SAM Security
Scientific Annotation Middleware (SAM) v. 2.1 Security Configuration
Using SAM's JAAS-based Authentication Filter
SAM provides a Java Authentication and Authorization Service (JAAS)-based mechanism for using alternate external authentication services. The mechanism is implemented as a ServletFilter configured in web.xml. The JAASAuthenticationFilter itself is generic; the security service actually invoked is determined by a JAAS configuration file and the LoginModule(s) configured there. The filter passes potential authentication information to the configured LoginModule(s): the username/password from HTTP Basic Authentication, the value of the "SAMAuthToken" cookie, and the value of a configurable URL query parameter (e.g. /sam/files?token="42"). These sources can be used to support a range of username/password or single-sign-on mechanisms.
Configuring the JAASAuthenticationFilter
The JAASAuthenticationFilter is pre-configured in the SAM-2.1.zip distribution. By default, it uses the SAM_Slide LoginModule, which uses Jakarta Slide's standard authentication mechanism for initial authorization and subsequently avoids reauthentication via the "SAMAuthToken" cookie, which times out after a default 5 minutes of inactivity. To use the filter with other LoginModules as discussed below, you must either edit the supplied jaas.config file or set the "JAAS_ConfigFile" context parameter in web.xml to "null", which makes SAM use the jaas.config file named by the Java system property java.security.auth.login.config.
To invoke other LoginModules, edit the web.xml file and change the "appName" parameter:
<filter>
  <filter-name>AuthenticationFilter</filter-name>
  <filter-class>org.scidac.sam.security.filter.JAASAuthenticationFilter</filter-class>
  <init-param>
    <param-name>app-name</param-name>
    <param-value>SAM_Slide</param-value>
  </init-param>
  ...
</filter>
Using JAAS LoginModules
To register a new LoginModule, edit the jaas.config file. SAM 2.1 (zip distribution) ships with 3 LoginModules:
SimpleLoginModule
This is a simple login module for testing the basic setup. The username and the password are specified in the login context configuration; the context is "SAM_Simple" in the jaas.config file. The roles are also defined in the context configuration.
* The current defaults are user "root" and password "hello".
SAM_Simple {
    org.scidac.sam.security.SimpleLoginModule required
        debug = false
        user = root
        password = samroot
        roles = "root";
};
SlideLoginModule (default)
The SlideLoginModule gets the user information from the Slide namespace, with usernames and passwords stored using Slide's default mechanism (users and passwords are defined initially in the file Domain.xml and then maintained in the /users/* nodes of the WebDAV repository). It has three parameters: the name of the namespace, whether the username and password are digested, and a debug flag. The default namespace is "sam". Note: setting the debug option to "9" prints user passwords to the Tomcat console. You can also configure the timeout of the cookies created by SAM by adding the line timeout = "<# of minutes>" to the option list (the default is 5 minutes).
SAM_Slide {
    org.scidac.sam.security.SlideLoginModule required
        debug = false
        namespace = sam
        digest = none;
};
GSILoginModule
This module provides user authentication through a MyProxy server. The implementation is based on Java CoG 0.9.13, which is available from the Globus website. To use this login module you need a working CoG setup on your computer and Grid certificates for your users.
When you log in using the GSILoginModule, you provide the account name and the passphrase for your certificate on the MyProxy server. The module obtains your Globus ID from the certificate it retrieves from the server, and the Globus ID is mapped to the local user name via the gridmap file.
SAM_Globus {
    org.scidac.sam.security.globus.GSILoginModule required
        debug = true
        host = "doesg.emsl.pnl.gov"
        port = "7512"
        lifetime = "3600"
        gridmap = "/gridmap.txt"
        namespace = "sam";
};
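The following is an added example, not code from SAM, Slide or Globus: a hypothetical LoginModule of the kind a site could register in jaas.config alongside the three modules above. The class name HashedUserLoginModule, the option names user, sha256 and roles, the app name SAM_Example and the sample credentials are all assumptions. Unlike the shipped SimpleLoginModule, whose password sits in clear text in jaas.config, this module keeps only a SHA-256 hash of the password in the configuration, compares it in constant time, and shows the full JAAS contract (login, commit, abort, logout) that turns a successful login into Principals on the Subject. The main method stands in for the JAASAuthenticationFilter: it builds the same configuration entry that the stanza SAM_Example { HashedUserLoginModule required user = alice sha256 = "<hex of SHA-256>" roles = "user, annotator"; }; would produce, and drives the module through a LoginContext with a CallbackHandler that supplies the name and password the way the filter does.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical LoginModule (not part of SAM): a single user whose SHA-256 password
// hash and role list come from the jaas.config options, so no cleartext password is stored.
public class HashedUserLoginModule implements LoginModule {
    // Minimal Principal used for both the user name and each role granted to it.
    public static final class NamedPrincipal implements Principal {
        private final String name;
        public NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
    }

    private Subject subject;
    private CallbackHandler handler;
    private Map<String, ?> options;
    private String user;        // non-null only after a successful login()
    private boolean committed;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.options = options;
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });  // the caller supplies both values
        } catch (Exception e) {
            throw new LoginException("credentials unavailable: " + e.getMessage());
        }
        char[] pw = pc.getPassword();
        pc.clearPassword();
        if (pw == null) pw = new char[0];
        String givenHex = toHex(sha256(new String(pw)));
        Arrays.fill(pw, '\0');                          // do not keep the cleartext around
        String expectedHex = String.valueOf(options.get("sha256"));
        // MessageDigest.isEqual runs in constant time, so a wrong password takes the same
        // time whichever byte differs; String.equals would stop at the first mismatch.
        boolean ok = String.valueOf(options.get("user")).equals(nc.getName())
                && MessageDigest.isEqual(givenHex.getBytes(StandardCharsets.UTF_8),
                                         expectedHex.getBytes(StandardCharsets.UTF_8));
        if (!ok) throw new FailedLoginException("invalid user name or password");
        user = nc.getName();
        return true;
    }

    @Override
    public boolean commit() {
        if (user == null) return false;                 // login() failed: contribute nothing
        subject.getPrincipals().add(new NamedPrincipal(user));
        for (String role : String.valueOf(options.get("roles")).split(",")) {
            subject.getPrincipals().add(new NamedPrincipal(role.trim()));
        }
        committed = true;
        return true;
    }

    @Override public boolean abort() { user = null; return true; }

    @Override public boolean logout() {
        if (committed) subject.getPrincipals().removeIf(p -> p instanceof NamedPrincipal);
        user = null;
        committed = false;
        return true;
    }

    static byte[] sha256(String s) {
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    // Stand-in for the filter: builds the entry a jaas.config stanza would yield and logs in.
    // User name, password and roles are constructed sample values.
    public static void main(String[] args) throws LoginException {
        Map<String, String> opts = new HashMap<>();
        opts.put("user", "alice");
        opts.put("sha256", toHex(sha256("correct horse")));  // in jaas.config this hex is precomputed
        opts.put("roles", "user, annotator");
        Configuration cfg = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        HashedUserLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
        CallbackHandler h = cbs -> {
            for (Callback c : cbs) {
                if (c instanceof NameCallback) ((NameCallback) c).setName("alice");
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("correct horse".toCharArray());
            }
        };
        LoginContext lc = new LoginContext("SAM_Example", new Subject(), h, cfg);
        lc.login();
        System.out.println("principals: " + lc.getSubject().getPrincipals());
    }
}
```

Compile and run it with javac/java and it prints the user and role principals; a wrong password ends in a FailedLoginException before commit() runs, so the Subject stays empty. A plain SHA-256 is used only to keep the example short; a deployment would choose a salted, slow password hash, and the roles a module grants should be the only source an authorization layer trusts.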
