itstarting:IT进行时

想自己所想,做自己所爱

  BlogJava :: 首页 :: 新随笔 :: 联系 :: 聚合  :: 管理 ::
  28 随笔 :: 3 文章 :: 55 评论 :: 0 Trackbacks

JS2 Security

1.   安全架构

1.1.      概述

Jetspeed 2 security leverages J2EE authentication and authorization standards for both authentication and authorization through the implementation of a default LoginModule and a default authorization Policy.

Authentication establishes the identity of the user and populates the Subject with all the user principals. In a portal context, the populated Subject is added to the session in the org.apache.jetspeed.security.SecurityValve implementation. The Subject principals are then used to authorize the user's access to a given resource. It leverages JAAS authorization by checking the user's permission with the AccessController. More details on authorization are provided in the JAAS authorization section of this documentation.

1.2.      图示

The following diagram describes the high level security architecture:

2.   主要配置

Jetspeed 2 default security services configuration leverages a relational database as its default persitent datastore for security information. Jetspeed 2 security service provider interface provides a mechanism to replace the default datastore configured.

3 files are involved when configuring Jetspeed 2 security SPI. All the SPI configuration files are located under ${jetspeed-source-home}/portal/src/webapp/WEB-INF/assembly/ .

2.1.      security-atn.xml

This configuration file provides the login module configuration. Not everyone needs this, as some application may decide to use another login module other than the one provided.

2.2.      security-atz.xml

This configuration file configures the authorization policy, in J2's case RdbmsPolicy .

2.3.      security-managers.xml

This configuration file configures all the managers for security purpose.

2.4.      security-providers.xml

This configuration file configures the various providers and weaves the SPI together.

· AuthenticationProviderProxy : Configures the list of AuthenticationProvider and the default authenticator.

·                                                

·                    <bean id="org.apache.jetspeed.security.AuthenticationProviderProxy"

·                       class="org.apache.jetspeed.security.impl.AuthenticationProviderProxyImpl">          

·                       <constructor-arg >

·                          <list>

·                             <ref bean="org.apache.jetspeed.security.AuthenticationProvider"/>

·                          </list>

·                       </constructor-arg>

·                      <constructor-arg><value>DefaultAuthenticator</value></constructor-arg>

·                    </bean>

                        

· AuthenticationProvider : Configures the authentication providers for the current portal implementation. The example below configures the default authenticator that uses the RDBMS to manage/store user information.

·                                                

·                    <bean id="org.apache.jetspeed.security.AuthenticationProvider"

·                                      class="org.apache.jetspeed.security.impl.AuthenticationProviderImpl">                   

·                       <constructor-arg index="0"><value>DefaultAuthenticator</value></constructor-arg>

·                       <constructor-arg index="1"><value>The default authenticator</value></constructor-arg>

·                       <constructor-arg index="2"><value>login.conf</value></constructor-arg>

·                       <constructor-arg index="3">

·                          <ref bean="org.apache.jetspeed.security.spi.CredentialHandler"/>

·                       </constructor-arg>

·                       <constructor-arg index="4">

·                          <ref bean="org.apache.jetspeed.security.spi.UserSecurityHandler"/>

·                       </constructor-arg>

·                    </bean>

                       

· AuthorizationProvider : Configures the policies and instantiates the SecurityPolicies that are used for enforcing permissions. By default, Jetspeed 2 does not load any other security policies that may have been configured. In order to use default policies, set useDefaultPolicy to true

·                                                

·                    <bean id="org.apache.jetspeed.security.AuthorizationProvider"

·                                     class="org.apache.jetspeed.security.impl.AuthorizationProviderImpl">       

·                        <constructor-arg index="0">

·                            <ref bean="org.apache.jetspeed.security.impl.RdbmsPolicy"/>

·                        </constructor-arg>

·                        <!-- Does not use the default policy as a default behavior -->

·                        <constructor-arg index="1"><value>false</value></constructor-arg>  

·                    </bean>

                       

2.5.      security-spi.xml

This configuration file contains configuration that are common to the authentication and authorization SPIs.

Bean

Description

org.apache.jetspeed.security.spi.SecurityAccess

Used internally by the default OJB based SPI. Provide access to common action/methods for the various SPI implementations. The SecurityAccess bean is used by both the Authentication and Authorization SPIs.

