Group items matching

in title, tags, annotations or url

file listed under the filename parameter can be deployed to the server using the deploy goal

deploy

redeploy

undeploy

<phase>install</phase>

<goal>deploy</goal>

Deploying other artifacts

possible to deploy other artifacts that are not related to your deployment, e.g. database drivers:

<phase>install</phase>

<goal>deploy-artifact</goal>

<configuration> <groupId>postgresql</groupId> <artifactId>postgresql</artifactId> <name>postgresql.jar</name> </configuration>

artifact must be already listed as a dependency in the projects pom.xml.

Deploying your application in domain mode.

add the domain tag as well as specify at least one server group.

<domain> <server-groups> <server-group>main-server-group</server-group> </server-groups> </domain>

length must be at least 128 bits (16 bytes)

Session ID Length

Session ID Name Fingerprinting

Session ID Properties

Session ID Entropy

must be unpredictable (random enough) to prevent guessing attacks

good PRNG (Pseudo Random Number Generator) must be used

must provide at least 64 bits of entropy

Session ID Content (or Value)

content (or value) must be meaningless

identifier on the client side

meaning and business or application logic associated to the session ID must be stored on the server side

session objects or in a session management database or repository

create cryptographically strong session IDs through the usage of cryptographic hash functions such as SHA1 (160 bits).

Session Management Implementation

defines the exchange mechanism that will be used between the user and the web application to share and continuously exchange the session ID

token expiration date and time

This is one of the reasons why cookies (RFCs 2109 & 2965 & 6265 [1]) are one of the most extensively used session ID exchange mechanisms, offering advanced capabilities not available in other methods

Transport Layer Security

use an encrypted HTTPS (SSL/TLS) connection for the entire web session

process where the user credentials are exchanged.

“Secure” cookie attribute

must be used to ensure the session ID is only exchanged through an encrypted channel

never switch a given session from HTTP to HTTPS, or viceversa

should not mix encrypted and unencrypted contents (HTML pages, images, CSS, Javascript files, etc) on the same host (or even domain - see the “domain” cookie attribute)

should not offer public unencrypted contents and private encrypted contents from the same host

www.example.com over HTTP (unencrypted) for the public contents

secure.example.com over HTTPS (encrypted) for the private and sensitive contents (where sessions exist)

only has port TCP/80 open

only has port TCP/443 open

“HTTP Strict Transport Security (HSTS)” (previously called STS) to enforce HTTPS connections.

Secure Attribute

instructs web browsers to only send the cookie through an encrypted HTTPS (SSL/TLS) connection

HttpOnly Attribute

instructs web browsers not to allow scripts (e.g. JavaScript or VBscript) an ability to access the cookies via the DOM document.cookie object

Domain and Path Attributes

instructs web browsers to only send the cookie to the specified domain and all subdomains

instructs web browsers to only send the cookie to the specified directory or subdirectories (or paths or resources) within the web application

vulnerabilities in www.example.com might allow an attacker to get access to the session IDs from secure.example.com

Expire and Max-Age Attributes

it will be considered a

and will be stored on disk by the web browser based until the expiration time

use non-persistent cookies for session management purposes, so that the session ID does not remain on the web client cache for long periods of time, from where an attacker can obtain it.

Session ID Life Cycle

deploy the example by right clicking on the jboss-as-login project, and choosing Run As -> Run On Server

src/main/webapp directory

beans.xml and face-config.xml tell JBoss AS to enable CDI and JSF for the application

don't need a web.xml

src/main/resources

persistence.xml, which sets up JPA, and import.sql which Hibernate, the JPA provider in JBoss AS, will use to load the initial users into the application when the application starts

Changes for Hibernate 3.5 applications

if your application uses Hibernate 3 classes that are not available in Hibernate 4, for example, some of the validator or search classes, you may see ClassNotFoundExceptions when you deploy your application. If you encounter this problem, you can try one of two approaches: You may be able to resolve the issue by copying the specific Hibernate 3 JARs containing those classes into the application "/lib" directory or by adding them to the classpath using some other method. In some cases this may result in ClassCastExceptions or other class loading issues due to the mixed use of the Hibernate versions, so you will need to use the second approach. You need to tell the server to use only the Hibernate 3 libraries and you will need to add exclusions for the Hibernate 4 libraries. Details on how to do this are described here: JPA Reference Guide.

