Security elevation in Geronimo V2.1.5

Geronimo is an open source application server developed under the Java EE 5 specification requirements under the Apache Software Fund, and the latest version of the V2.1 series--v2.1.5 is about to be released. In this version of the upgrade, a large part of the improvement focused on the user's proposed security-related update requirements, resulting in many new features such as password encryption in the deployment plan, Kerberos login module, role-based WEB Management console, and KeyStore passwords using ciphertext. This article will elaborate on the application methods and technical details of these security improvements and provide a quick channel for readers to understand how to build more secure applications and how to manage servers securely.

Introduction

Apache Geronimo as an application server that complies with the Java EE 5 specification, provides three basic login authentication mechanisms for HTTP Basic authentication (RFC2068), SSL mutual authentication, and form-based login. The Geronimo V2.1 series has implemented Keystore management, which allows users to unlock Keystore in the WEB management console, create private keys, add certificates, and so on. Also, during the use of Geronimo, users can define and enable multiple security domains (realm) in the application's deployment plan file. Each security domain can authenticate users and provide a series of security credentials (principal) for authenticated users to enable users to access the required resources. The security domain information that is defined in the deployment plan file usually requires specific information to log on to security providers such as databases, LDAP servers, and so on, including the security provider's address, username, password, and so on. Provider This can be achieved through the extension of the JAAS Loginmodule, which has been provided in Geronimo Ldaploginmodule, Sqlloginmodule, Propertiesfileloginmodule, Certificatechainloginmodule and Certificatepropertiesfileloginmodule implementations, we can easily add our own defined Loginmodule types. Below, we introduce some of the new security features and improvements that are added to the Geronimo V2.1.5, mainly divided into 4 parts, the cryptographic tools of cryptography, the safe use of KeyStore, the role-based Web Management Console, and the new Kerberos login module.

Encryption of passwords

In the first few versions of the Geronimo V2.1 series, the GBean attribute contains a "password" string that is automatically encrypted when it is written to the Config.xml file, from an interpretation of the Gbeanoverride class WriteXml method Statement to see this, as shown in Listing 1.

Listing 1. Code snippets for the WriteXml method

if　(name.toLowerCase().indexOf("password")　>　-1)　{
　　 value　=　EncryptionManager.encrypt(value);
　 }

It uses the Encryptionmanager encrypt static method for encryption. By default, this encryption method takes the form of predefined simple encryption, and the ciphertext string that is encrypted with plaintext will begin with the. The algorithm is as follows:

When the input string begins with the {simple}, it is returned directly.

When the input string is at the beginning of {XXX}, the ciphertext that is considered to be encrypted by other encryption methods should be decrypted to plaintext first and then encrypted in a simple encryption mode.

When the input string does not begin with any {XXX}, it is encrypted in a simple encryption mode.

When Config.xml is read during Geronimo startup, the Encrptionmanager decrypt static method is invoked to decrypt the following algorithm:

When the input string does not begin with any {XXX}, it is considered unencrypted and returned directly.

Otherwise, it is decrypted using the corresponding method of {XXX}, for example, when the ciphertext string begins with {simple}, it is used simply to decrypt the method.

As we can see, Geronimo has provided a set of cryptographic and decryption mechanisms for cryptography, but, in the short, the previous version did not use the tools of these APIs to encrypt strings in the command line, which means that the user has no channel to manually encrypt the plaintext to place the resulting ciphertext into Config.xml in the middle of the trip. Also, for deployment plans for Geronimo modules, such as data sources and JMS resource adapters, users cannot specify encrypted passwords in them, which is not conducive to security of the application. In the Geronimo V2.1.5, these problems are resolved.