Ramandeep Singh Nanda
Published

Sat 11 January 2014

←Home

Driving security for ADF essentials:Part 2

In the previous post i discussed about fortress and its directory structure. In this post i will cover the configuration for securing ADF application, using fortress API, writing your own custom ELResolver for doing permission or role checks.

Configuration: Fortress uses a properties file fortress.properties for storing configuration that it uses at runtime to communicate with the openldap server. It also uses ehcache.xml file for caching the retrieved entities from the openldap server to boost performance. Both these files need to be present in your classpath. The sample file structure for fortress.properties and ehcache.xml is shown below.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
# Host name and port of LDAP DIT:
host=localhost
port=389

# These credentials are used for read/write access to all nodes under suffix:
admin.user=cn=Manager,dc=sample,dc=com
# LDAP admin root pass is encrypted using 'encrypt' target in build.xml:
admin.pw=W7T0G9hyr344K+DF8gfgA==

# This is min/max settings for LDAP administrator pool connections that have read/write access to all nodes under suffix:
min.admin.conn=10
max.admin.conn=100

# This node contains fortress properties stored on behalf of connecting LDAP clients:
#the config.realm is a node stored in ou=config
config.realm=DEFAULT
config.root=ou=Config,dc=sample,dc=com

# enable this to see trace statements when connection pool allocates new connections:
debug.ldap.pool=true

# Default for pool reconnect flag is false:
enable.pool.reconnect=true

crypto.prop=uiote12434

ehcache.config.file=ehcache.xml

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
<?xml version="1.0" encoding="UTF-8"?>

<!--
Fortress CacheManager Configuration
==========================
This ehcache.xml corresponds to a single CacheManager.
-->
<ehcache name="fortress-realm" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:noNamespaceSchemaLocation="ehcache.xsd"
         updateCheck="true" monitoring="autodetect"
         dynamicConfig="true"
        >

    <cacheManagerEventListenerFactory class="" properties=""/>

    <!--
    Default Cache configuration. These settings will be applied to caches
    created programmatically using CacheManager.add(String cacheName).
    This element is optional, and using CacheManager.add(String cacheName) when
    its not present will throw CacheException

    The defaultCache has an implicit name "default" which is a reserved cache name.
    -->
    <defaultCache
           eternal="false"
           overflowToDisk="false"
           timeToIdleSeconds="120"
           timeToLiveSeconds="120"
           diskSpoolBufferSizeMB="30"
           maxElementsOnDisk="10"
           diskPersistent="false"
           diskExpiryThreadIntervalSeconds="120"
           memoryStoreEvictionPolicy="LRU"
           />

    <!--
        Thic cache contains password policy entries.  It is used to save a read on User password policy edits. There should be one element for every tenant.
    -->
    <cache name="fortress.policies"
           maxElementsInMemory="10"
           maxElementsOnDisk="10"
           eternal="false"
           overflowToDisk="false"
           diskSpoolBufferSizeMB="2"
           timeToIdleSeconds="600"
           timeToLiveSeconds="600"
           memoryStoreEvictionPolicy="LFU"
           />

    <!--
        Contains the value OrgUnits for User and Permissions. There should be two elements for every tenant.
    -->
    <cache name="fortress.ous"
           maxElementsInMemory="2"
           maxElementsOnDisk="2"
           eternal="false"
           overflowToDisk="false"
           diskSpoolBufferSizeMB="2"
           timeToIdleSeconds="600"
           timeToLiveSeconds="600"
           memoryStoreEvictionPolicy="LFU"
           />

    <!--
        Contains the JGraphT hierarchies for RBAC roles.  There should be one element for every tenant.
    -->
    <cache name="fortress.roles"
           maxElementsInMemory="10"
           maxElementsOnDisk="10"
           eternal="false"
           overflowToDisk="false"
           diskSpoolBufferSizeMB="2"
           timeToIdleSeconds="600"
           timeToLiveSeconds="600"
           memoryStoreEvictionPolicy="LFU"
           />

    <!--
        Contains the JGraphT hierarchies for ARBAC roles. There should be one element for every tenant.
    -->
    <cache name="fortress.admin.roles"
           maxElementsInMemory="10"
           maxElementsOnDisk="10"
           eternal="false"
           overflowToDisk="false"
           diskSpoolBufferSizeMB="2"
           timeToIdleSeconds="600"
           timeToLiveSeconds="600"
           memoryStoreEvictionPolicy="LFU"
           />

    <!--
        Contains the JGraphT hierarchies for Perm OUs. There should be one element for every tenant.
    -->
    <cache name="fortress.pso"
           maxElementsInMemory="10"
           maxElementsOnDisk="10"
           eternal="false"
           overflowToDisk="false"
           diskSpoolBufferSizeMB="2"
           timeToIdleSeconds="600"
           timeToLiveSeconds="600"
           memoryStoreEvictionPolicy="LFU"
           />

