
Simple RAC security

This document assumes you are familiar with building and deploying Heirloom-based applications, and have a working knowledge of Tomcat or JBoss.

It is intended as a short set of steps to set up and test a RACF-to-LDAP project environment.

The following sections describe, as simply as possible, how to enable RAC security against an LDAP-compatible server for Tomcat and JBoss. They use the example application TESTTRAN and its associated LDIF files, which can be found here.

Full documentation on Heirloom's RAC support can be found here and here.

 

Configuring the web server

Tomcat

Add the following line to your catalina.sh file. Make sure the path to your jaas.config file is correct (the file is part of the TESTTRAN project):

JAVA_OPTS="$JAVA_OPTS -Djava.security.auth.login.config=$CATALINA_BASE/webapps/testcics/META-INF/jaas.config"

Add it alongside the other JAVA_OPTS lines, or set JAVA_OPTS as an environment variable, depending on how your server is set up.

Place the following Realm configuration in META-INF/context.xml. Note the correspondence between appName and the entry names in jaas.config: appName="ETP" requires an entry named ETP in jaas.config, otherwise JAAS has no login module to call and every login fails.

<Realm className="org.apache.catalina.realm.CombinedRealm">
    <Realm className="org.apache.catalina.realm.JAASRealm" appName="ETP"
           userClassNames="com.heirloomcomputing.ecc.RACUser"
           roleClassNames="com.heirloomcomputing.ecc.RACRole" />
</Realm>

 

JBoss

Add the following section to your JBoss configuration XML file (for example standalone.xml), inside the security subsystem.

Hint: search for <subsystem xmlns="urn:jboss:domain:security:1.2"> and add it as the first security domain in that section.

<security-domain name="DEMO" cache-type="default">
    <authentication>
        <login-module code="com.heirloomcomputing.ecc.RACLogon" flag="required"/>
    </authentication>
</security-domain>

In WEB-INF/jboss-web.xml, add a security-domain element that references the same security domain:

<security-domain>DEMO</security-domain>

As with the Tomcat appName and jaas.config entry, the two names must match exactly: the value in jboss-web.xml selects the security-domain by name, and a mismatch leaves the application without the RACLogon module.
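Both pairings above (Tomcat: the JAASRealm appName against the entry names in jaas.config; JBoss: the security-domain in jboss-web.xml against the domains declared in the security subsystem) are easy to get wrong and only show up as a failed login. The following Python script is an added example, not part of Heirloom's tooling: it parses embedded copies of the article's snippets and reports any mismatch. The body of jaas.config is an assumption, since the article does not show that file; the only check applied to it here is that the entry exists and names at least one login module.

```python
"""Consistency check for the appName/jaas.config and security-domain pairings.
Added example, not Heirloom tooling; jaas.config content below is assumed."""
import re
import xml.etree.ElementTree as ET

RAC_LOGIN_MODULE = "com.heirloomcomputing.ecc.RACLogon"   # module named in the JBoss section
SEC_NS = "urn:jboss:domain:security:1.2"

# Constructed inputs mirroring the article's snippets.
CATALINA_SH = ('JAVA_OPTS="$JAVA_OPTS -Djava.security.auth.login.config='
               '$CATALINA_BASE/webapps/testcics/META-INF/jaas.config"')
CONTEXT_XML = """<Context>
<Realm className="org.apache.catalina.realm.CombinedRealm">
  <Realm className="org.apache.catalina.realm.JAASRealm" appName="ETP"
         userClassNames="com.heirloomcomputing.ecc.RACUser"
         roleClassNames="com.heirloomcomputing.ecc.RACRole"/>
</Realm>
</Context>"""
# Assumed jaas.config body: the entry name must equal the Realm's appName.
JAAS_CONFIG = """ETP {
    com.heirloomcomputing.ecc.RACLogon required;
};
"""
STANDALONE_XML = """<server xmlns="urn:jboss:domain:1.4"><profile>
<subsystem xmlns="urn:jboss:domain:security:1.2">
  <security-domains>
    <security-domain name="DEMO" cache-type="default">
      <authentication>
        <login-module code="com.heirloomcomputing.ecc.RACLogon" flag="required"/>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>
</profile></server>"""
JBOSS_WEB_XML = "<jboss-web><security-domain>DEMO</security-domain></jboss-web>"

def login_config_path(catalina_sh):
    """Value of -Djava.security.auth.login.config in a JAVA_OPTS line, or None."""
    m = re.search(r"""-Djava\.security\.auth\.login\.config=([^\s"']+)""", catalina_sh)
    return m.group(1) if m else None

def jaas_entries(jaas_config):
    """Map JAAS application name -> [(login module class, control flag)]."""
    entries = {}
    for name, body in re.findall(r"(\w+)\s*\{(.*?)\};", jaas_config, re.S):
        mods = re.findall(r"([\w.]+)\s+(required|requisite|sufficient|optional)\b", body, re.I)
        entries[name] = [(cls, flag.lower()) for cls, flag in mods]
    return entries

def tomcat_app_names(context_xml):
    """appName of every JAASRealm in context.xml (nested realms included)."""
    root = ET.fromstring(context_xml)
    return [r.get("appName") for r in root.iter("Realm")
            if r.get("className") == "org.apache.catalina.realm.JAASRealm"]

def jboss_domains(standalone_xml):
    """Map security-domain name -> list of login-module codes."""
    root = ET.fromstring(standalone_xml)
    return {d.get("name"): [lm.get("code") for lm in d.iter(f"{{{SEC_NS}}}login-module")]
            for d in root.iter(f"{{{SEC_NS}}}security-domain")}

def jboss_web_domain(jboss_web_xml):
    el = ET.fromstring(jboss_web_xml).find("security-domain")
    return el.text.strip() if el is not None and el.text else None

def check_tomcat(catalina_sh, context_xml, jaas_config):
    """Return a list of problems; an empty list means the pairing is consistent."""
    problems = []
    if login_config_path(catalina_sh) is None:
        problems.append("catalina.sh does not set -Djava.security.auth.login.config")
    entries = jaas_entries(jaas_config)
    for app in tomcat_app_names(context_xml):
        if app not in entries:
            problems.append(f"JAASRealm appName {app!r} has no entry in jaas.config")
        elif not entries[app]:
            problems.append(f"jaas.config entry {app!r} declares no login module")
    return problems

def check_jboss(standalone_xml, jboss_web_xml):
    """Return a list of problems for the jboss-web.xml / security subsystem pairing."""
    problems = []
    domains = jboss_domains(standalone_xml)
    wanted = jboss_web_domain(jboss_web_xml)
    if wanted is None:
        problems.append("jboss-web.xml has no <security-domain> element")
    elif wanted not in domains:
        problems.append(f"security-domain {wanted!r} is not declared in the security subsystem")
    elif RAC_LOGIN_MODULE not in domains[wanted]:
        problems.append(f"security-domain {wanted!r} does not use {RAC_LOGIN_MODULE}")
    return problems

if __name__ == "__main__":
    print("tomcat:", check_tomcat(CATALINA_SH, CONTEXT_XML, JAAS_CONFIG) or "ok")
    print("jboss:", check_jboss(STANDALONE_XML, JBOSS_WEB_XML) or "ok")
```

To use it against a real deployment, read the four inputs from disk instead of the embedded strings; the path returned by login_config_path still contains the unexpanded $CATALINA_BASE, so expand it with the same value your catalina.sh uses before checking that the file exists.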

 

Configuring your LDAP server

Install and configure your LDAP server; OpenLDAP is a good choice.

A sample OpenLDAP configuration file, together with an LDIF file containing the records that configuration expects to find, is located in the workdir of the TESTTRAN project.

You can import the LDIF file using Apache Directory Studio or command-line tools such as ldapadd.

 

Note that in the project's RAC Settings the Role group has the same name as the LDIF group that contains all users. These must match for the initial login to work.

 

Running the sample project

Build and deploy the sample TESTTRAN project as usual.

When you run the application, a login dialog appears. The user in the sample LDIF file has user ID demo and password demo, so log in with those.

You can enter a transaction on the screen to test demo's access rights to it. The sample LDIF file defines two transactions, READ and UPDT. The group that demo belongs to has READ access to the READ transaction and ALTER access to the UPDT transaction. You can change the LDIF settings, or add new transactions and group permissions, to test the system further.

For example, you can reduce the UPDT transaction to UPDATE access by modifying the group's uniqueMember value as follows:

Old:

cn=DEMOGRP,ou=groups,dc=hcidemo,dc=com,businessCategory=allow:alter

New:

cn=DEMOGRP,ou=groups,dc=hcidemo,dc=com,businessCategory=allow:update

After applying the modified LDIF to the directory, press F3 in the application to reset, then enter the UPDT transaction again to see the change take effect.

The project is configured with logging turned on, and a RAC-messages.log file is produced. In Tomcat it is written to the logs directory; in JBoss it is written to either the bin directory or the logs directory, depending on whether you run from the command line or as a service.
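To make the effect of that edit concrete, here is a small Python model of the grant evaluation, added as an example and not Heirloom's own implementation. It parses a constructed LDIF fragment in the shape the article describes (the ou=transactions container and the groupOfUniqueNames object class are assumptions; only the uniqueMember value format comes from the article) and applies the RACF access ordering NONE < EXECUTE < READ < UPDATE < CONTROL < ALTER, in which a granted level implies every lower one. Running it shows that after the change DEMOGRP keeps UPDATE and READ on UPDT but no longer has ALTER.

```python
"""Model of group-to-transaction grants in the sample LDIF (added example)."""
import re

# RACF access hierarchy: a granted level implies every lower level.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Constructed LDIF fragment.  The ou=transactions container and objectClass
# are assumptions; the uniqueMember value format is the one the article shows.
SAMPLE_LDIF = """\
dn: cn=READ,ou=transactions,dc=hcidemo,dc=com
objectClass: groupOfUniqueNames
cn: READ
uniqueMember: cn=DEMOGRP,ou=groups,dc=hcidemo,dc=com,businessCategory=allow:read

dn: cn=UPDT,ou=transactions,dc=hcidemo,dc=com
objectClass: groupOfUniqueNames
cn: UPDT
uniqueMember: cn=DEMOGRP,ou=groups,dc=hcidemo,dc=com,businessCategory=allow:alter
"""

TX_BASE = "ou=transactions,dc=hcidemo,dc=com"   # assumed location of transaction entries
MEMBER_RE = re.compile(r"^(?P<dn>.+?),businessCategory=allow:(?P<level>\w+)$", re.I)

def parse_ldif(text):
    """Parse a simple LDIF (no base64 values) into {dn: {attr: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        # LDIF folds long lines by continuing them with a leading space; unfold first.
        for line in block.replace("\n ", "").splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip(), []).append(value.strip())
        dn = attrs.pop("dn")[0]
        entries[dn] = attrs
    return entries

def granted_level(entries, transaction, group_dn):
    """Highest level the transaction entry grants to group_dn (NONE if absent)."""
    tx = entries.get(f"cn={transaction},{TX_BASE}", {})
    best = "NONE"
    for member in tx.get("uniqueMember", []):
        m = MEMBER_RE.match(member)
        if not m or m.group("dn").lower() != group_dn.lower():
            continue
        level = m.group("level").upper()
        if level not in LEVELS:
            # Reject unknown qualifiers rather than silently treating them as a grant.
            raise ValueError(f"unknown access level {level!r} on {transaction}")
        if LEVELS.index(level) > LEVELS.index(best):
            best = level
    return best

def is_allowed(entries, transaction, group_dn, requested):
    """True if the group's granted level covers the requested level."""
    granted = granted_level(entries, transaction, group_dn)
    return LEVELS.index(granted) >= LEVELS.index(requested.upper())

if __name__ == "__main__":
    group = "cn=DEMOGRP,ou=groups,dc=hcidemo,dc=com"
    before = parse_ldif(SAMPLE_LDIF)
    # The edit the article describes: allow:alter -> allow:update on UPDT.
    after = parse_ldif(SAMPLE_LDIF.replace("allow:alter", "allow:update"))
    for label, entries in (("before", before), ("after", after)):
        for tx in ("READ", "UPDT"):
            print(label, tx, granted_level(entries, tx, group),
                  "ALTER allowed:", is_allowed(entries, tx, group, "ALTER"))
```

The hierarchy applied here is the standard RACF one; confirm against the RAC documentation linked above that Heirloom's RACLogon module treats the allow: qualifiers the same way before relying on this model for anything beyond the sample.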
