Using the default JRun security mechanism

JRun ships with a default login module and user store that you can use for testing, development, and deployment. This section describes architecture and usage for the default security mechanism.

The following figure provides an overview of the default JRun security architecture:

[Figure: XMLLoginModule uses the default user store for authentication and authorization.]

The default JRun security implementation includes the following components:

XMLLoginModule

XMLLoginModule, the default JRun login module, runs within JAAS and is called by the JRunSecurityManager service to handle all authentication and authorization. This login module authenticates or authorizes users based on specifications in a JRun server's user store (SERVER-INF/jrun-users.xml by default). It uses the JRunUserManager service to access the user store, calling JRunUserManager methods to access information, much like a JDBC-based login module might use SQL to access user and role information from a relational database.

JRun also ships with login modules that perform authentication and authorization using information stored in a relational database, LDAP directory, or Windows. For more information, see "Integrating with an existing security mechanism".

User manager

XMLLoginModule, the default JRun login module, relies on the JRunUserManager service to access the JRun-specific XML-based user store for user-password authentication and user-role authorization. JRunUserManager also provides functionality that updates the user store dynamically. The default JRunUserManager service is specific to XMLLoginModule. If you create a custom login module, you can implement a site-specific user manager for dynamic user store update. However, this is an application-specific consideration, and in most cases, customized security implementations do not require this functionality.

For information on creating a customized JRunUserManager service, see "Defining a custom user manager".

User store

The default security mechanism's user store is an XML-format file that includes elements for user and role definitions, as follows:

XML element    Description
jrun-users     Root element.
encryption     Specifies whether passwords are encrypted.
user           Wraps a user definition. Contains the following subelements:
                 • username
                 • password
role           Wraps a role name and the list of users assigned to the role. Contains the following subelements:
                 • rolename
                 • username

You use the JMC to add, modify, and delete users and roles in the user store. For more information, see the JMC online Help.

Note:   To enable users to access the JMC, add them to the jmcadmin role.

By default, each JRun server has a separate user store; the default name and location for the user store is jrun_server/SERVER-INF/jrun-users.xml. You can share a user store among JRun servers.

You can use the JMC to define users, roles, and user-role assignments; however, you can also modify the jrun-users.xml file using a text editor.

The name and location of the user store is controlled by the securityStore attribute of the JRunUserManager service in the jrun.xml file. In a clustered environment, you must ensure that jrun-users.xml files are replicated across all the JRun servers in a cluster.

Example

The following is an example jrun-users.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jrun-users PUBLIC "-//Macromedia Inc.//DTD jrun-users 4.0//EN"
"http://jrun.macromedia.com/dtds/jrun-users.dtd">
<jrun-users>
     <encryption>false</encryption>
     <user>
       <username>admin</username>
       <password>admin</password>
     </user>
     <user>
       <username>Flash</username>
       <password>Flashpass</password>
     </user>
     <user>
       <username>jmsuser</username>
       <password>jmsuser</password>
     </user>
     <user>
       <username>AxisUser</username>
       <password>AxisPassword</password>
     </user>
     <role>
       <rolename>jmcadmin</rolename>
       <username>admin</username>
     </role>
     <role>
       <rolename>FlashRole</rolename>
       <username>Flash</username>
     </role>
     <role>
       <rolename>AxisRole</rolename>
       <username>AxisUser</username>
     </role>
</jrun-users>
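The following is an added example, not JRun's own code, that reads a jrun-users.xml file laid out as described above and reports what an administrator would want to know before deploying it: whether the store holds plain-text passwords (encryption element false), which users are in the jmcadmin role and therefore can log in to the JMC, any user whose password equals the username, and any role that lists a username that has no user definition. The sample store is constructed for this example and adds a role named Operators with a member ghost that is deliberately undefined; accepting "yes" as well as "true" for the encryption element is an assumption, since the text above says "yes" while the example file uses "false".

```python
"""Audit helper for a JRun 4 jrun-users.xml user store (added example, not JRun code)."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the default user store shown on this page.
# The "Operators" role and its member "ghost" are constructed to show a dangling reference.
SAMPLE_USER_STORE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jrun-users PUBLIC "-//Macromedia Inc.//DTD jrun-users 4.0//EN"
"http://jrun.macromedia.com/dtds/jrun-users.dtd">
<jrun-users>
  <encryption>false</encryption>
  <user><username>admin</username><password>admin</password></user>
  <user><username>Flash</username><password>Flashpass</password></user>
  <user><username>jmsuser</username><password>jmsuser</password></user>
  <role><rolename>jmcadmin</rolename><username>admin</username></role>
  <role><rolename>FlashRole</rolename><username>Flash</username></role>
  <role><rolename>Operators</rolename><username>ghost</username></role>
</jrun-users>
"""

JMC_ADMIN_ROLE = "jmcadmin"   # the role this page says grants access to the JMC


def parse_user_store(xml_text):
    """Return {"encryption": bool, "users": {name: password}, "roles": {role: [names]}}.

    Both "true" and "yes" are treated as encryption enabled (assumption: the page
    uses both spellings and does not say which JRun accepts).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "jrun-users":
        raise ValueError("root element must be <jrun-users>, got <%s>" % root.tag)
    enc = (root.findtext("encryption") or "false").strip().lower()
    users = {}
    for u in root.findall("user"):
        users[u.findtext("username", "").strip()] = u.findtext("password", "")
    roles = {}
    for r in root.findall("role"):
        name = r.findtext("rolename", "").strip()
        roles[name] = [m.text.strip() for m in r.findall("username") if m.text]
    return {"encryption": enc in ("true", "yes"), "users": users, "roles": roles}


def jmc_admins(store):
    """Usernames that can log in to the JMC (members of the jmcadmin role)."""
    return sorted(store["roles"].get(JMC_ADMIN_ROLE, []))


def audit_user_store(store):
    """Return a list of human-readable findings; an empty list means nothing to report."""
    findings = []
    if not store["encryption"]:
        findings.append("encryption is disabled: every password in the store is plain text")
    for name, password in store["users"].items():
        if password == name:
            findings.append("user %r: password is the same as the username" % name)
        if not password:
            findings.append("user %r: empty password" % name)
    for role, members in store["roles"].items():
        for member in members:
            if member not in store["users"]:
                findings.append("role %r lists %r, which is not a defined user" % (role, member))
    if not store["roles"].get(JMC_ADMIN_ROLE):
        findings.append("no members in %r: nobody can log in to the JMC" % JMC_ADMIN_ROLE)
    return findings


if __name__ == "__main__":
    store = parse_user_store(SAMPLE_USER_STORE)
    print("JMC administrators:", ", ".join(jmc_admins(store)))
    for finding in audit_user_store(store):
        print(" -", finding)
```

To run it against a real server, replace SAMPLE_USER_STORE with the contents of jrun_server/SERVER-INF/jrun-users.xml; the DOCTYPE is accepted because ElementTree does not fetch the external DTD.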

The auth.config file

In the same way that a JRunUserManager service attribute specifies the user store, the JRunSecurityManager service's authConfig attribute defines the name and location of the file that specifies login modules. By default, this is jrun_server/SERVER-INF/auth.config. This file contains sections that specify login modules for users and roles.

The sections also specify parameters that JRun passes to the login module's initialize method. The first parameter, however, specifies how JAAS handles multiple login modules and is not passed to the initialize method. Use one of the following values for the first parameter: required, requisite, sufficient, or optional.

For authentication to succeed, all required and requisite login modules must succeed. If a sufficient login module is configured and succeeds, then only the required and requisite login modules listed before that sufficient login module must have succeeded for authentication to succeed; login modules listed after it are not consulted. If no required or requisite login modules are defined for a JRun server, then at least one sufficient or optional login module must succeed.

By default, JRun uses XMLLoginModule for both users and roles, as the following default auth.config file shows:

defaultUser
 {
   jrun.security.XMLLoginModule required userManagerName="JRunUserManager" mode="USER";
 };
defaultRole
 {
   jrun.security.XMLLoginModule required userManagerName="JRunUserManager" mode="ROLE";
 };
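The following is an added example, not JRun code, that serves the two passages above: it parses the auth.config syntax shown (the entry name, the login module class, the control flag, and the key="value" options passed to initialize) and then applies the JAAS control-flag rules described in the text to a list of per-module outcomes. The JAAS semantics are the standard ones: required and requisite must succeed, a requisite failure stops evaluation, a sufficient success stops evaluation when every earlier required/requisite module succeeded, and optional never decides on its own. The parser handles only the subset of the JAAS configuration syntax visible on this page.

```python
"""Parse a JRun auth.config entry and model JAAS control-flag evaluation (added example)."""
import re
import shlex

# The default auth.config reproduced from this page, used as constructed input.
DEFAULT_AUTH_CONFIG = """
defaultUser
 {
   jrun.security.XMLLoginModule required userManagerName="JRunUserManager" mode="USER";
 };
defaultRole
 {
   jrun.security.XMLLoginModule required userManagerName="JRunUserManager" mode="ROLE";
 };
"""

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "required", "requisite", "sufficient", "optional"


def parse_auth_config(text):
    """Return {entry: [(module_class, control_flag, {option: value}), ...]}.

    Handles only the form 'name { class flag key="value" ...; ... };' shown on this page.
    """
    entries = {}
    for name, body in re.findall(r"(\w+)\s*\{(.*?)\};", text, re.S):
        modules = []
        for statement in body.split(";"):
            tokens = shlex.split(statement)          # strips the quotes around values
            if not tokens:
                continue
            module_class, flag, *options = tokens
            if flag.lower() not in (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL):
                raise ValueError("unknown control flag %r in entry %r" % (flag, name))
            modules.append((module_class, flag.lower(),
                            dict(opt.split("=", 1) for opt in options)))
        entries[name] = modules
    return entries


def jaas_login_succeeds(outcomes):
    """Return True if JAAS reports overall success for ordered (flag, succeeded) pairs.

    required   - must succeed; evaluation continues down the list either way
    requisite  - must succeed; a failure stops evaluation immediately
    sufficient - a success stops evaluation immediately, provided every earlier
                 required/requisite module succeeded; a failure is ignored
    optional   - never decisive on its own; evaluation continues
    With no required/requisite modules, at least one sufficient or optional
    module must succeed.
    """
    saw_mandatory = False
    mandatory_ok = True
    optional_ok = False
    for flag, ok in outcomes:
        if flag in (REQUIRED, REQUISITE):
            saw_mandatory = True
            if not ok:
                mandatory_ok = False
                if flag == REQUISITE:
                    return False                  # requisite failure: stop now
        elif flag == SUFFICIENT:
            if ok and mandatory_ok:
                return True                       # later modules are never consulted
        elif flag == OPTIONAL:
            optional_ok = optional_ok or ok
        else:
            raise ValueError("unknown control flag %r" % flag)
    return mandatory_ok if saw_mandatory else optional_ok


def entry_succeeds(config, entry, module_results):
    """Apply the flags of one auth.config entry to per-module results (same order)."""
    flags = [flag for _, flag, _ in config[entry]]
    return jaas_login_succeeds(zip(flags, module_results))


if __name__ == "__main__":
    cfg = parse_auth_config(DEFAULT_AUTH_CONFIG)
    for entry, modules in cfg.items():
        print(entry, "->", modules)
    # With the default single 'required' module, XMLLoginModule alone decides the outcome.
    print("defaultUser, XMLLoginModule succeeds:", entry_succeeds(cfg, "defaultUser", [True]))
    print("defaultUser, XMLLoginModule fails:   ", entry_succeeds(cfg, "defaultUser", [False]))
```

Because the default entries each contain a single required module, XMLLoginModule's result is the final result; the flag rules only start to matter once you add a second login module (for example one of the database, LDAP, or Windows modules mentioned earlier) to the same entry.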

Encryption

The default JRun security mechanism lets you use either encrypted or unencrypted passwords, but not a mixture: all passwords in the user store must be plain text, or all must be encrypted. You enable password encryption in the JMC. Alternatively, you can specify yes for the encryption element in the jrun-users.xml file. When encryption is enabled, any new passwords created in the JMC are encrypted using UNIX password encryption.

JRun also supplies a command-line utility that lets you create encrypted passwords for existing users in the jrun-users.xml file. The utility takes a password and writes the encrypted password to System.out. Copy the encrypted password and paste it into the jrun-users.xml file using a text editor.

Note:   Although you can specify a password of any length, the utility encrypts the first eight characters only.

To use the password encryption utility, jrun_root/lib/jrun.jar must be in your classpath. Invoke the password encryption utility using the following command:

java jrun.security.JRunCrypterImpl plain-text-password

For example, the following command returns the encrypted password for benbob (do not copy the square brackets):

C:\JRun4\lib>java -classpath ./jrun.jar jrun.security.JRunCrypterImpl benbob
[benbob] => [hxH15XzpDckzU]

Note:   To use the Twofish encryption mechanism instead of the default UNIX encryption, set the encrypterClass attribute of JRunUserManagerService in the jrun.xml file to jrun.security.JRunCrypterForTwofish and encrypt passwords using jrun.security.JRunCrypterForTwofish instead of jrun.security.JRunCrypterImpl.


Current page: http://livedocs.adobe.com/jrun/4/JRun_Administrators_Guide/authentic3.htm