
Java SE security tutorial - Step 2

Building on the previous step, the following topic shows how to implement client authentication in a distributed eXtreme Scale environment.

Before you begin
Be sure that you have completed Java SE security tutorial - Step 1.
About this task
With client authentication enabled, a client is authenticated before connecting to the eXtreme Scale server. This section shows how client authentication works in an eXtreme Scale server environment, with sample code and scripts.
As with any other authentication mechanism, the minimum authentication consists of the following steps:
The administrator changes configurations to make authentication a requirement.
The client provides a credential to the server.
The server authenticates the credential to the registry.
Procedure
Client credential

A client credential is represented by a com.ibm.websphere.objectgrid.security.plugins.Credential interface. A client credential can be a user name and password pair, a Kerberos ticket, a client certificate, or data in any format that the client and server agree upon. Refer to Credential API documentation for more details.

This interface explicitly defines the equals(Object) and hashCode() methods. These two methods are important because the authenticated Subject objects are cached by using the Credential object as the key on the server side.

eXtreme Scale also provides a plug-in to generate a credential. This plug-in is represented by the com.ibm.websphere.objectgrid.security.plugins.CredentialGenerator interface, and is used to generate a client credential. This is useful when the credential is expirable. In this case, the getCredential() method is called to renew a credential. Refer to CredentialGenerator API Documentation for more details.

You can implement these two interfaces for eXtreme Scale client runtime to obtain client credentials.

This sample uses the following two sample plug-in implementations provided by eXtreme Scale.

com.ibm.websphere.objectgrid.security.plugins.builtins.UserPasswordCredential
com.ibm.websphere.objectgrid.security.plugins.builtins.UserPasswordCredentialGenerator
For more information about these plug-ins, see Client authentication programming
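The following is an added example, not code from the IBM documentation or from the eXtreme Scale product, showing what the two interfaces above look like when implemented for an expirable credential: a generator that hands out a user/password credential with a time-to-live and mints a fresh one when getCredential() is called after expiry. It assumes the eXtreme Scale client jar is on the classpath so that the two plug-in interfaces resolve; setProperties(String) on CredentialGenerator and the "user,password[,ttlSeconds]" properties format are assumptions, since only getCredential() is named on this page.

```java
// Added example; not part of the IBM documentation or the product code.
// Assumes the eXtreme Scale client jar is on the classpath. The properties format
// "user,password[,ttlSeconds]" and CredentialGenerator.setProperties(String) are assumptions.
package sample.security;

import java.io.Serializable;
import java.util.Arrays;
import java.util.Objects;

import com.ibm.websphere.objectgrid.security.plugins.Credential;
import com.ibm.websphere.objectgrid.security.plugins.CredentialGenerator;

/** Generates an expirable user/password credential for the client runtime. */
public final class ExpiringUserPasswordCredentialGenerator implements CredentialGenerator {

    private static final long DEFAULT_TTL_MILLIS = 5 * 60 * 1000L;

    private String userId;
    private char[] password;
    private long ttlMillis = DEFAULT_TTL_MILLIS;
    private ExpiringCredential current;

    /** Parses "user,password[,ttlSeconds]" (assumed format). */
    @Override
    public synchronized void setProperties(String properties) {
        String[] parts = properties.split(",");
        if (parts.length < 2) {
            throw new IllegalArgumentException("expected user,password[,ttlSeconds]");
        }
        userId = parts[0].trim();
        password = parts[1].trim().toCharArray();
        if (parts.length > 2) {
            ttlMillis = Long.parseLong(parts[2].trim()) * 1000L;
        }
        current = null;
    }

    /**
     * Returns the current credential while it is still valid and mints a fresh one once
     * it has expired; this is the renewal the runtime relies on when it calls getCredential().
     */
    @Override
    public synchronized Credential getCredential() {
        long now = System.currentTimeMillis();
        if (current == null || current.isExpired(now)) {
            current = new ExpiringCredential(userId, password, now + ttlMillis);
        }
        return current;
    }

    /** User/password pair with an expiry time. */
    public static final class ExpiringCredential implements Credential, Serializable {
        private static final long serialVersionUID = 1L;

        private final String userId;
        private final char[] password;
        private final long expiresAtMillis;

        ExpiringCredential(String userId, char[] password, long expiresAtMillis) {
            this.userId = Objects.requireNonNull(userId, "userId");
            this.password = Objects.requireNonNull(password, "password").clone();
            this.expiresAtMillis = expiresAtMillis;
        }

        public String getUserId() { return userId; }
        public char[] getPassword() { return password.clone(); }
        public boolean isExpired(long nowMillis) { return nowMillis >= expiresAtMillis; }

        // The server caches the authenticated Subject keyed by the Credential, so equals and
        // hashCode must cover every field. Leaving the password out would let a request
        // carrying a wrong password hit the Subject cached for a correct one.
        @Override
        public boolean equals(Object o) {
            if (this == o) return true;
            if (!(o instanceof ExpiringCredential)) return false;
            ExpiringCredential other = (ExpiringCredential) o;
            return expiresAtMillis == other.expiresAtMillis
                && userId.equals(other.userId)
                && Arrays.equals(password, other.password);
        }

        @Override
        public int hashCode() {
            return Objects.hash(userId, Arrays.hashCode(password), expiresAtMillis);
        }

        // Keep the secret out of logs and stack traces.
        @Override
        public String toString() {
            return "ExpiringCredential[user=" + userId + ", expiresAt=" + expiresAtMillis + "]";
        }
    }
}
```

Because the expiry time takes part in equals and hashCode, a renewed credential is a different cache key on the server, so renewal forces a fresh authentication rather than reusing the old Subject. The password still travels with each request as-is; keeping it confidential on the wire is the transport's job, which is why the transportType setting matters in the client properties described later.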

Server authenticator
After the eXtreme Scale client retrieves the Credential object using the CredentialGenerator object, this client Credential object is sent along with the client request to the eXtreme Scale server. The eXtreme Scale server authenticates the Credential object before processing the request. If the Credential object is authenticated successfully, a Subject object is returned to represent this client.
This Subject object is then cached, and it expires after its lifetime reaches the session timeout value. The login session timeout value can be set by using the loginSessionExpirationTime property in the cluster XML file. For example, setting loginSessionExpirationTime="300" makes the Subject object expire in 300 seconds.

This Subject object is then used for authorizing the request, which is shown later.
An eXtreme Scale server uses the Authenticator plug-in to authenticate the Credential object. Refer to Authenticator API Documentation for more details.

This example uses an eXtreme Scale built-in implementation: KeyStoreLoginAuthenticator, which is for testing and sample purposes (a key store is a simple user registry and should not be used for production). For more information, see the topic on authenticator plug-in under Client authentication programming.

This KeyStoreLoginAuthenticator uses a KeyStoreLoginModule to authenticate the user against the key store through the JAAS login module "KeyStoreLogin". The key store is passed as an option to the KeyStoreLoginModule class. The following example shows the KeyStoreLogin alias configured in the JAAS configuration file og_jaas.config:

KeyStoreLogin {
    com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginModule required
        keyStoreFile="../security/sampleKS.jks" debug=true;
};

The following commands create a key store sampleKS.jks in the %OBJECTGRID_HOME%/security directory with the store password sampleKS1. They also create three user certificates, representing the administrator user, the manager user, and the cashier user, each protected by its own password.
Navigate to the eXtreme Scale root directory.
cd objectgridRoot
Create a directory called "security".
mkdir security
Navigate to the newly created security directory.
cd security
Use keytool (in the javaHOME/bin directory) to create a user "administrator" with password "administrator1" in the key store sampleKS.jks.
keytool -genkey -v -keystore ./sampleKS.jks -storepass sampleKS1  -alias administrator -keypass administrator1  -dname CN=administrator,O=acme,OU=OGSample -validity 10000
Use keytool (in the javaHOME/bin directory) to create a user "manager" with password "manager1" in the key store sampleKS.jks.
keytool -genkey -v -keystore ./sampleKS.jks -storepass sampleKS1  -alias manager -keypass manager1  -dname CN=manager,O=acme,OU=OGSample -validity 10000
Use keytool (in the javaHOME/bin directory) to create a user "cashier" with password "cashier1" in the key store sampleKS.jks.
keytool -genkey -v -keystore ./sampleKS.jks -storepass sampleKS1  -alias cashier -keypass cashier1 -dname CN=cashier,O=acme,OU=OGSample  -validity 10000
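Before starting any server it is worth confirming that the key store really behaves as the user registry the tutorial expects. The following added check (not part of the IBM documentation) uses only the JDK: it loads sampleKS.jks with the store password, lists the aliases, and then attempts to recover each user's key entry with that user's key password, which is exactly the operation a key-store-backed login succeeds or fails on. The path and the user/password pairs are those created by the keytool commands above; the "wrong-password" attempt is a constructed negative case.

```java
// Added example, not part of the IBM documentation. Checks the sampleKS.jks created by
// the keytool commands above; requires only the JDK. Run from the security directory:
//   java sample.security.SampleKeyStoreCheck ./sampleKS.jks
package sample.security;

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Enumeration;

public final class SampleKeyStoreCheck {

    /** Loads a JKS key store. The store password protects integrity, not the individual keys. */
    static KeyStore load(String path, char[] storePassword)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePassword);
        }
        return ks;
    }

    /**
     * Returns true when the alias exists as a key entry and the supplied key password
     * recovers it; this is what "authenticating against a key store" amounts to.
     */
    static boolean authenticate(KeyStore ks, String user, char[] password)
            throws GeneralSecurityException {
        if (!ks.isKeyEntry(user)) {
            return false; // unknown user, or a trusted-certificate entry with no password
        }
        try {
            return ks.getKey(user, password) != null;
        } catch (UnrecoverableKeyException e) {
            return false; // wrong password
        }
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "sampleKS.jks";
        KeyStore ks = load(path, "sampleKS1".toCharArray());

        System.out.println("Entries in " + path + ":");
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            System.out.println("  " + alias + (ks.isKeyEntry(alias) ? " (key entry)" : " (certificate only)"));
        }

        // The three accounts created by the keytool commands, plus a constructed negative case.
        String[][] attempts = {
            {"administrator", "administrator1"},
            {"manager", "manager1"},
            {"cashier", "cashier1"},
            {"cashier", "wrong-password"},
        };
        for (String[] a : attempts) {
            boolean ok = authenticate(ks, a[0], a[1].toCharArray());
            System.out.printf("login %-14s -> %s%n", a[0], ok ? "accepted" : "rejected");
        }
    }
}
```

One caveat this check will surface: on JDK 9 and later, keytool creates a PKCS12 store by default regardless of the .jks file name, and PKCS12 does not support a key password that differs from the store password, so the per-user -keypass values above are ignored with a warning. If the three logins are rejected while the store loads fine, add -storetype JKS to the keytool commands (or accept that all users share the store password, which defeats the point of separate accounts).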
The client security configuration is specified in the client properties file. Use the following commands to create a copy in the %OBJECTGRID_HOME%/security directory:

Change to the security directory.
cd objectgridRoot/security
Copy the sampleClient.properties file to the client.properties file.
cp ../properties/sampleClient.properties client.properties
The following properties are highlighted in the client.properties file in the security directory.
securityEnabled: Setting securityEnabled to true (default value) enables the client security, which includes authentication.
credentialAuthentication: Set credentialAuthentication to Supported (default value), which means the client supports credential authentication.
transportType: Set transportType to TCP/IP, which means no SSL will be used.
singleSignOnEnabled: Set it to false (default value). Single sign-on is not available.
Server security configuration

The server security configuration is specified in the security descriptor XML file and the server security property file.

The security descriptor XML file describes the security properties common to all servers (including catalog servers and container servers). One example is the authenticator configuration, which specifies the user registry and authentication mechanism.
Here is the security.xml file to be used in this sample:

<?xml version="1.0" encoding="UTF-8"?>
<securityConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://ibm.com/ws/objectgrid/config/security ../objectGridSecurity.xsd"
    xmlns="http://ibm.com/ws/objectgrid/config/security">
    <security securityEnabled="true" loginSessionExpirationTime="300">
        <authenticator className="com.ibm.websphere.objectgrid.security.plugins.builtins.KeyStoreLoginAuthenticator">
        </authenticator>
    </security>
</securityConfig>
