User: stark
Date: 01/02/12 01:18:33
Added: security/src/main/resources SRPVerifierStore.ser auth.conf
jboss.conf jboss.jcml jndi.properties run_patch.bat
run_patch.sh sample_policy.xml server-auth.conf
server.policy tst-policy.xml tst.policy
Log:
Various config files and scripts used to patch the JBoss server config
with the security extension framework and test policies
Revision Changes Path
1.1 contrib/security/src/main/resources/SRPVerifierStore.ser
<<Binary file>>
1.1 contrib/security/src/main/resources/auth.conf
Index: auth.conf
===================================================================
other {
// Put your login modules that work without jBoss here
security.srp.protocol.jaas.SRPLoginModule required
password-stacking="useFirstPass"
principalClassName="org.jboss.security.SimplePrincipal"
srpServerJndiName="SRPServerInterface"
debug=true
;
// jBoss LoginModule
org.jboss.security.ClientLoginModule required
password-stacking="useFirstPass"
;
// Put your login modules that need jBoss here
};
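Review bot: The `SRPLoginModule` entry in the `other` block ships with `debug=true`, so this committed client-side default turns on the module's debug output; what that output contains is up to the module, but login-module debug traces commonly include principal names and protocol state, so the safe default for a checked-in file is `debug=false` with a comment on how to enable it for troubleshooting. The same option is set to `true` in the `srp-login` policy of tst-policy.xml in this commit. A short comment above the chain would also help a reader: `// Client chain: SRPLoginModule authenticates against SRPServerInterface, then ClientLoginModule reuses the shared password (password-stacking=useFirstPass)`.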
1.1 contrib/security/src/main/resources/jboss.conf
Index: jboss.conf
===================================================================
<MLET CODE = "org.jboss.logging.Logger" ARCHIVE="jboss.jar"
CODEBASE="../../lib/ext/">
</MLET>
<MLET CODE = "org.jboss.logging.ConsoleLogging" ARCHIVE="jboss.jar"
CODEBASE="../../lib/ext/">
<ARG TYPE="java.lang.String" VALUE="Information,Warning,Error">
<ARG TYPE="java.lang.String" VALUE="[{2}] {4}">
</MLET>
<MLET CODE = "org.jboss.util.Info" ARCHIVE="jboss.jar" CODEBASE="../../lib/ext/">
</MLET>
<MLET CODE = "org.jboss.util.ClassPathExtension" ARCHIVE="jboss.jar"
CODEBASE="../../lib/ext/">
<ARG TYPE="java.lang.String" VALUE="../../log/">
</MLET>
<MLET CODE = "org.jboss.logging.FileLogging" ARCHIVE="jboss.jar"
CODEBASE="../../lib/ext/">
<ARG TYPE="java.lang.String" VALUE="Information,Debug,Warning,Error">
<ARG TYPE="java.lang.String" VALUE="[{2}] {4}">
</MLET>
<MLET CODE = "org.jboss.util.ClassPathExtension" ARCHIVE="jboss.jar"
CODEBASE="../../lib/ext/">
<ARG TYPE="java.lang.String" VALUE="../../tmp/">
</MLET>
<MLET CODE = "org.jboss.util.ClassPathExtension" ARCHIVE="jboss.jar"
CODEBASE="../../lib/ext/">
<ARG TYPE="java.lang.String" VALUE="../../db/">
</MLET>
<MLET CODE = "org.jboss.util.ClassPathExtension" ARCHIVE="jboss.jar"
CODEBASE="../../lib/ext/">
<ARG TYPE="java.lang.String" VALUE="./">
</MLET>
<MLET CODE = "org.jboss.util.ClassPathExtension" ARCHIVE="jboss.jar"
CODEBASE="../../lib/ext/">
<ARG TYPE="java.lang.String" VALUE="../../lib/patch/">
</MLET>
<MLET CODE = "org.jboss.util.ClassPathExtension" ARCHIVE="jboss.jar"
CODEBASE="../../lib/ext/">
<ARG TYPE="java.lang.String" VALUE="../../lib/restricted/">
</MLET>
<!-- MLET CODE = "org.jboss.util.ClassPathExtension" ARCHIVE="jboss.jar"
CODEBASE="../../lib/ext/">
--ARG TYPE="java.lang.String"
VALUE="/usr/local/Java/servlets/jakarta-tomcat-3.2.1/lib/">
--ARG TYPE="java.lang.String" VALUE="Tomcat">
--/MLET -->
<!-- Uncomment to add Jetty classes to classpath (make sure Arg1 ends in a slash) -->
<MLET CODE = "org.jboss.util.ClassPathExtension" ARCHIVE="jboss.jar"
CODEBASE="../../lib/ext/">
<ARG TYPE="java.lang.String" VALUE="/usr/local/Java/Jetty/lib/">
<ARG TYPE="java.lang.String" VALUE="Jetty">
</MLET>
<MLET CODE = "org.jboss.configuration.ConfigurationService"
ARCHIVE="jboss.jar,../xml.jar" CODEBASE="../../lib/ext/">
</MLET>
<MLET CODE = "org.jboss.util.Shutdown" ARCHIVE="jboss.jar" CODEBASE="../../lib/ext/">
</MLET>
<MLET CODE = "org.jboss.util.ServiceControl" ARCHIVE="jboss.jar"
CODEBASE="../../lib/ext/">
</MLET>
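Review bot: The Jetty `ClassPathExtension` MLET near the end is active, yet the comment directly above it still reads "Uncomment to add Jetty classes", and its first argument is the machine-specific absolute path `/usr/local/Java/Jetty/lib/`, while jboss.jcml in this same commit leaves `WarDeployerName` at `:service=EmbeddedTomcat`. Either wrap the Jetty MLET in a comment as the Tomcat block above it is, or correct the comment, and prefer a path relative to the JBoss tree like the other entries use. The commented-out Tomcat block also uses `--ARG` lines inside a `<!-- -->` comment; if this file is ever fed to a strict XML parser, `--` inside a comment is not well-formed, so commenting out the whole MLET as one unit is the cleaner form.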
1.1 contrib/security/src/main/resources/jboss.jcml
Index: jboss.jcml
===================================================================
<?xml version="1.0" encoding="UTF-8"?>
<!-- This is where you can add and configure your MBeans
ATTENTION: The order of the listing here is the same order as
the MBeans are loaded. Therefore if a MBean depends on another
MBean to be loaded and started it has to be listed after all
the MBeans it depends on.
-->
<server>
<!-- Classloading -->
<mbean code="org.jboss.web.WebService" name="DefaultDomain:service=Webserver">
<attribute name="Port">8083</attribute>
</mbean>
<!-- JNDI -->
<mbean code="org.jboss.naming.NamingService" name="DefaultDomain:service=Naming">
<attribute name="Port">1099</attribute>
</mbean>
<!-- Transactions -->
<mbean code="org.jboss.tm.TransactionManagerService"
name="DefaultDomain:service=TransactionManager">
<attribute name="TransactionTimeout">300</attribute>
</mbean>
<!-- Security -->
<!-- JAAS security manager and realm mapping -->
<mbean code="org.jboss.security.plugins.SRPVerifierStoreService"
name="Security:name=SRPVerifierStoreService">
<attribute name="JndiName">SRPDefaultVerifierSource</attribute>
<attribute name="StoreFile">SRPVerifierStore.ser</attribute>
</mbean>
<mbean code="org.jboss.security.plugins.SRPService" name="service:name=SRPService">
<attribute name="JndiName">SRPServerInterface</attribute>
<attribute name="VerifierSourceJndiName">SRPDefaultVerifierSource</attribute>
<attribute name="AuthenticationCacheJndiName">SRPAuthenticationCache</attribute>
<attribute name="ServerPort">10099</attribute>
</mbean>
<mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
name="Security:name=JaasSecurityManager">
<attribute
name="SecurityManagerClass">org.jboss.security.plugins.SubjectSecurityManager</attribute>
<attribute name="AuthenticationCacheJndiName">SRPAuthenticationCache</attribute>
</mbean>
<mbean code="org.jboss.security.plugins.SecurityPolicyService"
name="Security:name=SecurityPolicyService">
<attribute name="JndiName">DefaultSecurityPolicy</attribute>
<attribute name="PolicyFile">sample_policy.xml</attribute>
</mbean>
<!-- JDBC -->
<mbean code="org.jboss.jdbc.JdbcProvider"
name="DefaultDomain:service=JdbcProvider">
<attribute
name="Drivers">org.hsql.jdbcDriver,org.enhydra.instantdb.jdbc.idbDriver</attribute>
</mbean>
<mbean code="org.jboss.jdbc.HypersonicDatabase"
name="DefaultDomain:service=Hypersonic">
<attribute name="Port">1476</attribute>
<attribute name="Silent">true</attribute>
<attribute name="Database">default</attribute>
<attribute name="Trace">false</attribute>
</mbean>
<mbean code="org.jboss.jdbc.XADataSourceLoader"
name="DefaultDomain:service=XADataSource,name=InstantDB">
<attribute name="PoolName">InstantDB</attribute>
<attribute
name="DataSourceClass">org.opentools.minerva.jdbc.xa.wrapper.XADataSourceImpl</attribute>
<attribute name="Properties"></attribute>
<attribute name="URL">jdbc:idb:../conf/default/instantdb.properties</attribute>
<attribute name="GCMinIdleTime">1200000</attribute>
<attribute name="JDBCUser" />
<attribute name="MaxSize">10</attribute>
<attribute name="Password" />
<attribute name="GCEnabled">false</attribute>
<attribute name="InvalidateOnError">false</attribute>
<attribute name="TimestampUsed">false</attribute>
<attribute name="Blocking">true</attribute>
<attribute name="GCInterval">120000</attribute>
<attribute name="IdleTimeout">1800000</attribute>
<attribute name="IdleTimeoutEnabled">false</attribute>
<attribute name="LoggingEnabled">false</attribute>
<attribute name="MaxIdleTimeoutPercent">1.0</attribute>
<attribute name="MinSize">0</attribute>
</mbean>
<mbean code="org.jboss.jdbc.XADataSourceLoader"
name="DefaultDomain:service=XADataSource,name=DefaultDS">
<attribute name="PoolName">DefaultDS</attribute>
<attribute
name="DataSourceClass">org.opentools.minerva.jdbc.xa.wrapper.XADataSourceImpl</attribute>
<attribute name="Properties"></attribute>
<attribute name="URL">jdbc:HypersonicSQL:hsql://localhost:1476</attribute>
<attribute name="GCMinIdleTime">1200000</attribute>
<attribute name="JDBCUser">sa</attribute>
<attribute name="MaxSize">10</attribute>
<attribute name="Password" />
<attribute name="GCEnabled">false</attribute>
<attribute name="InvalidateOnError">false</attribute>
<attribute name="TimestampUsed">false</attribute>
<attribute name="Blocking">true</attribute>
<attribute name="GCInterval">120000</attribute>
<attribute name="IdleTimeout">1800000</attribute>
<attribute name="IdleTimeoutEnabled">false</attribute>
<attribute name="LoggingEnabled">false</attribute>
<attribute name="MaxIdleTimeoutPercent">1.0</attribute>
<attribute name="MinSize">0</attribute>
</mbean>
<!-- J2EE deployment -->
<mbean code="org.jboss.ejb.ContainerFactory" name=":service=ContainerFactory">
<attribute name="VerifyDeployments">true</attribute>
<attribute name="MetricsEnabled">false</attribute>
<attribute name="VerifierVerbose">true</attribute>
<attribute name="BeanCacheJMSMonitoringEnabled">false</attribute>
</mbean>
<!-- Uncomment to add embedded tomcat service
<mbean code="org.jboss.tomcat.EmbeddedTomcatService"
name="DefaultDomain:service=EmbeddedTomcat" />
-->
<!-- Uncomment and set file URL to add Jetty service (you can set config more than
once)
<mbean code="org.jboss.jetty.JettyService" name="DefaultDomain:service=Jetty">
<attribute
name="Configuration">file:/usr/local/src/cvsroot/jBoss/jboss/dist/conf/default/jetty.xml</attribute>
</mbean>
-->
<!-- For Message Driven Beans -->
<mbean code="org.jbossmq.server.JBossMQService"
name="DefaultDomain:service=JBossMQ" />
<mbean code="org.jboss.jms.jndi.JMSProviderLoader"
name=":service=JMSProviderLoader,name=JBossMQProvider">
<attribute name="ProviderName">DefaultJMSProvider</attribute>
<attribute
name="ProviderAdapterClass">org.jboss.jms.jndi.JBossMQProvider</attribute>
</mbean>
<mbean code="org.jboss.jms.asf.ServerSessionPoolLoader"
name=":service=ServerSessionPoolMBean,name=StdJMSPool">
<attribute name="PoolName">StdJMSPool</attribute>
<attribute
name="PoolFactoryClass">org.jboss.jms.asf.StdServerSessionPoolFactory</attribute>
</mbean>
<!-- Make sure you change EmbeddedTomcat to Jetty if you are using Jetty -->
<mbean code="org.jboss.deployment.J2eeDeployer" name="J2EE:service=J2eeDeployer">
<attribute name="DeployerName">Default</attribute>
<attribute name="JarDeployerName">:service=ContainerFactory</attribute>
<attribute name="WarDeployerName">:service=EmbeddedTomcat</attribute>
</mbean>
<mbean code="org.jboss.ejb.AutoDeployer" name="EJB:service=AutoDeployer">
<attribute name="Deployer">J2EE:service=J2eeDeployer</attribute>
<attribute name="URLs">../deploy</attribute>
</mbean>
<!-- J2EE connector architecture -->
<mbean code="org.jboss.resource.RARDeployer" name="JCA:service=RARDeployer">
</mbean>
<!-- Minerva local transaction connection manager factory.
Use this for resource adapters that support "local"
transactions. -->
<mbean code="org.jboss.resource.ConnectionManagerFactoryLoader"
name="JCA:service=ConnectionManagerFactoryLoader,name=MinervaSharedLocalCMFactory">
<attribute name="FactoryName">MinervaSharedLocalCMFactory</attribute>
<attribute
name="FactoryClass">org.opentools.minerva.connector.jboss.MinervaSharedLocalCMFactory</attribute>
<attribute name="Properties"></attribute>
</mbean>
<!-- Minerva XA transaction connection manager factory
Use this for resource adapters that support "xa"
transactions. -->
<mbean code="org.jboss.resource.ConnectionManagerFactoryLoader"
name="JCA:service=ConnectionManagerFactoryLoader,name=MinervaXACMFactory">
<attribute name="FactoryName">MinervaXACMFactory</attribute>
<attribute
name="FactoryClass">org.opentools.minerva.connector.jboss.MinervaXACMFactory</attribute>
<attribute name="Properties"></attribute>
</mbean>
<!-- Example connection factory for the example "Black Box" resource
adapter. This points at the same database as DefaultDS. -->
<mbean code="org.jboss.resource.ConnectionFactoryLoader"
name="JCA:service=ConnectionFactoryLoader,name=BlackBoxDS">
<attribute name="FactoryName">BlackBoxDS</attribute>
<attribute name="RARDeployerName">JCA:service=RARDeployer</attribute>
<attribute name="ResourceAdapterName">Black Box LocalTx Adapter</attribute>
<attribute name="Properties">
ConnectionURL=jdbc:HypersonicSQL:hsql://localhost:1476
</attribute>
<attribute
name="ConnectionManagerFactoryName">MinervaSharedLocalCMFactory</attribute>
<!-- See the documentation for the specific connection manager
implementation you are using for the properties you can set -->
<attribute name="ConnectionManagerProperties">
# Pool type - uncomment to force, otherwise it is the default
#PoolConfiguration=per-factory
# Connection pooling properties - see
# org.opentools.minerva.pool.PoolParameters
MinSize=0
MaxSize=10
Blocking=true
GCEnabled=false
IdleTimeoutEnabled=false
InvalidateOnError=false
TrackLastUsed=false
GCIntervalMillis=120000
GCMinIdleMillis=1200000
IdleTimeoutMillis=1800000
MaxIdleTimeoutPercent=1.0
</attribute>
<!-- Principal mapping configuration -->
<attribute
name="PrincipalMappingClass">org.jboss.resource.security.ManyToOnePrincipalMapping</attribute>
<attribute name="PrincipalMappingProperties">
userName=sa
password=
</attribute>
</mbean>
<!-- This is an example of using a resource adapter that supports XA
transactions. The Black Box XA resource adapter requires an
XADataSource to be in JNDI somewhere. JBoss doesn't include a
database with an XA-compliant JDBC driver, so this will need to
be configured to use whatever XADataSource implementation you
have.
<mbean code="org.jboss.jdbc.RawXADataSourceLoader"
name="DefaultDomain:service=RawXADataSourceLoader,name=BlackBoxXADS">
<attribute name="PoolName">BlackBoxXADS</attribute>
<attribute name="DataSourceClass">Put your XADataSource implementation class
here</attribute>
<attribute name="Properties"></attribute>
</mbean>
<mbean code="org.jboss.resource.ConnectionFactoryLoader"
name="JCA:service=ConnectionFactoryLoader,name=XABlackBoxDS">
<attribute name="FactoryName">XABlackBoxDS</attribute>
<attribute name="RARDeployerName">JCA:service=RARDeployer</attribute>
<attribute name="ResourceAdapterName">Black Box XA Adapter</attribute>
<attribute name="Properties">
XADataSourceName=java:/BlackBoxXADS
</attribute>
<attribute name="ConnectionManagerFactoryName">MinervaXACMFactory</attribute>
<attribute name="ConnectionManagerProperties">
# Pool type - uncomment to force, otherwise it is the default
#PoolConfiguration=per-factory
# Connection pooling properties - see
# org.opentools.minerva.pool.PoolParameters
MinSize=0
MaxSize=10
Blocking=true
GCEnabled=false
IdleTimeoutEnabled=false
InvalidateOnError=false
TrackLastUsed=false
GCIntervalMillis=120000
GCMinIdleMillis=1200000
IdleTimeoutMillis=1800000
MaxIdleTimeoutPercent=1.0
</attribute>
<attribute
name="PrincipalMappingClass">org.jboss.resource.security.ManyToOnePrincipalMapping</attribute>
<attribute name="PrincipalMappingProperties">
userName=sa
password=
</attribute>
</mbean>
-->
<!-- JMX adaptors -->
<mbean code="org.jboss.jmx.server.JMXAdaptorService" name="Adaptor:name=RMI" />
<mbean code="org.jboss.jmx.server.RMIConnectorService" name="Connector:name=RMI" />
<mbean code="com.sun.jdmk.comm.HtmlAdaptorServer" name="Adaptor:name=html">
<attribute name="MaxActiveClientCount">10</attribute>
<attribute name="Parser" />
<attribute name="Port">8082</attribute>
</mbean>
<!-- Mail Connection Factory -->
<mbean code="org.jboss.mail.MailService" name=":service=Mail">
<attribute name="JNDIName">Mail</attribute>
<attribute name="ConfigurationFile">mail.properties</attribute>
<attribute name="User">user_id</attribute>
<attribute name="Password">password</attribute>
</mbean>
<!-- Uncomment to enable JMX monitoring of the bean cache
<mbean code="org.jboss.monitor.BeanCacheMonitor"
name="Monitor:name=BeanCacheMonitor"/>
-->
<!-- Add your custom MBeans here -->
</server>
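Review bot: The `DefaultDS` pool logs into Hypersonic as `JDBCUser` `sa` with an empty `Password`, the `BlackBoxDS` principal mapping repeats `userName=sa` / `password=`, and `MailService` carries literal placeholder credentials `user_id` / `password`, all in a file committed to patch the server config; since this same file wires up the SRP and JAAS security services, the empty and placeholder credentials should at least be marked: `<!-- DEV ONLY: sa with empty password is the Hypersonic default; set real credentials before exposing port 1476 -->`. The `HtmlAdaptorServer` on port 8082 is configured with only `MaxActiveClientCount`, `Parser` and `Port`, so no authentication is set here and the management console is open to anything that can reach that port; this is inherited from the stock config, but a comment noting it must stay on a trusted network is warranted. Separately, `SRPService` is registered as `service:name=SRPService` while its sibling security MBeans use the `Security:` domain; `name="Security:name=SRPService"` would keep the naming consistent, provided nothing looks it up by the current name.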
1.1 contrib/security/src/main/resources/jndi.properties
Index: jndi.properties
===================================================================
# JNDI initial context properties for jboss app server
java.naming.factory.initial=org.jnp.interfaces.NamingContextFactory
java.naming.provider.url=localhost
java.naming.factory.url.pkgs=org.jboss.naming
1.1 contrib/security/src/main/resources/run_patch.bat
Index: run_patch.bat
===================================================================
@echo off
@if not "%ECHO%" == "" echo %ECHO%
@if "%OS%" == "Windows_NT" setlocal
REM Add all login modules for JAAS-based security
REM and all libraries that are used by them here
set CP=run.jar;../lib/patch/jboss-jaas-patch.jar
REM Set jboss.home so that the server.policy file rules expand correctly
set [EMAIL PROTECTED]@
java %VMOPTS% -classpath "%CP%" org.jboss.Main -p ../lib/patch %1 %2
pause
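Review bot: The line between the `jboss.home` comment and the `java` invocation reads `set [EMAIL PROTECTED]@`, which is the mail archive's address obfuscation rather than the committed text, so the value actually set there cannot be reviewed from this page; the corresponding line of run_patch.sh is mangled the same way. Whatever it sets, the `${jboss.home}` references in server.policy expand a Java system property, so the value has to reach the JVM as a `-D` option (presumably via `%VMOPTS%`), not merely as an environment variable. The invocation also forwards only `%1 %2` while run_patch.sh forwards `$*`; on Windows NT `%*` forwards every argument and would keep the two scripts consistent.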
1.1 contrib/security/src/main/resources/run_patch.sh
Index: run_patch.sh
===================================================================
#!/bin/sh
# Add all login modules for JAAS-based security
# and all libraries that are used by them here
CP=run.jar:../lib/patch/jboss-jaas-patch.jar
# Set jboss.home so that the server.policy file rules expand correctly
[EMAIL PROTECTED]@
java $VMOPTS -classpath "$CP" org.jboss.Main -p ../lib/patch $*
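Review bot: `$*` on the `java` line re-splits any argument containing spaces, so a path passed through to `org.jboss.Main` would arrive as several arguments; `"$@"` preserves each argument as given: `java $VMOPTS -classpath "$CP" org.jboss.Main -p ../lib/patch "$@"`. The script also never changes into its own directory, so `run.jar` and `../lib/patch` resolve against the caller's working directory; a comment such as `# Must be run from the JBoss bin directory` would make that requirement explicit.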
1.1 contrib/security/src/main/resources/sample_policy.xml
Index: sample_policy.xml
===================================================================
<?xml version = "1.0" encoding = "UTF-8"?>
<policy>
<application-policy name = "test-domain">
<authentication>
<login-module code =
"org.jboss.security.plugins.DigestLoginModule" flag = "required">
<module-option name =
"digest-algorithm">SHA</module-option>
</login-module>
</authentication>
<authorization>
<grant>
<principal code = "org.jboss.security.SimplePrincipal"
name = "scott"/>
<permission code =
"org.jboss.test.security.test.NamespacePermission" name = "Project1" actions = "rwxd"/>
<permission code =
"org.jboss.test.security.test.NamespacePermission" name = "Project1/Documents/Private"
actions = "rw-d"/>
</grant>
<grant>
<principal code = "org.jboss.security.SimplePrincipal"
name = "starksm"/>
<permission code =
"org.jboss.test.security.test.NamespacePermission" name = "Project1/Documents/Public"
actions = "r---"/>
</grant>
</authorization>
</application-policy>
</policy>
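Review bot: The `test-domain` policy authenticates through `DigestLoginModule` with `digest-algorithm` set to `SHA`; if that value is handed to `MessageDigest`, `SHA` is the JCA alias for SHA-1, and an unsalted single digest of a password offers little protection once the digests are exposed, so the option deserves a comment stating which algorithm it really selects and that this domain is a test fixture. This file is also the one jboss.jcml loads as `PolicyFile` for `SecurityPolicyService`, so it acts as the default policy rather than just a sample, and a header comment should say so: `<!-- Test fixture. digest-algorithm "SHA": confirm whether this reaches MessageDigest, where it means SHA-1. Loaded as the default PolicyFile by SecurityPolicyService in jboss.jcml. -->`.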
1.1 contrib/security/src/main/resources/server-auth.conf
Index: server-auth.conf
===================================================================
RestoreSubjectFromCache {
org.jboss.security.plugins.RestoreSubjectFromCacheLoginModule required;
};
// The default server login module
other {
// A realistic server login module, which can be used when the number
// of users is relatively small. It uses two properties files:
// users.properties, which holds users (key) and their password (value).
// roles.properties, which holds users (key) and a comma-separated list of
their roles (value).
org.jboss.security.plugins.samples.JaasServerLoginModule required;
// For database based authentication comment the line above,
// uncomment the line below and adjust the parameters in quotes
// Database server login module provides security manager only, no role mapping
// org.jboss.security.plugins.DatabaseServerLoginModule required
db="jdbc/DbJndiName" table="UserTable" name="UserNameColumn" password="UserPswColumn";
};
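Review bot: Two comment continuation lines inside the `other` block carry no `//`: `their roles (value).` under the roles.properties comment, and the `db="jdbc/DbJndiName" table="UserTable" ...;` options under the commented-out `DatabaseServerLoginModule` line. If these are real line breaks and not just mail-archive wrapping, the JAAS configuration parser meets them as bare tokens and fails to load the whole file, which takes down the server login configuration; each continuation line needs its own `//`. Worth confirming against the committed file, since the page cannot distinguish the two cases.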
1.1 contrib/security/src/main/resources/server.policy
Index: server.policy
===================================================================
/* A Java2 security file that gives no permissions to any
files loaded
*/
grant codeBase "file:${jboss.home}/lib/restricted/-" {
};
grant codeBase "file:${jboss.home}/client/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.home}/lib/patch/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.home}/lib/ext/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.home}/lib/*" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.home}/bin/run.jar" {
permission java.security.AllPermission;
};
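Review bot: The header comment says this policy "gives no permissions to any files loaded", but only the `lib/restricted/-` code base is left empty; `client/-`, `lib/patch/-`, `lib/ext/-`, `lib/*` and `bin/run.jar` all receive `java.security.AllPermission`, so the comment misdescribes the file. Suggested header: `/* Java2 security policy for the patched server: code loaded from lib/restricted gets NO permissions; all other JBoss code bases (client, lib, lib/ext, lib/patch, bin/run.jar) get AllPermission. ${jboss.home} must be supplied as a system property by the run script. */`. Note that `lib/*` matches jars directly in lib but not its subdirectories, which appears intended given the separate restricted grant.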
1.1 contrib/security/src/main/resources/tst-policy.xml
Index: tst-policy.xml
===================================================================
<?xml version = "1.0" encoding = "UTF-8"?>
<policy>
<application-policy name = "test-domain">
<authentication>
<login-module code =
"org.jboss.security.plugins.IdentityLoginModule" flag = "required">
<module-option name =
"principal">starksm</module-option>
</login-module>
</authentication>
<authorization>
<grant>
<principal code = "org.jboss.security.SimplePrincipal"
name = "scott"/>
<permission code =
"org.jboss.test.security.test.NamespacePermission" name = "Project1" actions = "rwxd"/>
<permission code =
"org.jboss.test.security.test.NamespacePermission" name = "Project1/Documents/Private"
actions = "rw-d"/>
</grant>
<grant>
<principal code = "org.jboss.security.SimplePrincipal"
name = "starksm"/>
<permission code =
"org.jboss.test.security.test.NamespacePermission" name = "Project1/Documents/Public"
actions = "r---"/>
</grant>
</authorization>
</application-policy>
<!-- A application policy that specifies the SRPLoginModule + JBoss
ClientLogin module
for testing the secure authentication link.
-->
<application-policy name = "srp-login">
<authentication>
<login-module code =
"security.srp.protocol.jaas.SRPLoginModule" flag = "required">
<module-option name =
"password-stacking">useFirstPass</module-option>
<module-option name =
"principalClassName">org.jboss.security.SimplePrincipal</module-option>
<module-option name =
"srpServerJndiName">SRPServerInterface</module-option>
<module-option name = "debug">true</module-option>
</login-module>
<login-module code = "org.jboss.security.ClientLoginModule"
flag = "required">
<module-option name =
"password-stacking">useFirstPass</module-option>
</login-module>
</authentication>
</application-policy>
</policy>
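Review bot: The `test-domain` authorization block here is a verbatim copy of the one in sample_policy.xml (same two grants for `scott` and `starksm`), so every change to the test permissions has to be made twice; a comment pointing at the other copy would at least stop them drifting silently: `<!-- Keep in sync with sample_policy.xml: identical test-domain grants -->`. The comment introducing `srp-login` also has a grammar slip, `A application policy` should read `An application policy`.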
1.1 contrib/security/src/main/resources/tst.policy
Index: tst.policy
===================================================================
grant {
permission java.security.SecurityPermission "*";
permission javax.security.auth.AuthPermission "*";
permission java.lang.RuntimePermission "*";
permission java.util.PropertyPermission "*", "read";
permission java.util.PropertyPermission "cache.auth.policy", "read,write";
};
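Review bot: This `grant` has no `codeBase` or `signedBy`, so every class on the test classpath receives `java.lang.RuntimePermission "*"`, `java.security.SecurityPermission "*"` and `javax.security.auth.AuthPermission "*"`, which together amount to nearly unrestricted power and are the opposite of the restrictive `server.policy` in this commit. That is fine for a test harness only if nobody can mistake it for a server policy, so it needs a header comment: `// Test-only policy for the security unit tests: grants near-total permissions to ALL code; never install as the server policy`. Java policy files accept `//` and `/* */` comments, as server.policy in this commit already uses.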