[JBoss JIRA] Created: (JBAS-8169) Make default values of org.jboss.metadata.IorSecurityConfigMetaData configurable
3:37 a.m.
Make default values of org.jboss.metadata.IorSecurityConfigMetaData configurable
--------------------------------------------------------------------------------
Key: JBAS-8169
URL: https://jira.jboss.org/browse/JBAS-8169
Project: JBoss Application Server
Issue Type: Feature Request
Security Level: Public (Everyone can see)
Components: IIOP service
Affects Versions: 6.0.0.M3, JBossAS-5.1.0.GA, JBossAS-4.2.2.GA
Reporter: Dimitris Andreadis
Assignee: Stefan Guilhen
User wants to allow the configuration of all IOR default parameters that are hard coded in
org.jboss.metadata.IorSecurityConfigMetaData ([SasContext : callerPropagation] and
[AsContext : authMethod, realm, required] and [TransportConfig : integrity,
confidentiality, detectMisordering, detectReplay, establishTrustInTarget,
establishTrustInClient]).
Mostly they want to be able to configure [AsContext : realm] and [SasContext :
callerPropagation]
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
5:21 a.m.
New subject: [JBoss JIRA] Commented: (JBAS-8169) Make default values of org.jboss.metadata.IorSecurityConfigMetaData configurable
[
https://jira.jboss.org/browse/JBAS-8169?page=com.atlassian.jira.plugin.sy...
]
Colin Mondesir commented on JBAS-8169:
--------------------------------------
If we want to make a service accessible through CORBA
1) We create a standard EJB service using a standard invoker (not IIOP, no IOR Security
config).
2) We create the public interfaces accessible through CORBA in an independent IDL file
3) We create the necessary java objects using IDLJ plug-in.
4) We implement the servant by extending the POA object generated by IDLJ (This servant
object will then make (relay) a CORBA IIOP call to a standard EJB)
5) We add a listener to our EJB application that will register this CORBA object at
deployment using the following schema.
// initialisation
InitialContext ctx = new InitialContext();
NamingContextExt rootNC =
(NamingContextExt)ctx.lookup("java:JBossCorbaNaming");
POA poa = (POA) ctx.lookup("java:JBossCorbaPOA");
ORB orb = (ORB)ctx.lookup("java:JBossCorbaORB");
// using reflexion, we create a IorSecurityConfigMetaData with our custom realm
IorSecurityConfigMetaData data = new IorSecurityConfigMetaData();
Class asConfigClass = data.getAsContext().getClass();
Class sasConfigClass = data.getSasContext().getClass();
Field realm = asConfigClass.getDeclaredField("realm");
realm.setAccessible(true);
realm.set(data.getAsContext(),"weblogicDEFAULT");
Field propagation = sasConfigClass.getDeclaredField("callerPropagation");
propagation.setAccessible(true);
propagation.set(data.getSasContext(),"SUPPORTED");
Any secPolicy = orb.create_any();
secPolicy.insert_Value(data);
Policy csiv2Policy = orb.create_policy(CSIv2Policy.TYPE, secPolicy);
Policy[] policies = new Policy[]{csiv2Policy};
poa.the_POAManager().activate();
// Create a secure child POA
POA childPOA = null;
try{
childPOA = poa.find_POA("csiv2POA",true);
}catch(org.omg.PortableServer.POAPackage.AdapterNonExistent e){
logger.info("csiv2POA do not exist => Beeing created");
childPOA = poa.create_POA("csiv2POA", poa.the_POAManager(), policies);
}
// register the servant in the secure POA and activate it
childPOA.activate_object(servant);
childPOA.the_POAManager().activate();
// add the service in the naming directory
org.omg.CORBA.Object o = childPOA.servant_to_reference(servant);
createContext(nsPath, rootNC);
rootNC.rebind(rootNC.to_name(nsPath), o);
As you can see, the way we register CORBA objects do not allow us to use the IOR
configuration available in the deployment descriptor. The code presented before allows us
to register CORBA services with our custom realm and to change the callerPropagation
setting.
Nevertheless, we would like to avoid reflexion. We propose you to either give the
possibility to set these values through a configuration XML file or by making the
constructor of IorSecurityConfigMetaData to public.
Furthermore, we remarked that the CSIV2 security settings are not propagated to the EJB in
this configuration although the CSIV2 security context is correctly intercepted by
org.jboss.iiop.csiv2.SASTargetInterceptor .
