JBoss.org Community Documentation
We have covered quite a bit of material on SRP, and now it's time to demonstrate SRP in practice with an example. The example demonstrates client side authentication of the user via SRP as well as subsequent secured access to a simple EJB using the SRP session challenge as the user credential. The test code deploys an EJB JAR that includes a SAR for the configuration of the server side login module configuration and SRP services. As in the previous examples, we will dynamically install the server side login module configuration using the SecurityConfig MBean. In this example we also use a custom implementation of the SRPVerifierStore interface that uses an in-memory store seeded from a Java properties file rather than the serialized object store used by the SRPVerifierStoreService. This custom service is org.jboss.book.security.ex3.service.PropertiesVerifierStore. The following shows the contents of the JAR that contains the example EJB and SRP services:
[examples]$ jar tf output/security/security-ex3.jar
META-INF/MANIFEST.MF
META-INF/ejb-jar.xml
META-INF/jboss.xml
org/jboss/book/security/ex3/Echo.class
org/jboss/book/security/ex3/EchoBean.class
org/jboss/book/security/ex3/EchoHome.class
roles.properties
users.properties
security-ex3.sar
The key SRP related items in this example are the SRP MBean services configuration and the SRP login module configurations. The jboss-service.xml descriptor of the security-ex3.sar is given in Example 8.11, “The security-ex3.sar jboss-service.xml descriptor for the SRP services”, while Example 8.12, “The client side standard JAAS configuration” and Example 8.13, “The server side XMLLoginConfig configuration” give the example client side and server side login module configurations.
<server>
    <!-- The custom JAAS login configuration that installs a Configuration
         capable of dynamically updating the config settings -->
    <mbean code="org.jboss.book.security.service.SecurityConfig"
           name="jboss.docs.security:service=LoginConfig-EX3">
        <attribute name="AuthConfig">META-INF/login-config.xml</attribute>
        <attribute name="SecurityConfigName">jboss.security:name=SecurityConfig</attribute>
    </mbean>

    <!-- The SRP service that provides the SRP RMI server and server side
         authentication cache -->
    <mbean code="org.jboss.security.srp.SRPService"
           name="jboss.docs.security:service=SRPService">
        <!-- Must match the JndiName of the verifier store MBean below -->
        <attribute name="VerifierSourceJndiName">srp-test/security-ex3</attribute>
        <!-- Referenced by the client's srpServerJndiName option (Example 8.12) -->
        <attribute name="JndiName">srp-test/SRPServerInterface</attribute>
        <!-- Referenced by the server's cacheJndiName option (Example 8.13) -->
        <attribute name="AuthenticationCacheJndiName">srp-test/AuthenticationCache</attribute>
        <attribute name="ServerPort">0</attribute>
        <depends>jboss.docs.security:service=PropertiesVerifierStore</depends>
    </mbean>

    <!-- The SRP store handler service that provides the user password
         verifier information (the custom class named in the text above) -->
    <mbean code="org.jboss.book.security.ex3.service.PropertiesVerifierStore"
           name="jboss.docs.security:service=PropertiesVerifierStore">
        <attribute name="JndiName">srp-test/security-ex3</attribute>
    </mbean>
</server>
Example 8.11. The security-ex3.sar jboss-service.xml descriptor for the SRP services
srp {
    org.jboss.security.srp.jaas.SRPLoginModule required
        srpServerJndiName="srp-test/SRPServerInterface"
        ;
    org.jboss.security.ClientLoginModule required
        password-stacking="useFirstPass"
        ;
};
Example 8.12. The client side standard JAAS configuration
<application-policy name="security-ex3">
    <authentication>
        <login-module code="org.jboss.security.srp.jaas.SRPCacheLoginModule"
                      flag="required">
            <module-option name="cacheJndiName">srp-test/AuthenticationCache</module-option>
        </login-module>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                      flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
        </login-module>
    </authentication>
</application-policy>
Example 8.13. The server side XMLLoginConfig configuration
The example services are the SecurityConfig, PropertiesVerifierStore and SRPService MBeans. Note that the JndiName attribute of the PropertiesVerifierStore is equal to the VerifierSourceJndiName attribute of the SRPService, and that the SRPService depends on the PropertiesVerifierStore. This is required because the SRPService needs an implementation of the SRPVerifierStore interface for accessing user password verification information.
The client side login module configuration makes use of the SRPLoginModule with a srpServerJndiName option value that corresponds to the JBoss server component SRPService JndiName attribute value (srp-test/SRPServerInterface). Also needed is the ClientLoginModule configured with the password-stacking="useFirstPass" value to propagate the user authentication credentials generated by the SRPLoginModule to the EJB invocation layer.
There are two issues to note about the server side login module configuration. First, the cacheJndiName=srp-test/AuthenticationCache configuration option tells the SRPCacheLoginModule the location of the CachePolicy that contains the SRPServerSession for users who have authenticated against the SRPService. This value corresponds to the SRPService AuthenticationCacheJndiName attribute value. Second, the configuration includes a UsersRolesLoginModule with the password-stacking=useFirstPass configuration option. A second login module is required alongside the SRPCacheLoginModule because SRP is only an authentication technology: a second login module needs to be configured that accepts the authentication credentials validated by the SRPCacheLoginModule and sets the principal's roles, which determine the principal's permissions. The UsersRolesLoginModule augments the SRP authentication with properties file based authorization. The user's roles come from the roles.properties file included in the EJB JAR.
Now, run the example 3 client by executing the following command from the book examples directory:
[examples]$ ant -Dchap=security -Dex=3 run-example
...
run-example3:
     [echo] Waiting for 5 seconds for deploy...
     [java] Logging in using the 'srp' configuration
     [java] Created Echo
     [java] Echo.echo()#1 = This is call 1
     [java] Echo.echo()#2 = This is call 2
In the examples/logs directory you will find a file called ex3-trace.log. This is a detailed trace of the client side of the SRP algorithm. The traces show step by step the construction of the public keys, challenges, session key and verification.
Note that the client has taken a long time to run relative to the other simple examples. The reason for this is the construction of the client's public key. This involves the creation of a cryptographically strong random number, and this process takes quite a bit of time the first time it occurs. If you were to log out and log in again within the same VM, the process would be much faster. Also note that Echo.echo()#2 fails with an authentication exception. The client code sleeps for 15 seconds after making the first call to demonstrate the behavior of the SRPService cache expiration. The SRPService cache policy timeout has been set to a mere 10 seconds to force this issue. As stated earlier, you need to make the cache timeout very long, or handle re-authentication on failure.
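Handling the re-authentication on failure mentioned above, as an added example that is not part of the book's example code: a small Java client that runs the 'srp' JAAS configuration of Example 8.12, calls the Echo EJB, and repeats the SRP login once when a call is rejected after the SRPService cache entry has expired. The JNDI name EchoHome, the credentials jduke/theduke, and the assumption that the server's rejection reaches the client as a RemoteException wrapping a SecurityException are all assumptions made here, not values from the page.

```java
import java.rmi.RemoteException;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import org.jboss.book.security.ex3.Echo;
import org.jboss.book.security.ex3.EchoHome;
/** Example client: repeats the SRP login when the server-side SRP session has expired. */
public class Ex3ReauthClient {
    private final String user; private final char[] pass; // constructed sample; must match users.properties
    Ex3ReauthClient(String user, char[] pass) { this.user = user; this.pass = pass; }
    /** 'srp' JAAS config of Example 8.12: SRPLoginModule does the exchange, ClientLoginModule (useFirstPass) propagates the credential. */
    LoginContext login() throws Exception {
        CallbackHandler handler = new CallbackHandler() {
            public void handle(Callback[] cbs) throws UnsupportedCallbackException {
                for (Callback c : cbs) {
                    if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                    else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(pass);
                    else throw new UnsupportedCallbackException(c);
                }
            }
        };
        LoginContext lc = new LoginContext("srp", handler);
        lc.login();
        return lc;
    }
    /** Calls echo(); if the SRPServerSession was evicted from the AuthenticationCache, does one fresh SRP login
     *  and retries once. Assumption: the rejection arrives as a RemoteException with a SecurityException as a cause. */
    String echoWithReauth(Echo echo, String msg) throws Exception {
        try {
            return echo.echo(msg);
        } catch (RemoteException e) {
            boolean authFailure = false;
            for (Throwable c = e; c != null; c = c.getCause())
                if (c instanceof SecurityException) authFailure = true;
            if (!authFailure) throw e;
            login();               // new SRP exchange creates a new cache entry and a new credential
            return echo.echo(msg); // retry exactly once
        }
    }
    public static void main(String[] args) throws Exception {
        Ex3ReauthClient client = new Ex3ReauthClient("jduke", "theduke".toCharArray());
        client.login();
        Object ref = new InitialContext().lookup("EchoHome"); // assumed JNDI name of the EchoHome
        Echo echo = ((EchoHome) PortableRemoteObject.narrow(ref, EchoHome.class)).create();
        System.out.println("Echo.echo()#1 = " + client.echoWithReauth(echo, "This is call 1"));
        Thread.sleep(15000); // outlive the 10 second SRPService cache timeout, as the book's client does
        System.out.println("Echo.echo()#2 = " + client.echoWithReauth(echo, "This is call 2"));
    }
}
```

Because the second login happens inside the same VM, it benefits from the already-initialized random number generator, so the retry is far faster than the first login.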