Configuring the Security System

This chapter describes how to install and configure the security system in JEUS. For information abfLoginModuleout configuring other services in a domain other than what is mentioned here, refer to References.

1. Overview

This section will briefly summarize some basic aspects related to security system configurations.

The JEUS security system starts when the server is executed by the Security Installer. To protect JEUS, the Security Installer creates a security domain based on the information in the domain.xml file before starting the security service. The user accounts and security policies defined in the account.xml and policies.xml files are applied in the default security system.

The following two items can be configured in a security domain.

  • Definitions of security domain and security services.

  • Accounts and policies for the domain.

The following are steps for configuring the default security system.

  1. Configure security domains.

  2. Configure security Services for each security Domain.

  3. Configure Subjects (authentication data) for each Domain.

  4. Configure Policies (authorization data) for each Domain.

  5. Configure additional items.

  6. Configure a JavaSE SecurityManager (optional).

  7. Configure a JACC provider (optional).

Default Security System Directory

The following is the directory structure of the default security system. Each directory lists the configuration files used by the default security system.

JEUS_HOME/domains/<domain name>
   |--config
        |--security
            |--security.key
            |--policy
            |--security-domains.xml
            |--SYSTEM_DOMAIN
                  |--accounts.xml
                  |--policies.xml
security

The following describes each directory and file.

Classification Description

security.key

The file that stores the key for synchronous encryption algorithm. The file will be created when the encryption is executed for the first time.

policy

The Java Permission configuration file. It is used in Java SE Security Manager, separate from the JEUS security system.

security-domains.xml

The file that stores the configuration for JEUS security domains.

SYSTEM_DOMAIN

A domain used by the JEUS server to check for user authentication and authorization. This domain contains Permissions to start and terminate JEUS, and JEUS system administrator accounts.

  • accounts.xml: Stores user information.

  • policies.xml: Stores security policy information (permission grating data).

To apply different security policies to applications, a separate security domain directory must be created and configured.

2. Configuring the Security System Domain

Domains can be configured by manually modifying the domain.xml or security-domains.xml file. Other configurations than the user account and security policy settings cannot be changed dynamically. Therefore, when a security domain is added or security service configurations are changed, the server must be restarted to apply the changes.

All configurations related to security apply to all servers in the JEUS domain. All servers must be restarted in order to apply the security configurations, except for user account and security policy configurations.

This section describes how to define a security domain by editing the xml files.

2.1. Configuring XML

To directly modify the XML file, use the following tags from JEUS_HOME/domains/<domain name>/config/domain.xml and JEUS_HOME/domains/<domain name>/config/security/security-domains.xml files.

XML configuration methods for a domain are defined in jeus-domain.xsd, jeus-security.xsd, and security-domains.xsd in the JEUS_HOME/lib/schemas/jeus/supportLocale/ko directory. The parent tag is <security-manager>, and it has the following child tags for domain configurations. Zero or more child tags can be used.

Configuring a Security System Domain: <domain.xml>
<security-manager>
   <default-application-domain>SYSTEM_DOMAIN</default-application-domain>
   <security-domain-names>
     <security-domain-name>SYSTEM_DOMAIN</security-domain-name>
     ...
   </security-domain-names>
</security-manager>

The following describes configuration tags.

  • <security-manager>

    Sets the security domains that will be registered with JEUS. For more examples of <security-manager>, refer to Configuring Security Domain Components.

    Tag Description

    <connect-retries>

    Sets the connection retry count in JEUS Security NetworkService.

    (Default value: 10)

    <password-validator>

    When specifying a password for a JEUS account, password validity check is configured to enhance password security.

    <default-application-domain>

    Sets the default domain name that will be used in Jakarta EE applications.

    (Default value: SYSTEM_DOMAIN)

  • <security-domain-names>

    Specifies the name of security domains to be used in JEUS.

    Tag Description

    <security-domain-name>

    Sets the security domain name. It is a value referencing the 'name' field in the security domain configuration.

Configuring a Security System Domain: <security-domains.xml>
<security-domains>
   <security-domain>
      <name>SYSTEM_DOMAIN</name>
      <authentication />
      <authorization />
      ...
   </security-domain>
</security-domains>

The following describes configuration tags.

  • <security-domain>

    Configure the security domains that will be registered with JEUS. For more examples of <security-domain>, refer to Configuring Security Domain Components.

    Tag Description

    <name>

    Sets the security domain name.

    <authentication>

    Defines the authentication service.

    <authorization>

    Defines the authorization service.

    <identity-assertion>

    Defines the identity assertion.

    <credential-mapping>

    Defines the credential mapping service.

    <credential-verification>

    Defines the credential verification service.

    <audit>

    Defines the audit service.

    <subject-validation>

    Defines the subject validation service.

2.2. Configuring User Accounts and Security Policies

This section describes how to configure user accounts and security policies using the default XML file.

It is possible to store the user account and security policy information in the database as well as in the XML file. For more information, refer to Using Database for user accounts and Using Database for security policies.

The following are steps to configure accounts and policies.

  1. To configure a new security domain, a new directory must be created under the JEUS_HOME/domains/<domain name>/config/security directory. The name of the new directory should match the name of the domain that you wish to create. By convention, domain names use all capital letters and are appended with the string "_DOMAIN". For example, the name "DEFAULT_APPLICATION_DOMAIN" can be used as a domain name.

    To create a domain with the name DEFAULT_APPLICATION_DOMAIN, execute the following command.

    $ mkdir ${JEUS_HOME}/domains/domain1/config/security/DEFAULT_APPLICATION_DOMAIN

    domain1 should be replaced with the actual JEUS domain name.

  2. After creating the new domain directory, you must create a number of configuration files in the directory.

    The best way is to copy existing configuration files from the existing domain directory and modify these files according to your need. Enter the following commands in a single line. The following sections will explain how to modify these copied configuration files.

