
A. Unified authentication server and resource server

By default, creating or updating a site from the application area or environment attributes deploys the libraries and declares the Servlets needed for the authentication service (JWTServlet) to operate, so that the service is integrated into the resource server.


The following information is automatically added to the application descriptor (web.xml):

<servlet>
    <servlet-name>JWTServlet</servlet-name>
    <servlet-class>com.hardis.jwtprovider.JwtProvider</servlet-class>
</servlet>
<servlet>
    <servlet-name>JEELoginServlet</servlet-name>
    <servlet-class>com.hardis.security.loginmodules.jee.JEELoginServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>JWTServlet</servlet-name>
    <url-pattern>/JWTServlet</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>JEELoginServlet</servlet-name>
    <url-pattern>/security/JEELoginServlet</url-pattern>
</servlet-mapping>


The following actions are required to complete authentication service configuration:

  • update the /WEB-INF/beans.xml file by declaring the JwtProviderConfig and JwtJEELoginModule (or JwtLDAPLoginModule or JwtAdeliaLoginModule) objects.

  • put a JKS-format Keystore called RSJwtSecurity.key, containing the keys of the asymmetric RSA-256 encryption algorithm, in the application's /WEB-INF/conf directory, or externalize the Keystore as a URL-type jndi resource under the url/adelRSJwtSecurity alias using the com.hardis.common.JndiURLFactory factory.
    Note: A Keystore is provided by default in the /WEB-INF/conf directory.

  • secure the transport layer (HTTPS) for accessing the authentication Servlet (JWTServlet).


B. Autonomous authentication server

The authentication service (or server) can be deployed autonomously.

To do this, copy the %adeliws%/javarun/jwtProviderStandAlone/jwtProviderStandAlone.war file to the appropriate location on the application server.


The service is configured via a file (jwtProv.properties) externalized as a URL-type jndi resource under the url/jwtProv alias, with the factory set to the class com.hardis.common.JndiURLPropsFactory.


Example:

Declaration of a URL-type jndi resource called url/jwtProv using the com.hardis.common.JndiURLPropsFactory factory.

The location of the jwtProv.properties file containing the service configuration information is set using the URL: file:///d:/extcfg/jwtProv.properties

<Resource auth="Container" factory="com.hardis.common.JndiURLPropsFactory" name="url/jwtProv" type="java.net.URL" url="file:///d:/extcfg/jwtProv.properties"/>


The referenced jwtProv.properties file must declare the values for the JwtProviderConfig and JwtJEELoginModule (or JwtLDAPLoginModule or JwtAdeliaLoginModule) object properties as follows:

;jwtProviderConfig
jwtProviderConfig.jwtUserRoleClaim=roles
jwtProviderConfig.jwtValidityTimeClaim=iat
jwtProviderConfig.jwtTtl=3600
jwtProviderConfig.jwtIssuer=jwtIssuer
jwtProviderConfig.jwtPrefixId=jwtId_
jwtProviderConfig.jwtAudienceKind=RscServers
jwtProviderConfig.jwtAudience=http://srvapis1.com/apis ;http://srvapis2.com/apis
jwtProviderConfig.jwtLoginModuleName=jwtLDAPLoginModule


;jwtJEELoginModule
jwtJEELoginModule.userParameterName=login
jwtJEELoginModule.passwordParameterName=password
jwtJEELoginModule.securityRoles=role1,role2,role3
jwtJEELoginModule.securityRequestUrl=


;jwtLDAPLoginModule
jwtLDAPLoginModule.userParameterName=login
jwtLDAPLoginModule.passwordParameterName=password
jwtLDAPLoginModule.ldapParameters=\
[type:Domino]\
[connectionsURL:dominoldap.domain.com:389]\
[connectionName:user]\
[connectionPassword:password]\
[connectionTimeout:5000]\
[connectionPoolSize:10]\
[useSSL:false]\
[userBase:o=domain]\
[userSearch:(&(uid={0})(objectclass=dominoPerson))]\
[userSearchScope:SUB]\
[userName:sn]\
[userAttributes:mail,uid]\
[groupBase:o=domain]\
[groupSearch:(member={0})]\
[groupSubtree:true]\
[groupName:cn]\
[rolesMapping:role1=group1;role2=group2|group3]
jwtLDAPLoginModule.jwtExtraClaims=[specClaim1:mail][specClaim2:uid]


;jwtAdeliaLoginModule
jwtAdeliaLoginModule.userParameterName=login
jwtAdeliaLoginModule.passwordParameterName=password
jwtAdeliaLoginModule.adeliaParameters=\
[VAAuthProgram:javaobj.JWAUTH]\
[SSOEnabled:false]\
[Unicode:false]
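As an added illustration (not code from Hardis or the Adelia product), the Java class below loads a jwtProv.properties-style fragment with java.util.Properties, decodes the bracketed [key:value] list syntax used by ldapParameters and jwtExtraClaims, and applies the rolesMapping entry to a user's LDAP groups. Its assumptions: the file follows java.util.Properties syntax, ';' separates role entries and '|' lists alternative groups for one role (inferred from the sample above, not stated on this page), and the hostnames, groups and filters in the sample are constructed placeholders. It also shows why each backslash continuation must be the last character on its line: with java.util.Properties a space after the backslash is read as an escaped space, the value ends there, and the following line becomes a stray key.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added illustration, not Hardis/Adelia code. Reads a jwtProv.properties-style fragment
 * (assumed to follow java.util.Properties syntax), decodes the "[key:value]" list used by
 * ldapParameters / jwtExtraClaims and derives roles from rolesMapping.
 */
public class JwtProvPropertiesDemo {

    // Constructed sample: hostnames, groups and filters are placeholders.
    // Each backslash is the LAST character of its line, which is what makes it a continuation.
    static final String SAMPLE =
          "jwtLDAPLoginModule.ldapParameters=\\\n"
        + "[type:Domino]\\\n"
        + "[connectionsURL:dominoldap.example.com:389]\\\n"
        + "[useSSL:false]\\\n"
        + "[userSearch:(&(uid={0})(objectclass=dominoPerson))]\\\n"
        + "[rolesMapping:role1=group1;role2=group2|group3]\n"
        + "jwtLDAPLoginModule.jwtExtraClaims=[specClaim1:mail][specClaim2:uid]\n";

    // Same idea with a space after the first backslash: java.util.Properties reads "\ " as an
    // escaped space, so the value ends there and the next line is parsed as a separate key.
    static final String BROKEN_SAMPLE =
          "jwtLDAPLoginModule.ldapParameters=\\ \n"
        + "[type:Domino][rolesMapping:role1=group1]\n";

    private static final Pattern ENTRY = Pattern.compile("\\[([^:\\]]+):([^\\]]*)\\]");

    static Properties load(String text) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(text));
        return p;
    }

    /** "[k1:v1][k2:v2]" -> ordered map; the value may itself contain ':' (host:port). */
    static Map<String, String> parseBracketList(String raw) {
        Map<String, String> out = new LinkedHashMap<>();
        if (raw == null) return out;
        Matcher m = ENTRY.matcher(raw);
        while (m.find()) out.put(m.group(1).trim(), m.group(2).trim());
        return out;
    }

    /** "role1=group1;role2=group2|group3" -> role -> groups granting it (assumed ';' and '|' semantics). */
    static Map<String, Set<String>> parseRolesMapping(String mapping) {
        Map<String, Set<String>> out = new LinkedHashMap<>();
        if (mapping == null) return out;
        for (String entry : mapping.split(";")) {
            int eq = entry.indexOf('=');
            if (eq <= 0) continue;                          // skip malformed entries instead of guessing
            Set<String> groups = new LinkedHashSet<>();
            for (String g : entry.substring(eq + 1).split("\\|")) {
                if (!g.isBlank()) groups.add(g.trim());
            }
            out.put(entry.substring(0, eq).trim(), groups);
        }
        return out;
    }

    /** Roles granted by a user's LDAP groups: only explicitly mapped roles, never raw group names. */
    static Set<String> rolesFor(Collection<String> userGroups, Map<String, Set<String>> mapping) {
        Set<String> roles = new TreeSet<>();
        for (Map.Entry<String, Set<String>> e : mapping.entrySet()) {
            for (String g : e.getValue()) {
                if (userGroups.contains(g)) { roles.add(e.getKey()); break; }
            }
        }
        return roles;
    }

    public static void main(String[] args) throws IOException {
        Properties p = load(SAMPLE);
        Map<String, String> ldap = parseBracketList(p.getProperty("jwtLDAPLoginModule.ldapParameters"));
        System.out.println("ldapParameters : " + ldap);
        Map<String, Set<String>> mapping = parseRolesMapping(ldap.get("rolesMapping"));
        System.out.println("rolesMapping   : " + mapping);
        System.out.println("roles(group3)  : " + rolesFor(List.of("group3"), mapping));
        System.out.println("extra claims   : " + parseBracketList(p.getProperty("jwtLDAPLoginModule.jwtExtraClaims")));

        // The broken continuation: the value is a lone space and "[type" shows up as a key of its own.
        Properties broken = load(BROKEN_SAMPLE);
        System.out.println("truncated value: '" + broken.getProperty("jwtLDAPLoginModule.ldapParameters") + "'");
        System.out.println("keys seen      : " + broken.stringPropertyNames());
    }
}
```

The truncation case is the one to check when an LDAP login module silently ignores its rolesMapping after an edit: the parser does not report the cut-off value, so a trailing space behind a backslash turns a role mapping into a missing parameter.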


The service also requires a Keystore to encrypt the token. This Keystore is externalized in the form of a URL-type jndi resource using the com.hardis.common.JndiURLFactory factory via the url/adelRSJwtSecurity alias.



Example:

Declaration of a URL-type jndi resource called url/adelRSJwtSecurity using the com.hardis.common.JndiURLFactory factory.

The location of the Keystore is set using the URL: file:///d:/extcfg/RSJwtSecurity.key


<Resource auth="Container" factory="com.hardis.common.JndiURLFactory" name="url/adelRSJwtSecurity" type="java.net.URL" url="file:///d:/extcfg/RSJwtSecurity.key"/>


Finally, the autonomous authentication service requires secure transport (HTTPS) by default. The Java EE container must therefore be configured to provide it.


Comments concerning the AdeliaLoginModule authentication module:

As this authentication module uses an Adelia program, the jwtProviderStandAlone.war archive needs to be completed beforehand by:

- adding classes resulting from the generation (standard Java type) of the VA_B program in the WEB-INF/classes directory.

- adding the adeljrt-<version>.jar library to the WEB-INF/lib directory.

The characteristics of the VA_B authentication program are given in the Authentication modules section.



C. Encryption/validation of the JWT

By default, a Keystore (called RSJwtSecurity.key), containing the keys of the asymmetric RSA-256 encryption algorithm and used to encrypt or validate a token, is delivered in the WEB-INF/conf directory of the Web application created by Adelia Studio, which plays the role of resource server.


The same Keystore must be used by the authentication server (token encryption) and by the aforementioned resource server (token validation).

If the authentication service and resource server are hosted by the same application, the Keystore can be left in the application's WEB-INF/conf directory.

If the authentication service and resource server are hosted by different applications, the Keystore must be externalized via the jndi resource called url/adelRSJwtSecurity in order to share this Keystore between the two applications.
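The following Java class is an added illustration (not code from Hardis or the Adelia product) of what the resource-server side of this shared-Keystore arrangement checks when it validates a token: the signature against the public key read from RSJwtSecurity.key, then the issuer, the audience and the iat claim against jwtTtl, mirroring the jwtProviderConfig values shown earlier on this page. It assumes the token is a JWS signed with RS256 (SHA256withRSA, the "RSA-256" algorithm the page names), that the keystore password and key alias are as given (placeholders), and that the claims are a flat JSON object; the regex claim reader exists only to keep the example dependency-free and should be a JSON or JWT library in production.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added illustration, not Hardis/Adelia code: the checks a resource server performs when it
 * validates a token with the shared RSJwtSecurity.key. Assumes an RS256-signed JWS, a flat JSON
 * claim set, and deployment-specific keystore password / alias (placeholders below).
 */
public class JwtResourceServerCheck {

    // Values mirroring the jwtProviderConfig entries on this page.
    static final long   JWT_TTL_SECONDS    = 3600;                      // jwtProviderConfig.jwtTtl
    static final String EXPECTED_ISSUER    = "jwtIssuer";               // jwtProviderConfig.jwtIssuer
    static final String MY_AUDIENCE        = "http://srvapis1.com/apis"; // this server's entry in jwtAudience
    static final long   CLOCK_SKEW_SECONDS = 60;                        // tolerance for iat slightly ahead (assumed)

    /** Loads the verification key from the JKS keystore; alias and password are deployment-specific. */
    static PublicKey loadPublicKey(String keystorePath, char[] storePass, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, storePass);
        }
        Certificate cert = ks.getCertificate(alias);
        if (cert == null) throw new IllegalStateException("no certificate under alias " + alias);
        return cert.getPublicKey();
    }

    /** Flat claim lookup for illustration: matches "name":"string" or "name":123 only. */
    static String claim(String json, String name) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*(?:\"([^\"]*)\"|(-?\\d+))").matcher(json);
        if (!m.find()) return null;
        return m.group(1) != null ? m.group(1) : m.group(2);
    }

    /** True only if header.payload carries a valid RS256 signature under pub. */
    static boolean verifySignature(String token, PublicKey pub) {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) return false;
        try {
            Base64.Decoder b64 = Base64.getUrlDecoder();
            String header = new String(b64.decode(parts[0]), StandardCharsets.UTF_8);
            // Pin the algorithm: "alg" in the header is untrusted input, so anything but RS256 is rejected.
            if (!"RS256".equals(claim(header, "alg"))) return false;
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initVerify(pub);
            sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
            return sig.verify(b64.decode(parts[2]));
        } catch (Exception e) {               // malformed base64, wrong key type, bad signature encoding
            return false;
        }
    }

    /** Issuer, audience and iat + jwtTtl checks (the page sets jwtValidityTimeClaim=iat). */
    static boolean claimsAcceptable(String payloadJson, long nowEpochSeconds) {
        if (!EXPECTED_ISSUER.equals(claim(payloadJson, "iss"))) return false;
        String iat = claim(payloadJson, "iat");
        if (iat == null) return false;
        long issuedAt;
        try {
            issuedAt = Long.parseLong(iat);
        } catch (NumberFormatException e) {
            return false;
        }
        if (issuedAt > nowEpochSeconds + CLOCK_SKEW_SECONDS) return false;   // issued in the future
        if (nowEpochSeconds - issuedAt > JWT_TTL_SECONDS) return false;       // older than jwtTtl
        return MY_AUDIENCE.equals(claim(payloadJson, "aud"));                 // single-string aud only
    }

    /** Signature first; claims are only trusted once the signature has verified. */
    static boolean accept(String token, PublicKey pub, long nowEpochSeconds) {
        if (!verifySignature(token, pub)) return false;
        String payload = new String(Base64.getUrlDecoder().decode(token.split("\\.", -1)[1]), StandardCharsets.UTF_8);
        return claimsAcceptable(payload, nowEpochSeconds);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path, password and alias: replace with your deployment's values.
        PublicKey pub = loadPublicKey("WEB-INF/conf/RSJwtSecurity.key", "changeit".toCharArray(), "jwt");
        String token = args.length > 0 ? args[0] : "";
        System.out.println(accept(token, pub, System.currentTimeMillis() / 1000) ? "token accepted" : "token rejected");
    }
}
```

Because both applications read the same Keystore, the check that matters operationally is that the public key the resource server loads is the pair of the private key the authentication server signs with: if the two applications are ever pointed at different copies of RSJwtSecurity.key (for example after regenerating it with JwtKeyTool on one side only), every token fails at verifySignature, which is the symptom to look for first.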


The Keystore provided by default may be replaced by another Keystore which needs to be created with the following command:

java -cp jwtProvider-{version}.jar;bcprov-jdk15-1.45.jar com.hardis.jwtprovider.JwtKeyTool -generate pathto\RSJwtSecurity.key

