[jboss-cvs] jboss-docs/jbossas/j2ee/examples/src/main/org/jboss/book/security/ex3b ...
Norman Richards
norman.richards at jboss.com
Wed Nov 1 13:14:21 EST 2006
User: nrichards
Date: 06/11/01 13:14:21
Added: jbossas/j2ee/examples/src/main/org/jboss/book/security/ex3b
ExClient.java TstReadOnly.java
http-invoker-service.xml jboss-service.xml web.xml
Log:
modified for j2ee guide
Revision Changes Path
1.1 date: 2006/11/01 18:14:21; author: nrichards; state: Exp;jboss-docs/jbossas/j2ee/examples/src/main/org/jboss/book/security/ex3b/ExClient.java
Index: ExClient.java
===================================================================
package org.jboss.book.security.ex3b;
import java.rmi.RemoteException;
import javax.naming.InitialContext;
import javax.security.auth.login.LoginContext;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import org.apache.log4j.FileAppender;
import org.apache.log4j.PatternLayout;
import org.jboss.logging.XLevel;
import org.jboss.security.auth.callback.UsernamePasswordHandler;
import org.jboss.book.security.ex3a.EchoHome;
import org.jboss.book.security.ex3a.Echo;
/** Test accessing EJBs that use clustered HTTP as the transport with SRP
* as the authentication mechanism. SRP also uses clustered HTTP as does
* JNDI. JNDI is also secured with a single read-only context that may be
* accessed by
* @author Scott.Stark at jboss.org
* @version $Revision: 1.1 $
*/
public class ExClient
{
public static void main(String args[]) throws Exception
{
// Set up a simple configuration that logs on the console.
FileAppender fa = new FileAppender(new PatternLayout("%r[%c{1}], %m%n"), "ex3b-trace.log");
fa.setAppend(false);
Logger cat = Logger.getLogger("org.jboss.security");
cat.setLevel(XLevel.TRACE);
cat.setAdditivity(false);
cat.addAppender(fa);
cat = Logger.getLogger("org.jboss.invocation");
cat.setLevel(XLevel.TRACE);
cat.setAdditivity(false);
cat.addAppender(fa);
// Login using SRP
System.out.println("Logging in using the 'srpHAReadOnlyJNDI' configuration");
String username = args[0];
char[] password = args[1].toCharArray();
UsernamePasswordHandler handler = new UsernamePasswordHandler(username, password);
LoginContext lc = new LoginContext("srpHAReadOnlyJNDI", handler);
lc.login();
InitialContext iniCtx = new InitialContext();
Object ref = iniCtx.lookup("EchoBean3a");
EchoHome home = (EchoHome) ref;
Echo echo = home.create();
System.out.println("Created Echo");
// Make some calls across the cluster
for(int c = 1; c <= 4; c ++)
{
System.out.println("Echo.echo()#"+c+" = "+echo.echo("This is call "+c));
}
lc.logout();
}
}
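Review bot: In `main`, the SRP password is read from `args[1]`, so it sits on the command line where other local users can see it in the process list, and the `char[]` is never cleared after `lc.login()`. Prompting for it instead (on Java 6 or later, `char[] password = System.console().readPassword("Password: ");` with a null check on the console) and calling `java.util.Arrays.fill(password, '\0');` once login returns would avoid both, assuming UsernamePasswordHandler does not need the array afterwards. `args[0]` and `args[1]` are also read without a length check, and `lc.logout()` is skipped if any Echo call throws, so a usage message and a `try { ... } finally { lc.logout(); }` around the calls are worth adding. The comment `// Set up a simple configuration that logs on the console.` should say that TRACE output for `org.jboss.security` goes to `ex3b-trace.log`, which may then hold authentication detail and should be handled as sensitive.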
1.1 date: 2006/11/01 18:14:21; author: nrichards; state: Exp;jboss-docs/jbossas/j2ee/examples/src/main/org/jboss/book/security/ex3b/TstReadOnly.java
Index: TstReadOnly.java
===================================================================
package org.jboss.book.security.ex3b;
import java.util.Properties;
import javax.naming.InitialContext;
import javax.naming.Context;
import javax.naming.NamingException;
import org.apache.log4j.Logger;
import org.apache.log4j.FileAppender;
import org.apache.log4j.PatternLayout;
import org.jboss.logging.XLevel;
/**
*
* @author Scott.Stark at jboss.org
* @version $Revision: 1.1 $
*/
public class TstReadOnly
{
public static void main(String args[]) throws Exception
{
// Set up a simple configuration that logs on the console.
FileAppender fa = new FileAppender(new PatternLayout("%r[%c{1}], %m%n"), "ex3bro-trace.log");
fa.setAppend(false);
Logger cat = Logger.getLogger("org.jboss.security");
cat.setLevel(XLevel.TRACE);
cat.setAdditivity(false);
cat.addAppender(fa);
cat = Logger.getLogger("org.jboss.invocation");
cat.setLevel(XLevel.TRACE);
cat.setAdditivity(false);
cat.addAppender(fa);
Properties env = new Properties();
env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.HttpNamingContextFactory");
env.setProperty(Context.PROVIDER_URL, "http://localhost:8080/invoker/ReadOnlyJNDIFactoryHA");
System.out.println("JNDI env: "+env);
InitialContext iniCtx = new InitialContext(env);
// Do a lookup on the srp-readonly context
Object ref = iniCtx.lookup("srp-readonly/SRPServerInterfaceHA");
cat.info("srp-readonly/SRPServerInterfaceHA: "+ref);
// Do a lookup on another context that should fail
try
{
ref = iniCtx.lookup("jmx");
throw new IllegalStateException("Was able to lookup jmx: "+ref);
}
catch(NamingException e)
{
cat.info("lookup of jmx failed as expected", e);
}
}
}
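Review bot: The negative check around `iniCtx.lookup("jmx")` treats any `NamingException` as proof that the read-only filter rejected the request, so a connection failure or a name that is simply not bound also logs "failed as expected". Logging the exception class in that message, e.g. `cat.info("lookup of jmx failed with " + e.getClass().getName(), e);`, lets a reader confirm the failure came from the filter. The test also never tries a non-lookup operation against `srp-readonly`, which is the other half of what the filter description in web.xml says it blocks; an added `bind` attempt that must fail would cover it. The class Javadoc is empty; a line such as `Checks that the ReadOnlyJNDIFactoryHA naming stub allows lookups only under srp-readonly.` would say what the program verifies.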
1.1 date: 2006/11/01 18:14:21; author: nrichards; state: Exp;jboss-docs/jbossas/j2ee/examples/src/main/org/jboss/book/security/ex3b/http-invoker-service.xml
Index: http-invoker-service.xml
===================================================================
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE server>
<!-- $Id: http-invoker-service.xml,v 1.1 2006/11/01 18:14:21 nrichards Exp $ -->
<server>
<!-- The HTTP invoker service configration
-->
<mbean code="org.jboss.invocation.http.server.HttpInvoker"
name="jboss:service=invoker,type=http">
<attribute name="InvokerURLPrefix">http://</attribute>
<attribute name="InvokerURLSuffix">:8080/invoker/restricted/JMXInvokerHAServlet</attribute>
<attribute name="UseHostName">false</attribute>
</mbean>
<mbean code="org.jboss.invocation.http.server.HttpInvokerHA"
name="jboss:service=invoker,type=httpHA">
<attribute name="InvokerURLPrefix">http://</attribute>
<attribute name="InvokerURLSuffix">:8080/invoker/EJBInvokerHAServlet</attribute>
<attribute name="UseHostName">false</attribute>
</mbean>
<!-- Expose the HAJNDI service interface via clustered HTTP. This maps
to the ReadOnlyJNDIFactoryHA servlet URL
-->
<mbean code="org.jboss.invocation.http.server.HttpProxyFactoryHA"
name="jboss:service=invoker,type=httpHA,target=HAJNDI,readonly=true">
<depends>jboss:service=HAJNDI</depends>
<attribute name="InvokerName">jboss:service=HAJNDI</attribute>
<attribute name="InvokerURLPrefix">http://</attribute>
<attribute name="InvokerURLSuffix">:8080/invoker/readonly/JMXInvokerHAServlet</attribute>
<attribute name="UseHostName">false</attribute>
<attribute name="ExportedInterface">org.jnp.interfaces.Naming</attribute>
<attribute name="JndiName"></attribute>
<attribute name="LoadBalancePolicy">org.jboss.ha.framework.interfaces.FirstAvailable</attribute>
<attribute name="PartitionName">DefaultPartition</attribute>
</mbean>
<!-- Expose the HAJNDI service interface via clustered HTTP. This maps
to the secured HAJNDIFactory servlet URL
-->
<mbean code="org.jboss.invocation.http.server.HttpProxyFactoryHA"
name="jboss:service=invoker,type=httpHA,target=HAJNDI,restricted=true">
<depends>jboss:service=HAJNDI</depends>
<attribute name="InvokerName">jboss:service=HAJNDI</attribute>
<attribute name="InvokerURLPrefix">http://</attribute>
<attribute name="InvokerURLSuffix">:8080/invoker/restricted/JMXInvokerHAServlet</attribute>
<attribute name="UseHostName">false</attribute>
<attribute name="ExportedInterface">org.jnp.interfaces.Naming</attribute>
<attribute name="JndiName"></attribute>
<attribute name="LoadBalancePolicy">org.jboss.ha.framework.interfaces.FirstAvailable</attribute>
<attribute name="PartitionName">DefaultPartition</attribute>
</mbean>
</server>
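Review bot: Every `InvokerURLPrefix` in this file is `http://`, including the proxy named `...target=HAJNDI,restricted=true` whose suffix is `:8080/invoker/restricted/JMXInvokerHAServlet`. The web.xml added in this commit protects `/restricted/*` with BASIC authentication, so the credentials and the serialized invocations for that path would travel in clear text. For anything beyond a local demo the restricted proxy should use `<attribute name="InvokerURLPrefix">https://</attribute>` with the suffix pointing at the TLS connector's port. The two HAJNDI proxy comments differ only in the servlet they mention; a sentence in each saying which callers receive that proxy (unauthenticated and lookup-only, versus role `HttpInvoker`) would make the split easier to audit.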
1.1 date: 2006/11/01 18:14:21; author: nrichards; state: Exp;jboss-docs/jbossas/j2ee/examples/src/main/org/jboss/book/security/ex3b/jboss-service.xml
Index: jboss-service.xml
===================================================================
<?xml version="1.0" encoding="UTF-8"?>
<!-- The clustered version of the SRP services
-->
<server>
<!-- The custom JAAS login configuration that installs
a Configuration capable of dynamically updating the
config settings
-->
<mbean code="org.jboss.book.security.service.SecurityConfig"
name="jboss.docs.security:service=LoginConfig-EX3b">
<attribute name="AuthConfig">META-INF/login-config.xml</attribute>
<attribute name="SecurityConfigName">jboss.security:service=XMLLoginConfig</attribute>
</mbean>
<!-- A service that establishes a distributed CachePolicy using the indicated
cluster partition state replication capabilities.
-->
<mbean code="org.jboss.book.security.ex3a.service.DistributedCacheService"
name="jboss.docs.security:service=SRPDistributedCache">
<attribute name="PartitionName">DefaultPartition</attribute>
<attribute name="CacheJndiName">srp-test/SRPDistributedCache</attribute>
<attribute name="CacheTimeout">600</attribute>
<depends>jboss:service=DefaultPartition</depends>
</mbean>
<!-- The SRP service that provides the SRP RMI server and server side
authentication cache -->
<mbean code="org.jboss.security.srp.SRPService"
name="jboss.docs.security:service=SRPServiceHA">
<attribute name="VerifierSourceJndiName">srp-test/security-ex3</attribute>
<attribute name="JndiName">srp-test/SRPServerInterface</attribute>
<attribute name="AuthenticationCacheJndiName">srp-test/SRPDistributedCache</attribute>
<attribute name="ServerPort">0</attribute>
<depends>jboss.docs.security:service=PropertiesVerifierStore</depends>
<depends>jboss.docs.security:service=SRPDistributedCache</depends>
</mbean>
<!-- The SRP store handler service that provides the user password verifier
information -->
<mbean code="org.jboss.book.security.ex3.service.PropertiesVerifierStore"
name="jboss.docs.security:service=PropertiesVerifierStore">
<attribute name="JndiName">srp-test/security-ex3</attribute>
</mbean>
<!-- Expose the SRP service interface via clustered HTTP -->
<mbean code="org.jboss.invocation.http.server.HttpProxyFactoryHA"
name="jboss.docs.security:service=SRPProxyFactory">
<!-- The SRP service we are proxying -->
<attribute name="InvokerName">jboss.docs.security:service=SRPServiceHA</attribute>
<!-- Compose the invoker URL from the cluster node address -->
<attribute name="InvokerURLPrefix">http://</attribute>
<attribute name="InvokerURLSuffix">:8080/invoker/SRPInvokerHAServlet</attribute>
<attribute name="UseHostName">false</attribute>
<attribute name="ExportedInterface">org.jboss.security.srp.SRPRemoteServerInterface</attribute>
<!-- The proxy will be available under this JNDI name. Note that this is
under the read-only JNDI context defined in the http-invoker web.xml
-->
<attribute name="JndiName">srp-readonly/SRPServerInterfaceHA</attribute>
<!-- SRP is stateful and so the load balance policy must be sticky -->
<attribute name="LoadBalancePolicy">org.jboss.ha.framework.interfaces.FirstAvailable</attribute>
<attribute name="PartitionName">DefaultPartition</attribute>
</mbean>
</server>
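Review bot: On the `SRPServiceHA` mbean, `<attribute name="ServerPort">0</attribute>` has no comment, while the comment above the mbean says the service provides the SRP RMI server. If 0 selects an anonymous port here, the service also listens on an unpredictable RMI port that is hard to firewall, even though this example reaches SRP through the HTTP proxy; a comment stating why 0 is used, or a fixed port, would help. `CacheTimeout` of `600` likewise carries no unit, and since it presumably bounds how long authenticated SRP session state stays in the replicated cache, a comment such as `<!-- SRP session cache lifetime, in seconds (confirm unit) -->` is worth adding.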
1.1 date: 2006/11/01 18:14:21; author: nrichards; state: Exp;jboss-docs/jbossas/j2ee/examples/src/main/org/jboss/book/security/ex3b/web.xml
Index: web.xml
===================================================================
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<description>A Customized version of the http-invoker.sar/invoker.war
descriptor that sets up a read-only context
</description>
<filter>
<filter-name>ReadOnlyAccessFilterHA</filter-name>
<filter-class>org.jboss.invocation.http.servlet.ReadOnlyAccessFilter</filter-class>
<init-param>
<param-name>readOnlyContext</param-name>
<param-value>srp-readonly</param-value>
<description>The top level JNDI context the filter will enforce
read-only access on. If specified only Context.lookup operations
will be allowed on this context. Another other operations or lookups
on any other context will fail. Do not associate this filter with the
JMXInvokerServlets if you want unrestricted access.
</description>
</init-param>
<init-param>
<param-name>invokerName</param-name>
<param-value>jboss:service=HAJNDI</param-value>
<description>The JMX ObjectName of the HA-JNDI naming service mbean
</description>
</init-param>
</filter>
<filter-mapping>
<filter-name>ReadOnlyAccessFilterHA</filter-name>
<url-pattern>/readonly/*</url-pattern>
</filter-mapping>
<!-- ### Servlets -->
<servlet>
<servlet-name>EJBInvokerHAServlet</servlet-name>
<description>The EJBInvokerHAServlet handles requests to EJBs that
use the "jboss:service=invoker,type=httpHA" service as their invoker.
</description>
<servlet-class>org.jboss.invocation.http.servlet.InvokerServlet</servlet-class>
<init-param>
<param-name>invokerName</param-name>
<param-value>jboss:service=invoker,type=httpHA</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>JMXInvokerHAServlet</servlet-name>
<description>The JMXInvokerHAServlet receives posts containing serlized
MarshalledInvocation objects that are routed to the invoker given by
the invokerName init-param. The return content is a serialized
MarshalledValue containg the return value of the inovocation, or any
exception that may have been thrown.
</description>
<servlet-class>org.jboss.invocation.http.servlet.InvokerServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>ReadOnlyJNDIFactoryHA</servlet-name>
<description>A servlet that exposes the JBoss JNDI Naming service stub
through http, but only for a single read-only context. The return content
is a serialized MarshalledValue containg the org.jnp.interfaces.Naming
stub.
</description>
<servlet-class>org.jboss.invocation.http.servlet.NamingFactoryServlet</servlet-class>
<init-param>
<param-name>namingProxyMBean</param-name>
<param-value>jboss:service=invoker,type=httpHA,target=HAJNDI,readonly=true</param-value>
<description>The HA capable invoker name.
</description>
</init-param>
<init-param>
<param-name>proxyAttribute</param-name>
<param-value>Proxy</param-value>
</init-param>
<load-on-startup>2</load-on-startup>
</servlet>
<servlet>
<servlet-name>HAJNDIFactory</servlet-name>
<description>A servlet that exposes the JBoss JNDI Naming service stub
through http. The return content is a serialized
MarshalledValue containg the org.jnp.interfaces.Naming stub. This
configuration handles requests for the HA JNDI naming service.
</description>
<servlet-class>org.jboss.invocation.http.servlet.NamingFactoryServlet</servlet-class>
<init-param>
<param-name>namingProxyMBean</param-name>
<param-value>jboss:service=invoker,type=httpHA,target=HAJNDI,restricted=true</param-value>
<description>The HA capable invoker name.
</description>
</init-param>
<init-param>
<param-name>proxyAttribute</param-name>
<param-value>Proxy</param-value>
</init-param>
<load-on-startup>3</load-on-startup>
</servlet>
<!-- ### Servlet Mappings -->
<servlet-mapping>
<servlet-name>ReadOnlyJNDIFactoryHA</servlet-name>
<url-pattern>/ReadOnlyJNDIFactoryHA/*</url-pattern>
</servlet-mapping>
<!-- Alternate mappings that place the servlets under the restricted
path to required authentication for access. Remove the unsecure mappings
if only authenticated users should be allowed.
-->
<servlet-mapping>
<servlet-name>HAJNDIFactory</servlet-name>
<url-pattern>/restricted/HAJNDIFactory/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>EJBInvokerHAServlet</servlet-name>
<url-pattern>/EJBInvokerHAServlet/*</url-pattern>
</servlet-mapping>
<!-- An unsecured mapping used by the SRP authentication service -->
<servlet-mapping>
<servlet-name>JMXInvokerHAServlet</servlet-name>
<url-pattern>/SRPInvokerHAServlet/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>JMXInvokerHAServlet</servlet-name>
<url-pattern>/restricted/JMXInvokerHAServlet/*</url-pattern>
</servlet-mapping>
<!-- A mapping for the JMXInvokerHAServlet that only allows invocations
of lookups under a read-only context. This is enforced by the
ReadOnlyAccessFilterHA.
-->
<servlet-mapping>
<servlet-name>JMXInvokerHAServlet</servlet-name>
<url-pattern>/readonly/JMXInvokerHAServlet/*</url-pattern>
</servlet-mapping>
<!-- An example security constraint that restricts access to the HTTP invoker
to users with the role HttpInvoker Edit the roles to what you want and
configure the WEB-INF/jboss-web.xml/security-domain element to reference
the security domain you want.
-->
<security-constraint>
<web-resource-collection>
<web-resource-name>HttpInvokers</web-resource-name>
<description>An example security config that only allows users with the
role HttpInvoker to access the HTTP invoker servlets
</description>
<url-pattern>/restricted/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>HttpInvoker</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>JBoss HTTP Invoker</realm-name>
</login-config>
<security-role>
<role-name>HttpInvoker</role-name>
</security-role>
</web-app>
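Review bot: The `<security-constraint>` on `/restricted/*` lists `<http-method>GET</http-method>` and `<http-method>POST</http-method>`, which limits the constraint to those two methods and leaves requests made with any other method outside the `HttpInvoker` role check. Dropping both `<http-method>` lines makes the constraint apply to every method. The constraint also has no transport guarantee although `<auth-method>` is BASIC; adding `<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>` would keep the credentials off clear-text HTTP. Separately, `JMXInvokerHAServlet` is declared without an `invokerName` init-param and is mapped at `/SRPInvokerHAServlet/*`, outside both `/restricted/*` and the `ReadOnlyAccessFilterHA` mapping, so that URL appears to accept serialized invocations without authentication and without being pinned to the SRP service. The `<!-- An unsecured mapping used by the SRP authentication service -->` comment should state that exposure, or a separate servlet entry restricted to the SRP invoker should back that mapping.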