2.6.      security-spi-atn.xml

This configuration file contains all the configurations for configuring the authentication SPI.

Bean

Description

org.apache.jetspeed.security.spi.CredentialHandler

The CredentialHandler encapsulates the operations involving manipulation of credentials. The default implementation provides support for password protection as defined by the PasswordCredentialProvider ; as well as lifecycle management of credentials through InternalPasswordCredentialInterceptor which can be configured to manages parameters such as maximum number of authentication failures, maximum life span of a credential in days and how much history to retain for a given credential.

org.apache.jetspeed.security.spi.UserSecurityHandler

The UserSecurityHandler encapuslated all the operations around the user principals.

The following simple CredentialHandler configuration is currently provided by default with Jetspeed:

<!-- require a non-empty password -->

<bean id="org.apache.jetspeed.security.spi.CredentialPasswordValidator"

     class="org.apache.jetspeed.security.spi.impl.DefaultCredentialPasswordValidator"/>

 

<!-- MessageDigest encode passwords using SHA-1 -->

<bean id="org.apache.jetspeed.security.spi.CredentialPasswordEncoder"

     class="org.apache.jetspeed.security.spi.impl.MessageDigestCredentialPasswordEncoder">

     <constructor-arg index="0"><value>SHA-1</value></constructor-arg>      

</bean>      

 

<!-- allow multiple InternalPasswordCredentialInterceptors to be used for DefaultCredentialHandler -->

<bean id="org.apache.jetspeed.security.spi.InternalPasswordCredentialInterceptor"

     class="org.apache.jetspeed.security.spi.impl.InternalPasswordCredentialInterceptorsProxy">

     <constructor-arg index="0">

       <list>

         <!-- enforce an invalid preset password value in the persisent store is required to be changed -->

         <bean class="org.apache.jetspeed.security.spi.impl.ValidatePasswordOnLoadInterceptor"/>

 

         <!-- ensure preset cleartext passwords in the persistent store  will be encoded on first use -->

         <bean class="org.apache.jetspeed.security.spi.impl.EncodePasswordOnFirstLoadInterceptor"/>

       </list>

     </constructor-arg>

</bean>

 

<bean id="org.apache.jetspeed.security.spi.PasswordCredentialProvider"

     class="org.apache.jetspeed.security.spi.impl.DefaultPasswordCredentialProvider">

     <constructor-arg index="0">

       <ref bean="org.apache.jetspeed.security.spi.CredentialPasswordValidator"/>

     </constructor-arg>      

     <constructor-arg index="1">

       <ref bean="org.apache.jetspeed.security.spi.CredentialPasswordEncoder"/>

     </constructor-arg>      

</bean>      

 

<bean id="org.apache.jetspeed.security.spi.CredentialHandler"

     class="org.apache.jetspeed.security.spi.impl.DefaultCredentialHandler">      

     <constructor-arg index="0">

       <ref bean="org.apache.jetspeed.security.spi.SecurityAccess"/>

     </constructor-arg>      

     <constructor-arg index="1">

       <ref bean="org.apache.jetspeed.security.spi.PasswordCredentialProvider"/>

     </constructor-arg>      

     <constructor-arg index="2">

       <ref bean="org.apache.jetspeed.security.spi.InternalPasswordCredentialInterceptor"/>

     </constructor-arg>

</bean>

                 

The above configuration requires not much more than that a password should not be empty and MessageDigest encode it using SHA-1.

Before the 2.0-M4 release, Jetspeed came configured with a much stricter configuration, but for first time users of the Portal this was a bit overwelming and also quite difficult to configure differently.

With the 2.0-M4 release, the previously provided, and rather complex, InternalPasswordCredentialInterceptor implementations are split up in single atomic interceptors which can much easier be configured indepedently.

An overview of the new interceptors and how related request processing pipeline valves can be configured to provide feedback to the user is provided in the Credentials Management document.