    $ cp ${JEUS_HOME}/domains/domain1/config/security/SYSTEM_DOMAIN/*.*
         ${JEUS_HOME}/domains/domain1/config/security/DEFAULT_APPLICATION_DOMAIN

    By default, SYSTEM_DOMAIN already exists under the JEUS_HOME/domains/<domain name>/security directory. SYSTEM_DOMAIN is the domain used by the JEUS server to perform authentication and authorization. Among other things, this domain contains the JEUS system "administrator" account and permissions for starting and terminating the JEUS server.

  3. Add the new security domain name to JEUS_HOME/domains/<domain name>/config/domain.xml and JEUS_HOME/domains/<domain name>/config/security/security-domains.xml, respectively. In the case of domain.xml, it must be added to <security-manager><security-domain-names>, and in the case of security-domains.xml, it must be added to <security-domains><security-domain>.

  4. The newly created domain will be applied when JEUS is restarted.

    The security domain, SYSTEM_DOMAIN, will always be included regardless of the configurations in the domain.xml file. In general, you can create a directory with the same name as the domain under the JEUS_HOME/domains/<domain name>/config/security directory. In this directory, you can define the security policy information (policies.xsd) and account information (accounts.xsd) of the Repository, which needs to be defined for each domain. You can also use the domain.xml file to register the Security Service for each domain.

3. Configuring Security Domain Components

This section describes how to configure security domain components, excluding security services.

3.1. Configuring XML

The security services that are loaded to each security domain are defined in domain.xml and security-domains.xml.

The security configurations are defined by an XML schema in jeus-security.xsd and security-domains.xsd which are under the JEUS_HOME/lib/schemas/jeus/supportLocale/ko directory.

Inside the <security-domains> tag, add <security-domain> child tags related to security settings. One or more <security-domain> tags can be used, and each tag defines a security domain used in JEUS.

Configuring a Security System Domain: <domain.xml>
<?xml version="1.0" encoding="UTF-8"?>
<domain version="9.0" xmlns="http://www.tmaxsoft.com/xml/ns/jeus">
   . . .
   <security-manager>
     <default-application-domain>DEFAULT_APPLICATION_DOMAIN</default-application-domain>
     <security-domain-names>
        <security-domain-name>SYSTEM_DOMAIN</security-domain-name>
        <security-domain-name>DEFAULT_APPLICATION_DOMAIN</security-domain-name>
           .....
     </security-domain-names>
  </security-manager>
   . . .
</domain>
Security System Service Configurations: <security-domains.xml>
<?xml version="1.0" encoding="UTF-8"?>
<security-domains xmlns="http://www.tmaxsoft.com/xml/ns/jeus" version="9.0">
   <security-domain>
      <name>SYSTEM_DOMAIN</name>
      .....
   </security-domain>
   <security-domain>
      <name>DEFAULT_APPLICATION_DOMAIN</name>
   </security-domain>
</security-domains>

Inside the <security-domain> tag, if you only configure the <name> tag and do not configure other Service Provider information, the default security services will be used for the corresponding domain.

Descriptions of child tags of <security-domain> are as follows.

  • <name> (required)

    The security domain name.

  • <cache-config> (0 or more, optional)

    Defines the cache policy value that is to be applied to the security repository service in the domain.

    Tag Description

    <min>

    The minimum cache entry size that will be applied to the repository service.

    <max>

    The maximum cache entry size that will be applied to the repository service.

    <timeout>

    The cache entry timeout value that will be applied to the repository service.

  • <keystore-config>(0 or more, optional)

    Defines the keystore file information that will be applied to the security service in the domain.

    If child configuration values do not exist and '–Djeus.ssl.*' or '–Djavax.net.ssl.*' is not configured, the default value will be applied.

    Tag Description

    <keystore-path>

    The path to the keystore file to be applied to the current domain.

    (JEUS_HOME/domains/<domain name>/config/security/keystore)

    <keystore-alias>

    The keystore alias. When there are multiple keyEntry certificates in the keystore file, the keystore entries are accessed via unique aliases.

    <keystore-password>

    The keystore file password for the current domain. (Default value: changeit).

    <keystore-keypassword>

    The password for the keystore file for the current domain.

    (Default value: Same with the value of <keystore-password> )

    <truststore-path>

    The path to the truststore file.

    (JEUS_HOME/domains/<domain name>/config/security/truststore)

    <truststore-password>

    The truststore file password for the current domain (Default value: changeit).

4. Configuring Security Services

JEUS security system supports plugin type of authentication and authorization services. This section describes how to configure security domain components, including security services, by modifying the XML file.

4.1. Configuring XML

The security services that will be loaded for each security domain are set in the security-domains.xml file as follows.

The following is an example of a security configuration file.

Security System Service Configurations: <security-domains.xml>
<?xml version="1.0" encoding="UTF-8"?>
<security-domains xmlns="http://www.tmaxsoft.com/xml/ns/jeus" version="9.0">
   <security-domain>
      <name>SYSTEM_DOMAIN</name>
      <authentication>
         <repository-service>
            <xml-file-repository>
               <config-file>
                  <filename>accounts.xml</filename>
                  <filepath>
                      ${JEUS_HOME}/domains/domain1/config/security/
                  </filepath>
               </config-file>
            </xml-file-repository>
         </repository-service>
      </authentication>
   </security-domain>
   <security-domain>
      <name>DEFAULT_APPLICATION_DOMAIN</name>
   </security-domain>
</security-domains>

Descriptions of child tags of <security-domain> are as follows.

  • <name> (required)

    The security domain name.

  • <authentication> (0 or more, optional)

    Defines the Credential Verification service that applies to the domain.

    • <repository-service>

      Defines the services according to the user information storage type for authentication.

      Tag Description

      <xml-file-repository>

      When the user information is saved in XML file.

      <database-repository>

      When the user information is saved in database.

      <custom-repository>

      When the user information loading method is applied by implementing the extended repository service that inherits the jeus.security.spi.AuthenticationRepositoryService SPI.