In previous versions of the application server, the JCA data source configuration was defined in a file with a suffix of *-ds.xml. This file was then deployed in the server's deploy directory. The JDBC driver was copied to the server lib/ directory or packaged in the application's WEB-INF/lib/ directory. In AS7, this has all changed. You will no longer package the JDBC driver with the application or in the server/lib directory. The *-ds.xml file is now obsolete and the datasource configuration information is now defined in the standalone/configuration/standalone.xml or in the domain/configuration/domain.xml file. A JDBC 4-compliant driver can be installed as a deployment or as a core module. A driver that is JDBC 4-compliant contains a META-INF/services/java.sql.Driver file that specifies the driver class name. A driver that is not JDBC 4-compliant requires additional steps, as noted below.

DataSource Configuration

domain mode, the configuration file is the domain/configuration/domain.xml

standalone mode, you will configure the datasource in the standalone/configuration/standalone.xml

MySQL datasource element:

        <connection-url>jdbc:mysql://localhost:3306/YourApplicationURL</connection-url>        <driver-class> com.mysql.jdbc.Driver </driver-class>        <driver> mysql-connector-java-5.1.15.jar </driver>

       <security>            <user-name> USERID </user-name>            <password> PASSWORD</password>        </security>

example of the driver element for driver that is not JDBC 4-compliant. The driver-class must be specified since it there is no META-INF/services/java.sql.Driver file that specifies the driver class name.

 <driver-class>com.mysql.jdbc.Driver</driver-class>

JDBC driver can be installed into the container in one of two ways: either as a deployment or as a core module

Install the JDBC driver

Install the JDBC driver as a deployment

In AS7 standalone mode, you simply copy the JDBC 4-compliant JAR into the AS7_HOME/standalone/deployments directory

example of a MySQL JDBC driver installed as a deployment:     AS7_HOME/standalone/deployments/mysql-connector-java-5.1.15.jar

do not at all describe "who" is able to perform the action(s)

Multiple Parts

Wildcard Permissions support the concept of multiple levels or parts. For example, you could restructure the previous simple example by granting a user the permission printer:query

Multiple Values Each part can contain multiple values. So instead of granting the user both the "printer:print" and "printer:query" permissions, you could simply grant them one: printer:print,query

All Values What if you wanted to grant a user all values in a particular part? It would be more convenient to do this than to have to manually list every value. Again, based on the wildcard character, we can do this. If the printer domain had 3 possible actions (query, print, and manage), this: printer:query,print,manage

simply becomes this: printer:*

Using the wildcard in this way scales better than explicitly listing actions since, if you added a new action to the application later, you don't need to update the permissions that use the wildcard character in that part.

Finally, it is also possible to use the wildcard token in any part of a wildcard permission string. For example, if you wanted to grant a user the "view" action across all domains (not just printers), you could grant this: *:view Then any permission check for "foo:view" would return true

Instance-Level Access Control

instance-level Access Control Lists

Checking Permissions

SecurityUtils.getSubject().isPermitted("printer:print:lp7200")

printer:*:*

all actions on a single printer

printer:*:lp7200

missing parts imply that the user has access to all values corresponding to that part

printer:print is equivalent to printer:print:*

Missing Parts

rule of thumb is to

when performing permission checks

first part is the

that is being operated on (printer)

second part is the

(query) being performed

three parts - the first is the

the second is the

third is the

allow access to

can only leave off parts from the end of the string

Performance Considerations

runtime implication logic must execute for

implicitly using Shiro's default

which executes the necessary implication logic

When using permission strings like the ones shown above, you're

Shiro's default behavior for Realm

for every permission check

need to be checked individually for implication

as the number of permissions assigned to a user or their roles or groups increase, the time to perform the check will necessarily increase

If a Realm implementor has a

more efficient way of checking permissions and performing this implication logic

should implement that as part of their

implies

user:*:12345

user:update:12345

printer

implies

printer:print

Implication, not Equality

permission

are evaluated by

logic - not equality checks

the former implies the latter

superset of functionality

implication logic can be executed at runtime

if the value is a Basic but the key is an Entity a

mapping is used.

if the key is a Basic but the value is an Entity a

mapping is still used

a three way join table, can be mapped using a

used to define a map relationship where the

Purchase the book at http://leanpub.com/entarch

50 Enterprise Architect Tricks can help you work with elements, diagrams, tagged values, connectors and many other advanced topics.

For example; certain procedures and workflows will need to be developed (new hire/leaver procedures for example)

Permission Schemes

A permission scheme is a set of

assignments for the project permissions

Every project has a permission scheme

One permission scheme can be associated with multiple projects

Permission schemes prevent having to set up permissions individually for every project

simplified and unofficial UML Profile for EJB 3.0 with support for

Enterprise JavaBeans

session beans