This chapter presents the topics related to security configuration in eXo Platform:
eXo Platform relies on JAAS for propagating the user identity and roles to the different applications deployed on the server.
The JAAS realm is used by all eXo Platform applications and even propagated to the JCR for Access Control.
By default, eXo Platform uses the JAAS realm named "gatein-domain". If your IT operation rules require you to use another JAAS realm, you will need to modify several files so that eXo Platform can work on your JAAS realm.
Since the security configuration is highly dependent of the app server, each application sever is represented separately.
In the Tomcat bundle, the JAAS configuration is controled by the $TOMCAT_HOME/conf/jaas.conf:
gatein-domain {
org.gatein.wci.security.WCILoginModule optional;
org.exoplatform.services.security.jaas.SharedStateLoginModule required;
org.exoplatform.services.security.j2ee.TomcatLoginModule required;
};
Replace gatein-domain with your own domain name.
The PortalLoginModule module was designed to support the 'Remember me' feature. The password wrapped in PasswordCallback is the cookie token key. The PortalLoginModule module uses the token key to retrieve Credential object from CookieTokenService, then injects the correct username/password into the shared state (accessible from subsequent login modules). For the moment, to keep the authentication work properly, the PortalLoginModule module is mandatory. On the other hand, to ensure that correct password is visible to other login modules, it should be the first one in the JAAS configuration file. The custom login module could retrieve the real password through the shared state instead of PasswordCallback.
To learn more about the syntax, or realms in Tomcat, refer to the JAAS tutorial or Tomcat Realm How-To respectively.
For JBoss, you need to edit the default JAAS security domain in the 02portal.war!WEB-INF/jboss-web.xml file.
<jboss-web>
<security-domain>java:/jaas/gatein-domain</security-domain>
</jboss-web>
Additionally, you need to edit the application-policy to match the security-domain in the gatein.ear!META-INF/gatein-jboss-beans.xml.
<deployment xmlns="urn:jboss:bean-deployer:2.0">
<application-policy xmlns="urn:jboss:security-beans:1.0" name="gatein-domain">
<authentication>
<login-module code="org.exoplatform.web.security.PortalLoginModule" flag="required">
<module-option name="portalContainerName">portal</module-option>
<module-option name="realmName">gatein-domain</module-option>
</login-module>
<login-module code="org.exoplatform.services.security.jaas.SharedStateLoginModule" flag="required">
<module-option name="portalContainerName">portal</module-option>
<module-option name="realmName">gatein-domain</module-option>
</login-module>
<login-module code="org.exoplatform.services.security.j2ee.JbossLoginModule" flag="required">
<module-option name="portalContainerName">portal</module-option>
<module-option name="realmName">gatein-domain</module-option>
</login-module>
</authentication>
</application-policy>
</deployment>
To learn more about the JBoss security configuration, refer to JBoss Web Docs.
Finally, you need to do some common changes on both app servers.
First, change the JAAS realm to match your own security constraints and then identify the entry named exo.security.domain inside the configuration.properties file.
# Realm name exo.security.domain=gatein-domain
Internally, eXo Platform uses this setting to set a new variable named "portal.container.realm" that is then used in the Kernel configuration files, such as platform-extension/WEB-INF/conf/platform/repository-configuration.xml.
Inside portal.war, you should declare the Realm name in the web.xml file:
<login-config>
<auth-method>FORM</auth-method>
<realm-name>gatein-domain</realm-name>
<form-login-config>
...
</form-login-config>
</login-config>
In eXo Platform, you could allow gadgets to load remote resources. However, this could be a potential security risk, as it will make the Gadget deployed as an open web proxy. This implies configuring ProxyFilterService.
The default configuration is set as below:
<component>
<key>org.exoplatform.web.security.proxy.ProxyFilterService</key>
<type>org.exoplatform.web.security.proxy.ProxyFilterService</type>
<init-params>
<values-param>
<!-- The white list -->
<name>white-list</name>
<!-- Accept anything not black listed -->
<value>*</value>
</values-param>
<values-param>
<name>black-list</name>
<value>*.evil.org</value>
</values-param>
</init-params>
</component>
This configuration can be added into <GATEIN_CONF_DIR>/portal/<PORTAL_CONTAINER_NAME>/configuration.xml.
<GATEIN_CONF_DIR> = TOMCAT_HOME/gatein/conf/ if you are using Tomcat and JBOSS_HOME/server/<PROFILE>/conf/gatein/ if you are using JBoss.
<PORTAL_CONTAINER_NAME> = the name of the used portal container that is set to portal by default.
The proxy service allows accessing any site which matches the white-list domains, unless it belongs to the black-list. If the site is not defined in neither the white list nor black list, access will be denied. Multiple values can be added for each list and wildcards can also be used.
The following is an example of the Gadget Proxy configuration:
<component>
<key>org.exoplatform.web.security.proxy.ProxyFilterService</key>
<type>org.exoplatform.web.security.proxy.ProxyFilterService</type>
<init-params>
<values-param>
<name>white-list</name>
<value>*.example.com</value>
<value>www.example.net</value>
</values-param>
<values-param>
<name>black-list</name>
<value>evil.example.com</value>
</values-param>
</init-params>
</component>
By default, eXo Platform runs in the HTTP mode. However, for the security purposes, you can configure it to run in the HTTPS mode. This section explains how to configure HTTPS mode.
1. Generate your key.
If you do not have an X.509 certificate, you can make a simple certificate using the keytool command.
i. Change the variables in the following command to suit your circumstances, then run it a terminal:
keytool -genkey -alias serverkeys -keyalg RSA -keystore server.keystore -storepass 123456 -keypass 123456 -dname "CN=localhost, OU=MYOU, O=MYORG, L=MYCITY, ST=MYSTATE, C=MY"
Your key will be stored in server.keystore.
ii. Import your key into the Sun JDK keystore (this is required to help running gadget features) with the following command:
keytool -importkeystore -srckeystore server.keystore -destkeystore $JAVA_HOME/jre/lib/security/cacerts
2. Set up the Jboss configuration to use your new key.
i. Comment the following lines in JBOSS_HOME/server/<PROFILE>/deploy/jbossweb.sar/server.xml:
<Connector URIEncoding="UTF-8" acceptCount="100" address="${jboss.bind.address}" compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript" compression="on" compressionMinSize="2048" connectionTimeout="20000" disableUploadTimeout="true" emptySessionPath="true" enableLookups="false" maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents=".*MSIE 6.*" port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
ii. Uncomment the following line:
<Connector SSLEnabled="true" address="${jboss.bind.address}" clientAuth="false" keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore" keystorePass="rmi+ssl" port="8443" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>
Then, change the values of keystoreFile and keystorePass to values of your key.
3. Restart your server. You can now access the portal via https://<ServerAddress>:8443/portal.