    • <jaas-login-config>

      Registers the JAAS service that applies to the domain.

      • <callback-handler-class> : JAAS Callback Handler Factory class name.

      • <login-module> : Configuration related to the LoginModule.

        Tag Description

        <login-module-classname>

        Class name that contains the package that implements the LoginModule.

        <control-flag>

        Property definition for controlling the authentication stack by defining one of the following four properties:

        • required

        • requisite

        • sufficient

        • optional

        <option> (0 or more)

        Definitions of property values that will be applied when initializing the LoginModule.

    • <custom-authentication-service>

      Defined when applying the default authentication service that is extended by inheriting the jeus.security.spi.AuthenticationService SPI. Follow the Custom Security Services configuration methods.

  • <authorization> (0 or more, optional)

    Defines the authorization service that applies to the domain.

    • <repository-service>

      Defines service according to the policy information repository type used for authorization.

      Tag Description

      <xml-file-repository>

      When the policy information is saved in XML file.

      <database-repository>

      When the policy information is saved in a database.

      <custom-repository>

      When the policy information loading method is applied by implementing the extended repository service that inherits the jeus.security.spi.AuthorizationRepositoryService SPI.

    • <custom-authorization-service>

      Defined when applying the default authorization service that is extended by inheriting the jeus.security.spi.AuthorizationService SPI. Follow the Custom Security Services configuration methods.

    • <jacc-service>

      Defined when applying the JACC 2.0-based authorization service.

  • <identity-assertion>(0 or more, optional)

    Defines the IdentityAssertion service that applies to the domain.

    • <default-identity-assertion-service>

      Defines the basic Identity Assertion Service that is provided by the JEUS Security Framework.

      • <x509-identity-assertion>: Supports Identity Assertion Service for the X509Certificate token.

        Tag Description

        <config-file>

        Specifies the location of the file that defines the information needed to perform user mapping of the X509Certificate token.

        (Default value: user-cert-map.xml under the DOMAIN directory)

        <default-user-mapper>

        Defines a delimiter for the attribute value (attribute-value-delimiter), attribute Type(attribute-type), or attribute type(cert-attr-type) value for the X509Certificate Token value.

    • <custom-identity-assertion-service>

      Defined by implementing the Identity Assertion Service that inherits jeus.security.spi.IdentityAssertionService SPI. Follow the Custom Security Services configuration methods.

  • <credential-mapping> (0 or more, optional)

    Defines the CredentialMapping service that applies to the domain.

    • <default-credential-mapping-service>

      Supports the basic Credential Mapping Service that is provided by the JEUS Security Framework.

      • <x509-credential-mapping> : Supports the Credential Mapping Service for the x509Certificate.

        Tag Description

        <truststore-path>

        Defines the path for truststore file that is to be applied to the current domain.

        <truststore-password>

        Defines the password for truststore file that is to be applied to the current domain.

    • <custom-credential-mapping-service>

      Defined by implementing the Credential Mapping Service that inherits jeus.security.spi.CredentialMappingService SPI. Follow the Custom Security Services configuration methods.

  • <credential-verification> (0 or more, optional)

    Defines the Credential Verification service that applies to the domain.

    • <default-credential-verification-service>

      Supports the basic Credential Verification Service that is provided by the JEUS Security Framework.

      Tag Description

      <password-verification>

      Defines the verification service for the PasswordFactory class.

      <jeus-certificate-verification>

      Defines the verification service for the X509Certificate.

    • <custom-credential-verification-service>

      Defined by implementing the Credential Verification Service that inherits jeus.security.spi.CredentialVerificationService SPI. Follow the Custom Security Services configuration methods.

  • <audit> (0 or more, optional)

    Defines the EventHandlingService that is to be applied to the corresponding domain. This is used to collect information about events that occurred in JEUS Security Framework.

    Tag Description

    <default-audit-service>

    Defines the event log level and the file path where event information is saved.

    • config-file: Log file path.

    • audit-level: Log level.

    <custom-audit-service>

    Defined by implementing the Audit Service that inherits jeus.security.spi.EventHandlingServiceService SPI. Follow Custom Security Services configuration methods.

Custom Security Services

The following describes how to configure custom security services. For more information about the security service types provided by JEUS and custom security service development, refer to Developing Custom Security Service.

  • <classname> (Required)

    Name of the Java class that implements the Custom Security Service. This class should contain a default public no-argument constructor, and should inherit the jeus.security.spi package’s SPI or directly inherit the jeus.security.base.Service class.

  • <property> (0 or more)

    The jeus.security.base.PropertyHolder interface (that is implemented by the jeus.security.base.Service class) can be used to configure property as a name-value pair for security services. This property is used to initialize each of the security services.

    It contains the following two child tags.

    Tag Description

    <name>

    Property name.

    <value> (optional)

    String property value for the property name.

5. Configuring the Security System User Information

In the default security configurations, user data is read from the accounts.xml file.

The following is the file path.

JEUS_HOME/domains/<domain name>/config/security/<security domain name>/accounts.xml

Here, <domain name> is the name of the domain and <security domain name> is the name of the security domain for which the users are managed.

5.1. Configuring XML

The XML schema of accounts.xml is accounts.xsd, which is in the JEUS_HOME/lib/schemas/jeus/supportLocale/ko directory.

In the accounts.xml file, there are 0 or more <user> and <group> tags inside the <accounts> tag. They represent a user and a group, respectively.

Security System User Information Configuration: <accounts.xml>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<accounts xmlns="http://www.tmaxsoft.com/xml/ns/jeus">
   <users>
      <user>
         <name>user1</name>
         <password>{AES}mnG6ItxFO/WQlE2YzIZ7sA==</password>
         <group>group1</group>
      </user>
      <user>
         <name>user2</name>
         <password>{DES}7dJ0KDTGQNpSnQAPYBNnmA==</password>
      </user>
      <user>
         <name>user3</name>
         <password>{DES}7dJ0KDTGQNpSnQAPYBNnmA==</password>
         <group>nested_group</group>
      </user>
      <user>
         <name>user4</name>
         <password>{SEED}dl2EePMAcnxPYbIyknuZkA==</password>
         <group>nested_group</group>
      </user>
   </users>
   <groups>
      <group>
         <description>Group1</description>
         <name>group1</name>
         <subgroup>nested_group</subgroup>
      </group>
      <group>
         <description>For NestedGroup</description>
         <name>nested_group</name>
      </group>
   </groups>
</accounts>

The following describes configuration tags.

  • <user>

    Each <user> tag has the following child tags.

    Tag Description

    <description> (optional)

    Description of the <user> (string).

    <name> (required)

    Name of the <user>. (ex : user name, user id)

    <password> (0 or more, optional)

    Password of the <user>.

    The value that is encoded by using a particular algorithm. The algorithm or encoding method applied to <password> will be specified in ’{}’. Refer to Configuring Password Security.

    <group> (0 or more, optional)

    The name of the group that the <user> belongs to. A user can be included in multiple groups. Also, the group must designate one of the groups defined in the <group> tag, described next.

  • <group>

    Each <group> tag defines a group and contains the following child tags.

    Tag Description

    <description> (optional)

    Description of the <group> (string).

    <name> (required)

    Name of the <group>.

    <subgroup> (0 or more, optional)

    Defines the nested group names so that the corresponding group role can be applied uniformly.

5.2. Using Database

This section explains how to configure authentication using the database table defined by JEUS.

The following example illustrates how to use the data source defined in JEUS.

Configuring Users Using Database: <security-domains.xml>
<?xml version="1.0" encoding="UTF-8"?>
<security-domains xmlns="http://www.tmaxsoft.com/xml/ns/jeus" version="9.0">
   . . .
   <security-domain>
      <name>MY_DOMAIN</name>
      <authentication>
         <repository-service>
            <database-repository>
               <datasource-id>auth</datasource-id>
            </database-repository>
         </repository-service>
      </authentication>
      . . .
   </security-domain>
   . . .
</security-domains>

In the previous example, the data source ID must be configured using the <datasource-id> element. The data source ID is registered in the security-domains.xml file that will be used for authentication. Authentication can also be performed by directly communicating with the database through the DriverManager without using the JDBC that is provided by JEUS. To do this, change the <datasource-id> element block of the previous example as follows.

The following example illustrates how to configure the database repository when not using the JEUS JDBC.

Without Using JEUS JDBC: <security-domains.xml>
   <security-domain>
      ...
      <repository-service>
         <dbdriver-config>
            <vendor>oracle</vendor>
            <driver>oracle.jdbc.OracleDriver</driver>
            <url>jdbc:oracle:thin:@127.0.0.1:1521:ORA9I</url>
            <username>scott</username>
            <password>{base64}dGlnZXI=</password>
         </dbdriver-config>
      </repository-service>
      ...
   </security-domain>

As applications frequently establish database connections and close them in this way, there may be some drop in performance. So, it is recommended to use JEUS JDBC (<datasource-id>) to enhance performance.

The tables that are used in the database are organized as follows:

figure usertable
Database Table Structure that Stores the User Information for Subjects

If the tables do not exist in the database, create a DB table by using the JEUS_HOME/templates/security/dbrealm.sql.template file. This will initially create the user with the name 'jeus' and the password 'jeus'.

5.3. Configuring Password Security

This section describes how to check password validity, encryption algorithms, and how to manage the SecretKey file for the password security configurations.

Password Validity Check

When a user enters a password to create a new account or make changes to an existing password, the validity of the password can be checked using various restrictions (such as options to use uppercase/lowercase characters, digits, and special characters and a rule that a password name must not be identical to its ID name). This improves the security of the password.

The domain administrator can select and use either the Default Password Validator or a Custom Password Validator, which implemented by the user, by using jeusadmin commands for adding, modifying, and deleting the settings. These settings are stored in domain.xml.

  • Configuring Default Password Validator

    You can set the functionality by using the modify-default-password-validator and show-default-password-validator commands in jeusadmin. For information on the commands, refer to "Part II. Console Commands and Tools" in JEUS Reference Guide.

    [MASTER]domain1.adminServer>modify-default-password-validator -min 4 -max 10
    Default password validator is updated successfully.
    Check the results using "show-default-password-validator or modify-default-password-validator".
    [MASTER]domain1.adminServer>show-default-password-validator
    ================================================================================
    +----------------------------------------------------------------------+-------+
    |                               property                               | value |
    +----------------------------------------------------------------------+-------+
    | min length                                                           |     4 |
    | max length                                                           |    10 |
    | include special characters                                           | false |
    | include digit characters                                             | false |
    | include capital characters                                           | false |
    | include small characters                                             | false |
    | exclude user id                                                      | false |
    +----------------------------------------------------------------------+-------+
    ================================================================================

    The following describes each configuration item when the 'Validator Type' is set to 'Default Password Validator':

    Item Description

    min

    Minimum length of a password. (range: 1 ~ 255, default value: 1)

    max

    Maximum length of a password. (range: 1 ~ 255, default value: 255)

    special

    Indicates that at least one special character must be included.

    digit

    Indicates that at least one numeric value must be included.

    capital

    Indicates that at least one uppercase letter must be included.

    small

    Indicates that at least one lowercase letter must be included.

    excludeId

    Indicates that the user ID should not be included.

    Once the items are configured, the configurations are saved in domain.xml as in the following:

    Configurations for Default Password Validator: <domain.xml>
    <domain>
        . . .
        <security-manager>
            . . .
            <password-validator>
                <default-password-validator>
                    <minLength>4</minLength>
                    <maxLength>10</maxLength>
                    <force-special-character>true</force-special-character>
                    <force-digit>true</force-digit>
                    <force-capital-letter>true</force-capital-letter>
                    <force-small-letter>true</force-small-letter>
                    <deny-username>true</deny-username>
                </default-password-validator>
            </password-validator>
            . . .
        </security-manager>
        . . .
    </domain>

    After all the configurations are saved, they are dynamically applied as password rules. These rules must be met when a user creates a new password or updates an existing one.

  • Configuring Custom Password Validator

    A user can create a Custom Password Validator by implementing the jeus.util.PasswordValidator interface. The user must directly implement this interface to create a class with the desired functionality, package it into a JAR file, and place it in the 'DOMAIN_HOME/lib/application' directory.

    The jeus.util.PasswordValidator interface is as follows:

    public interface PasswordValidator {
           boolean validatePassword(String id, String password);
    }

    For a class that implements the PasswordValidator interface, the validatePassword(String id, String password) method takes as parameters the ID and password of the user who creates an account or changes the password. The method then checks the validity of the password and returns either true or false depending on the validation result.

    Once the JAR file containing the class is placed in the DOMAIN_HOME/lib/application directory, use jeusadmin commands to configure a Custom Password Validator.

    This item can be configured using the jeusadmin commands related to Custom Password Validator, which are add-custom-password-validator, remove-custom-password-validator, and show-custom-password-validator. For information about the commands, refer to "Part II. Console Commands and Tools" in JEUS Reference Guide.

    [MASTER]domain1.adminServer>add-custom-password-validator -class MyValidator
    Custom password validator [MyValidator] is added successfully.
    Check the results using "show-custom-password-validator".
    [MASTER]domain1.adminServer>show-custom-password-validator
    ================================================================================
    +------------------------------------------------------------------------------+
    |                     custom password validator class names                    |
    +------------------------------------------------------------------------------+
    | MyValidator                                                                  |
    +------------------------------------------------------------------------------+
    ================================================================================

    Once the item is configured, the configuration is saved in domain.xml as in the following:

    Configurations for Custom Password Validator: <domain.xml>
    <domain>
        . . .
        <security-manager>
            . . .
            <password-validator>
                <custom-password-validator>
                    <class-name>MyValidator</class-name>
                    <class-name>MyValidator2</class-name>
                </custom-password-validator>
            </password-validator>
            . . .
        </security-manager>
        . . .
    </domain>

    The server must be restarted for the Custom Password Validator configuration to take effect. After the server restart, the password rules must be met when a user creates a new password or updates an existing one. If more than one class has been defined to Custom Password Validator, all password rules contained in all the classes must be met for password validation.

    The server will not restart if there is no JAR file of the user-defined class in the DOMAIN_HOME/lib/application directory. In this case, the user must set the relevant items in domain.xml correctly for the server to restart.

Encryption Algorithms

When configuring a user, the user password must be set. The password can be stored in plain-text, but for security reasons, it is better to encrypt the password using an encryption algorithm.

It is recommended to use a one-way encryption algorithm in accordance with the national encryption guidelines of Korea.

Passwords can be encrypted by using the set-password command in jeusadmin, or directly by using JEUS_HOME/bin/encryption.

To manually encrypt the password, use the following format.

{algorithm}encrypted password

The key value of the symmetric-key algorithm is stored in JEUS_HOME/domains/<domain name>/config/security/security.key.

The following are descriptions of algorithms that can be used for password encryption.

Item Description

AES/DES/DESede/SEED/Blowfish

cryptographic symmetric-key algorithm.

base64

Encoding algorithm. Since the information encrypted in Base64 can be easily decoded by any one, it is not secure.

SHA

Hash algorithm. This one-way encryption algorithm cannot be decrypted.

SSHA

Salted Hash Algorithm. This one-way encryption algorithm cannot be decrypted. It enhances the conventional hash algorithm by adding salting, which significantly increases resistance to reversal through rainbow tables.

The user can specify the key size for an encryption algorithm. The key size is managed as a global system property by an administrator.

The default key size is 256 bits and can be changed using the jeus.security.keylength system property. For example, the "-Djeus.security.keylength=256" option allows an encryption algorithm with a 256-bit key.

If the key size set with the system property is larger than the maximum size supported by an encryption algorithm, the supported maximum size will be used. For example, since AES supports only 128-bit, 192-bit, and 256-bit keys, AES512 will become AES256.

If a specified key size is smaller than the maximum size supported by an encryption algorithm, but is not a valid size, EncryptionException occurs. For example, since AES supports only 128-bit, 192-bit, and 256-bit keys, the AES200 setting causes EncryptionException.

After the system property is modified, passwords must be initialized.

SecretKey File Management Using the Master Password

When encrypting a password using the encryption tool (located in JEUS_HOME/bin), the SecretKey information that is applied to an encryption file can be stored in security.key file grouped by algorithm types. A master password can be used to encrypt the security.key file.

The security.key file is placed in the following path. When configuring a domain environment, the security.key file must be moved to another node.

JEUS_HOME/domains/<domain name>/config/security/security.key

When you encrypt the DB password, which needs to be registered in JEUS, a client needs a key to decrypt it. At this point, you can configure the secret key file path by using the system property.

When the master password is specified in the secret key file, this master password can also be configured using the system property. The property name for the key path is jeus.security.keypath. To specify the master password, use the jeus.security.master property. These properties can also be used when starting JEUS. However, for security reasons, it is recommended to use the prompt (standard input) to enter the master password.

5.4. Cached Login Information

The user information must be entered when starting a server using the JEUS script or by accessing the server using jeusadmin. In such case, the user information can be cached so that the user information does not need to be entered every time.

The information is stored encrypted in AES in USER_HOME/.jeusadmin/.jeuspasswd. The JEUS_HOME/bin/security.key file is used for encoding and decoding. Since the AES encoding is used to store sensitive user information, ID/password, it is not recommended for use.

Only the login information, that was authenticated, is stored in the cache.

When executing the connect command in jeusadmin or JEUS script at server startup, if the option -cachelogin is added with the user information, the login information will be stored in the file. When JEUS script is used, the login information is stored using the key, <domain name>:<server name>.

When JEUS script is executed, if login information with the same domain and server name exists, the user information will be automatically filled without having to re-enter the user information. If the user manually enters the information, even if there is already cached login information, the cached information will be ignored.

The following example shows the stored login information.

#Warning: We don't recommend to use this on Production Environment.
domain1:user1 gEPaqBz6BaAxWxdSXf8wZNPLsWkysgcov/KJnHvDeduKRvTAOb7F6zRaPHc2zLBUIUi46FQFWnl4mQiEIUbG9UEe4yZrsRri7yS9qi+7EwA=

The stored login information can be deleted using the remove-login-cache command, an off-line jeusadmin command.

6. Configuring Security System Policies

When configuring default securities, the policy data (authorization data) is read from the file, policies.xml.

The file is in the following path.

JEUS_HOME/domains/<domain name>/config/security/<security domain name>/policies.xml

<domain name> is the domain name, and <security domain name> is the domain name where the policy will be applied.

6.1. Configuring XML

The XML schema of the policies.xml file is policies.xsd, and it is in the JEUS_HOME/lib/schemas/jeus/supportLocale/ko directory. policies.xml can contain 0 or more <policy> tags. Each <policy> tag represents an individual policy (authorization data).

Security System Policy Configuration: <policies.xml>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<policies xmlns="http://www.tmaxsoft.com/xml/ns/jeus">
   <policy>
      <role-permissions>
         <role-permission>
            <principal>user1</principal>
            <role>administrator</role>
         </role-permission>
         <role-permission>
            <principal>user1</principal>
            <role>teller</role>
            <actions>9:00-17:00</actions>
            <classname>
               jeus.security.resource.TimeConstrainedRolePermission
            </classname>
         </role-permission>
      </role-permissions>
      <resource-permissions>
         <context-id>default</context-id>
         <resource-permission>
            <role>teller</role>
            <resource>bankdb</resource>
            <actions>select, update</actions>
         </resource-permission>
         <resource-permission>
            <role>administrator</role>
            <resource>jndi</resource>
            <actions>modify, delete</actions>
         </resource-permission>
         <resource-permission>
            <resource>jndi</resource>
            <actions>lookup</actions>
            <unchecked/>
         </resource-permission>
         <resource-permission>
            <role>administrator</role>
            <resource>jeus.*</resource>
            <actions>*</actions>
         </resource-permission>
      </resource-permissions>
   </policy>
</policies>

The following describes configuration tags.

  • <role-permissions> (0 or 1)

    Provides information about principal-to-role mappings. Multiple <role-permission> tags are nested inside this tag.

    The <role-permission> tag consists of the following child tags.

    Tag Description

    <principal> (0 or more)

    Principal name that owns the current role-permission.

    <role> (1ea, required)

    Role name.

    <actions> (optional)

    Actions for the Role.

    <classname> (optional)

    The Java class name that implements java.security.Permission, which will be used for role permission. If omitted, by default, jeus.security.resource.RolePermission is used. For more information about configuring Custom Permission, refer to "Custom Permission Implementation and Configurations".

    <excluded> (optional)

    Empty tag ( <xxx/> )with no value. If specified, the role permission is excluded (this means that the role implied by the permission will be granted to no one).

    <unchecked> (optional)

    Empty tag. If specified, the role permission is unchecked (this means that the role implied by the permission will be granted to everyone).

  • <resource-permissions> (0 or more)

    These tags contain information about role-to-resource mapping as follows:

    • <context-id> (optional)

      Context ID (string). Context is the scope for authorization checks. The default Context ID for JEUS resources used by JEUS system is "default".

    • <resource-permission> (0 or more)

      The <resource-permission> tag consists of the following tags.

      Tag Description

      <role> (0 or more)

      Role name that owns the current resource-permission.

      <resource> (1ea, required)

      Resource name.

      <actions> (optional)

      Actions for the resource.

      <classname> (optional)

      The Java class name that implements java.security.Permission which will be used for Resource Permission. If omitted, jeus.security.resource.ResourcePermission is used by default. For more information about configuring Custom Permission, refer to "Custom Permission Implementation and Configurations".

      <excluded> (optional)

      Empty tag with no value. If specified, the resource permission is excluded. (this means that the resource implied by the permission will be granted to no one).

      <unchecked> (optional)

      Empty tag with no value. If specified, the resource permission is unchecked. (this means that the resource implied by the permission will be granted to everyone).

Normally the policies.xml file is exclusively used to configure permissions for JEUS Server Resource (like JNDI, JMS, Security Server, etc.), and not for Jakarta EE applications and modules. To configure Jakarta EE application and module permissions, you should use various DD (deployment descriptor) files. For more information, refer to Configuring Security in Applications and Modules.

Custom Permission Implementation and Configurations

Whenever a permission (role permissions or resource permissions) is added to the policies.xml file, the Java class name of the permission must be specified. This is the name of a Java class that extends the java.security.Permission abstract class. Create a customized implementation subclass that extends the java.security.Permission Permission class, and specify the implementation class name in the <classname> tag of policies.xml.

This sub-section describes how to develop a new customized role permission that meets the following requirements. The new role permission should imply another role permission only if the following two conditions are met.

  • The other role has the same role name as this permission.

  • The current time is between the specified time limits (example: 9 am and 5 pm).

The following shows an example of a banking application where a role permission grants the principal user2 the teller role only during the 9 to 5 business hours.

  1. Create the Custom Permission. Then, compile the class with javac and set the class path within the JEUS server class path. Configure the Permission in the policies.xml file. The following implements the Custom Permission class that meets the aforementioned requirements. Code details have been omitted.

    Custom Permission Class: <TimeConstrainedRolePermission.java>
    package jeus.security.resource;
    
    import java.security.Permission;
    import java.util.Calendar;
    import java.util.StringTokenizer;
    
    /**
     * A time-constrained Role permission.
     * <p>
     * With this permission implementation you can express
     * things such as "X can only be in the role Y between
     * 09:00 AM to 05:00 PM".
     */
    public class TimeConstrainedRolePermission extends RolePermission {
        private String timeConstraint = "*";
        private int startTime = Integer.MIN_VALUE;
        private int endTime = Integer.MAX_VALUE;
    
        public TimeConstrainedRolePermission(String roleName) {
            this(roleName, "*");
        }
    
        public TimeConstrainedRolePermission(String roleName, String timeConstraint)
        {
            super(roleName);
            if (timeConstraint != null) {
                this.timeConstraint = timeConstraint;
                parseTimeConstraint();
            }
        }
    
        private void parseTimeConstraint() {
            . . .
        }
    
        public boolean equals(Object anotherObject) {
            . . .
        }
    
        public int hashCode() {
            . . .
        }
    
        public String getActions() {
            return timeConstraint;
        }
    
        public boolean implies(Permission anotherPermission) {
            if (this.timeConstraint.equals("*")) {
                return super.implies(anotherPermission);
            } else {
                Calendar cal = Calendar.getInstance();
                int curHour = cal.get(Calendar.HOUR_OF_DAY);
                int curMinute = cal.get(Calendar.MINUTE);
                int now = curHour * 60 + curMinute;
                if (now >= this.startTime && now <= this.endTime) {
                    return super.implies(anotherPermission);
                } else {
                    return false;
                }
            }
        }
    }

    The previous class inherits the jeus.security.resource.RolePermission class, which in turn inherits the java.security.Permission class. This structure promotes code reusability.

    It is also possible to create another java.security.Permission class by inheriting the TimeConstrainedRolePermission class.

    In the previous example, there are two types of constructors.

    • The first has one parameter (role name).

    • The second has two parameters (role name, time constraint)

      In java.security.Permission class, the first parameter is name, and the second parameter is actions. Some permission implementation classes omit the second constructor that receives the actions parameter.

      • The actions parameter contains the valid time period for the permission, and it has the value “09:00-17:00”.

      • The name parameter represents the role name, such as administrator or teller.

      The heart of the implementation is in the "implies(Permission anotherPermission)" method, which first checks whether the current system time is within the given time constraints. And, if so, it delegates the call to the super class by calling the super.implies() method, and if not, it returns "false". All implies(..) method should return a boolean value, and whether the relevant Permission implies the Permission object passed to it.

      1. For more information about the implies() method and the abstract class java.security.Permission, refer to Java SE Javadoc documents.

      2. For more information about jeus.security.resource.RolePermission, jeus.security.resource.TimeConstrainedRolePermission, and jeus.security.resource.ResourcePermission classes, refer to References and jeus.security.resource package in JEUS Security Javadoc.

  2. Configure the policies.xml file to use permissions.

    Custom Permission Class: <policies.xml>
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <policies xmlns="http://www.tmaxsoft.com/xml/ns/jeus">
       <policy>
          <role-permissions>
             <role-permission>
                <principal>user2</principal>
                <role>administrator</role>
                <actions>9:00-17:00</actions>
                <classname>
                   jeus.security.resource.TimeConstrainedRolePermission
                </classname>
             </role-permission>
          </role-permissions>
          <resource-permissions>
             <context-id>default</context-id>
             <resource-permission>
                <role>administrator</role>
                <resource>jeus.*</resource>
                <actions>*</actions>
             </resource-permission>
          </resource-permissions>
       </policy>
       . . .
    </policies>

    The user, user2, is in the administrator role during the business hours of 9 am to 5 pm. The administrator role has the right to perform any actions (‘*’) on all JEUS resources (‘jeus.*’). Therefore, user2 can perform any operations on all JEUS resources during the business hours.

    The previous rule also applies when configuring JEUS DD file in Jakarta EE application and module. Naturally, the rule also applies to role-to-resource permission and to principal-to-role permission as shown in the previous example. For more information about using customized permissions in JEUS DD, refer to Configuring Security in Applications and Modules.

6.2. Using Database

In order to configure the policy using a database, domain service must be configured in the security-domains.xml file as in the following. In order to directly use the driver manager, add the <dbdriver-config> tag, instead of the <datasource-id> tag, as for the authentication setting. However, it is recommended to use JEUS JDBC data source for performance benefits.

Configuring Policies Using Database: <security-domains.xml>
<?xml version="1.0" encoding="UTF-8"?>
<security-domains xmlns="http://www.tmaxsoft.com/xml/ns/jeus" version="9.0">
   ...
   <security-domain>
      <name>MY_DOMAIN</name>
      <authorization>
         <repository-service>
            <database-repository>
               <datasource-id>auth</datasource-id>
            </database-repository>
         </repository-service>
      </authorization>
      . . .
   </security-domain>
   . . .
</security-domains>

A URL, username, and password to access the JDBC driver, which accesses the database, are required to use the AuthenticationRepositoryService that uses a database.

In the following example, a password that is encoded in Base 64 must be entered to access the Oracle DB. When entering a password applied with a certain encryption algorithm or encoding method, use the same method as for user password of accounts.xml.

The tables that are used in the database are organized as follows:

figure policytable
Database Table Structure to Save Policies

If the tables do not exist in the database, create a DB table by using the JEUS_HOME/templates/security/dbrealm.sql.template file. The basic policy is granted the administrator role in “SYSTEM_DOMAIN”, thereby possessing Resource authority for “jeus.*”. The default principal included in the administrator role is jeus as mentioned in Using Database .

7. Configuring Additional Settings

This section describes how to add additional configurations other than subject and policy.

7.1. Configuring Java SE SecurityManager

The use of a JavaSE SecurityManager in JEUS can increase the platform reliability, but might undermine the performance. Usually, all core JEUS codes as well as the Jakarta EE application and module code deployed to JEUS may be treated as completely “trusted” code, and thereby avoid the overhead incurred by the SecurityManager. This mode of operation, with no SecurityManager, is the default mode in JEUS.

However, there may be cases where the increased reliability and code-level security provided by a JavaSE SecurityManager is considered more important than the performance enhancement.

For example, the administrator may have to deploy some untested or otherwise suspicious Jakarta EE applications or modules to JEUS. In such case, it may be desirable to protect your machines and environment by boosting the code level protection at the expense of performance by using JavaSE SecurityManager.

In order to use a JavaSE SecurityManager with JEUS, define jvm-option in the domain.xml file for a particular server as follows.

-Djava.security.manager
-Djava.security.policy=${JEUS_HOME}/domains/domain1/config/security/policy(for UNIX)

The policy file is JEUS_HOME/domains/<domain name>/config/security/policy and the its content is as follows:

Java SE SecurityManager Configurations: <policy>
grant codeBase "file:${jeus.home}/lib/system/*" {
   permission java.security.AllPermission;
};

grant {
   permission java.net.SocketPermission "127.0.0.1:1024-",
   "connect, accept, connect, listen, resolve";
   permission java.security.SecurityPermission "runTrustedLogin", "read";
   permission java.security.SecurityPermission "loginCodeSubject", "read";
   permission java.security.SecurityPermission "putProviderProperty.*";
   permission java.security.SecurityPermission "insertProvider.*";
   permission javax.management.MBeanPermission "*", "*";
};

The JavaSE SecurityManager is completely independent from JEUS security system. The JEUS security system does not provide protection at the code level (permission configuration that can execute code), but instead it provides security at the user level (the identity of the process that is running and what it is allowed to do).

The only overlap between the two is that, under special conditions, the JEUS security system can check with the JavaSE SecurityManager for some code level permission (see above) in order to protect JEUS from malicious or bug-filled Servlet and EJB code.

7.2. Configuring JACC Provider

For details of configuring the JACC 2.0, refer to Using JACC Provider.

7.3. Configuring information to Grant Identity

If IdentityAssertionService is supported, it is read from the cert-user-map.xml file that contains the mapping information between a certificate and user. The file is in the following location.

JEUS_HOME/domains/<domain name>/config/security/<security domain name>/

Here, <domain name> is the name of the domain and <security domain name> is the name of the security domain for which the users are managed.

The XML schema of user-cert-map.xml is user-cert-map.xsd, and its path is JEUS_HOME/lib/schmas/jeus/supportLocale/ko.

In the file, the parent tag, <cert-user>, can have <user>, <cert>, and multiple <cert-user> child tags. Each contains the property information for user to certificate mapping.

Configuring Information to Grant Identity: <cert-user-map.xml>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cert-user-map xmlns="http://www.tmaxsoft.com/xml/ns/jeus">
   <cert-user>
      <username>user1</username>
      <cert>
         <subjectDN>user1DN</subjectDN>
      </cert>
   </cert-user>
</cert-user-map>

Each <cert-user> tag has the following child tags.

  • <username> (required)

    The user name that is mapped to an attribute value of the certificate. (Ex: User name, User ID)

  • <cert>

    Each <cert> tag has the following child tags, which define the certificate mapping information for the user. It defines the value that maps to user name using child attribute value that ensure a unique ID for granting the identity of the certificate, which is included in the truststore file.

    Tag Description

    <alias> (optional)

    Defines the alias for certificate within the keystore. (string)

    <subjectDN> (optional)

    Defines the subejctDN for certificate the within keystore. (string)

    <SKI> (optional)

    Defines the SKI for certificate within the keystore. (string)

    <issuer> (optional)

    Defines the certificate issuer within the keystore. (string)

    <serialNo> (optional)

    Defines the certificate serial number within the keystore. (string)

7.4. Configuring Identity Certificate Information

The JEUS security system provides an API, through the UserCertMappingService, that can be used to obtain certificate information of the authenticated user’s identity. If UserCertMappingService class is supported, the user data is read from the user-cert-map.xml file, where additional mapping information exists for the certificate grouped by users. The file is in the following path.

JEUS_HOME/domains/<domain name>/config/security/<security domain name>/

Here, <domain name> is the name of the domain and <security domain name> is the name of the security domain for which the users are managed.

The XML schema of user-cert-map.xml is user-cert-map.xsd, and its path is JEUS_HOME/lib/schmas/jeus/supportLocale/ko.

In the file, the parent tag, <user-cert-map>, can have 0 or more <user-cert> tags. Each contains the property information to obtain a user certificate from the Keystore file.

Configuring the Certificate Information for Identity: <user-cert-map.xml>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<user-cert-map xmlns="http://www.tmaxsoft.com/xml/ns/jeus">
   <user-cert>
      <username>user1</username>
      <alias>alias1</alias>
      <keypassword>changeit</keypassword>
      <secretkey>
         <keyname>testkeypass</keyname>
         <keyalgorithm>AES</keyalgorithm>
         <keyvalue>bjhTUjJvSXRTOGlkVEdlNHJnM2N3VnljSDZXV0JkYz0=</keyvalue>
      </secretkey>
   </user-cert>
</user-cert-map>

Each <user-cert> tag has the following child tags.

  • <username> (required)

    Defines the user name for the certificate within the keystore. Since this is the primary identity, it must be unique. (ex: user name, user ID)

  • <alias> (required)

    Defines the alias for certificate within the keystore.

  • <keypassword> (optional)

    Defines the keypassword to obtain the private key of the certificate within the keystore. (ex: changeit)

  • <secretkey> (optional)

    Defines the private key.

    Each <secretkey> tag has the following child tags.

    Tag Description

    <keyname> (required)

    Defines the name of the private key. The keyname inside <user-cert-map> tag must be unique. (string)

    <keyalgorithm> (required)

    Indicates the key algorithm for the private key. (string)

    <keyvalue> (required)

    Shows the private key value in the Base64 format.