[an error occurred while processing this directive]

Cisco Policy Enforcement Point

CEPM JACC Agent for JBoss Portal Guide

Hierarchical Navigation

Downloads

 Feedback

Table Of Contents

CEPM JACC Agent for JBoss Portal Guide

Contents

About This Document

Objective

Audience

Introduction

CEPM JACC Agent Approach to Protect JBoss Server Applications

Integrating CEPM JACC Agent for JBoss Portal

Integrating CEPM In-Process PDP JACC Agent for
JBoss Portal

Example of the JACC Agent Authorization Process

Documentation Updates

Related Documentation

Obtaining Documentation and Submitting a Service Request


CEPM JACC Agent for JBoss Portal Guide

Revised: January 17, 2011, Doc Part No: OL-19565-01

Contents

About This Document

Introduction

CEPM JACC Agent Approach to Protect JBoss Server Applications

Integrating CEPM JACC Agent for JBoss Portal

Integrating CEPM In-Process PDP JACC Agent for JBoss Portal

Example of the JACC Agent Authorization Process

About This Document

Objective

This document explains about how CEPM JACC Agent for JBoss Portal helps in implementing the fine-grained authorization decisions for portal applications developed using JBoss Portal.

Audience

This guide is for administrators who use CEPM and are responsible for resource modelling and entitlement management.

Introduction

The JACC Agent for JBoss Portal protects the following versions of JBoss Portal:

JBoss Portal 2.4.0

JBoss Portal 2.6.0-DR1

Note The JACC Agent is developed using Sun Microsystem's Java Authorization Contract for Containers (JACC) specification that is part of Java 2 Platform, Enterprise Edition (J2EE) 1.4. JACC defines a contract between J2EE containers and authorization providers. The contract enables third-party authorization providers (like the JACC Agent) to plug into portal application servers, such as the JBoss Portal server, to make the authorization decisions when a Portlet resource is accessed.

More information about the J2EE JACC specification can be found at:

http://java.sun.com/j2ee/javaacc/index.html

CEPM JACC Agent Approach to Protect JBoss Server Applications

JBoss Portal security providers are modules that "plug into" a JBoss security realm to provide security services to portal applications. The provider determines whether access should be granted or denied to JBoss Portal resources, that is, portlets.

The Cisco Enterprise Policy Manager (CEPM) provides the JBoss Portal authorization provider called the JACC Agent for JBoss Portal. This authorization provider can be used for protecting JBoss Portal resources like portlets.

The JACC Agent makes calls to the Policy Decision Point (PDP) decision APIs and then gets back the appropriate result based on the decision. The important function that the JACC Agent implements is:

Class: 

org.jboss.portal.security.spi.auth.PortalAuthorizationManager

Method: 

public boolean internalCheckPermission(PortalPermission permission)

The preceding method in turn calls the following PDP API method for getting the decision information. 

public Boolean isUserAccessAllowed(String username, 

                                   String resource, 

                                   String action)

Figure 1 CEPM JACC Authorization

CEPM JACC Agent authorization process is carried out in the following manner:

1. A user or system process requests a JBoss Portal resource (Portlet) for performing a given operation to access the resource (Portlet).

2. The resource container, which handles the type of JBoss resource being requested, receives the request (for example, the Portlet container receives the request for Portlet resource).

3. The resource container calls the JBoss Security Framework, passing in the subject, the JBoss resource, and action (to provide input for the decision).

4. The JBoss Security Framework delegates the actual decision about whether the subject is entitled to perform the requested action on the JBoss Portal resource to the external authorization provider, that is, CEPM JACC Agent.

5. CEPM JACC Agent makes the API call to the PDP to get the policy decision information for that request. The API method that is called is isUserAccessAllowed() and the parameters passed to it are subject, JBoss resource, and action. The isUserAccessAllowed() method returns only one from the following possible boolean values:

TRUE indicates that the requested access is permitted.

FALSE indicates that the requested access is explicitly denied.

Integrating CEPM JACC Agent for JBoss Portal

To integrate the JACC agent with JBoss Portal 2.4 and 2.6, follow these steps:

Step 1 Unzip the distribution, CEPM_JACCJBOSSAgentV3.3.0.0.zip, from distribution folder. The directory where the jaccgent.zip file is unzipped is referred to as JACC_HOME directory in this document.

