Security với JAAS sử dụng DatabaseServerLoginModule

Trong bài này tôi sẽ hướng dẫn cho bạn cách secure EJB với DatabaseServerLoginModule.

1. Cấu hình database

Đầu tiên bạn thiết kế database với MDBRS là Ms SQL Server. Tạo cơ sở dữ liệu có tên EJB_SecureModule và có các bảng cùng mối quan hệ như hình

Dữ liệu cho 2 bảng

2. Cấu hình JBoss

Trước hết bạn cần cấu hình đăng nhập theo keiu63 DatabaseServerLoginModule trong file %JBOSS_HOME%\server\default\conf\logon-config.xml như sau:

<application-policy name="dbsecuritymodule">
		<authentication>
			<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                             flag="required">
				<module-option name="dsJndiName">java:/SecureDS</module-option>
				<module-option name="principalsQuery">select Password from Users where UserName=?</module-option>
				<module-option name="rolesQuery">Select Role, RoleGroup from Roles where UserName = ?
				</module-option>
			</login-module>

			<!-- Module for doing authentication from within the application -->
		<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "optional">
			<module-option name = "dsJndiName">java:/SecureDS</module-option>
			<module-option name = "principalsQuery"> select Password from Users where UserName=?</module-option>
			<module-option name = "rolesQuery">elect Role, RoleGroup from Roles where UserName = ?</module-option>
		</login-module>

		<!-- Client Login module so that the security context can be set for invoking EJBs -->
		<login-module code = "org.jboss.security.ClientLoginModule" flag = "required">
			<module-option name="restore-login-identity">true</module-option>
		</login-module>

	</authentication>
</application-policy>

Cấu hình phân đoạn datasource – tập tin secure-ds.xml trong thư mục %JBOSS_HOME%\server\default\deploy\ như sau:

<?xml version="1.0" encoding="UTF-8"?>
<datasources>
	<local-tx-datasource>
		<jndi-name>SecureDS</jndi-name>
		<use-java-context>true</use-java-context>
		<connection-url>
			jdbc:sqlserver://localhost:1433;databaseName=EJB_SecureModule
		</connection-url>
		<driver-class>
			com.microsoft.sqlserver.jdbc.SQLServerDriver
		</driver-class>
		<user-name>sa</user-name>
		<password></password>
		<metadata>
			<type-mapping>MS SQLSERVER2000</type-mapping>
		</metadata>
  </local-tx-datasource>
</datasources>

3. Tạo EJB

Trong ví dụ này đơn giản là 1 Session Bean xử lý cho các công việc của ngân hàng đơn giản bao gồm các chức năng: nộp tiền, rút tiền, chuyển tiền.

Thêm vào các business methods như sau:

public boolean Deposit(Account acc, double amount) { if (amount <= 0) { return false; } acc.setBalance(acc.getBalance() + amount); return true; } public boolean Withdral(Account acc, double amount) { if (acc.getBalance() <= amount) { return false; } acc.setBalance(acc.getBalance() - amount); return true; } public boolean Transfer(Account from, Account to, double amount) { if (from.getBalance() <= amount || amount <= 0) { return false; } to.setBalance(to.getBalance() + amount); from.setBalance(from.getBalance() - amount); return true; }

Cấu hình ejb-jar.xml như sau:

<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar version="2.1" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/ejb-jar_2_1.xsd">
    <enterprise-beans>
        <session>
            <display-name>BankingBeanSB</display-name>
            <ejb-name>BankingBeanBean</ejb-name>
            <home>vovanhai.wordpress.com.BankingBeanRemoteHome</home>
            <remote>vovanhai.wordpress.com.BankingBeanRemote</remote>
            <ejb-class>vovanhai.wordpress.com.BankingBeanBean</ejb-class>
            <session-type>Stateless</session-type>
            <transaction-type>Container</transaction-type>
        </session>
    </enterprise-beans>
    <assembly-descriptor>
        <security-role>
            <role-name>Echo</role-name>
        </security-role>
        <method-permission>
            <role-name>Echo</role-name>
            <method>
                <ejb-name>BankingBeanBean</ejb-name>
                <method-name>*</method-name>
            </method>
        </method-permission>

        <method-permission>
            <role-name>Coder</role-name>
            <method>
                <ejb-name>BankingBeanBean</ejb-name>
                <method-name>create</method-name>
            </method>
            <method>
                <ejb-name>BankingBeanBean</ejb-name>
                <method-name>Deposit</method-name>
            </method>
        </method-permission>

