Securing Applications - JBoss Enterprise Application Platform 6.2 Security Guide

Chapter 15. Application Security

15.1. About Application Security

Securing your applications is a multi-faceted and important concern for every application developer. JBoss EAP 6 provides all the tools you need to write secure applications, including the following abilities:

Section 5.9.1, “About Authentication” Section 5.11.1, “About Authorization” Section 5.13.1, “About Security Auditing” Section 5.14.1, “About Security Mapping” Section 2.1, “About Declarative Security”

Section 15.4.2.1, “About EJB Method Permissions” Section 15.4.3.1, “About EJB Security Annotations”

See also Section 18.4, “Use a Security Domain in Your Application”. Report a bug

15.2. Enabling/Disabling Descriptor Based Property Replacement

Summary

Finite control over descriptor property replacement was introduced in jboss-as-ee_1_1.xsd. This task covers the steps required to configure descriptor based property replacement.

Prerequisites

Start the JBoss Enterprise Application Platform instance. Launch the Management CLI.

Descriptor based property replacement flags have boolean values: When set to true, property replacements are enabled.

When set to false, property replacements are disabled.

Procedure 15.1. jboss-descriptor-property-replacem ent

jboss-descriptor-property-replacem ent is used to enable or disable property replacement in the following descriptors:

jboss-ejb3.xm l jboss-app.xm l jboss-web.xm l * -jm s.xm l * -ds.xm l

/subsystem=ee:write-attribute(name="jboss-descriptor-property- replacement",value=VALUE)

Procedure 15.2. spec-descriptor-property-replacem ent

spec-descriptor-property-replacem ent is used to enable or disable property replacement in the following descriptors:

ejb-jar.xm l persistence.xm l

The default value for spec-descriptor-property-replacem ent is false.

1. In the Management CLI, run the following command to confirm the value of spec-descriptor- property-replacem ent:

/subsystem=ee:read-attribute(name="spec-descriptor-property-replacement")

2. Run the following command to configure the behavior:

/subsystem=ee:write-attribute(name="spec-descriptor-property- replacement",value=VALUE)

Result

The descriptor based property replacement tags have been successfully configured. Report a bug

15.3. Datasource Security

15.3.1. About Datasource Security

The preferred solution for datasource security is the use of either security domains or password vaults. Examples of each are included below. For more information, refer to:

Security domains: Section 4.3.3.1, “About Security Domains”.

Password vaults: Section 10.11.1, “About Securing Sensitive Strings in Clear-Text Files”. Example 15.1. Security Domain Example

<security-domain>mySecurityDomain</security-domain> </security>

Example 15.2. Password Vault Example <security> <user-name>admin</user-name> <password>${VAULT::ds_ExampleDS::password::N2NhZDYzOTMtNWE0OS00ZGQ0LWE4MmEtMWNlM DMyNDdmNmI2TElORV9CUkVBS3ZhdWx0}</password> </security>

Report a bug

15.4. EJB Application Security

15.4.1. Security Identity

15.4.1.1. About EJB Security Identity

The security identity, which is also known as invocation identity, refers to the <security-identity> tag in the security configuration. It refers to the identity another EJB must use when it invokes methods on components.

The invocation identity can be either the current caller, or it can be a specific role. In the first case, the <use-caller-identity> tag is present, and in the second case, the <run-as> tag is used. For information about setting the security identity of an EJB, refer to Section 15.4.1.2, “Set the Security Identity of an EJB”.

Report a bug

15.4.1.2. Set the Security Identity of an EJB

Example 15.3. Set the security identity of an EJB to be the same as its caller

This example sets the security identity for method invocations made by an EJB to be the same as the current caller's identity. This behavior is the default if you do not specify a <security-identity> element declaration.

<ejb-jar>

<enterprise-beans> <session>

<ejb-name>ASessionBean</ejb-name>  <security-identity> <use-caller-identity/> </security-identity> </session>  </enterprise-beans> </ejb-jar>

Example 15.4. Set the security identity of an EJB to a specific role

To set the security identity to a specific role, use the <run-as> and <role-nam e> tags inside the <security-identity> tag.

<ejb-jar>

<enterprise-beans> <session>

<ejb-name>RunAsBean</ejb-name>

<security-identity> <run-as>

<description>A private internal role</description> <role-name>InternalRole</role-name>

</run-as> </security-identity> </session> </enterprise-beans>  </ejb-jar>

By default, when you use <run-as>, a principal named anonym ous is assigned to outgoing calls. To assign a different principal, uses the <run-as-principal>.

<ejb-name>RunAsBean</ejb-name> <security-identity>

<run-as-principal>internal</run-as-principal> </security-identity>

</session>

In document JBoss Enterprise Application Platform 6.2 Security Guide (Page 194-198)