Table Of Contents
CEPM JACC Agent for JBoss Portal Guide
Revised: January 17, 2011, Doc Part No: OL-19565-01
About This Document
This document explains about how CEPM JACC Agent for JBoss Portal helps in implementing the fine-grained authorization decisions for portal applications developed using JBoss Portal.
This guide is for administrators who use CEPM and are responsible for resource modelling and entitlement management.
The JACC Agent for JBoss Portal protects the following versions of JBoss Portal:
•JBoss Portal 2.4.0
•JBoss Portal 2.6.0-DR1
Note The JACC Agent is developed using Sun Microsystem's Java Authorization Contract for Containers (JACC) specification that is part of Java 2 Platform, Enterprise Edition (J2EE) 1.4. JACC defines a contract between J2EE containers and authorization providers. The contract enables third-party authorization providers (like the JACC Agent) to plug into portal application servers, such as the JBoss Portal server, to make the authorization decisions when a Portlet resource is accessed.
More information about the J2EE JACC specification can be found at:
CEPM JACC Agent Approach to Protect JBoss Server Applications
JBoss Portal security providers are modules that "plug into" a JBoss security realm to provide security services to portal applications. The provider determines whether access should be granted or denied to JBoss Portal resources, that is, portlets.
The Cisco Enterprise Policy Manager (CEPM) provides the JBoss Portal authorization provider called the JACC Agent for JBoss Portal. This authorization provider can be used for protecting JBoss Portal resources like portlets.
The JACC Agent makes calls to the Policy Decision Point (PDP) decision APIs and then gets back the appropriate result based on the decision. The important function that the JACC Agent implements is:
Method:public boolean internalCheckPermission(PortalPermission permission)
The preceding method in turn calls the following PDP API method for getting the decision information.public Boolean isUserAccessAllowed(String username,String resource,String action)
Figure 1 CEPM JACC Authorization
CEPM JACC Agent authorization process is carried out in the following manner:
1. A user or system process requests a JBoss Portal resource (Portlet) for performing a given operation to access the resource (Portlet).
2. The resource container, which handles the type of JBoss resource being requested, receives the request (for example, the Portlet container receives the request for Portlet resource).
3. The resource container calls the JBoss Security Framework, passing in the subject, the JBoss resource, and action (to provide input for the decision).
4. The JBoss Security Framework delegates the actual decision about whether the subject is entitled to perform the requested action on the JBoss Portal resource to the external authorization provider, that is, CEPM JACC Agent.
5. CEPM JACC Agent makes the API call to the PDP to get the policy decision information for that request. The API method that is called is isUserAccessAllowed() and the parameters passed to it are subject, JBoss resource, and action. The isUserAccessAllowed() method returns only one from the following possible boolean values:
–TRUE indicates that the requested access is permitted.
–FALSE indicates that the requested access is explicitly denied.
Integrating CEPM JACC Agent for JBoss Portal
To integrate the JACC agent with JBoss Portal 2.4 and 2.6, follow these steps:
Step 1 Unzip the distribution, CEPM_JACCJBOSSAgentV188.8.131.52.zip, from distribution folder. The directory where the jaccgent.zip file is unzipped is referred to as JACC_HOME directory in this document.
The JACC_HOME directory now contains the following files (unzipped from jaccagent.zip file).
Step 2 Copy CEPM JACC Agent jar file, jacc_classes.jar, from the JACC_HOME directory to the JBoss Portal directory, JBOSS_HOME\server\default\lib.
Step 3 Add the pep.jar, CEPM_Commons.jar, and papclient_classes.jar files to the classpath of the web application. This can be achieved by copying these jar files from the JACC_HOME directory to the JBoss Portal directory, the JBOSS_HOME\server\default\lib folder.
Step 4 Add the pep_config.xml file to the classpath of the web application. To do this, open the run.bat file from the \JBOSS_HOME\bin folder. In the jboss properties section, mention the pep_config.xml classpath as shown here:-DCEPM.AGENT_CONFIG= <JACC_HOME>\config\pep\pep_config.xml-Dlog4j.configuration=<JACC_HOME>\config\logging\logging.xml -DCEPM_DECISION_CACHE_CONFICEPMG=<JACC_HOME>\config\jbosscache\jbosscache.xml
Step 5 Edit the pep_config.xml file and update the values of the <applicationgroup> and <application> tags to the application group and web application for which you want to implement the security. Modify the URL value of <pdp> to the URL of the PDP Server. Also update URL value of <api> to the URL of the Policy Administration Point (PAP) Server.
Step 6 Add the following Mbean lines to the JBOSS_HOME\server\default\deploy\jboss-portal.sar\META-INF\jboss-service.xml file:<!-- JACC security manager and realm mapping --><mbean code="org.jboss.security.jacc.SecurityService"name="jboss.security:service=JACCSecurityService" xmbean-dd=""><xmbean><description>The JACC security Policy service</description><operation><description>The start lifecycle operation</description><name>start</name></operation><operation><description>The stop lifecycle operation</description><name>stop</name></operation></xmbean></mbean>
Step 7 Add the following lines to the JBOSS_HOME\server\default\deploy\jbossweb-tomcat55.sar\server.xml file. This enables the JaccAuthorizationRealm over the default JBossSecurityMgrRealm.<Realm className="org.jboss.web.tomcat.security.JaccAuthorizationRealm"/>
Step 8 Remove the following lines from the JBOSS_HOME \server\default\deploy\ Properties-service.xml file.<mbean code="org.jboss.varia.property.SystemPropertiesService"name="jboss:type=Service,name=SystemProperties">;;;</mbean>
Step 9 Add the following lines to the JBOSS_HOME\server\default\conf\jboss_service.xml file.<!--System properties--> <mbean code="org.jboss.varia.property.SystemPropertiesService"name="jboss:type=Service,name=SystemProperties"><attribute name="Properties" >javax.security.jacc.policy.provider= com.cisco.epm.agent.jacc.jboss.CepmPolicyjavax.security.jacc.PolicyConfigurationFactory.provider= com.cisco.epm.agent.jacc.jboss.CepmPolicyFactoryorg.jboss.security.jacc.DelegatingPolicy=com.cisco.epm.agent.jacc.jboss.DelegatingPolicy</attribute><!-- Load properties from each of the given comma seperated URLs<attribute name="URLList">http://somehost/some-location.properties,./conf/somelocal.properties</attribute>--><!-- Set raw properties file style properties.<attribute name="Properties">my.project.property=This is the value of my propertymy.project.anotherProperty=This is the value of my other property</attribute>--></mbean><!--System properties-->
Step 10 Create users within CEPM who are going to use this web application under the application name that is specified in the pep_config.xml file.
