Acegi handles the security layer for KSB. Acegi uses remote method invocation to hold the application’s security context and to propagate this object through to the service layer.
There are four security types you can use to propagate the security context object:
Java
RMI
JMS
SOAP : WS-Security + Username Token + more
The CredentialsSource is an interface that helps obtain security credentials. It encapsulates the actual source of credentials. The three ways to obtain the source are:
CasCredentialsSource - Username and Cas (Proxy) Ticket
KerberosCredentialsSource - Username and Kerberos Ticket
TestCredentialsSource - Username and Password
Here is a code snippet that shows the changes needed to configure KSB security on the server side:
<bean id="ksbConfigurer" class="edu.iu.uis.eden.config.spring.KSBSpringConfigurer">
<!-- Other properties removed -->
<property name="registryUrl" value="http://..." />
<property name="services">
<list>
<bean class="edu.iu.uis.eden.messaging.SOAPServiceDefinition">
<property name="service">
<ref bean="soapService" />
</property>
<property name="localServiceName" value="soapLocalName"/>
<property name="serviceNameSpaceURI" value="soapNameSpace"/>
<property name="serviceInterface" value="org.kuali.ksb.examples.SOAPEchoService"/>
<property name="priority" value="3"/>
<property name="retryAttempts" value="1" />
<property name="busSecurity" value="false"></property>
<!-- Valid Values: BASIC, SecurityContext -->
<property name="credentialsPropagationStrategy" value="BASIC"/>
<!-- Valid Values: CAS, KERBEROS -->
<property name="credentialsSourceType" value="CAS"/>
</bean>
<bean class="edu.iu.uis.eden.messaging.JavaServiceDefinition">
<property name="service" ref="echoService"></property>
<property name="localServiceName" value="javaLocalName" />
<property name="serviceNameSpaceURI" value="javaNameSpace"/>
<property name="serviceInterface" value="org.kuali.ksb.examples.EchoService"/>
<property name="priority" value="5" />
<property name="retryAttempts" value="1" />
<property name="busSecurity" value="true" />
<!-- Valid Values: BASIC, SecurityContext -->
<property name="credentialsPropagationStrategy" value="SecurityContext"/>
<!-- Valid Values: CAS, KERBEROS -->
<property name="credentialsSourceType" value="CAS"/>
</bean>
<!-- Other services removed -->
</list>
</property>
</bean><bean id="ksbConfigurer" class="edu.iu.uis.eden.config.spring.KSBSpringConfigurer">
<!-- Other properties removed -->
<property name="registryUrl" value="http://..." />
<property name="credentialsSources">
<property name="casCredentialsSource">
<!-- Whatever properties CAS needs -->
</property>
<property name="kerberosCredentialsSource">
<!-- Whatever properties Kerberos needs -->
</property>
</property>
</bean>
Connectors are used by a client to connect to a service that is usually exposed through the KSB registry. The Service Connector factory provides a bean that holds a proxy to a remote service with some contextual information. The factory determines the type of proxy to invoke based on the service definition. The service definition used by the server is serialized to the database and de-serialized by the client. There are different types of connectors supported by KSB, most notable are SOAP and Java over HTTP.
For client applications to be able to consume secured services hosted from a Rice server, the implementer must generate a keystore. As an initial setup, KSB security relies on the creation of a keystore using the JVM keytool as follows:
The first step is to create the keystore and generate a public-private key combination for the client application. When using secured services on the KSB, we require the client applications transfer their messages digitally signed so that Rice can verify the messages authenticity. This is why we must generate these keys.
Generate your initial Rice keystore as follows:
keypass and storepass should be the same.
r1c3pw is the password used for the provided example.
This generates the keystore in a file called "rice_keystore" in the current directory and generates an RSA key with the alias of "rice". Since there is no certificate signing authority to sign our key, we must sign it ourselves. To do this, execute the following command:
keytool -selfcert -validity 9999 -alias rice -keystore rice.keystore -keypass r1c3pw -storepass r1c3pw
After the application's certificate has been signed, we must export it so that it can be imported into the Rice keystore. To export a certificate, execute the following command:
keytool -export -alias rice -file rice.cert -keystore rice.keystore -storepass r1c3pw
The client application's certificate can be imported using the following command:
keytool -import -alias rice -file client.application.cert.file -keystore rice.keystore -storepass r1c3pw
The keystore file will end up deployed wherever your keystores are stored so hang on to both of these files and don't lose them! Also, notice that we specified a validity of 9999 days for the keystore and cert. This is so you do not have to continually update these keystores. This will be determined by your computing standards on how you handle key management.
The following params are needed in the xml config to allow the ksb to use the keystore:
<param name="keystore.file">/usr/local/rice/rice.keystore</param> <param name="keystore.alias">rice</param> <param name="keystore.password"> password </param>
keystore.file - is the location of the keystore
keystore.alias - is the alias used in creating the keystore above
keystore.password - this is the password of the alias AND the keystore. This assumes that the keystore is up in such a way that these are the same.