    <!--
        Contains the JGraphT hierarchies for User OUs.  There should be one element for every tenant.
    -->
    <cache name="fortress.uso"
           maxElementsInMemory="10"
           maxElementsOnDisk="10"
           eternal="false"
           overflowToDisk="false"
           diskSpoolBufferSizeMB="2"
           timeToIdleSeconds="600"
           timeToLiveSeconds="600"
           memoryStoreEvictionPolicy="LFU"
           />

    <!--
        Searchable cache contains Role<->DSD mapping.  This configuration sets a fairly long TTL of 1 hour.
    -->
    <cache name="fortress.dsd"
           maxElementsInMemory="1000"
           maxElementsOnDisk="10"
           eternal="false"
           overflowToDisk="false"
           diskSpoolBufferSizeMB="20"
           timeToIdleSeconds="3600"
           timeToLiveSeconds="3600"
           memoryStoreEvictionPolicy="LFU">
           <searchable>
               <searchAttribute name="member" expression="value.getMember()"/>
               <searchAttribute name="name" expression="value.getName()"/>
               <searchAttribute name="contextId" expression="value.getContextId()"/>
           </searchable>
        </cache>

    <!--
        Cache contains Role<->SSD mapping.
    -->
    <cache name="fortress.ssd"
           maxElementsInMemory="1000"
           maxElementsOnDisk="10"
           eternal="false"
           overflowToDisk="false"
           diskSpoolBufferSizeMB="20"
           timeToIdleSeconds="600"
           timeToLiveSeconds="600"
           memoryStoreEvictionPolicy="LFU"
           />

</ehcache>


Library Dependencies:


You will need the following jars in your classpath which can be added as maven dependencies.


fortress-RC34.jar


ehcache-core.jar (version 2.6.0)


jasypt.jar (version 1.8)


commons-lang (version 2.6)


commons-configuration (version 1.10)


jgrapht-jdk (version 0.7.3)


slf4j-api


unboundid-ldapsdk-2.3.5.jar



This basically finishes your configuration.



Brief overview of fortress java API:- Though the java docs link i provided in the previous post should be apt. I will just provide a brief overview of the major API classes or interfaces.



  1. AdminMgr: Use the implementation of this class for managing users, application roles management, application permission managment.
  2. DelAdminMgr: This is used to perform action on ARBAC entities. You use this for organization creation, admin roles and permission management.
  3. ReviewMgr: Use this for seaching existing users, roles, permissions or permission objects.
  4. DelReviewMgr: Use this for searching organizations, searching roles.
  5. PwPolicyMgr: this can be used for managing password policies for user entities.
  6. AccessMgr: this is used to authenticate user and check for his/her access to a particular permission or role.
  7. DelAccessMgr: this can be used to check for applicable admin permissions and admin roles.

To instantiate each of the objects you can use the corresponding factory class. For example to get a AdminMgr implementation you use the following method.


 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
private AdminMgr createAndGetAdminMgr() {
    String methodName = Thread.currentThread().getStackTrace()[1].getMethodName();
    AdminMgr mgr = null;
    try {
        mgr = AdminMgrFactory.createInstance(GlobalIds.HOME);
    } catch (SecurityException e) {
        logger.severe("[" + methodName + "]" + "Unable to create AdminMgr Instance", e);
        throw new RuntimeException("Unable to create AdminMgr Instance", e
                                        );
    }
    return mgr;
}

After you have obtained the instance you can perform the corresponding operations on it.



Securing your application:


Although fortress comes with its security realm for tomcat or jboss. If you’d like to customize the login process you can do so using its API.



Login Process:


In your login method of the servlet or managed bean you use the following method to authenticate and create user session.


1
Session rbacSession= acMgr.createSession(user, false);


This method will validate the user’s password and temporal constraints. It will throw exception in case the user’s password is expired and warning if the user’s password is about to expire and user is using grace login. the way to handle these scenarios would be that if a user’s password is about to expire display this information to him/her by providing option to changePassword or continue to the application.



login_flow


The following method is a sample for the login process:


