To provide a lightweight guide for other CBIIT applications (e.g., caArray) on how to secure their own grid services.
Technical Details
Assumptions
- JBoss 4.0.5
- JAAS
- Remote EJBs for business application integration
- caGrid 1.3
- Using BDA for JBoss container configuration of secure services
- Using Common Security Module (CSM)
Changes to Application
- Add CommonsGridLoginModule to the JAAS login module configuration (security-config.xml)
  - requires nci-commons-core version 1.2.4 or greater; see http://maven.5amsolutions.com/archiva/browse/com.fiveamsolutions/nci-commons-core
  - requires jbosssx.jar as a dependency to handle encryption of the pre-shared key

    <login-module code="com.fiveamsolutions.nci.commons.authentication.CommonsGridLoginModule" flag="optional">
        <module-option name="gridServicePrincipal">${gridServicePrincipal}</module-option>
        <module-option name="gridServiceCredential">${gridServiceCredential}</module-option>
        <module-option name="gridServicePrincipalSeparator">||</module-option>
    </login-module>

- Define the gridServicePrincipal and gridServiceCredential properties within the appropriate properties file so that the login module configuration file is filled in as part of the build and deployment process for your application

  Example snippet to add Maven2 properties:

    <gridServicePrincipal>Gr1DU5er</gridServicePrincipal>
    <gridServiceCredential>ltHZmZ1rqYq8j2uyHEABIQ==</gridServiceCredential>

- Introduce a new grid service instance CSM Group. Update the application name 'po' to your application's name.

  Sample SQL for Postgres to define a new CSM Group:

    INSERT INTO CSM_GROUP (GROUP_NAME, GROUP_DESC, APPLICATION_ID)
    VALUES ('gridClient', 'Grid Service Invocation Group',
            (SELECT application_id FROM csm_application WHERE application_name = 'po'));
Changes to Grid Service(s)
- Alter Service Context(s) within Introduce
- Modify each service context accordingly
- Highlight Service Context, click Modify Service button
- Under Information Page, User Resource Framework Options section, check Secure
- Under Security Page (tab/button at top of dialogue), choose Custom
- Then under Secure Communication tab, check Transport Layer Security, choose Privacy for Communication Method
- Then under Authorization tab, select No for Client should connect anonymously AND select Enforce Authentication for Authorization Mechanism
- Then under Service Credentials tab, select System for Run As
- Add a Service Property to your (Main Service) context within Introduce
  - Select the Service Properties tab and input the following values:

    Key:           gridServicePrincipalSeparator
    Default Value: ||
    Description:   The separator used to encode the gridServicePrincipal and the grid user's identity when using com.fiveamsolutions.nci.commons.authentication.CommonsGridLoginModule

  - Click Add
  - Save your changes within Introduce (the save must be successful)
- Alter how remote services (e.g., EJBs) are authenticated and authorized for each grid service request. As an example, create a GridSecurityJNDIServiceLocator class that authenticates using both the gridServicePrincipal and the Grid User's Identity (e.g., /O=caBIG/OU=caGrid/OU=Training/OU=Dorian/CN=coppagridtest) instead of a typical remote service user. In short, base your implementation on your existing Locator (e.g., JNDIServiceLocator) and replace existing occurrences with the new GridSecurityJNDIServiceLocator.
- Add a Service Property to the PAServices context: gridServicePrincipalSeparator with default value ||
Tip: Example GridSecurityJNDIServiceLocator implementation within COPPA PO Grid Service
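Added illustration, not the COPPA PO locator the tip links to and not the nci-commons API: a hypothetical GridSecurityJNDIServiceLocator that logs in through JAAS as gridServicePrincipal||gridUserIdentity, the composite form the login-module options above configure CommonsGridLoginModule to split. The JAAS domain name, the constructor arguments and the use of LoginContext plus a fresh InitialContext for EJB lookups are assumptions of this example.

```java
import java.io.IOException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Hypothetical locator: authenticates EJB lookups as "<gridServicePrincipal><sep><grid user DN>". */
public class GridSecurityJNDIServiceLocator {
    private final String jaasDomain;            // JAAS application-policy name (assumed)
    private final String gridServicePrincipal;  // same value as the login-module option
    private final String gridServiceCredential; // same value as the login-module option
    private final String separator;             // must equal gridServicePrincipalSeparator ("||")
    public GridSecurityJNDIServiceLocator(String domain, String principal, String credential, String sep) {
        this.jaasDomain = domain;
        this.gridServicePrincipal = principal;
        this.gridServiceCredential = credential;
        this.separator = sep;
    }
    /** Builds the composite principal that CommonsGridLoginModule splits on the separator. */
    public String compositePrincipal(String gridUserIdentity) {
        if (gridUserIdentity == null || gridUserIdentity.trim().isEmpty()) {
            // Anonymous callers are refused, matching "Enforce Authentication" in Introduce.
            throw new IllegalArgumentException("grid caller identity is required");
        }
        if (gridUserIdentity.contains(separator)) {
            // A DN containing the separator could not be split unambiguously by the module.
            throw new IllegalArgumentException("grid identity must not contain " + separator);
        }
        return gridServicePrincipal + separator + gridUserIdentity;
    }
    /** Logs in through JAAS as the composite principal and returns a JNDI context for EJB lookups. */
    public Context lookup(String gridUserIdentity) throws LoginException, NamingException {
        final String user = compositePrincipal(gridUserIdentity);
        LoginContext lc = new LoginContext(jaasDomain, new CallbackHandler() {
            public void handle(Callback[] cbs) throws IOException, UnsupportedCallbackException {
                for (Callback cb : cbs) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                    else if (cb instanceof PasswordCallback)
                        ((PasswordCallback) cb).setPassword(gridServiceCredential.toCharArray());
                    else throw new UnsupportedCallbackException(cb);
                }
            }
        });
        lc.login();                  // a rejected principal/credential pair throws LoginException
        return new InitialContext(); // EJB calls made through this context carry the logged-in identity
    }
}
```

The grid caller's DN passed to lookup() is whatever the caGrid service runtime reports for the current request; reading it is left to the calling service.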