This chapter presents the topics related to security configuration in eXo Platform:
Changes on the JAAS realm in the Tomcat bundle, and common changes in configuration.properties, portal.war, and rest.war.
Instructions on how to configure the ProxyFilterService, and information on how the proxy service works.
Steps to configure the HTTPS configuration to run in the HTTPS mode.
Information about the file location of the RememberMe token password encryption key, and steps to update that key.
eXo Platform relies on JAAS for propagating the user identity and roles to the different applications deployed on the server.
The JAAS realm is used by all eXo Platform applications and even propagated to the JCR for Access Control.
By default, eXo Platform uses the JAAS realm named "gatein-domain". If your IT operation rules require you to use another JAAS realm, you will need to modify several files so that eXo Platform can work on your JAAS realm.
Since the security configuration is highly dependent on the application server, each application server is described separately.
In the Tomcat bundle, the JAAS configuration is controlled by the $PLATFORM_TOMCAT_HOME/conf/jaas.conf file:
gatein-domain {
org.gatein.wci.security.WCILoginModule optional;
org.exoplatform.services.security.jaas.SharedStateLoginModule required;
org.exoplatform.services.security.j2ee.TomcatLoginModule required;
};
Replace gatein-domain with your own domain name.
The PortalLoginModule module was designed to support the 'Remember me' feature. The password wrapped in the PasswordCallback is the cookie token key. PortalLoginModule uses this token key to retrieve the Credential object from CookieTokenService, then injects the correct username/password into the shared state (accessible from subsequent login modules). For the moment, PortalLoginModule is mandatory for authentication to work properly. To ensure that the correct password is visible to the other login modules, it must be the first one in the JAAS configuration file. A custom login module can then retrieve the real password through the shared state instead of the PasswordCallback.
To learn more about the syntax, or realms in Tomcat, refer to the JAAS tutorial or Tomcat Realm How-To respectively.
For JBoss, you need to edit the default JAAS security domain in the portal.war!WEB-INF/jboss-web.xml file.
<jboss-web>
<security-domain>java:/jaas/gatein-domain</security-domain>
</jboss-web>
Additionally, you need to edit the application-policy to match the security-domain in the gatein.ear!META-INF/gatein-jboss-beans.xml.
<deployment xmlns="urn:jboss:bean-deployer:2.0">
  <application-policy xmlns="urn:jboss:security-beans:1.0" name="gatein-domain">
    <authentication>
      <login-module code="org.exoplatform.web.security.PortalLoginModule" flag="required">
        <module-option name="portalContainerName">portal</module-option>
        <module-option name="realmName">gatein-domain</module-option>
      </login-module>
      <login-module code="org.exoplatform.services.security.jaas.SharedStateLoginModule" flag="required">
        <module-option name="portalContainerName">portal</module-option>
        <module-option name="realmName">gatein-domain</module-option>
      </login-module>
      <login-module code="org.exoplatform.services.security.j2ee.JbossLoginModule" flag="required">
        <module-option name="portalContainerName">portal</module-option>
        <module-option name="realmName">gatein-domain</module-option>
      </login-module>
    </authentication>
  </application-policy>
</deployment>
To learn more about the JBoss security configuration, refer to JBoss Web Docs.
Finally, you need to do some common changes on both app servers as follows:
First, change the JAAS realm to match your own security constraints, then locate the entry named exo.security.domain inside the configuration.properties file and set it to your realm name:
# Realm name
exo.security.domain=gatein-domain
Internally, eXo Platform uses this setting to set a new variable named "portal.container.realm" that is then used in the Kernel configuration files, such as platform-extension/WEB-INF/conf/platform/repository-configuration.xml.
Inside portal.war, you should declare the Realm name in the web.xml file:
<login-config>
<auth-method>FORM</auth-method>
<realm-name>gatein-domain</realm-name>
<form-login-config>
...
</form-login-config>
</login-config>
You also need to modify the login-config in rest.war so that secured REST services work properly:
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>gatein-domain</realm-name>
</login-config>
This change is important: it is what secures file downloads via WebDAV.
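A quick consistency check for the changes above, added here as an illustration and not part of eXo Platform: it reads constructed fragments of jaas.conf, configuration.properties and the portal.war and rest.war login-config, and reports every file whose realm differs from the intended one (rest.war is deliberately left on gatein-domain so that a mismatch shows up).

```python
"""Cross-check that every file listed above names the same JAAS realm.
Added illustration, not eXo Platform code; all inputs are constructed."""
import re
import xml.etree.ElementTree as ET

JAAS_CONF = """
acme-domain {
  org.gatein.wci.security.WCILoginModule optional;
  org.exoplatform.services.security.jaas.SharedStateLoginModule required;
  org.exoplatform.services.security.j2ee.TomcatLoginModule required;
};
"""
PROPERTIES = "# Realm name\nexo.security.domain=acme-domain\n"
PORTAL_WEB_XML = """<login-config><auth-method>FORM</auth-method>
<realm-name>acme-domain</realm-name><form-login-config/></login-config>"""
# rest.war deliberately left on the default realm so a mismatch is reported.
REST_WEB_XML = """<login-config><auth-method>BASIC</auth-method>
<realm-name>gatein-domain</realm-name></login-config>"""


def jaas_realms(text):
    """Realm names declared as 'name { ... };' in a JAAS login configuration."""
    return re.findall(r"^\s*([\w.-]+)\s*\{", text, re.MULTILINE)


def property_value(text, key):
    """Value of key=value in a properties file, ignoring comment lines."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        k, v = line.split("=", 1)
        if k.strip() == key:
            return v.strip()
    return None


def web_realm(xml_text):
    """The realm-name of a web.xml login-config element."""
    return ET.fromstring(xml_text).findtext("realm-name")


def realm_mismatches(expected, jaas, props, web_xmls):
    """Files whose realm differs from the one the deployment should use."""
    problems = []
    if expected not in jaas_realms(jaas):
        problems.append("jaas.conf does not declare " + expected)
    if property_value(props, "exo.security.domain") != expected:
        problems.append("exo.security.domain is not " + expected)
    for name, xml_text in web_xmls.items():
        if web_realm(xml_text) != expected:
            problems.append(name + " realm-name is not " + expected)
    return problems
```

Run realm_mismatches("acme-domain", JAAS_CONF, PROPERTIES, {"portal.war": PORTAL_WEB_XML, "rest.war": REST_WEB_XML}) to list the files that still need editing.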
In eXo Platform, you can allow gadgets to load remote resources. However, this is a potential security risk, because it turns the deployed gadget server into an open web proxy. To limit this, you can configure the anonymous proxy to accept or deny specific hosts through the ProxyFilterService.
Configure the ProxyFilterService
By default, the proxy is closed to any host except the domain on which the gadget server is installed.
To modify the filtering of domain names, modify the portal.war/WEB-INF/conf/common/common-configuration.xml file.
The default configuration is set as below:
<component>
  <key>org.exoplatform.web.security.proxy.ProxyFilterService</key>
  <type>org.exoplatform.web.security.proxy.ProxyFilterService</type>
  <init-params>
    <values-param>
      <!-- The white list -->
      <name>white-list</name>
      <!-- Accept anything not black listed -->
      <value/>
    </values-param>
    <values-param>
      <name>black-list</name>
      <value/>
    </values-param>
  </init-params>
</component>
The proxy service denies access to any domain that matches the black list. If the domain name does not match any black-list entry, the proxy filter checks whether the domain name matches the white list. A domain name that appears in neither list is denied. Multiple values can be added to each list, and wildcards can be used.
The following is an example of a valid configuration:
<component>
  <key>org.exoplatform.web.security.proxy.ProxyFilterService</key>
  <type>org.exoplatform.web.security.proxy.ProxyFilterService</type>
  <init-params>
    <values-param>
      <name>white-list</name>
      <value>*.example.com</value>
      <value>www.example.net</value>
    </values-param>
    <values-param>
      <name>black-list</name>
      <value>evil.example.com</value>
    </values-param>
  </init-params>
</component>
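To see how the two lists combine, the following added example (not the eXo Platform implementation) reads the white and black lists from a constructed copy of the configuration above and applies the documented order to a few host names; treating wildcards as shell-style globs is an assumption.

```python
"""Apply the ProxyFilterService rules above to candidate host names.
Added illustration, not the eXo Platform implementation; wildcards are
treated as shell-style globs (an assumption)."""
from fnmatch import fnmatchcase
import xml.etree.ElementTree as ET

# Constructed copy of the example configuration above.
CONFIG_XML = """
<component>
  <key>org.exoplatform.web.security.proxy.ProxyFilterService</key>
  <type>org.exoplatform.web.security.proxy.ProxyFilterService</type>
  <init-params>
    <values-param>
      <name>white-list</name>
      <value>*.example.com</value>
      <value>www.example.net</value>
    </values-param>
    <values-param>
      <name>black-list</name>
      <value>evil.example.com</value>
    </values-param>
  </init-params>
</component>
"""


def load_lists(xml_text):
    """Return (white_list, black_list); empty <value/> entries are dropped."""
    lists = {"white-list": [], "black-list": []}
    for param in ET.fromstring(xml_text).iter("values-param"):
        name = param.findtext("name")
        if name in lists:
            lists[name] = [v.text.strip() for v in param.findall("value")
                           if v.text and v.text.strip()]
    return lists["white-list"], lists["black-list"]


def is_allowed(host, white_list, black_list):
    """Black list wins; otherwise the white list must match; otherwise deny."""
    host = host.lower()
    if any(fnmatchcase(host, p.lower()) for p in black_list):
        return False
    return any(fnmatchcase(host, p.lower()) for p in white_list)


if __name__ == "__main__":
    white, black = load_lists(CONFIG_XML)
    for h in ("api.example.com", "evil.example.com", "example.org"):
        print(h, "allowed" if is_allowed(h, white, black) else "denied")
```

With the default configuration (both values empty) load_lists returns two empty lists, so is_allowed denies every host.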
By default, eXo Platform runs in HTTP mode. However, for security purposes, you can configure it to run in HTTPS mode. This section explains how to configure HTTPS mode.
1. Generate your key.
If you do not have an X.509 certificate, you can make a simple certificate using the keytool command.
i. Change the variables in the following command to suit your circumstances, then run it in a terminal:
keytool -genkey -alias serverkeys -keyalg RSA -keystore server.keystore -storepass 123456 -keypass 123456 -dname "CN=localhost, OU=MYOU, O=MYORG, L=MYCITY, ST=MYSTATE, C=MY"
Your key will be stored in server.keystore.
ii. Import your key into the Sun JDK keystore (this is required for the gadget features to work) with the following command:
keytool -importkeystore -srckeystore server.keystore -destkeystore $JAVA_HOME/jre/lib/security/cacerts
2. Set up the JBoss configuration to use your new key.
i. Comment out the following Connector in PLATFORM_JBOSS_HOME/server/<PROFILE>/deploy/jbossweb.sar/server.xml:
<Connector URIEncoding="UTF-8" acceptCount="100" address="${jboss.bind.address}" compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript" compression="on" compressionMinSize="2048" connectionTimeout="20000" disableUploadTimeout="true" emptySessionPath="true" enableLookups="false" maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents=".*MSIE 6.*" port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
ii. Uncomment the following line:
<Connector SSLEnabled="true" address="${jboss.bind.address}" clientAuth="false" keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore" keystorePass="rmissl" port="8443" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>
Then, change the values of keystoreFile and keystorePass to those of your key.
3. Restart your server. You can now access the portal via https://<ServerAddress>:8443/portal.
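A check for the outcome of step 2, added here as an illustration and not part of eXo Platform or JBoss: it parses a constructed server.xml (the <Server>/<Service> wrapper is assumed) and flags a plain HTTP connector that is still enabled and an SSL connector that still carries the sample keystoreFile and keystorePass values quoted above.

```python
"""Audit JBoss Web server.xml connectors against the HTTPS steps above.
Added illustration, not part of eXo Platform. The constructed server.xml
still has the HTTP connector enabled and the sample keystore values."""
import xml.etree.ElementTree as ET

SAMPLE_KEYSTORE = "chap8.keystore"  # sample values quoted in step 2.ii
SAMPLE_PASSWORD = "rmissl"

# Constructed file; the <Server>/<Service> wrapper is assumed.
SERVER_XML = """<Server><Service name="jboss.web">
<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"
           address="${jboss.bind.address}"/>
<Connector SSLEnabled="true" port="8443" protocol="HTTP/1.1" scheme="https"
           secure="true" sslProtocol="TLS" clientAuth="false"
           keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
           keystorePass="rmissl"/>
</Service></Server>"""


def audit_connectors(xml_text):
    """Findings that contradict the HTTPS-only setup; [] means clean.

    The parser drops XML comments, so a connector commented out as in
    step 2.i is treated as disabled, which is the intended reading.
    """
    findings = []
    ssl_seen = False
    for c in ET.fromstring(xml_text).iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            findings.append("plain HTTP connector still enabled on port "
                            + c.get("port", "?"))
            continue
        ssl_seen = True
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append("SSL connector lacks scheme=https or secure=true")
        if c.get("keystoreFile", "").endswith(SAMPLE_KEYSTORE):
            findings.append("keystoreFile still points at the sample keystore")
        if c.get("keystorePass") == SAMPLE_PASSWORD:
            findings.append("keystorePass is still the sample password")
    if not ssl_seen:
        findings.append("no SSLEnabled connector found")
    return findings


if __name__ == "__main__":
    for f in audit_connectors(SERVER_XML):
        print("FINDING:", f)
```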
In eXo Platform, the password encryption key of the RememberMe token is a default key stored in the codeckey.txt file; this key is generated at the first bootstrap.
File location
| File | Tomcat | JBoss |
|---|---|---|
| codeckey.txt | $PLATFORM_TOMCAT_HOME/gatein/conf/codec | $PLATFORM_JBOSS_HOME/server/<PROFILE>/conf/gatein/codec |
Update the key
Administrators can update the key without any additional configuration as follows:
1. Remove the codeckey.txt file.
2. Restart the server.