Configuring Container-Managed Security

This document covers the following topics:


General Information

The Natural Web I/O Interface client comes as a Java EE-based application. For the ease of installation, the access to this application is by default not secured. You might, however, wish to restrict the access to certain parts of the application to certain users. An important example is the configuration tool, which enables you to modify the Natural session definitions and the logging configuration of the Natural Web I/O Interface client. Another example is the Natural logon page.

This section does not cover the concepts of JAAS-based security in full extent. It provides, however, sufficient information to activate the preconfigured security settings of the Natural Web I/O Interface client and to adapt them to your requirements. More information on the topics described in this section can be found, for instance, at http://www.jboss.org/jbossas/docs/ (security on JBoss is described in the Configuration Guide).

Name and Location of the Configuration File

Security is configured in the file web.xml. The path to this file depends on the application server.

  • JBoss Application Server
    <application-server-install-dir>/server/default/deploy/natuniapp.ear/natuniweb.war/WEB-INF

  • Sun Java System Application Server
    <application-server-install-dir>/domains/domain1/applications/j2ee-apps/natuniapp/natuniweb_war/WEB-INF

  • Oracle GlassFish Server
    <application-server-install-dir>/glassfish/domains/domain1/applications/natuniweb/WEB-INF

  • Apache Tomcat
    <application-server-install-dir>/webapps/natuniweb/WEB-INF

Note:
The following applies for Sun Java System Application Server as of Version 9 and to Oracle GlassFish Server: After the deployment, the file web.xml can no longer be modified. Therefore, it is important that you unpack the WAR file before deploying it, make your changes to the web.xml file, repack the WAR file, and then deploy it. For this reason, unsigned WAR files are delivered for these two application servers.

Activating Security

Great care must be taken when editing and changing the configuration file web.xml. After a change, the application server must be restarted.

Edit the file web.xml and look for the section that is commented with "Uncomment the next lines to add security constraints and roles.". Uncomment this section by removing the comment marks shown in boldface below:

<!-- Uncomment the next lines to add security constraints and roles. -->
<!-- 
<security-constraint>
    <web-resource-collection>   
    <web-resource-name>Configuration Tool</web-resource-name>
        <url-pattern>/conf_index.jsp</url-pattern>
        <url-pattern>/faces/*</url-pattern>
    </web-resource-collection>
...
<security-role>
    <description>Administrator</description>
    <role-name>nwoadmin</role-name>
</security-role>
-->

Defining Security Constraints

The security constraints defined by default are just examples. A <security-constraint> element contains of a number of <web-resource-collection> elements combined with an <auth-constraint> element. The <auth-constraint> element contains a <role-name>. The whole <security-constraint> element describes which roles have access to the specified resources.

Example - the following definition specifies that only users in the role "nwoadmin" have access to the configuration tool:

<security-constraint>
    <web-resource-collection>   
    <web-resource-name>Configuration Tool</web-resource-name>
        <url-pattern>/conf_index.jsp</url-pattern>            
        <url-pattern>/faces/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>nwoadmin</role-name>
    </auth-constraint>
</security-constraint>

In the following section, you will see where and how the roles are defined.

Defining Roles

A few lines below in the file web.xml, there is a section <security-role>. Here, the roles that can be used in <security-constraint> elements are defined. You can define additional roles as needed. The assignment of users to roles is done outside this file and will often be done in a user management that is already established at your site.

Example:

<security-role>
    <description>Administrator</description>
    <role-name>nwoadmin</role-name>
</security-role>

Selecting the Authentication Method

In the file web.xml, there is a section <login-config>. The only element that should possibly be adapted here is <auth-method>. You can choose between the authentication methods "FORM" and "BASIC". Form-based authentication displays a specific page on which users who try to access a restricted resource can authenticate themselves. Basic authentication advises the web browser to retrieve the user credentials with its own dialog box.

Example:

<login-config>
    <auth-method>FORM</auth-method>
...
</login-config>

Choosing the Login Module (JBoss Application Server only)

The directory <application-server-install-dir>/server/default/conf contains a file named njxnwo-login-config.xml. The relevant part in this file is the selection of the login module specified in the <login-module> element and the configuration of this login module. The login module determines where the user definitions and the assignment of users to roles are maintained.

By default, the UsersRolesLoginModule is preconfigured. The UsersRolesLoginModule expects the role definitions in one file (props/njxnwo-roles.properties) and the user definitions (password and assignment to roles) in another file (props/njxnwo-users.properties). An example user "admin" with the password "adminadmin" and the role "nwoadmin" is defined to begin with.

You can choose and configure a different login module (for example, one that expects the user and role definitions in a database or in an LDAP directory), or you can even write a custom login module.

Defining the Security Realm and Users (Sun Java System Application Server and Oracle GlassFish Server only)

The following information applies to Sun Java System Application Server 9.1 and to Oracle GlassFish Server 3, however, the procedure is similar in other versions.

Start of instruction setTo create a new security realm and define the user

  1. Sun Java System Application Server: Open the tree node Configuration > Security > Realms.

    Oracle GlassFish Server: Open the tree node Configuration > server-config > Security > Realms.

  2. Choose New.

  3. Enter "NaturalWebIOAndAjaxRealm" as the name of the new realm.

  4. Select com.sun.enterprise.security.auth.realm.file.FileRealm as the class name.

    Use the following properties which are predefined for this class:

    Option Value
    JAAS Context fileRealm
    Key File ${com.sun.aas.instanceRoot}/config/keyfile
  5. Choose OK.

  6. Edit the new realm NaturalWebIOAndAjaxRealm and choose the Manage Users button.

  7. Choose New.

  8. Enter the user names and the passwords for the users. The name of the group list must be "nwoadmin".

  9. Choose OK.

Configuring the UserDatabaseRealm (Apache Tomcat only)

In the tomcat-users.xml file (which is located in the conf directory), specify the role "nwoadmin" for any desired user name and password. For example:

<user username="pepe" password="pepe123" roles="nwoadmin"/>

For detailed information on the necessary realm configuration for Tomcat, see http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#UserDatabaseRealm.