Sunday, January 31, 2010

JBoss container-managed BASIC authentication

These days I am working on an ACS (Automatic Configuration System) which runs on a JBoss application server, so yesterday I configured the server for container-managed authentication. Here is a straightforward tutorial that demonstrates how to secure applications hosted in JBoss with the BASIC authentication method. Container-managed authentication controls how a user's credentials are verified when a protected resource of a web application is accessed; this tutorial shows how to configure the JBoss application server to protect resources with a simple role-based mechanism. On receiving a request for a protected resource, JBoss asks the web browser for a username and password. With this authentication method, all passwords are sent across the network as base64-encoded text, which is an encoding and not encryption: anyone who can read the traffic can recover the password. It is also worth reviewing the commented parts of the JBoss configuration files to find further options if you need them.

First step, web.xml modifications
Find web.xml in the WEB-INF folder of your deployed EAR application; its exact location depends on the OS you use. Add the lines below at the bottom of web.xml, just before the closing tag.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>ossmanager</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ossmanager</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>OSS Security</realm-name>
</login-config>

<security-role>
    <description>ossmanager is the role required to access under oss</description>
    <role-name>ossmanager</role-name>
</security-role>

<security-role>
    <description>cpeowner is the role required to access under cpeowner</description>
    <role-name>cpeowner</role-name>
</security-role>

Second step, jboss-web.xml modifications
Right beside web.xml in the WEB-INF folder you will find jboss-web.xml; add the lines below to it. Note that datak-oss is the context root of the application and acs-security-policy is an optional name you give to your security policy, which login-config.xml refers to in the next step.

<jboss-web>
    <context-root>datak-oss</context-root>
    <security-domain>java:/jaas/acs-security-policy</security-domain>
</jboss-web>

Third step, login-config.xml modifications
Find login-config.xml in the server/default/conf folder and add the lines below alongside the existing application-policy entries.

<application-policy name="acs-security-policy">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="usersProperties">acs-users.properties</module-option>
            <module-option name="rolesProperties">acs-roles.properties</module-option>
        </login-module>
    </authentication>
</application-policy>

Create the text files acs-users.properties and acs-roles.properties in WEB-INF/classes/ with the content below. Note that the passwords are stored in plain text in this file:

acs-users.properties:
amir=takeiteasy
kamran=mamooshi

acs-roles.properties:
amir=ossmanager,cpeowner
kamran=cpeowner

Exclude a URL by adding a blank security-constraint
I added this part two days later, because the project manager asked me to exclude a certain URL (/cpe) from the secured zone. I did it just by adding a new security-constraint without any auth-constraint. The code below adds an excluded path inside the secured zone, which every anonymous user can access. Add the security-constraint below to web.xml, next to the security-constraint you added before.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>CPE</web-resource-name>
        <url-pattern>/cpe/*</url-pattern>
    </web-resource-collection>
</security-constraint>
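As an added example that is not part of the original post, the Python model below applies the two web.xml constraints above (the /* constraint requiring ossmanager and the open /cpe/* exclusion) to the two property files and returns the container's decision for a request; it also shows how the base64 Authorization header decodes straight back to the plain password. Pattern matching follows the servlet rule that the most specific url-pattern wins; the property contents are copied from the post and the function names are my own.

```python
import base64

# Constructed copies of the two property files shown in the post.
USERS_PROPERTIES = "amir=takeiteasy\nkamran=mamooshi\n"
ROLES_PROPERTIES = "amir=ossmanager,cpeowner\nkamran=cpeowner\n"
# The two web.xml security-constraints: url-pattern -> required roles.
# None models a constraint with no <auth-constraint>, i.e. open to everyone.
CONSTRAINTS = {"/*": {"ossmanager"}, "/cpe/*": None}

def parse_properties(text):
    """Parse a minimal key=value properties file into a dict."""
    pairs = (line.split("=", 1) for line in text.splitlines()
             if line.strip() and not line.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

USERS = parse_properties(USERS_PROPERTIES)
ROLES = {u: set(r.split(",")) for u, r in parse_properties(ROLES_PROPERTIES).items()}

def required_roles(path):
    """Roles demanded by the most specific (longest) matching url-pattern."""
    best = None
    for pattern in CONSTRAINTS:
        if path.startswith(pattern[:-1]) and (best is None or len(pattern) > len(best)):
            best = pattern  # pattern[:-1] drops the trailing '*'
    return CONSTRAINTS.get(best)  # no matching constraint at all -> unprotected

def basic_header(user, password):
    """The Authorization header a browser sends: plain base64, not encryption."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()

def decode_basic(header):
    """Recover (user, password) from a Basic header, or None if it is malformed."""
    scheme, _, token = header.partition(" ")
    try:
        user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    except ValueError:
        return None
    return (user, password) if scheme == "Basic" else None

def authorize(path, authorization=None):
    """Container decision for one request: 200 allowed, 401 challenge, 403 forbidden."""
    required = required_roles(path)
    if required is None:
        return 200  # matched the /cpe/* constraint that has no auth-constraint
    creds = decode_basic(authorization) if authorization else None
    if creds is None or USERS.get(creds[0]) != creds[1]:
        return 401  # JBoss answers with WWW-Authenticate: Basic realm="OSS Security"
    return 200 if ROLES.get(creds[0], set()) & required else 403
```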

Saturday, January 30, 2010

Make programming a bit easier in Linux

Restarting services or killing them are the most repeated activities that I have to do during the current project. Running Maven commands and deleting '.svn' folders are easy too, but they take time. On the other hand, all of them must be done in the operating system shell, and sometimes I have run these commands more than ten times a day. Moreover, everyone knows that it can be much easier to develop simple Linux bash scripts or define aliases for the most frequently used commands. So I developed the scripts below and defined some aliases to make it easier.

killj.sh is a bash script which kills my Java processes whose command line contains the 'javaagent' keyword. The application needs 'javaagent' as a VM parameter, so I look for it to kill the right process.
#!/bin/bash
# Kill every Java process whose command line contains 'javaagent'.
# pgrep -f matches the full command line and, unlike 'ps | grep', never matches itself.
for pid in $(pgrep -f javaagent); do
    /bin/kill "$pid" && echo " $pid has been killed."
done
sleep 1  # give the processes a moment to exit before checking again
if pgrep -f javaagent > /dev/null; then
    echo "NOTE: There are still live java processes!!!"
else
    echo "DONE"
fi

rmsvn.sh removes .svn folders recursively.
#!/bin/bash
echo
echo "Warning!!!"
echo "CHECK THE PATH BELOW. This will remove all .svn folders recursively!!!"
pwd
read -p "Are you sure (yes/no)? "
# -prune stops find from descending into a .svn folder that is about to be deleted,
# and -exec ... + handles paths containing spaces, unlike a plain backtick list.
[ "$REPLY" = "yes" ] && find . -type d -name .svn -prune -exec rm -rf {} + && echo "all .svn folders have been removed!!!"

Also I added the lines below at the end of my .bashrc file:
alias lt='ls -alt | head -20'
alias ld="ls -al -d * | egrep '^d'"
alias c="mvn clean"
alias ci="mvn -Pdev -DskipTests clean install"
alias i="mvn -Pdev -DskipTests install"
alias jkill="/bin/killj.sh"
alias rmsvn="/bin/rmsvn.sh"
alias go="cd /home/amir/projects/company/jcb2"
alias dpiproxy="sudo cp -f /etc/tor/torrc.dpi /etc/tor/torrc"
alias noproxy="sudo cp -f /etc/tor/torrc.noproxy /etc/tor/torrc"
alias tor="sudo /etc/init.d/tor restart"

Now, compiling, cleaning and killing processes are much easier...

Friday, January 29, 2010

Port mapping in Linux on Ubuntu and CentOS

If you are used to setting up web servers on Windows easily, you will find that Linux does not expose itself so readily on the network. Indeed, Linux has its own secure approach to letting your web servers listen on port 80: ordinary users cannot bind ports below 1024, because those belong to the super user, and it is recommended to run web servers as a limited user anyway. So the best way to serve HTTP on port 80 is to map port 80 to a port above 1024.
Last week I worked with a JBoss application server which ran on port 8080, and the client needed it on port 80 without any modification to the JBoss settings. I did it easily by running three iptables commands which I found in some tutorials on the web.

sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

sudo iptables -I INPUT -p tcp --dport 8080 -j ACCEPT

sudo iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8080

NOTE: if you do not put the -o lo option on the last command, all outgoing requests to port 80 will be routed to port 8080 on the localhost.

Finally, you should save the new rules to disk. The command below persists the changes to /etc/iptable.rules, the file that is restored at start-up (the redirection runs inside sh so that the file can be written under /etc):

sudo sh -c 'iptables-save > /etc/iptable.rules'

Moreover, you need to make sure the rules are loaded at the next start-up, so add the line below to /etc/network/interfaces after the iface line of your interface:

pre-up iptables-restore < /etc/iptable.rules


If you are using CentOS, it is enough to run the command below to persist the iptables rules:

/sbin/service iptables save

Restart the network connection and enjoy it.
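As an added example that is not from the post, the Python audit below reads a saved iptables dump in iptables-save format, confirms that the PREROUTING redirect from port 80 to 8080 is present, and flags the two things the rules above leave open: a nat OUTPUT REDIRECT without -o lo (the NOTE above) and port 8080 being accepted directly rather than only through the redirect. The dump is constructed to mirror the three commands, with -o lo left off on purpose; the function names are my own.

```python
import shlex

# Constructed iptables-save dump modelled on the three rules in the post; the
# nat OUTPUT rule deliberately lacks '-o lo' so the audit has something to flag.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
"""

def parse_rules(dump):
    """Yield (table, chain, options) for every -A rule in an iptables-save dump."""
    table = None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            yield table, tokens[1], tokens[2:]

def option(tokens, name):
    """Value that follows option `name` in a rule, or None if the option is absent."""
    return tokens[tokens.index(name) + 1] if name in tokens else None

def prerouting_redirect(dump):
    """(dport, to_ports) of the nat PREROUTING REDIRECT rule, or None if missing."""
    for table, chain, opts in parse_rules(dump):
        if (table, chain, option(opts, "-j")) == ("nat", "PREROUTING", "REDIRECT"):
            return option(opts, "--dport"), option(opts, "--to-ports")
    return None

def audit(dump):
    """Findings a defender wants to see before persisting the rules as /etc/iptable.rules."""
    findings = []
    for table, chain, opts in parse_rules(dump):
        target, dport = option(opts, "-j"), option(opts, "--dport")
        if (table, chain, target) == ("nat", "OUTPUT", "REDIRECT") and option(opts, "-o") != "lo":
            findings.append("nat OUTPUT REDIRECT lacks '-o lo': every outgoing connection "
                            "to port %s is diverted to local port %s" % (dport, option(opts, "--to-ports")))
        if (table, chain, target) == ("filter", "INPUT", "ACCEPT") and dport:
            findings.append("filter INPUT accepts port %s directly, so the backend is reachable "
                            "on that port as well as through the redirect" % dport)
    return findings
```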