Since the "old" (pre 2.0-M4) interceptors are no longer provided with Jetspeed, the example below shows how to "restore" the old setup using the new interceptors:

<!-- require a password of minimum length 6 and at least two numeric characters -->

<bean id="org.apache.jetspeed.security.spi.CredentialPasswordValidator"

     class="org.apache.jetspeed.security.spi.impl.SimpleCredentialPasswordValidator">

     <constructor-arg index="0"><value>6</value></constructor-arg>      

     <constructor-arg index="1"><value>2</value></constructor-arg>      

</bean>

 

<!-- allow multiple InternalPasswordCredentialInterceptors to be used for DefaultCredentialHandler -->

<bean id="org.apache.jetspeed.security.spi.InternalPasswordCredentialInterceptor"

     class="org.apache.jetspeed.security.spi.impl.InternalPasswordCredentialInterceptorsProxy">

     <constructor-arg index="0">

       <list>

         <!-- enforce an invalid preset password value in the persisent store is required to be changed -->

         <bean class="org.apache.jetspeed.security.spi.impl.ValidatePasswordOnLoadInterceptor"/>

 

         <!-- ensure preset cleartext passwords in the persistent store  will be encoded on first use -->

         <bean class="org.apache.jetspeed.security.spi.impl.EncodePasswordOnFirstLoadInterceptor"/>

 

         <!-- remember the last 3 passwords used and require a new password to be different from those -->

         <bean class="org.apache.jetspeed.security.spi.impl.PasswordHistoryInterceptor">

           <constructor-arg index="0"><value>3</value></constructor-arg>      

         </bean>

 

         <!-- Automatically expire a password after 60 days -->

         <bean class="org.apache.jetspeed.security.spi.impl.PasswordExpirationInterceptor">

           <constructor-arg index="0"><value>60</value></constructor-arg>      

         </bean>

 

         <!-- Automatically disable a password after 3 invalid authentication attempts in a row -->

         <bean class="org.apache.jetspeed.security.spi.impl.MaxPasswordAuthenticationFailuresInterceptor">

           <constructor-arg index="0"><value>3</value></constructor-arg>      

         </bean>

       </list>

     </constructor-arg>

</bean>

                 

And, make sure something like the following configuration is set for the security related valves in pipelines.xml:

<bean id="passwordCredentialValve"

      class="org.apache.jetspeed.security.impl.PasswordCredentialValveImpl"

      init-method="initialize">

 <constructor-arg>

   <!-- expirationWarningDays -->

   <list>

     <value>2</value>

     <value>3</value>

     <value>7</value>

   </list>

 </constructor-arg>

</bean>

 

<bean id="loginValidationValve"

      class="org.apache.jetspeed.security.impl.LoginValidationValveImpl"

      init-method="initialize">

  <!-- maxNumberOfAuthenticationFailures

       This value should be in sync with the value for

       org.apache.jetspeed.security.spi.impl.MaxPasswordAuthenticationFailuresInterceptor

       (if used) to make sense.

       Any value < 2 will suppress the LoginConststants.ERROR_FINAL_LOGIN_ATTEMPT

       error code when only one last attempt is possible before the credential

       will be disabled after the next authentication failure.

  -->

  <constructor-arg index="0"><value>3</value></constructor-arg> 

</bean>

                 

Also, make sure the above valves are configured in the jetspeed-pipeline bean.

See the User Interaction section in the Credentials Management document for a description of these valves and their relation to the interceptors configuration.

2.7.      security-spi-atz.xml

This configuration file contains all the configurations for configuring the authorization SPI.

Bean

Description

org.apache.jetspeed.security.spi.RoleSecurityHandler

The RoleSecurityHandler encapsulates all the operations around the role principals.

org.apache.jetspeed.security.spi.GroupSecurityHandler

The GroupSecurityHandler encapsulates all the operations around the group principals.

org.apache.jetspeed.security.spi.SecurityMappingHandler

The SecurityMappingHandler encapsulates all the operations involving mapping between principals. It contains the logic managing hierarchy resolution for hierarchical principals (roles or groups). The default hierarchy resolution provided is a hierarchy by generalization (see overview for definitions). A contructor-arg can be added to the SecurityMappingHandler to change the hierarchy resolution strategy. Jetspeed 2 also support a hierarchy resolution by aggregation.