The JACC_HOME directory now contains the following files (unzipped from jaccagent.zip file).

jacc_classes.jar

CEPM_Commons.jar

pep.jar

papclient_classes.jar

pep_config.xml

JACC_Readme.txt

Step 2 Copy CEPM JACC Agent jar file, jacc_classes.jar, from the JACC_HOME directory to the JBoss Portal directory, JBOSS_HOME\server\default\lib.

Step 3 Add the pep.jar, CEPM_Commons.jar, and papclient_classes.jar files to the classpath of the web application. This can be achieved by copying these jar files from the JACC_HOME directory to the JBoss Portal directory, the JBOSS_HOME\server\default\lib folder.

Step 4 Add the pep_config.xml file to the classpath of the web application. To do this, open the run.bat file from the \JBOSS_HOME\bin folder. In the jboss properties section, mention the pep_config.xml classpath as shown here: 

-DCEPM.AGENT_CONFIG= <JACC_HOME>\config\pep\pep_config.xml

-Dlog4j.configuration=<JACC_HOME>\config\logging\logging.xml 
-DCEPM_DECISION_CACHE_CONFICEPMG=<JACC_HOME>\config\jbosscache\jbosscache.xml

Step 5 Edit the pep_config.xml file and update the values of the <applicationgroup> and <application> tags to the application group and web application for which you want to implement the security. Modify the URL value of <pdp> to the URL of the PDP Server. Also update URL value of <api> to the URL of the Policy Administration Point (PAP) Server.

Step 6 Add the following Mbean lines to the JBOSS_HOME\server\default\deploy\jboss-portal.sar\META-INF\jboss-service.xml file: 

   <!-- JACC security manager and realm mapping -->

   <mbean code="org.jboss.security.jacc.SecurityService"

          name="jboss.security:service=JACCSecurityService" xmbean-dd="">              

            <xmbean>

             <description>The JACC security Policy service</description>

                <operation>

                   <description>The start lifecycle operation</description>

                   <name>start</name>

                </operation>

                  <operation>

                    <description>The stop lifecycle operation</description>

                    <name>stop</name>

                </operation>

          </xmbean>

    </mbean>

Step 7 Add the following lines to the JBOSS_HOME\server\default\deploy\jbossweb-tomcat55.sar\server.xml file. This enables the JaccAuthorizationRealm over the default JBossSecurityMgrRealm. 

<Realm className="org.jboss.web.tomcat.security.JaccAuthorizationRealm"/>

Step 8 Remove the following lines from the JBOSS_HOME \server\default\deploy\ Properties-service.xml file. 

<mbean code="org.jboss.varia.property.SystemPropertiesService" 

	     name="jboss:type=Service,name=SystemProperties">

                  ;;;

</mbean>

Step 9 Add the following lines to the JBOSS_HOME\server\default\conf\jboss_service.xml file. 

 
   <!--System properties--> 
        <mbean code="org.jboss.varia.property.SystemPropertiesService" 

	            name="jboss:type=Service,name=SystemProperties">

	            <attribute name="Properties" >

              javax.security.jacc.policy.provider=  
				com.cisco.epm.agent.jacc.jboss.CepmPolicy

                 javax.security.jacc.PolicyConfigurationFactory.provider= 
  		 		com.cisco.epm.agent.jacc.jboss.CepmPolicyFactory

	 			org.jboss.security.jacc.DelegatingPolicy=

				com.cisco.epm.agent.jacc.jboss.DelegatingPolicy

            </attribute>

            <!-- Load properties from each of the given comma seperated  
                 URLs

             <attribute name="URLList">

                        http://somehost/some-location.properties,

                             ./conf/somelocal.properties

             </attribute>

            -->

            <!--  Set raw properties file style properties.


              <attribute name="Properties">

                 my.project.property=This is the value of my property

                 my.project.anotherProperty=This is the value of my other  
                 property

              </attribute>

             -->

         </mbean>

  <!--System properties-->

Step 10 Create users within CEPM who are going to use this web application under the application name that is specified in the pep_config.xml file.

Map the created users to appropriate roles in CEPM. Assign the roles to the web application and resources.

Note For creating Resources implicitly in CEPM, set the value for <record> tag to true in pep_config.xml file.For example: <record>true</record>

Note Jboss portal server has two default users as admin and user.

Step 11 Before restarting the application server, check the server ports. No PDP server port can match with application server port.

Step 12 Restart the server and run the portal application.

Step 13 After starting the server, open the URL— http://host:[jbossport]/portal. The login page will be displayed.