Why don't you populate the SecurityAssocation variable with these intercepted values?
If this is a desired feature, how can we access to the CSIV2 security context in our CORBA
servant in order to forward them to the EJB.
It is realy important for us to be able to use this architecture to register CORBA
services and that the security context is correctly propagated.
Make default values of org.jboss.metadata.IorSecurityConfigMetaData
configurable
--------------------------------------------------------------------------------
Key: JBAS-8169
URL: https://jira.jboss.org/browse/JBAS-8169
Project: JBoss Application Server
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: IIOP service
Affects Versions: JBossAS-4.2.2.GA, JBossAS-5.1.0.GA, 6.0.0.M3
Reporter: Dimitris Andreadis
Assignee: Stefan Guilhen
User wants to allow the configuration of all IOR default parameters that are hard coded
in org.jboss.metadata.IorSecurityConfigMetaData ([SasContext : callerPropagation] and
[AsContext : authMethod, realm, required] and [TransportConfig : integrity,
confidentiality, detectMisordering, detectReplay, establishTrustInTarget,
establishTrustInClient]).
Mostly they want to be able to configure [AsContext : realm] and [SasContext :
callerPropagation]
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
9:57 a.m.
New subject: [JBoss JIRA] Commented: (JBAS-8169) Make default values of org.jboss.metadata.IorSecurityConfigMetaData configurable
[
https://jira.jboss.org/browse/JBAS-8169?page=com.atlassian.jira.plugin.sy...
]
Stefan Guilhen commented on JBAS-8169:
--------------------------------------
I'll take a look at the code to find out the best place to put the IOR configuration.
Regarding CSIv2 security settings propagation, it is wrong to say it doesn't happen.
The application server security context is populated by the EjbObjectCorbaServant and
EjbHomeCorbaServant. When the IIOP call reaches one of these servants, a regular
org.jboss.invocation.Invocation object is created, populated, and then forwarded to the
EJB container just like a JRMP call would have been. If you take a look at the servants,
you will notice they retrieve a SASCurrent instance from the ORB and use this current
object to obtain the security info (internally SASCurrent has a reference to the
SASTargetInterceptor and uses this reference to obtain the security params). The security
info is then inserted in the Invocation object and the invocation is dispatched to the EJB
container.
So if the call is routed through the EJB servants, the security context will be created
later on by the EJB container security interceptors. If you have a different servant, you
will have to code something similar to what we have in the EJB servants yourself.
Make default values of org.jboss.metadata.IorSecurityConfigMetaData
configurable
--------------------------------------------------------------------------------
Key: JBAS-8169
URL: https://jira.jboss.org/browse/JBAS-8169
Project: JBoss Application Server
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: IIOP service
Affects Versions: JBossAS-4.2.2.GA, JBossAS-5.1.0.GA, 6.0.0.M3
Reporter: Dimitris Andreadis
Assignee: Stefan Guilhen
User wants to allow the configuration of all IOR default parameters that are hard coded
in org.jboss.metadata.IorSecurityConfigMetaData ([SasContext : callerPropagation] and
[AsContext : authMethod, realm, required] and [TransportConfig : integrity,
confidentiality, detectMisordering, detectReplay, establishTrustInTarget,
establishTrustInClient]).
Mostly they want to be able to configure [AsContext : realm] and [SasContext :
callerPropagation]
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
9:21 a.m.
New subject: [JBoss JIRA] Closed: (JBAS-8169) Make default values of org.jboss.metadata.IorSecurityConfigMetaData configurable
[
https://jira.jboss.org/browse/JBAS-8169?page=com.atlassian.jira.plugin.sy...
]
Stefan Guilhen closed JBAS-8169.
--------------------------------
Resolution: Done
Default IOR security settings can now be set in CorbaORBService directly. This is how it
is done in EAP4 and EAP5:
<mbean code="org.jboss.iiop.CorbaORBService"
name="jboss:service=CorbaORB">
<attribute name="ORBClass">org.jacorb.orb.ORB</attribute>
....
