Wednesday May 14, 2008

Authentication for SIPServlet resources in SailFin Application Server
SIPServlet resources can be protected with Digest Authentication. In SailFin, digest authentication is implemented using the JDBC realm; see Shingwai's blog post about the JDBC realm in GlassFish for details.

Note that at this time ONLY the JDBC realm is supported for digest authentication on the SailFin server. Support for other realms, such as LDAP, might come in future releases.


The following steps configure digest auth with the JDBC realm on the SailFin application server:

1. Create a JDBC resource from the GUI-based admin console (default user: admin and password: adminadmin) or update domain.xml along the lines of the snippet below. There is a default JDBC connection pool, "DerbyPool", which connects to the default DB (JavaDB or Derby) supplied with SailFin. We just need to create the JDBC resource, or use the "jdbc/__default" datasource-jndi.
 <jdbc-resource enabled="true" jndi-name="jdbc/digestauth" object-type="user" pool-name="DerbyPool"/>



2. Create a security auth realm from the GUI-based admin console (Configuration > Security > Realms) or update domain.xml along the lines of the snippet below. Replace Your_Realm_Name with something meaningful for your configuration, or use it as it is. Refer to the JDBCRealm configuration blog for how to create the users in the DB and for the fields.
<auth-realm classname="com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm" name="Your_Realm_Name">
    <property name="user-name-column" value="userid"/>
    <property name="password-column" value="password"/>
    <property name="group-name-column" value="groupid"/>
    <property name="jaas-context" value="jdbcDigestRealm"/>
    <property name="datasource-jndi" value="jdbc/digestauth"/>
    <property name="group-table" value="grouptable"/>
    <property name="user-table" value="usertable"/>
</auth-realm>

3. Check that the following is already present in login.conf under domain/domain1/config:
jdbcDigestRealm {
       com.sun.enterprise.security.auth.login.JDBCDigestLoginModule required;
};



4. Add the following to sip.xml or web.xml:
 <login-config>
       <auth-method>DIGEST</auth-method>
       <realm-name>Your_Realm_Name</realm-name>
  </login-config>

Snapshot of sip.xml protecting the REGISTER method for the SIP servlet RegistrarServlet:
    <security-constraint>
        <display-name>RegistrarConstraint1</display-name>
        <resource-collection>
            <resource-name>RegistrarServlet</resource-name>
            <description>SIP Servlet resource protection</description>
            <servlet-name>RegistrarServlet</servlet-name>
            <sip-method>REGISTER</sip-method>
        </resource-collection>
        <auth-constraint>
            <description>User can Access the files</description>
            <role-name>User</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>DIGEST</auth-method>
        <realm-name>Your_Realm_Name</realm-name>
    </login-config>
    <security-role>
        <description>User Role</description>
        <role-name>User</role-name>
    </security-role>
    <security-role>
        <description>Admin Role </description>
        <role-name>Admin</role-name>
    </security-role>

5. Make sure Derby is started and the DB user/group schemas are created.
    To start/stop the DB:
./bin/asadmin start-database
./bin/asadmin stop-database

6. Restart the SailFin server; DIGEST auth is then ready to use for your applications.
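
As an added example (not part of the original post or of SailFin), the Python below cross-checks the names that the steps above require to agree across domain.xml, login.conf and sip.xml. The sample fragments are constructed from the snippets above, the function name is hypothetical, and the files are assumed to carry no XML namespace.

```python
import re
import xml.etree.ElementTree as ET

JDBC_REALM = "com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm"
DIGEST_MODULE = "com.sun.enterprise.security.auth.login.JDBCDigestLoginModule"

# Constructed samples assembled from the snippets in the steps above.
DOMAIN_XML = """<domain>
 <jdbc-resource enabled="true" jndi-name="jdbc/digestauth" pool-name="DerbyPool"/>
 <auth-realm classname="%s" name="Your_Realm_Name">
  <property name="jaas-context" value="jdbcDigestRealm"/>
  <property name="datasource-jndi" value="jdbc/digestauth"/></auth-realm></domain>""" % JDBC_REALM
LOGIN_CONF = "jdbcDigestRealm { %s required; };" % DIGEST_MODULE
SIP_XML = """<sip-app><login-config><auth-method>DIGEST</auth-method>
 <realm-name>Your_Realm_Name</realm-name></login-config><security-constraint>
 <auth-constraint><role-name>User</role-name></auth-constraint></security-constraint>
 <security-role><role-name>User</role-name></security-role></sip-app>"""

def check_digest_config(domain_xml, login_conf, sip_xml):
    """Return the mismatches between the three files (empty list = consistent)."""
    problems = []
    domain, sip = ET.fromstring(domain_xml), ET.fromstring(sip_xml)
    if sip.findtext(".//login-config/auth-method", "").strip() != "DIGEST":
        problems.append("sip.xml auth-method is not DIGEST")
    name = sip.findtext(".//login-config/realm-name", "").strip()
    realm = {r.get("name"): r for r in domain.iter("auth-realm")}.get(name)
    if realm is None:
        return problems + ["realm %r is not defined in domain.xml" % name]
    if realm.get("classname") != JDBC_REALM:
        problems.append("realm %r is not a JDBCRealm" % name)
    props = {p.get("name"): p.get("value") for p in realm.iter("property")}
    # jaas-context must name a login.conf entry that loads the digest module.
    ctx = props.get("jaas-context", "")
    entry = ctx and re.search(r"\b%s\s*\{(.*?)\}" % re.escape(ctx), login_conf, re.S)
    if not entry:
        problems.append("jaas-context %r has no login.conf entry" % ctx)
    elif DIGEST_MODULE not in entry.group(1):
        problems.append("login.conf entry %r lacks JDBCDigestLoginModule" % ctx)
    # datasource-jndi must point at an enabled jdbc-resource.
    jndi = props.get("datasource-jndi")
    enabled = {r.get("jndi-name") for r in domain.iter("jdbc-resource") if r.get("enabled") != "false"}
    if jndi not in enabled:
        problems.append("datasource-jndi %r is not an enabled jdbc-resource" % jndi)
    # Every role in an auth-constraint must be declared as a security-role.
    declared = {r.findtext("role-name") for r in sip.iter("security-role")}
    for role in sip.findall(".//auth-constraint/role-name"):
        if role.text not in declared:
            problems.append("role %r is used but not declared" % role.text)
    return problems
```

Calling `check_digest_config(DOMAIN_XML, LOGIN_CONF, SIP_XML)` on the constructed samples returns an empty list; pass the contents of your own three files to check a real domain before restarting the server.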

That's it!




Posted by Jagadesh Babu Munta ( May 14 2008, 11:17:55 AM PDT )

Comments:

Hi Jagadesh,

thanks for this information, you really helped me get on my way faster.
I have configured a jdbcRealm with a connection to an existing MySQL database. I'm pretty sure it has a connection to the database, but when I try to REGISTER (Yes, I secured my Registrar servlet), I get in the Sailfin log:

... _ThreadID=27;_ThreadName=SipContainer-serversWorkerThread-5060-1;user;|SEC5046: Audit: Authentication refused for [user].|#]

-- AND --
... Digest Authentication failed
com.sun.enterprise.security.LoginException: Login failed: javax.security.auth.login.LoginException: Login Failure: all modules ignored

-- AND --

|INFO|sun-comms-appserver1.0|javax.enterprise.system.core.security|_ThreadID=23;_ThreadName=SipContainer-serversWorkerThread-5060-3;|JACC Policy Provider: PolicyWrapper.implies, context(WindTalkerCommunication/_WindTalkerCommunication)- permission((org.jvnet.glassfish.comms.security.authorize.SipResourcePermission registrar REGISTER)) domain that failed(ProtectionDomain (file:/WindTalkerCommunication/_WindTalkerCommunication <no signer certificates>)

I really don't know where to look, since I see no real error I recognize. Do you have any ideas maybe?

Best regards,
Paul.

Posted by Paul Heijmann on May 15, 2008 at 07:00 AM PDT #
