[jboss-user] [Security & JAAS/JBoss] - Re: How to configure
draggy
do-not-reply at jboss.com
Thu Apr 17 03:15:25 EDT 2008
"draggy" wrote : Hello JBoss experts and professionals,
|
| Currently, I'm using JBoss Portal 2.6.4 bundle with Application server 4.2.2 and referring to http://wiki.jboss.org/wiki/NegotiateKerberos about
|
|
| | 3. Modify the ${jboss.server.dir}/conf/jboss-service.xml (if you installed via the JBoss Installer Jar, then the file you need to edit is ${jboss.server.dir}/deploy/security-service.xml) in the server you copied the jars to. You need to change the "jboss.security:service=JaasSecurityManager MBean" to use the new callback handler included with the negotiate jar.
| | You need to find the mbean definition in the file, and add or change the CallbackHandlerClassName attribute to be the following:
| |
| | <attribute name="CallbackHandlerClassName">org.jboss.web.tomcat.security.AdvancedWebCallbackHandler</attribute>
| |
| | for 4.04 you may need to use ${jboss.server.dir}/deploy/security-service.xml even if it is not installed using the JBoss Installer Jar.
| |
| | for 4.05 you may need to use ${jboss.server.dir}\deploy\security.sar\META-INF\jboss-service.xml
| |
|
| I am not sure how to configure these particular parts:
|
|
| | You need to find the mbean definition in the file, and add or change the CallbackHandlerClassName attribute to be the following:
| |
| | <attribute name="CallbackHandlerClassName">org.jboss.web.tomcat.security.AdvancedWebCallbackHandler</attribute>
| |
|
| And
|
|
| | for 4.04 you may need to use ${jboss.server.dir}/deploy/security-service.xml even if it is not installed using the JBoss Installer Jar.
| |
| | for 4.05 you may need to use ${jboss.server.dir}\deploy\security.sar\META-INF\jboss-service.xml
| |
|
| However, I have managed to find JAAS in my jboss-service.xml:
|
|
| | <!-- JAAS security manager and realm mapping -->
| | <mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
| | name="jboss.security:service=JaasSecurityManager">
| | <!-- A flag which indicates whether the SecurityAssociation server mode
| | is set on service creation. This is true by default since the
| | SecurityAssociation should be thread local for multi-threaded server
| | operation.
| | -->
| | <attribute name="ServerMode">true</attribute>
| | <attribute name="SecurityManagerClassName">org.jboss.security.plugins.JaasSecurityManager</attribute>
| | <attribute name="DefaultUnauthenticatedPrincipal">anonymous</attribute>
| | <!-- DefaultCacheTimeout: Specifies the default timed cache policy timeout
| | in seconds.
| | If you want to disable caching of security credentials, set this to 0 to
| | force authentication to occur every time. This has no affect if the
| | AuthenticationCacheJndiName has been changed from the default value.
| | -->
| | <attribute name="DefaultCacheTimeout">1800</attribute>
| | <!-- DefaultCacheResolution: Specifies the default timed cache policy
| | resolution in seconds. This controls the interval at which the cache
| | current timestamp is updated and should be less than the DefaultCacheTimeout
| | in order for the timeout to be meaningful. This has no affect if the
| | AuthenticationCacheJndiName has been changed from the default value.
| | -->
| | <attribute name="DefaultCacheResolution">60</attribute>
| | <!-- DeepCopySubjectMode: This set the copy mode of subjects done by the
| | security managers to be deep copies that makes copies of the subject
| | principals and credentials if they are cloneable. It should be set to
| | true if subject include mutable content that can be corrupted when
| | multiple threads have the same identity and cache flushes/logout clearing
| | the subject in one thread results in subject references affecting other
| | threads.
| | -->
| | <attribute name="DeepCopySubjectMode">false</attribute>
| | </mbean>
| |
|
| May I know how to configure it?
|
| Thank you
|
Is it just to add the
| <attribute name="CallbackHandlerClassName">org.jboss.web.tomcat.security.AdvancedWebCallbackHandler</attribute>
|
just like this:
| <!-- JAAS security manager and realm mapping -->
| <mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
| name="jboss.security:service=JaasSecurityManager">
| <!-- A flag which indicates whether the SecurityAssociation server mode
| is set on service creation. This is true by default since the
| SecurityAssociation should be thread local for multi-threaded server
| operation.
| -->
| <attribute name="ServerMode">true</attribute>
| <attribute name="CallbackHandlerClassName">org.jboss.web.tomcat.security.AdvancedWebCallbackHandler</attribute>
| <attribute name="SecurityManagerClassName">org.jboss.security.plugins.JaasSecurityManager</attribute>
| <attribute name="DefaultUnauthenticatedPrincipal">anonymous</attribute>
| <!-- DefaultCacheTimeout: Specifies the default timed cache policy timeout
| in seconds.
| If you want to disable caching of security credentials, set this to 0 to
| force authentication to occur every time. This has no affect if the
| AuthenticationCacheJndiName has been changed from the default value.
| -->
| <attribute name="DefaultCacheTimeout">1800</attribute>
| <!-- DefaultCacheResolution: Specifies the default timed cache policy
| resolution in seconds. This controls the interval at which the cache
| current timestamp is updated and should be less than the DefaultCacheTimeout
| in order for the timeout to be meaningful. This has no affect if the
| AuthenticationCacheJndiName has been changed from the default value.
| -->
| <attribute name="DefaultCacheResolution">60</attribute>
| <!-- DeepCopySubjectMode: This set the copy mode of subjects done by the
| security managers to be deep copies that makes copies of the subject
| principals and credentials if they are cloneable. It should be set to
| true if subject include mutable content that can be corrupted when
| multiple threads have the same identity and cache flushes/logout clearing
| the subject in one thread results in subject references affecting other
| threads.
| -->
| <attribute name="DeepCopySubjectMode">false</attribute>
| </mbean>
|
Is it correct?
Thank you
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4144732#4144732
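A way to check the edit described in the quoted wiki step, as an added example that is not part of the original post or of the JBoss distribution: it parses a service descriptor and confirms that the `jboss.security:service=JaasSecurityManager` mbean carries exactly one `CallbackHandlerClassName` attribute with the value the wiki gives. The `<server>` root element and the trimmed sample descriptor are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Both values are taken from the wiki text quoted in the post.
MBEAN_NAME = "jboss.security:service=JaasSecurityManager"
EXPECTED = "org.jboss.web.tomcat.security.AdvancedWebCallbackHandler"

# Constructed sample: a trimmed descriptor with the attribute added inside the
# mbean element. The <server> wrapper is assumed; point the check at the real
# jboss-service.xml or security-service.xml by reading the file instead.
SAMPLE = """<server>
  <mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
         name="jboss.security:service=JaasSecurityManager">
    <attribute name="ServerMode">true</attribute>
    <attribute name="CallbackHandlerClassName">org.jboss.web.tomcat.security.AdvancedWebCallbackHandler</attribute>
    <attribute name="SecurityManagerClassName">org.jboss.security.plugins.JaasSecurityManager</attribute>
  </mbean>
</server>"""


def check_callback_handler(xml_text):
    """Return (ok, message) for the JaasSecurityManager callback handler setting."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A broken comment or unclosed tag stops the service from deploying.
        return False, f"descriptor is not well-formed XML: {exc}"
    mbeans = [m for m in root.iter("mbean") if m.get("name") == MBEAN_NAME]
    if len(mbeans) != 1:
        return False, f"expected one {MBEAN_NAME} mbean, found {len(mbeans)}"
    # Only direct children count: an attribute pasted after </mbean> or into
    # another mbean does not configure this service.
    values = [(a.text or "").strip() for a in mbeans[0].findall("attribute")
              if a.get("name") == "CallbackHandlerClassName"]
    if not values:
        return False, "CallbackHandlerClassName is not set on the mbean"
    if len(values) > 1:
        return False, "CallbackHandlerClassName is set more than once"
    if values[0] != EXPECTED:
        return False, f"unexpected callback handler: {values[0]!r}"
    return True, "CallbackHandlerClassName is set to the expected handler"


if __name__ == "__main__":
    print(check_callback_handler(SAMPLE))
```
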