<attribute name="DefaultIORSecurityConfig">
<ior-security-config>
<transport-config>
<integrity>supported</integrity>
<confidentiality>supported</confidentiality>
<establish-trust-in-target>supported</establish-trust-in-target>
<establish-trust-in-client>supported</establish-trust-in-client>
</transport-config>
<as-context>
<auth-method>username_password</auth-method>
<realm>default_realm</realm>
<required>true</required>
</as-context>
<sas-context>
<caller-propagation>none</caller-propagation>
</sas-context>
</ior-security-config>
</attribute>
</mbean>
As we can see, there is a new attribute, DefaultIORSecurityConfig, that can be used to
specify the default IOR settings. The sintax is the same used in the jboss.xml to specify
the IOR settings for EJBs.
The specified settings will be applied to all IORs created by JBoss AS (all EJBs that have
IIOP-enabled stubs as well as other container services that expose an IOR) and can be
overridden by the IOR settings specified in jboss.xml.
The syntax in JBoss AS 6.x is a little bit different, since the IIOP mbeans have been
converted to MC beans. This is how it is done on AS 6 (the configuration file is called
now iiop-jboss-beans.xml and replaces the old iiop-service.xml):
<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="urn:jboss:bean-deployer:2.0">
<!-- ======================================================================= -->
<!-- CORBA ORB service
-->
<!-- The ORB is pluggable. This configuration uses JacORB.
-->
<!-- ======================================================================= -->
<bean name="CorbaORBService"
class="org.jboss.iiop.CorbaORBService">
<annotation>@org.jboss.aop.microcontainer.aspects.jmx.JMX(name="jboss:service=CorbaORB",
exposedInterface=org.jboss.iiop.CorbaORBServiceMBean)</annotation>
....
<property name="defaultIORSecurityConfig"><inject
bean="DefaultIORSecurityConfig"/></property>
....
</bean>
....
<!-- ======================================================================= -->
<!-- Default IOR security settings. This can be used to specify the security
-->
<!-- settings that must inserted in the IORs of all beans and services that
-->
<!-- expose an IIOP view. To use this feature, uncomment this bean, set the
-->
<!-- appropriate values, and uncomment the defaultIORSecurityConfig property
-->
<!-- in CorbaORBService.
-->
<!-- NOTE: beans that specify IOR settings in jboss.xml will override the
-->
<!-- default security values defined here.
-->
<!-- ====================================================================== -->
<bean name="DefaultIORSecurityConfig"
class="org.jboss.metadata.IorSecurityConfigMetaData">
<property name="transportConfig">
<bean name="DefaultTransportConfig"
class="org.jboss.metadata.IorSecurityConfigMetaData$TransportConfig">
<constructor>
<parameter><null/></parameter>
<parameter name="integrity">supported</parameter>
<parameter
name="confidentiality">supported</parameter>
<parameter
name="establishTrustInTarget">none</parameter>
<parameter
name="establishTrustInClient">none</parameter>
<parameter name="detectMisordering">none</parameter>
<parameter name="detectReplay">none</parameter>
</constructor>
</bean>
</property>
<property name="asContext">
<bean name="DefaultAsContextConfig"
class="org.jboss.metadata.IorSecurityConfigMetaData$AsContext">
<constructor>
<parameter><null/></parameter>
<parameter
name="authMethod">username_password</parameter>
<parameter name="realm">default</parameter>
<parameter name="required">true</parameter>
</constructor>
</bean>
</property>
<property name="sasContext">
<bean name="DefaultSasContextConfig"
class="org.jboss.metadata.IorSecurityConfigMetaData$SasContext">
<constructor>
<parameter><null/></parameter>
<parameter name="callerPropagation"
class="java.lang.String">none</parameter>
</constructor>
</bean>
</property>
</bean>
</deployment>
As we can see, the security settings are specified as a separate bean and injected into
CorbaORBService.
Make default values of org.jboss.metadata.IorSecurityConfigMetaData
configurable
--------------------------------------------------------------------------------
Key: JBAS-8169
URL: https://jira.jboss.org/browse/JBAS-8169
Project: JBoss Application Server
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: IIOP service
Affects Versions: JBossAS-4.2.2.GA, JBossAS-5.1.0.GA, 6.0.0.M3
Reporter: Dimitris Andreadis
Assignee: Stefan Guilhen
User wants to allow the configuration of all IOR default parameters that are hard coded
in org.jboss.metadata.IorSecurityConfigMetaData ([SasContext : callerPropagation] and
[AsContext : authMethod, realm, required] and [TransportConfig : integrity,
confidentiality, detectMisordering, detectReplay, establishTrustInTarget,
establishTrustInClient]).
