How to enable security on the HTTP connector

The HTTP connector is implemented by the servlet called XAServlet (full name org.xaware.server.connector.servlet.XAServlet.java). Spring Security (formerly called the Acegi project) is used to implement security (authentication and access control) for this servlet. See [1] for more information about Spring Security.

XAware's security model includes authentication and access control. A user is authenticated using a user name and password, and is allowed to operate in one or more roles, as specified by the security configuration. Each BizView file implementing a service can have a "required role" assigned to it. Roles can be assigned to a BizView file at packaging time, or via the JMX management console. At run-time, when security is enabled, access to a BizView file is allowed only if the user has a role allowed by the BizView file.

Enabling security involves a change to the web.xml file (contained inside xaware.war and xaware.ear, within its embedded war), plus enabling access control through the JMX console. Follow these steps to enable security:

1. Uncomment the Spring Security section in web.xml. The Ant build script in <xaware.home>/deploy has tasks to do this:

 cd <xaware.home>/deploy
 set XAWARE_HOME=<xaware.home>
 set SERVER_HOME=<xaware.home>
 ant unzip_all_archives enable_security zip_all_archives

The resulting xaware.ear and xaware.war files are located in <xaware.home>/deploy_modified. For example, the xaware.ear file for JBoss is at <xaware.home>/deploy-modified/appserver/jdk5/xaware.ear. Deploy the updated xaware.ear and/or xaware.war file to your server.

2. Enable security using the JMX console (restart the server first if you have not already done so, to ensure the ear/war changes take effect). To do this, bring up the XAware.SecurityProperties domain on the JMX console.
Enable the security parameters for AuthorizeBizViewFiles and AuthorizeResourceFiles as shown below. AuthorizeBizViewFiles controls whether BizView files are subjected to access control. Similarly, AuthorizeResourceFiles controls whether arbitrary resource files, such as XSL-T files, are subjected to access control.

At this point, security is enabled, and deployed BizView files will be protected with access control. To test the configuration, you can use the Package Assembly tool to set allowed roles for BizView files, deploy the XAR file using user admin, password admin, then use the sample user IDs below to test the results.

Modifying the Security Configuration

The security configuration in the delivered product configures Spring Security to use HTTP Basic authentication with a simple file-based user/role definition file. Spring Security is very flexible, however, and can be configured to use HTTP Digest or certificate-based authentication with database, LDAP, single sign-on modules, and many other authentication mechanisms. See the Acegi site ([2]) for details on how to do this. You will need to modify the Spring Security file, web-inf/applicationContext-acegi-security.xml, to configure Spring Security.

In the default installation, users, passwords, and roles are defined in the file web-inf/users.properties. This file is intended for testing purposes only, and includes these test users:

 dianne/emu - ROLE_USER
 scott/wombat - ROLE_ADMIN, ROLE_USER, ROLE_SUPERVISOR
 admin/admin - ROLE_ADMIN

If you need to change the Spring Security configuration to something other than the default, simple file-based authentication, you will need to modify the file WEB-INF/applicationContext-acegi-security.xml. You should study the material at the Spring Security site for the available configuration options and instructions.
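As an added illustration (not XAware's or Spring Security's own code), the following Python parses a users.properties file in the Acegi in-memory format, assumed here to be username=password,ROLE,...[,enabled|disabled], evaluates the run-time BizView role check described above, and reports whether the shipped test accounts are still present with their default passwords. The sample file content is constructed from the test users listed above.

```python
from dataclasses import dataclass, field

# Constructed sample: the three test users the page lists, written in the
# Acegi/Spring Security in-memory format (assumed):
#   username=password,ROLE_A,ROLE_B[,enabled|disabled]
SAMPLE_USERS_PROPERTIES = """\
# WEB-INF/users.properties (test users only)
dianne=emu,ROLE_USER
scott=wombat,ROLE_ADMIN,ROLE_USER,ROLE_SUPERVISOR
admin=admin,ROLE_ADMIN
"""

# Shipped test accounts; one still present with its default password means the test file was deployed unchanged.
DEFAULT_TEST_USERS = {"dianne": "emu", "scott": "wombat", "admin": "admin"}

@dataclass
class User:
    password: str
    roles: set = field(default_factory=set)
    enabled: bool = True

def parse_users_properties(text):
    """Return {username: User} parsed from users.properties text."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):   # comments / blank lines
            continue
        name, _, rest = line.partition("=")
        parts = [p.strip() for p in rest.split(",")]
        password, attrs = parts[0], parts[1:]
        enabled = True
        if attrs and attrs[-1].lower() in ("enabled", "disabled"):
            enabled = attrs.pop().lower() == "enabled"
        users[name.strip()] = User(password, set(attrs), enabled)
    return users

def bizview_access_allowed(users, name, password, allowed_roles):
    """Run-time check: HTTP Basic credentials must match an enabled user
    holding at least one of the roles the BizView file allows."""
    u = users.get(name)
    if u is None or not u.enabled or u.password != password:
        return False
    return bool(u.roles & set(allowed_roles))

def find_default_test_accounts(users):
    """Names of shipped test users still present with their known password."""
    return sorted(n for n, pw in DEFAULT_TEST_USERS.items()
                  if n in users and users[n].password == pw)
```

Running find_default_test_accounts over the users.properties extracted from a deployed WAR is a quick way to confirm the test file was replaced before the HTTP connector was exposed.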
To modify WEB-INF/applicationContext-acegi-security.xml, follow these steps:

 cd <xaware.home>/deploy
 set XAWARE_HOME=<xaware.home>
 set SERVER_HOME=<xaware.home>
 ant unzip_all_archives

Make changes to the security config:

- uncomment the security section in web.xml
- change the Spring Security configuration to meet your needs. This is the hard part, where you'll need support from the Spring web site to help configure WEB-INF/applicationContext-acegi-security.xml. The default configuration is fine for testing; just change users.properties.
- change the users.properties file if you're still using it (as opposed to a different Spring Security config)

 ant zip_all_archives

At this point, the new EAR file will be built. You might want to copy the new EAR file to the deploy/appserver/jdk5 directory, so it becomes the new baseline for later changes (make a backup of the original xaware.ear).
This page was last modified 23:38, 12 August 2008.