Step 14 Enter the username and password. (For example, user/user. You must create this user in PAP.)

Step 15 Check the functionality by restricting access to a particular portlet resource using PAP.

After authentication, when a user tries to access a secured resource (like a portlet), the user will either receive a HTTP error code 403, which indicates that access to the requested resource is denied, or the user will get the access to the requested resource based on the permissions specified within CEPM.

Integrating CEPM In-Process PDP JACC Agent for
JBoss Portal

In-process PDP is used as an alternate for PDP in case of static applications. In this case there is no pep_config.xml file. The necessary agent tag (the <jax-rpc-webservice-config> tag) is accommodated in the pdp_config.xml file.

To configure JAX-RPC Handler in the static application running in WebSphere Application Server-6.1.0, follow these steps:

Step 1 Unzip the JACCJBOSSAgentV3.3.0.0_InProcessPDP.zip file to your local machine. The unzipped folder will be your <CEPM_JACC_HOME>.

Step 2 Copy the InProcessPDP.jar, cepmjaccagent.jar, and thirdpartylib_inprocess.jar files from <CEPM_JACC_HOME> to the WebSphere-home\AppServer\lib folder.

Step 3 Open the configure.properties file from the <CEPM_JACC_HOME>/bin folder and update the following parameters:

DOMAIN_NAME= refers to the domain name [repository name].

CEPM.DB_SELECTION= refers to the database type. You can select Oracle, MSSQL, or DB2. If no selection is made, it will default to Oracle.

Update the following database properties:

CEPM.DB_URL= Database URL in the following format:
jdbc:oracle:thin:@hostName:portName:databaseName

CEPM.DB_USR= Database username

CEPM.DB_PWD= Encrypted password

CEPM.DB_DRIVER= Database driver name

Note The database password is configured in encrypted format in configuration files. To get an encrypted password, run the encryptor.bat(sh) file from the <CEPM_JACC_HOME>\bin folder using the following command:

For Windows—encryptor.bat JAVA_HOME Password

For Solaris/Linux—encryptor.sh JAVA_HOME Password

where JAVA_HOME is replaced with the corresponding folder path for JAVA_HOME and Password is replaced with the chosen database password. When this command is executed, an encrypted password is displayed. You must copy this encrypted password in the Password parameter of the database properties in the configure.properties file.

Step 4 Run the configure.bat(sh) file from the <CEPM_JACC_HOME>/bin folder to configure the in-process PDP. This generates a specific <jacc-agent-config> tag in the pdp_config.xml file.

Step 5 To check whether the in-process PDP is configured properly, run the InprocessPDPSampleTest.bat(sh) file from the <CEPM_JACC_HOME>/bin folder.

The remaining steps to integrate the JACC Agent with in-process PDP are same the steps to integrate the JACC Agent for JBOSS portal.

Example of the JACC Agent Authorization Process

Step 1 Login to the sample portal running in the JBoss Portal. The username entered in the login page is taken as the subject in the authorization request.

The sample portal contains three portlets, for example:

User Portlet

HelloWorld Portlet

JACCPortlet

Step 2 Assume that necessary arrangements are made in the administration console by creating a resource hierarchy with sample portal as the application and portlets as resources. To control the access of all or any of the portlets of the sample portal, configure the entitlement policies by defining allow policies on all the portlets from the user-based screen as shown in Policy Creation.

Figure 2 Policy Creation

This setting reflects in the sample portal in the following way, that is, you can view all the portlets in the portal.

Figure 3 Sample Portal.

Step 3 Set a deny policy on all the three portlets (User Portlet, HelloWorld Portlet, JACCPortlet) in the administration console as shown in Deny Policy

Figure 4

Deny Policy

This setting makes all the three portlets (User Portlet, HelloWorld Portlet, JACCPortlet) unavailable in the sample portal as shown in Access Denied.

Figure 5 Access Denied

Documentation Updates

Table 1 Updates to CEPM JACC Agent for JBoss Portal Guide

Date
Description

July 9, 2009

Minor edits and template/boilerplate updates for publication to Cisco.com

April 3, 2009

Cisco Enterprise Policy Manager (EPM) Release 3.3.0.0


Related Documentation

CEPM_User_Guide_V3.3.0.0.pdf

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.

CCDE, CCENT, CCSI, Cisco Eos, Cisco Explorer, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco TrustSec, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1002R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2009 Cisco Systems, Inc. All rights reserved.

[an error occurred while processing this directive]