Mostly they want to be able to configure [AsContext : realm] and [SasContext :
callerPropagation]
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
8:33 a.m.
New subject: [JBoss JIRA] Reopened: (JBAS-8169) Make default values of org.jboss.metadata.IorSecurityConfigMetaData configurable
[
https://jira.jboss.org/browse/JBAS-8169?page=com.atlassian.jira.plugin.sy...
]
Stefan Guilhen reopened JBAS-8169:
----------------------------------
Reopening to set the "Fix Versions"
Make default values of org.jboss.metadata.IorSecurityConfigMetaData
configurable
--------------------------------------------------------------------------------
Key: JBAS-8169
URL: https://jira.jboss.org/browse/JBAS-8169
Project: JBoss Application Server
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: IIOP service
Affects Versions: JBossAS-4.2.2.GA, JBossAS-5.1.0.GA, 6.0.0.M3
Reporter: Dimitris Andreadis
Assignee: Stefan Guilhen
Fix For: 6.0.0.Final
User wants to allow the configuration of all IOR default parameters that are hard coded
in org.jboss.metadata.IorSecurityConfigMetaData ([SasContext : callerPropagation] and
[AsContext : authMethod, realm, required] and [TransportConfig : integrity,
confidentiality, detectMisordering, detectReplay, establishTrustInTarget,
establishTrustInClient]).
Mostly they want to be able to configure [AsContext : realm] and [SasContext :
callerPropagation]
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
8:33 a.m.
New subject: [JBoss JIRA] Closed: (JBAS-8169) Make default values of org.jboss.metadata.IorSecurityConfigMetaData configurable
[
https://jira.jboss.org/browse/JBAS-8169?page=com.atlassian.jira.plugin.sy...
]
Stefan Guilhen closed JBAS-8169.
--------------------------------
Resolution: Done
Make default values of org.jboss.metadata.IorSecurityConfigMetaData
configurable
--------------------------------------------------------------------------------
Key: JBAS-8169
URL: https://jira.jboss.org/browse/JBAS-8169
Project: JBoss Application Server
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: IIOP service
Affects Versions: JBossAS-4.2.2.GA, JBossAS-5.1.0.GA, 6.0.0.M3
Reporter: Dimitris Andreadis
Assignee: Stefan Guilhen
Fix For: 6.0.0.Final
User wants to allow the configuration of all IOR default parameters that are hard coded
in org.jboss.metadata.IorSecurityConfigMetaData ([SasContext : callerPropagation] and
[AsContext : authMethod, realm, required] and [TransportConfig : integrity,
confidentiality, detectMisordering, detectReplay, establishTrustInTarget,
establishTrustInClient]).
Mostly they want to be able to configure [AsContext : realm] and [SasContext :
callerPropagation]
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
8:33 a.m.
New subject: [JBoss JIRA] Updated: (JBAS-8169) Make default values of org.jboss.metadata.IorSecurityConfigMetaData configurable
[
https://jira.jboss.org/browse/JBAS-8169?page=com.atlassian.jira.plugin.sy...
]
Stefan Guilhen updated JBAS-8169:
---------------------------------
Fix Version/s: 6.0.0.Final
Make default values of org.jboss.metadata.IorSecurityConfigMetaData
configurable
--------------------------------------------------------------------------------
Key: JBAS-8169
URL: https://jira.jboss.org/browse/JBAS-8169
Project: JBoss Application Server
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: IIOP service
Affects Versions: JBossAS-4.2.2.GA, JBossAS-5.1.0.GA, 6.0.0.M3
Reporter: Dimitris Andreadis
Assignee: Stefan Guilhen
Fix For: 6.0.0.Final
User wants to allow the configuration of all IOR default parameters that are hard coded
in org.jboss.metadata.IorSecurityConfigMetaData ([SasContext : callerPropagation] and
[AsContext : authMethod, realm, required] and [TransportConfig : integrity,
confidentiality, detectMisordering, detectReplay, establishTrustInTarget,
establishTrustInClient]).
Mostly they want to be able to configure [AsContext : realm] and [SasContext :
callerPropagation]
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
5192
days inactive
5275
days old
6 comments
3 participants
participants (3)
-
Colin Mondesir (JIRA) -
Dimitris Andreadis (JIRA)
-
Stefan Guilhen (JIRA)