JBoss.org Community Documentation

JBoss AS 6.0 Security Guide

Security with JBoss Application Server 6


I. Security Overview
1. J2EE Declarative Security Overview
1.1. Security References
1.2. Security Identity
1.3. Security roles
1.4. EJB method permissions
1.5. Web Content Security Constraints
1.6. Enabling Declarative Security in JBoss
2. Introduction to JAAS
2.1. The JAAS Core Classes
2.1.1. The Subject and Principal Classes
2.1.2. Authentication of a Subject
3. JBoss Security Model
3.1. Enabling Declarative Security in JBoss Revisited
4. The JBoss Security Extension Architecture
4.1. How the JaasSecurityManager Uses JAAS
4.2. The JaasSecurityManagerService MBean
4.2.1. The JNDIBasedSecurityManagement Bean
4.3. The JaasSecurityDomain Bean
II. Security Domains and Components
5. Static Security Domains
6. Loading Static Security Domains
7. Dynamic Security Domains
8. Authorization Stacks
9. Deployment-level Role Mapping
10. JBoss Login Modules
10.1. Using Modules
10.1.1. Password Stacking
10.1.2. Password Hashing
10.1.3. Unauthenticated Identity
10.1.4. Principal Class
10.1.5. UsersRolesLoginModule
10.1.6. DatabaseServerLoginModule
10.1.7. LdapLoginModule
10.1.8. LdapExtLoginModule
10.1.9. BaseCertLoginModule
10.1.10. IdentityLoginModule
10.1.11. RunAsLoginModule
10.1.12. ClientLoginModule
10.2. Custom Modules
10.2.1. Custom LoginModule Example
III. Encryption and Security
11. Java Security Manager
12. Encrypting EJB connections with SSL
12.1. SSL Encryption overview
12.1.1. Key pairs and Certificates
12.2. Generate encryption keys and certificate
12.2.1. Generate a self-signed certificate with keytool
12.2.2. Configure a client to accept a self-signed server certificate
12.3. EJB3 Configuration
12.3.1. Create a secure remoting connector for EJB3
12.3.2. Configure EJB3 Beans for SSL Transport
12.4. EJB2 Configuration
13. Masking Passwords in XML Configuration
13.1. Password Masking Overview
13.2. Generate a key store and a masked password
13.3. Encrypt the key store password
13.4. Create password masks
13.5. Replace clear text passwords with their password masks
13.6. Changing the password masking defaults
14. Overriding SSL Configuration
15. Encrypting Data Source Passwords
15.1. Secured Identity
15.1.1. Encrypt the data source password
15.1.2. Create an application authentication policy with the encrypted password
15.1.3. Configure the data source to use the application authentication policy
15.2. Configured Identity with Password Based Encryption
16. Encrypting the Keystore Password in a Tomcat Connector
16.1. Medium Security Usecase
17. Using LdapExtLoginModule with JaasSecurityDomain
18. Firewalls
19. Secure Remote Password Protocol
19.1. Understanding the Algorithm
19.2. Configure Secure Remote Password Information
19.3. Secure Remote Password Example
20. Consoles and Invokers
20.1. JMX Console
20.2. Admin Console
20.3. HTTP Invokers
20.4. JMX Invoker
20.5. Remote Access to Services, Detached Invokers
20.5.1. A Detached Invoker Example, the MBeanServer Invoker Adaptor Service