 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
public String doLogin() {
    String un = (String)userName.getValue();
    char[] pw = ((String)password.getValue()).toCharArray();
    //my custom utility class that contains utility methods for fortress
    LDAPOperations ops=new LDAPOperations();
    AccessMgr acMgr=ops.createAndGetAccessMgr();
   Map pfsScope=ADFContext.getCurrent().getPageFlowScope();
    FacesContext context = FacesContext.getCurrentInstance();
    HttpSession session=(HttpSession)context.getExternalContext().getSession(true);
    //check whether RBACSESSION already exists if so redirect the user to the home page
    if(session.getAttribute("RBACSESSION")!=null){
        return "success";
        }
    User user=new User();
    user.setUserId(un);
    user.setPassword(pw);
    try {
       Session rbacSession= acMgr.createSession(user, false);
       if(rbacSession!=null)
       {
           //check for warnings if they contain password expiration warning warn him of the same
           //and provide option to change the password
            List<Warning> warnings=rbacSession.getWarnings();
            if(warnings!=null && !warnings.isEmpty())
            {
                Iterator <Warning> it=warnings.iterator();
                while(it.hasNext()){
                   Warning warning=it.next();
                    if(warning.getId()==GlobalPwMsgIds.PASSWORD_EXPIRATION_WARNING){
                        pfsScope.put("errorMessage",warning.getMsg());
                        session.setAttribute("RBACSESSION", rbacSession);
                         ExtendedRenderKitService erks =
                            Service.getRenderKitService(context, ExtendedRenderKitService.class);
                            //show popup
                            erks.addScript(context,"AdfPage.PAGE.findComponent('"+popUp.getClientId()+"').show();");
                            pfsScope.put("expireWarning",Boolean.TRUE);
                            return "";
                        }
                }
            }
            session.setAttribute("RBACSESSION", rbacSession);
            context.responseComplete();
            return "success";
        }

    } catch (PasswordException e) {
        //this means the user's password was reset by admin and hence redirect user to change his password afterward you can log him out
        if(e.getErrorId()==GlobalErrIds.USER_PW_RESET){
            if(session!=null){
                //temporary user id and user's pw policy which can be shown on the change password page
                session.setAttribute("userIdTemp", un);
                List<User> users=new ArrayList();
                users=ops.searchUsers(un);
                String pwPol=users.get(0).getPwPolicy();
                session.setAttribute("pwPol", pwPol);
                context.responseComplete();
                return "changePassword";
            }
        }  else{
        loginLogger.fine("Login Failed due to authentication failure"+e.getMessage(),e);
        pfsScope.put("errorMessage","Login Failed due to authentication failure"+e.getMessage());
        }

    }
    catch (ValidationException e) {
                loginLogger.severe("User is not allowed access"+e.getMessage(),e);
                pfsScope.put("errorMessage","User is not allowed access"+e.getMessage());
            }
    catch (FinderException e) {
                loginLogger.severe("User does not exist"+e.getMessage(),e);
                pfsScope.put("errorMessage","User does not exist in the system");
            }
    catch (SecurityException e) {
              loginLogger.fine("Authentication failed due to"+e.getMessage(),e);
                pfsScope.put("errorMessage","System Error Occured"+e.getMessage());
             }
    ExtendedRenderKitService erks =
    Service.getRenderKitService(context, ExtendedRenderKitService.class);
    //show popup
    erks.addScript(context,"AdfPage.PAGE.findComponent('"+popUp.getClientId()+"').show();");
    return "";
}

Here the utility class LDAPOperations is a custom class written by me which in turn uses fortress API’s to access the information.



Checking permissions and roles:



To perform runtime role or permission checks you can use the following methods.


 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
public static boolean isUserInRole(String roleName,Session rbacSession){
    boolean userInRole=false;
    List<UserRole> roles=rbacSession.getRoles();
    List<UserAdminRole> adminRoles=rbacSession.getAdminRoles();
 //check both in admin and normal roles
    if(roles!=null&&!roles.isEmpty()){
    Iterator it=roles.iterator();
    while(it.hasNext()){
        UserRole role=(UserRole)it.next();
        if(role.getName().equals(roleName)){
            return true;
            }
        }
    }
        if(adminRoles!=null&&!adminRoles.isEmpty()){
        Iterator it=adminRoles.iterator();
        while(it.hasNext()){
            UserAdminRole role=(UserAdminRole)it.next();
            if(role.getName().equals(roleName)){
                return true;
                }
            }
        }
    return userInRole;
    }

To check for permissions:-

If its a admin permission you use DelAccessMgr for a normal permission you use a AccessMgr instance.



1
2
3
4
5
6
7
8
DelAccessMgr delMgr=ops.createAndGetDelAccessMgr();
Permission permn=new Permission();
permn.setAdmin(true);
 //This is a top level object under which individual permissions are stored
permn.setObjectName("taskflowId");
 permn.setOpName("view");
 //returns true if user has access to the permission else returns false.
delMgr.checkAccess(rbacSession, permn);


That is all fine but then one may ask ADF security provides me with el methods such as isUserInRole and SecurityContext.taskflowViewable etc. To accomplish the same here you can implement your own custom ELResolver.


I will cover the same in the next post.

Go Top
comments powered by Disqus