject = new Subject();
            // Teiid supplies the password as a char[]; the PicketBox login modules accept a String credential
            final String credString = credentials==null?null:new String(credentials.getCredentialsAsCharArray());
            final String domain = securityDomain;
            // 4. execute authentication; on success the login module fills the Subject with principals and roles
            boolean isValid = authManager.isValid(userPrincipal, credString, subject);
            if (isValid) {
                // wrap the authenticated Subject in the SecurityContext Teiid will associate with the session
                SecurityContext securityContext = AccessController.doPrivileged(new PrivilegedAction<SecurityContext>(){
                    @Override
                    public SecurityContext run() {
                        SecurityContext sc;
                        try {
                            sc = SecurityContextFactory.createSecurityContext(userPrincipal, credString, subject, domain);
                        } catch (Exception e) {
                            throw new RuntimeException(e);
                        }
                        return sc;
                    }});
                return securityContext;
            }
        }
    } finally {
        // 5. release resources, whether or not the login succeeded
        SecurityFactory.release();
    }
    // unknown domain, unknown user and wrong password all end here with the same generic message
    throw new LoginException("The username " + baseUserName + " and/or password could not be authenticated by security domain " + securityDomain + ".");
}
</pre>
</div></div>
<p>You can simply return null from negotiateGssLogin() unless you want to allow GSS authentication from JDBC/ODBC clients.</p>
<h2><a name="SecureEmbeddedwithPicketBox-EmbeddedSecuritywithUsersRolesLoginModule"></a>Embedded Security with UsersRolesLoginModule</h2>
<p>Add the following content to the PicketBox Security Configuration File:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: java; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;">
<application-policy name = "teiid-security">
    <authentication>
        <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required"></login-module>
    </authentication>
</application-policy>
</pre>
</div></div>
<p>Prepare the users/roles by adding users.properties and roles.properties to the classpath. UsersRolesLoginModule compares the supplied password with the value stored in users.properties, which is clear text by default; set the hashAlgorithm and hashEncoding module-options on the login-module if the file should hold hashed values instead. A sample users.properties:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: java; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;">
testUser=password
</pre>
</div></div>
<p>A sample roles.properties (user name = comma-separated list of roles):</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: java; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;">
testUser=user
</pre>
</div></div>
<p>To start the Embedded Server with UsersRolesLoginModule-based authentication:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: java; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;">
EmbeddedServer server =
...
EmbeddedConfiguration config = new EmbeddedConfiguration();
// must match the application-policy name in the Security Configuration File ("teiid-security" is also the default)
config.setSecurityDomain("teiid-security");
config.setSecurityHelper(new EmbeddedSecurityHelper());
server.start(config);
</pre>
</div></div>
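<p>Before wiring a policy into the Embedded Server it is worth checking, outside Teiid, that the policy accepts the right credentials, rejects the wrong ones, and yields the roles you expect. The class below is an added example written for this page, not code from the Teiid page or the teiid-embedded-examples project. The names PicketBoxAuthCheck, Outcome and rolesOf() are this example's own. It assumes users.properties (testUser=password) and roles.properties (testUser=user) are on the classpath as shown above, and embeds the teiid-security application-policy as a constructed string instead of reading picketbox/authentication.conf.</p>

```java
package org.teiid.example;

import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.security.acl.Group;
import java.util.Enumeration;
import java.util.Set;
import java.util.TreeSet;

import javax.security.auth.Subject;

import org.jboss.security.AuthenticationManager;
import org.jboss.security.SimplePrincipal;
import org.picketbox.config.PicketBoxConfiguration;
import org.picketbox.factories.SecurityFactory;

/**
 * Added example (not code from the Teiid page or the teiid-embedded-examples project).
 * Runs the same prepare / load / getAuthenticationManager / isValid / release sequence as the
 * SecurityHelper on this page and checks that a correct password is accepted, that a wrong
 * password and an unknown user are rejected, and that the expected role is assigned.
 * Assumes users.properties (testUser=password) and roles.properties (testUser=user) are on the classpath.
 */
public class PicketBoxAuthCheck {

    // Constructed inline (instead of picketbox/authentication.conf) so the check is self-contained.
    // The application-policy name is the value passed to EmbeddedConfiguration.setSecurityDomain().
    static final String CONF =
          "<?xml version='1.0' encoding='UTF-8'?>\n"
        + "<policy xmlns='urn:jboss:security-config:5.0'>\n"
        + "  <application-policy name='teiid-security'>\n"
        + "    <authentication>\n"
        + "      <login-module code='org.jboss.security.auth.spi.UsersRolesLoginModule' flag='required'/>\n"
        + "    </authentication>\n"
        + "  </application-policy>\n"
        + "</policy>\n";

    /** Result of one attempt: whether it passed and which roles PicketBox placed in the Subject. */
    public static final class Outcome {
        public final boolean authenticated;
        public final Set<String> roles;
        Outcome(boolean authenticated, Set<String> roles) {
            this.authenticated = authenticated;
            this.roles = roles;
        }
    }

    public static Outcome authenticate(String securityDomain, String user, String password) {
        SecurityFactory.prepare();                                                   // 1. JAAS Configuration
        try {
            PicketBoxConfiguration config = new PicketBoxConfiguration();
            config.load(new ByteArrayInputStream(CONF.getBytes(StandardCharsets.UTF_8))); // 2. load the policy
            AuthenticationManager authManager = SecurityFactory.getAuthenticationManager(securityDomain); // 3.
            if (authManager == null) {
                return new Outcome(false, new TreeSet<String>());
            }
            Subject subject = new Subject();
            Principal principal = new SimplePrincipal(user);
            boolean ok = authManager.isValid(principal, password, subject);          // 4. authenticate
            // Never read roles out of a Subject from a failed login: report none in that case.
            return new Outcome(ok, ok ? rolesOf(subject) : new TreeSet<String>());
        } finally {
            SecurityFactory.release();                                               // 5. release
        }
    }

    /**
     * PicketBox login modules publish roles as the members of a java.security.acl.Group principal
     * named "Roles" (Group was deprecated in Java 9 and removed in Java 14; PicketBox targets Java 8).
     */
    static Set<String> rolesOf(Subject subject) {
        Set<String> roles = new TreeSet<String>();
        for (Group group : subject.getPrincipals(Group.class)) {
            if (!"Roles".equals(group.getName())) {
                continue;
            }
            Enumeration<? extends Principal> members = group.members();
            while (members.hasMoreElements()) {
                roles.add(members.nextElement().getName());
            }
        }
        return roles;
    }

    public static void main(String[] args) {
        Outcome good = authenticate("teiid-security", "testUser", "password");
        Outcome badPassword = authenticate("teiid-security", "testUser", "wrong");
        Outcome unknownUser = authenticate("teiid-security", "nobody", "password");

        if (!good.authenticated || !good.roles.contains("user")) {
            throw new AssertionError("valid credentials rejected or role 'user' missing: " + good.roles);
        }
        if (badPassword.authenticated || unknownUser.authenticated) {
            throw new AssertionError("login module accepted a bad password or an unknown user");
        }
        System.out.println("teiid-security policy OK; roles for testUser = " + good.roles);
    }
}
```

<p>Run it with the PicketBox jars and the two properties files on the classpath. To exercise the LDAP policy from the next section instead, replace CONF with that application-policy (or load authentication.conf the way the SecurityHelper does) and pass "teiid-security-ldap" as the domain; the three assertions stay the same. The negative cases matter as much as the positive one: a policy whose login-module is misconfigured can fail open by accepting everything, and only the bad-password check catches that.</p>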
<h2><a name="SecureEmbeddedwithPicketBox-EmbeddedSecuritywithLdapExtLoginModule"></a>Embedded Security with LdapExtLoginModule</h2>
<p>Add the following content to the PicketBox Security Configuration File:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: java; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;">
<application-policy name = "teiid-security-ldap">
    <authentication>
        <login-module code = "org.jboss.security.auth.spi.LdapExtLoginModule" flag = "required">
            <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            <module-option name="java.naming.provider.url">ldap://HOST:389</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="bindDN">cn=Manager,dc=example,dc=com</module-option>
            <module-option name="bindCredential">redhat</module-option>
            <module-option name="baseCtxDN">ou=Customers,dc=example,dc=com</module-option>
            <module-option name="baseFilter">(uid={0})</module-option>
            <module-option name="rolesCtxDN">ou=Roles,dc=example,dc=com</module-option>
            <module-option name="roleFilter">(uniqueMember={1})</module-option>
            <module-option name="roleAttributeID">cn</module-option>
        </login-module>
    </authentication>
</application-policy>
</pre>
</div></div>
<p>To define the users/roles, refer to your LDAP vendor's documentation. For example, with OpenLDAP and the ldif file <a href="https://raw.githubusercontent.com/teiid/teiid-embedded-examples/master/embedded-portfolio-security/src/main/resources/customer-security.ldif" class="external-link" rel="nofollow">customer-security.ldif</a>, execute</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: java; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;">
# -w puts the bind password into the process list and shell history; use -W to be prompted for it instead
ldapadd -x -D "cn=Manager,dc=example,dc=com" -w redhat -f customer-security.ldif
</pre>
</div></div>
<p>to set up the users/roles.</p>
<div class='panelMacro'><table class='noteMacro'><colgroup><col width='24'><col></colgroup><tr><td valign='top'><img src="/author/images/icons/emoticons/warning.gif" width="16" height="16" align="absmiddle" alt="" border="0"></td><td>Note: module-options such as java.naming.provider.url, bindDN, bindCredential, baseCtxDN and rolesCtxDN must match your LDAP server's settings. The sample uses a plain ldap:// URL with simple authentication, so the bind credential and every user's password cross the network in clear text; outside a local test use an ldaps:// URL, give the bind account only the read access it needs, and keep the real bindCredential out of files that are checked in.</td></tr></table></div>
<p>To start the Embedded Server with LdapExtLoginModule-based authentication:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="theme: Confluence; brush: java; gutter: false" style="font-size:12px; font-family: ConfluenceInstalledFont,monospace;">
EmbeddedServer server =
...
EmbeddedConfiguration config = new EmbeddedConfiguration();
config.setSecurityDomain("teiid-security-ldap");
config.setSecurityHelper(new EmbeddedSecurityHelper());
server.start(config);
</pre>
</div></div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>