        <container-transaction>
            <method>
                <ejb-name>BankingBeanBean</ejb-name>
                <method-name>*</method-name>
            </method>
            <trans-attribute>Required</trans-attribute>
        </container-transaction>
    </assembly-descriptor>
</ejb-jar>

Cấu hình file jboss.xml như sau:

<?xml version="1.0" encoding="UTF-8"?>
<jboss>
    <!-- All bean containers use this security manager by default -->     
    <security-domain>java:/jaas/dbsecuritymodule</security-domain>    
    <enterprise-beans>
        <session>
            <ejb-name>BankingBeanBean</ejb-name>
            <jndi-name>ty/BankingBeanBean</jndi-name>
        </session>
    </enterprise-beans>
</jboss>

Triển khai ứng dụng lên JBoss.

Client

package securityejb_client; import javax.jms.Session; import javax.naming.InitialContext; import javax.security.auth.callback.Callback; import javax.security.auth.callback.CallbackHandler; import javax.security.auth.callback.NameCallback; import javax.security.auth.callback.PasswordCallback; import javax.security.auth.callback.UnsupportedCallbackException; import javax.security.auth.login.LoginContext; import javax.security.auth.login.LoginException; import vovanhai.wordpress.com.Account; import vovanhai.wordpress.com.BankingBeanRemote; import vovanhai.wordpress.com.BankingBeanRemoteHome; /** * * @author VoVanHai */ public class DatabaseLogonModule_client { static class AppCallbackHandler implements CallbackHandler { private String username; private char[] password; public AppCallbackHandler(String username, char[] password) { this.username = username; this.password = password; } public void handle(Callback[] callbacks) throws java.io.IOException, UnsupportedCallbackException { for (int i = 0; i < callbacks.length; i++) { if (callbacks[i] instanceof NameCallback) { NameCallback nc = (NameCallback) callbacks[i]; nc.setName(username); } else if (callbacks[i] instanceof PasswordCallback) { PasswordCallback pc = (PasswordCallback) callbacks[i]; pc.setPassword(password); } else { throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback"); } } } } public static void main(String args[]) throws Exception { System.setProperty("java.naming.factory.initial", "org.jnp.interfaces.NamingContextFactory"); System.setProperty("java.naming.provider.url", "localhost:1099"); System.setProperty("java.security.policy", "mypol.policy"); System.setSecurityManager(new SecurityManager()); System.setProperty("java.security.auth.login.config", "au.conf"); String name = "teo"; char[] password = "123".toCharArray(); String example = " sqllogonmodule "; System.out.println("+++ Running SessionClient with username=" + name + ", password=" + new String(password) + ", example=" + example); try { AppCallbackHandler handler = new AppCallbackHandler(name, password); //chay others{}trong au.conf LoginContext lc = new LoginContext("other ", handler); System.out.println("Created LoginContext"); lc.login(); System.out.println("Login success"); } catch (LoginException le) { System.out.println("Login failed"); le.printStackTrace(); } System.out.println("___Starting call business methods"); try { InitialContext ctx = new InitialContext(); Object obj = ctx.lookup("ty/BankingBeanBean"); BankingBeanRemoteHome home = (BankingBeanRemoteHome) obj; BankingBeanRemote rem = home.create(); Account acc = new Account(1900l, "Nguyen Van Teo", 1000); rem.Deposit(acc, 500); System.out.println("Deposit OK"); System.out.println("Try to withdrawal..."); rem.Withdral(acc, 300); } catch (Exception e) { e.printStackTrace(); } } }

File au.conf đặt cùng thư mục gốc của project

srp-client{ //Login Module Needed – I use Database (Note it correlates to what I had in login-config.xml org.jboss.security.auth.spi.DatabaseServerLoginModule required dsJndiName=”java:/SecureDS” principalsQuery=”select Password from Users where UserName=?” rolesQuery=”Select Role, RoleGroup from Roles where UserName = ?”; }; other{ //DEFAULT CLIENT-LOGIN MODULE org.jboss.security.ClientLoginModule required; //org.jboss.security.auth.spi.DatabaseServerLoginModule required; };

Phần srp-client cho ví dụ khác

File mypol.policy như sau

grant { permission java.security.AllPermission; };

Chạy ứng dụng, bạn sẽ có kết quả:

Thay username= java, password=echoman và chạy thử cho phép truy xuất phương thức withdrawal. Kết quả:

Chúc thành công!