Integrating with Glassfish

Introduction

Ceptor is a complete security solution that protects portals and application servers regardless of the communication type used, be it JSP, Servlets, EJB or another type of communication. Ceptor can provide authentication and authorization checks on all resources, as well as secure communication between clients and servers.
Any number of web servers, application servers or other types of servers can be integrated and used to create personalized content and share sessions between all applications, so users experience single sign-on with access (subject to authorization, of course) to all applications available in your portal.
This document describes how to integrate Ceptor with the Glassfish Application Server version 3.112.

Installation

In the Ceptor distribution, you can find the required .jar files in samples/integration/glassfish. To install the Tomcat Realm, you will need to copy CeptorJASPI.jar to your Glassfish domain's autodeploy/bundles directory, along with CeptorAgent.jar (from lib in the distribution) and org.apache.log4j_1.2.15.v201012070815.jar, which are both required by the Ceptor Agent.
The org.apache.log4j_1.2.15.v201012070815.jar is a special OSGi-aware version, since the default distribution of log4j v1.2.16 has a broken MANIFEST.MF that does not work with Glassfish.
Then you need to edit domain.xml and add this section inside the message-security-config section:

<provider-config provider-type="server" provider-id="CeptorProvider" class-name="dk.portalprotect.jaspi.ServerAuthModule">
  <property name="server.name" value="webserver1"></property>
  <property name="config.servers" value="nio://localhost:21233"></property>
  <property name="server.alias" value="Glassfish"></property>
  <property name="nowait" value="true"></property>
  <request-policy></request-policy>
  <response-policy></response-policy>
</provider-config>


You will need to change the values of server.name, config.servers and server.alias to match your Ceptor configuration.
You can also have Glassfish's administration tool do this for you by executing this command (the last argument is the name the provider is registered under):
asadmin create-message-security-provider --layer HttpServlet --providertype server --classname dk.portalprotect.jaspi.ServerAuthModule PortalProtectProvider
But then you need to add the properties by editing domain.xml or entering them in the administration GUI. If you wish, you can also use system properties instead.
If you want to make the classes in CeptorAgent.jar available to the application as well, you need to copy CeptorAgent.jar and the log4j .jar to the domain's lib/ext directory for them to be visible to the deployed webapps.
To setup log4j to specify where to log, refer to: https://blogs.oracle.com/naman/entry/configure_log4j_for_use_in
To replace java.util.logging used by glassfish to a better alternative, you might want to look here:
http://hwellmann.blogspot.com/2010/12/glassfish-logging-with-slf4j-part-2.html

Webapp Configuration

For the user principal and groups to be available within Glassfish, you will need to protect access to your webapp.
This is an example of how to configure web.xml to do just that:

<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5">
  <display-name>Welcome to Glassfish</display-name>
  <description>
    Welcome to Glassfish
  </description>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Default constraint</web-resource-name>
      <description>Default security constraints</description>
      <url-pattern>/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description>Default constraint</description>
      <role-name>pp_everyone</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <description>All users going through PP</description>
    <role-name>pp_everyone</role-name>
  </security-role>
</web-app>

You also need to tell Glassfish to use the newly installed CeptorProvider for your webapp – do this by adding a file called sun-web.xml to your WEB-INF directory with the following content:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 Servlet 2.3//EN' 'http://www.sun.com/software/sunone/appserver/dtds/sun-web-app_2_3-0.dtd'>
<sun-web-app httpservlet-security-provider="CeptorProvider">
  <security-role-mapping>
    <role-name>pp_everyone</role-name>
    <principal-name>pp_everyone</principal-name>
    <group-name>pp_everyone</group-name>
  </security-role-mapping>
</sun-web-app>


This is all you need to be able to do J2EE security from within your webapp – the following is an example you can add to a .jsp page to try it out:

Current user: <%=request.getRemoteUser() %><br/>
User principal: <%=request.getUserPrincipal() %><br/>
Auth type: <%=request.getAuthType() %><br/>
Has role pp_everyone: <%=request.isUserInRole("pp_everyone") %><br/>
Has role pp_identifiedusers: <%=request.isUserInRole("pp_identifiedusers") %><br/>
Has role pp_anonymous: <%=request.isUserInRole("pp_anonymous") %><br/>


You do not need to add all the roles you are checking against in your webapp to <security-role> tags in the web.xml.
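As an added example (not part of the Ceptor documentation), here is a web.xml that tightens the constraint shown above in two ways. First, it lists no <http-method> elements: in the Servlet specification a constraint that names methods applies only to those methods, so the GET/POST-only constraint above leaves HEAD, PUT, DELETE, OPTIONS and any other method outside the constraint, whereas a constraint with no <http-method> covers every method. Second, it adds a stricter constraint on /account/* requiring the pp_identifiedusers role; the path, the role name and the assumption that Ceptor places authenticated users in a group named pp_identifiedusers (as the JSP role checks above suggest) are mine. Because that role is used in an <auth-constraint>, it must be declared as a <security-role> here and mapped in sun-web.xml in the same way pp_everyone is mapped above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the Ceptor documentation. Role pp_identifiedusers,
     the /account/* path and the assumption that Ceptor assigns that group to
     authenticated users are assumptions made for this example. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
  <display-name>Ceptor protected webapp (example)</display-name>

  <!-- Whole application: no <http-method> elements, so this constraint applies to
       every HTTP method, not only GET and POST. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All resources</web-resource-name>
      <description>Everything must pass through Ceptor</description>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>pp_everyone</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Stricter area: the most specific url-pattern wins, so /account/* requires
       pp_identifiedusers instead of pp_everyone. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account pages</web-resource-name>
      <description>Only users Ceptor has identified (assumed group name)</description>
      <url-pattern>/account/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>pp_identifiedusers</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Every role named in an <auth-constraint> is declared here; each also needs a
       <security-role-mapping> entry in sun-web.xml like the one for pp_everyone. -->
  <security-role>
    <description>All users going through PP</description>
    <role-name>pp_everyone</role-name>
  </security-role>
  <security-role>
    <description>Users with an identified Ceptor session (assumed group)</description>
    <role-name>pp_identifiedusers</role-name>
  </security-role>
</web-app>
```

A quick check after deploying is to request a resource under /account/ with a method other than GET or POST (for instance HEAD or OPTIONS) from an unauthenticated session and confirm that Glassfish still refuses it; with the GET/POST-only constraint from the page, such requests would reach the application unauthenticated.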

© Ceptor ApS. All Rights Reserved.