A sample SecurityMappingHandler configuration could be:

<!-- Security SPI: SecurityMappingHandler -->

<bean id="org.apache.jetspeed.security.spi.SecurityMappingHandler"

      class="org.apache.jetspeed.security.spi.impl.DefaultSecurityMappingHandler">          

   <constructor-arg >

      <ref bean="org.apache.jetspeed.security.spi.SecurityAccess"/>

   </constructor-arg>

   <!-- Default role hierarchy strategy is by generalization. 

        Add contructor-arg to change the strategy. -->

   <!-- Default group hierarchy strategy is by generalization. 

        Add contructor-arg to change the strategy. -->

</bean>

                   

2.8.      结论和分析

配置文件

说明

分析

security-atn.xml

login module 配置文件

具体可参考:

提供了一个接口,可以实现不同的登陆模块,实现不同的登陆认证过程

此时在 jetspeed2-security-{version}.jar 中包含配置文件 login.conf ,其内容为:

Jetspeed {

org.apache.jetspeed.security.impl.DefaultLoginModule equired;

};

In order to override this configuration, you can place your own login.conf file in your web application class path under WEB-INF/classes. The location of the login.conf file is configured in the security-providers.xml as described below.

security-atz.xml

authorization policy 配置文件

JAAS 认证策略的配置

security-managers.xml

UserManager GroupManager RoleManager PermissionManager 配置文件

配置四个对象的关系管理实现

security-providers.xml

AuthenticationProvider AuthenticationProviderProxy SecurityProvider AuthorizationProvider 授权认证提供者配置文件

 

说明:

1、  关于 login module 可参考:
http://portals.apache.org/jetspeed-2/multiproject/jetspeed-security/login-module.html

 

3.   分析

3.1.      登陆认证过程分析

3.1.1.          相关配置

主要参考 security-*.xml 等几个安全相关的配置文件,尤其关注 security-providers.xml ,里面存在如下设置:

<!-- Security: Default Authentication Provider -->

  <bean id="org.apache.jetspeed.security.AuthenticationProvider"

         class="org.apache.jetspeed.security.impl.AuthenticationProviderImpl"

  >          

         <constructor-arg index="0"><value>DefaultAuthenticator</value></constructor-arg>

         <constructor-arg index="1"><value>The default authenticator</value></constructor-arg>

         <constructor-arg index="2"><value>login.conf</value></constructor-arg>

         <constructor-arg index="3"><ref bean="org.apache.jetspeed.security.spi.CredentialHandler"/></constructor-arg>

         <constructor-arg index="4"><ref bean="org.apache.jetspeed.security.spi.UserSecurityHandler"/></constructor-arg>

  </bean>

这里设置了提供的默认认证方式,此时:

DefaultAuthenticator ——第一个参数是认证方式的名称,意义不大;

The default authenticator ——第二个参数是认证方式的描述,意义不大;

login.conf ——第三个参数是认证配置文件的路径,非常关键,这个文件可以在 jetspeed-security-2.0.jar 中找到,此时的配置为:

Jetspeed {

   org.apache.jetspeed.security.impl.DefaultLoginModule required;

};

表示配置了一个 realm ,名称为 Jetspeed ,实现类为 org.apache.jetspeed.security.impl.DefaultLoginModule 。此时回顾 web.xml 中的如下描述:

<!-- Login configuration uses form-based authentication -->

  <login-config>

    <auth-method>FORM</auth-method>

    <realm-name>Jetspeed</realm-name>

    <form-login-config>

      <form-login-page>/login/login</form-login-page>

      <form-error-page>/login/error</form-error-page>

    </form-login-config>

  </login-config>

此时使用的 realm 就是 Jetspeed ,关联起来了吧。

第三、第四个参数是回调

3.1.2.          调用过程

1、  * LoginServlet.java(doGet) :触发登陆的 submit

2、  进入 servlet container 中触发 FormAuthenticator.authenticate 认证(请看配置设置: <auth-method>FORM</auth-method> );

3、  * org.apache.jetspeed.security.impl.DefaultLoginModule.java :根据 web.xml 配置的 realm-name Jetspeed )确定认证模块( login module ),并调用 login() 方法,在该方法中调用顺序如下:

a)         设置回调;

b)        调用 org.apache.jetspeed.security.impl.UserManagerImp .java authenticate(this.username, password) 进行认证,继续跟进该方法:

