Which jGuard authentication configuration?
jGuard distinguishes 3 types of "users" in a J2EE environment:
- administrator
- webapp developer
- webapp user
'usual' authentication
'Usual' authentication provides a good security level. It protects webapp resources against webapp users: each webapp user is authenticated, and access control is applied according to his roles.
This authentication configuration does not protect webapp developers against the developers of other webapps, and does not protect the administrator. The first webapp which uses jGuard configures all the JVM security configuration.
The authentication configuration is easier, because everything is configured in web.xml. There is no need to configure anything on the JVM side. Security is present once the first webapp which uses jGuard has been loaded by the application server.
This security level is reliable for these use cases:
- the webapp is used to test jGuard
- there is only one webapp on the application server
- there are multiple webapps on the same application server, and they are 'friendly' to each other
- one 'friendly' webapp is loaded first
'advanced' authentication
'Advanced' configuration provides the most secure level available, but is a little trickier to configure:
you have to install two jars, one for the webapp and one dedicated to the JVM side. Some bootclasspath tricks are needed too.
This configuration protects webapp resources against users like the 'usual' configuration, protects webapp developers against other webapps, and protects the administrator against any webapp developer. The administrator's machine should also restrict the rights given to Java, to protect against the application server administrator. This configuration is highly secure, and should be used by hosting companies. It is a cascading security delegation model:
- webapp users are controlled by webapp developers;
- webapp developers are isolated from other webapps (other webapp developers cannot do damage);
- webapp developers are controlled by the application server administrator, who configures the JVM security;
- the application server administrator is controlled by the operating system administrator, who assigns restricted rights to Java;
- the operating system administrator's security relies on BIOS security, which relies on the physical security of the machine.
To have this very secure configuration, you must enable the securityManager.
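Why the 'usual' configuration only suits 'friendly' webapps, and why the 'advanced' one needs the securityManager, shown as an added example (not jGuard code). It assumes the JVM-wide state involved is the standard JAAS login Configuration, on which jGuard is built. The class name, the webapp names and the login module names are hypothetical.

```java
import java.util.Collections;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

public class SharedJaasConfigDemo {

    // Minimal JAAS Configuration mapping every application name to one login module.
    // 'owner' only records which (hypothetical) webapp installed it.
    static final class FixedConfiguration extends Configuration {
        private final String owner;
        private final String loginModuleClass;

        FixedConfiguration(String owner, String loginModuleClass) {
            this.owner = owner;
            this.loginModuleClass = loginModuleClass;
        }

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(loginModuleClass,
                        LoginModuleControlFlag.REQUIRED, Collections.emptyMap())
            };
        }

        @Override
        public String toString() {
            return "Configuration installed by " + owner;
        }
    }

    public static void main(String[] args) {
        // The first webapp to load installs its configuration in a static, JVM-wide slot.
        Configuration.setConfiguration(
                new FixedConfiguration("webappA", "example.a.LoginModuleA"));

        // A second webapp in the same JVM reads that same slot, whatever its classloader.
        System.out.println("webappB sees: " + Configuration.getConfiguration());

        // With no security manager there is no permission check on replacing it.
        // When one is enabled, setConfiguration requires
        // AuthPermission("setLoginConfiguration"), which the policy can withhold.
        Configuration.setConfiguration(
                new FixedConfiguration("webappB", "example.b.LoginModuleB"));
        System.out.println("webappA now logs in with: " + Configuration.getConfiguration()
                .getAppConfigurationEntry("webappA")[0].getLoginModuleName());
    }
}
```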