Map the created users to appropriate roles in CEPM. Assign the roles to the web application and resources.
Note For creating Resources implicitly in CEPM, set the value for <record> tag to true in pep_config.xml file.For example: <record>true</record>
Note Jboss portal server has two default users as admin and user.
Step 11 Before restarting the application server, check the server ports. No PDP server port can match with application server port.
Step 12 Restart the server and run the portal application.
Step 13 After starting the server, open the URL— http://host:[jbossport]/portal. The login page will be displayed.
Step 14 Enter the username and password. (For example, user/user. You must create this user in PAP.)
Step 15 Check the functionality by restricting access to a particular portlet resource using PAP.
After authentication, when a user tries to access a secured resource (like a portlet), the user will either receive a HTTP error code 403, which indicates that access to the requested resource is denied, or the user will get the access to the requested resource based on the permissions specified within CEPM.
Integrating CEPM In-Process PDP JACC Agent for
In-process PDP is used as an alternate for PDP in case of static applications. In this case there is no pep_config.xml file. The necessary agent tag (the <jax-rpc-webservice-config> tag) is accommodated in the pdp_config.xml file.
To configure JAX-RPC Handler in the static application running in WebSphere Application Server-6.1.0, follow these steps:
Step 1 Unzip the JACCJBOSSAgentV184.108.40.206_InProcessPDP.zip file to your local machine. The unzipped folder will be your <CEPM_JACC_HOME>.
Step 2 Copy the InProcessPDP.jar, cepmjaccagent.jar, and thirdpartylib_inprocess.jar files from <CEPM_JACC_HOME> to the WebSphere-home\AppServer\lib folder.
Step 3 Open the configure.properties file from the <CEPM_JACC_HOME>/bin folder and update the following parameters:
•DOMAIN_NAME= refers to the domain name [repository name].
•CEPM.DB_SELECTION= refers to the database type. You can select Oracle, MSSQL, or DB2. If no selection is made, it will default to Oracle.
•Update the following database properties:
–CEPM.DB_URL= Database URL in the following format:
–CEPM.DB_USR= Database username
–CEPM.DB_PWD= Encrypted password
–CEPM.DB_DRIVER= Database driver name
Note The database password is configured in encrypted format in configuration files. To get an encrypted password, run the encryptor.bat(sh) file from the <CEPM_JACC_HOME>\bin folder using the following command:
For Windows—encryptor.bat JAVA_HOME Password
For Solaris/Linux—encryptor.sh JAVA_HOME Password
where JAVA_HOME is replaced with the corresponding folder path for JAVA_HOME and Password is replaced with the chosen database password. When this command is executed, an encrypted password is displayed. You must copy this encrypted password in the Password parameter of the database properties in the configure.properties file.
Step 4 Run the configure.bat(sh) file from the <CEPM_JACC_HOME>/bin folder to configure the in-process PDP. This generates a specific <jacc-agent-config> tag in the pdp_config.xml file.
Step 5 To check whether the in-process PDP is configured properly, run the InprocessPDPSampleTest.bat(sh) file from the <CEPM_JACC_HOME>/bin folder.
The remaining steps to integrate the JACC Agent with in-process PDP are same the steps to integrate the JACC Agent for JBOSS portal.
Example of the JACC Agent Authorization Process
Step 1 Login to the sample portal running in the JBoss Portal. The username entered in the login page is taken as the subject in the authorization request.
The sample portal contains three portlets, for example:
Step 2 Assume that necessary arrangements are made in the administration console by creating a resource hierarchy with sample portal as the application and portlets as resources. To control the access of all or any of the portlets of the sample portal, configure the entitlement policies by defining allow policies on all the portlets from the user-based screen as shown in Policy Creation.
Figure 2 Policy Creation
This setting reflects in the sample portal in the following way, that is, you can view all the portlets in the portal.
Figure 3 Sample Portal.
Step 3 Set a deny policy on all the three portlets (User Portlet, HelloWorld Portlet, JACCPortlet) in the administration console as shown in Deny Policy
This setting makes all the three portlets (User Portlet, HelloWorld Portlet, JACCPortlet) unavailable in the sample portal as shown in Access Denied.
Figure 5 Access Denied
Table 1 Updates to CEPM JACC Agent for JBoss Portal Guide
July 9, 2009
Minor edits and template/boilerplate updates for publication to Cisco.com
April 3, 2009
Cisco Enterprise Policy Manager (EPM) Release 220.127.116.11
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
CCDE, CCENT, CCSI, Cisco Eos, Cisco Explorer, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco TrustSec, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1002R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2009 Cisco Systems, Inc. All rights reserved.