                                       i.              除非当前用户是匿名用户,否则调用 org.apache.jetspeed.security.impl.AuthenticationProviderProxyImpl .java authenticate(userName, password, providerName) 方法进行认证,此时该 provider 会调用其 CredentialHandler (感觉就是 DAO, 此为 org.apache.jetspeed.security.spi.impl.DefaultCredentialHandler .java )的 authenticate(userName, password) 进行真正的验证。

3.2.      数据结构分析

从数据库模型来分析:

1、  SECURITY_PRINCIPAL :包含了用户、角色、组的信息,都认为是 PRINCIPAL (主体);

2、  SECURITY_CREDENTIAL :用户的证书,默认为密码,这样设计表明一个 PRINCIPAL 可以有多个 CREDENTIAL

3、  SECURITY_PERMISSION :基于 JAAS 的权限的定义,目前分为 FOLDER PAGE PORTLET 等类型(可以扩展吗?

3.3.      与传统机构部门、人员、角色、组设计的分析

从目前设计来看,存在如下问题:

1、              GROUP 直接放在 SECURITY_PRINCIPAL ,也是一个 PRINCIPAL ,与用户、角色类似进行处理,显然不符合实际需要;

2、              这里的用户、角色关注的是“权限”的概念,并无业务概念,显然也存在一定的需求障碍(根据 JSR168 用户信息可以很方便的扩展,这个需要再深入了解

4.   初步方案

4.1.      改良方案

通过修订 / 扩展上述 PDM 的几个表,并通过调整相关 ojb 的几个 XML 配置文件 ( 请参考 src_security\JETSPEED-INF\ojb\security_repository.xml) ,可以较为轻松的完成扩展。

但我个人并不倾向这么做,原因是:

1、  我们不熟悉 OJB

2、  我们并不打算在 j2-admin 中完善该管理过程——工作量不小,意义却不大;

3、  我们已经有比较好的机构用户管理模块,比如 Ioa5 中的实现。

4.2.      改革方案:与 UUM 的结合

从理论上说,这是可行的:

1、              可以通过实现 GroupManager UserManager RoleManager 接口,替换 / 扩展现有的几个默认实现( org.apache.jetspeed.security.impl.*ManagerImpl ),达到控制几个对象的管理;

2、              可以通过替换 / 扩展现有的几个默认 SPI 实现(具体请参考 org.apache.jetspeed.security.spi 下的 CredentialHandler UserSecurityHandler RoleSecurityHandler GroupSecurityHandler 等),达到 DAO 的效果,操作包括 RDBMS/LDAP 的数据访问和存取

5.   附件

5.1.      Login Module Implementation

The DefaultLoginModule implementation is illustrated by the class diagram below:

The roles of the classes used to implement the DefaultLoginModule are:

Class

Description

org.apache.jetspeed.security.impl.DefaultLoginModule

The javax.security.auth.spi.LoginModule implementation. The DefaultLoginModule authentication decision is encapsulated behind the UserManager interface which leverages the SPI implementation to decide which authenticator should be used in order to authenticate a user against a specific system of record. For more information on how to implement your own authenticator, see the authentication SPI documentation.

org.apache.jetspeed.security.LoginModuleProxy

A utility component used to expose the UserManager to the DefaultLoginModule .

org.apache.jetspeed.security.User

The User is an interface that holds the javax.security.auth.Subject and his/her java.util.prefs.Preferences . The UserManager upon user authentication populates the user subject with all user java.security.Principal . Jetspeed 2 implements 3 types of principals:

·   UserPrincipal: The principal holding the user unique identifier for the application.

·   RolePrincipal: The principal representing a role for the system.

·   GroupPrincipal: The principal representing a group for the system.

org.apache.jetspeed.security.UserManager

The interface exposing all user operations. This interfaces fronts the aggregates various SPI to provide developers with the ability to map users to their specific system of record.

 

posted on 2006-05-30 14:00 IT进行时 阅读(954) 评论(0)  编辑  收藏 所属分类: JetSpeed 2

只有注册用户登录后才能发表评论。


网站导航: