Securent Entitlement Management Solution

v 3.1 GA

JACC Agent for WebSphere

September 2007

Part No. 31GA-JACCAGENTWEBSPHERE-1

Copyright © 2006-2007 Securent, Inc. All Rights Reserved.

Restricted Rights. This software and documentation is subject to and made available only pursuant to the terms of the Securent Inc. License Agreement and may be used or copied only in accordance with the terms of that agreement. It is against the law to copy the software except as specifically allowed in the agreement. This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent, in writing, from Securent, Inc.

THE SOFTWARE AND DOCUMENTATION ARE PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND INCLUDING WITHOUT LIMITATION, ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. FURTHER, Securent DOES NOT WARRANT, GUARANTEE, OR MAKE ANY REPRESENTATIONS REGARDING THE USE, OR THE RESULTS OF THE USE, OF THE SOFTWARE OR WRITTEN MATERIAL IN TERMS OF CORRECTNESS, ACCURACY, RELIABILITY, OR OTHERWISE.

JACC Agent for WebSphere Application Server

Contents

    Introduction
    Securent JACC Agent approach to protect WebSphere Server Applications
    Integrating Securent JACC Agent with WebSphere Application Server
    Example of JACC Agent authorization process
        Protecting Web Resources in WebSphere Application Server application
        Protecting EJB Resources in WebSphere Application Server application


Introduction

    This document explains how the Securent JACC Agent for WebSphere Application Server enables fine-grained authorization decisions for web applications deployed on WebSphere Application Server.

Note: The Securent JACC Agent is developed using Sun Microsystems' Java Authorization Contract for Containers (JACC) specification, which is part of Java 2 Platform, Enterprise Edition (J2EE) 1.4. JACC defines a contract between J2EE containers and authorization providers. The contract enables third-party authorization providers (such as the Securent JACC Agent) to plug into J2EE application servers, such as WebSphere Application Server, and make the authorization decision whenever a J2EE resource is accessed. The access decisions are made through the standard java.security.Policy object. The Securent JACC Agent implements the policy class, the policy configuration factory class, and the policy configuration interface, as required by the J2EE JACC specification.

    More information about the J2EE JACC specification can be found at: http://java.sun.com/j2ee/javaacc/index.html

    Securent JACC Agent approach to protect WebSphere Server Applications

WebSphere security providers are modules that plug into a WebSphere Server security realm to provide security services to applications. A provider determines whether access to WebSphere Server resources should be granted or denied.

    If the WebSphere security providers supplied with the WebSphere Server product do not fully meet your security requirements, you can supplement or replace them with custom security providers. The Securent JACC Agent is a custom authorization provider for WebSphere Application Server. It can be used to protect WebSphere Application Server resources such as EJBs, Servlets, JSPs and Web Services.


    The above figure illustrates the following sequence of events:

    1. Users that access protected resources are authorized using the Securent JACC Provider.

    2. The WebSphere Application Server container uses information from the J2EE application deployment descriptor to determine the required role membership.

3. WebSphere Application Server uses the embedded Securent JACC Provider to request an authorization decision from the Securent Entitlement Server (PDP). Additional context information, when present, is also passed to the PDP. This context information consists of the J2EE application name and the J2EE module name. If the PDP database holds policies specified for any of this context information, the authorization server uses it to make the authorization decision.

    4. The authorization server consults the permissions that are defined for the specified user within the PDP DB.

    5. The PDP returns the access decision to the embedded Securent JACC Provider.

    6. WebSphere Application Server either grants or denies access to the protected method or resource, based on the decision that is returned from the PDP.

    Securent JACC Provider also provides centralized administration of multiple servers.

[Figure: example architecture. Components shown: Securent PDP with PDP DB; Cell Manager; Node; two WebSphere Application Server instances, each with an embedded Securent JACC Provider and a Local Replica PDP DB.]

    The above figure is an example architecture showing WebSphere Application Servers secured by Securent JACC Provider.

    The participating WebSphere Application Servers use a local replica of the Securent Entitlement Server to make authorization decisions for incoming requests. The local policy databases are replicas of the master policy database. Having policy database replicas on each participating WebSphere Application Server node optimizes performance when making authorization decisions and provides failover capability.


    Although the authorization server can also be installed on the same system as WebSphere Application Server, this configuration is not illustrated in the diagram.

It is possible to have separate WebSphere Application Server profiles on the same host that are configured for different PDPs. Such an architecture requires that the profiles are configured for separate Java Runtime Environments (JREs), so multiple JREs must be installed on the same host.

The Securent JACC Agent authorization process proceeds as follows:

    1. A user sends a request to the WebSphere container to access a WebSphere resource for performing a given operation.

2. The WebSphere container receives the request and invokes the method implies(ProtectionDomain, Permission) on the Securent JACC Provider.

    3. The Securent JACC Provider extracts the subject (i.e. the user name) from the ProtectionDomain and the requested resource from the Permission object, and in turn calls the method isUserAccessAllowed(subject, resource, action) on the Securent Policy Enforcement Point (PEP).

    4. The Securent PEP makes the API call to the Securent Entitlement Server (PDP) by constructing a XacmlRequest using the subject, resource and action. The API method that is called is isUserAccessAllowed(XacmlRequest).

5. The isUserAccessAllowed(XacmlRequest) method returns one of the following two boolean values:

    • TRUE - indicates that the requested access is permitted

    • FALSE - indicates that the requested access is explicitly denied

6. If the method returns true, the WebSphere container processes the requested operation. If it returns false, an 'Unauthorized Access' message is returned to the client.
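As an added illustration of steps 2 through 6 (not Securent's code), the following java.security.Policy extracts the subject from the ProtectionDomain, maps the JACC permission to a resource and action, and delegates the decision to a PEP. The EntitlementPep interface is a hypothetical stand-in for the Securent PEP's isUserAccessAllowed(subject, resource, action); the example fails closed when no subject is present or the PEP call fails, and hands non-container permissions to the previously installed Policy as the JACC contract expects.

```java
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import javax.security.jacc.EJBMethodPermission;
import javax.security.jacc.WebResourcePermission;

/** Hypothetical stand-in for the Securent PEP API described in the text (not Securent's interface). */
interface EntitlementPep {
    boolean isUserAccessAllowed(String subject, String resource, String action);
}

/** Sketch of a JACC policy provider that delegates container decisions to a PEP/PDP. */
public class DelegatingJaccPolicy extends Policy {
    private final EntitlementPep pep;
    private final Policy fallback; // Policy installed before this one (code-based permissions)

    public DelegatingJaccPolicy(EntitlementPep pep, Policy fallback) {
        this.pep = pep;
        this.fallback = fallback;
    }

    @Override
    public boolean implies(ProtectionDomain domain, Permission permission) {
        // Only J2EE container permissions are entitlement decisions; all other
        // permissions (e.g. RuntimePermission) keep their normal Java 2 semantics.
        if (!(permission instanceof WebResourcePermission)
                && !(permission instanceof EJBMethodPermission)) {
            return fallback.implies(domain, permission);
        }
        String subject = subjectOf(domain);          // e.g. the user name entered at login
        if (subject == null) {
            return false;                            // unauthenticated caller: fail closed
        }
        String resource = permission.getName();      // URL pattern or EJB name
        String action = permission.getActions();     // HTTP method(s) or "method,interface,params"
        try {
            // Step 4 in the text: the PEP builds an XacmlRequest from these values and asks the PDP.
            return pep.isUserAccessAllowed(subject, resource, action == null ? "" : action);
        } catch (RuntimeException e) {
            return false;                            // PDP or local replica unavailable: deny, never grant
        }
    }

    private static String subjectOf(ProtectionDomain domain) {
        Principal[] principals = (domain == null) ? null : domain.getPrincipals();
        if (principals == null || principals.length == 0) {
            return null;
        }
        return principals[0].getName();
    }
}
```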


    Integrating Securent JACC Agent with WebSphere Application Server

    Following are the steps to integrate JACC agent with WebSphere Application Server.

    1. Unzip file SecurentJACCAgent.zip to directory.

    2. Copy securentjaccagent.jar, pep.jar, and papclient_classes.jar to the directory - WebSphere\AppServer\lib\

    3. Edit pep_config.xml file.

    • Provide PDP configuration details.

    • Edit tag and set the values for application group and application to be protected.

    − Edit tag with the required application group and

    − Edit tag with the required application to be protected.

• Edit tag for protecting web resources such as JSPs, servlets, actions, etc.: provide the value webapp and set the attribute enableaction=true. This setting protects all web resources and actions (if set to false, the web resources in the application are not protected).

    • You can also edit tag for protecting EJB resources such as EJB beans, EJB methods, etc.: provide the value ejb and set the attribute enableaction=true. This setting protects all EJB resources (if set to false, the EJB resources in the application are not protected).

    • Edit tag. You can set its value to either session or request. (The source is the place from which the user is identified, for example the session or the request.)

    • Edit tag to use the attribute key name in the session or request.

    4. Start the WebSphere Application server.

5. Open the WebSphere Server Console (e.g. http://IPAddress:Port/ibm/console).

6. From the WebSphere Application Server administrative console, click the link Security > Secure administration, applications, and infrastructure.

    7. A screen is displayed on the right side. Click the link External Authorization Providers.

    8. A screen is displayed. Click the link External JACC Provider.

    9. A screen is displayed. Set the following values for the fields:

    • Name = securent JACC Authorizer

    • Description = Securent

    • Policy class name = net.securent.agent.jacc.websphere.SecurentPolicy

    • Policy configuration factory class name = net.securent.agent.jacc.websphere.SecurentPolicyFactory

    • Role configuration factory class name = [blank]

    • Provider initialization class name = [blank]


    10. Click Apply and then click Save (in the top section of the screen).

11. Select the radio button External Authorization using a JACC Provider.

    12. Click Apply and then click Save (in the top section of the screen).

    13. Select the checkbox for Enable Application Security under Application Security.

    14. Select the checkbox for Enable Administrative Security under Application Security.

15. Click Apply and then click Save (at the top of the screen).

    16. The application and application group mentioned in pep_config.xml must be created in the Securent PAP. The links under the application and application group need to be created as resources. Note: In the pep_config.xml file, if the value for tag is set to true, the PAP automatically creates resources as you access a particular page or action in the WebSphere application protected by Securent EMS. If the value for tag is set to false, you need to create the resources manually in the PAP Console.

    Note: Create an environment variable named securent.agentconfig whose value is the directory path \pep_config.xml, under Application servers > server1 > Process Definition > Java Virtual Machine > Custom Properties. Click the New button, enter the environment variable name and value described above, and click Apply and then Save.

Example of JACC Agent authorization process

    The following is an example of a customized JACC Agent authorization process.

    Protecting Web Resources in WebSphere Application Server application

    The Securent JACC Agent for WebSphere protects web resources such as JSPs, Servlets, HTML files, CSS files, etc. The following example illustrates this.

    1. Login to the sample application running on the WebSphere Application Server. The user name entered in the login page will be taken as the subject in the authorization request.

    2. The sample Websphere application contains the following two resources which we want to protect.

    a. images

    b. GalleryMenu JSP

    3. Assume that necessary arrangements are made in the Securent Administration Console by creating a resource hierarchy for the sample application having images and GalleryMenu JSP as resources.

    Configure the entitlement policies for resources - images and GalleryMenu JSP - by defining Allow policies on them for the Role of External Users, as shown in the following Resource Based Entitlement screen in the PAP Console.


4. Because of the above setting in the PAP Console, the sample application shows the two resources - images and GalleryMenu JSP.

    5. Now set Deny policy on the two resources - images and GalleryMenu JSP - for the Role of External Users, as shown in the following Resource Based Entitlement screen in the PAP Console.


6. This setting makes the two resources - images and GalleryMenu JSP - unavailable in the sample WebSphere application, as shown below.


Protecting EJB Resources in WebSphere Application Server application

    The Securent JACC Agent for WebSphere can also be used to protect EJB resources. The following example illustrates this.

    1. Deploy EJB application - EjbClient - in the WebSphere application server.

    2. In the PAP Console, create EjbClient_war application under Prime Group.

    3. In the pep_config.xml file set the values:

    *

    true

    4. Now access the EJB application that is deployed in the WebSphere Application Server.

5. In the PAP, the EJB resources are now created under the EjbClient_war application.

    Here, the resource hierarchy shows the Servlets and EJB methods present in the deployed WAR file. The EJB class name is HelloBean and it has three user-defined methods - sayHello, sayHai and sayByee.

    6. Set Allow policy for the Role External Users for the application EjbClient_war.


    7. Now access the EJB application that is deployed in the WebSphere Application Server. The browser displays the following information.

    8. In the PAP Console, set Deny policy for the two EJB method resources - HelloBean sayHello and HelloBean sayHai - for the Role External Users for the application EjbClient_war.


    9. Now access the EJB application that is deployed in the WebSphere Application Server. The browser displays the following information.
