platform-help-home/infocenter_secure_access.html
Revision 1.3
Thu May 19 04:05:55 2005 UTC (4 years, 6 months ago) by kkolosow
Branch: MAIN
CVS Tags: R3_1, HEAD
Changes since 1.2: +1 -1 lines
moving IRealmFactory to internal package
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<!------------------------------------------------------------------------------
 ! Copyright (c) 2000, 2004 IBM Corporation and others.
 ! All rights reserved. This program and the accompanying materials
 ! are made available under the terms of the Common Public License v1.0
 ! which accompanies this distribution, and is available at
 ! http://www.eclipse.org/legal/epl-v10.html
 !
 ! Contributors:
 !     IBM Corporation - initial API and implementation
 ------------------------------------------------------------------------------->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Secure InfoCenter Help - Eclipse Platform</title>
</head>
<body>
<h1>Secure InfoCenter Help</h1>

<h2>Introduction</h2>
<p>The Eclipse InfoCenter provides a common framework allowing help and information documentation from different sources to be integrated. The <a href="http://help.eclipse.org/help30/topic/org.eclipse.platform.doc.isv/reference/misc/help_infocenter.html">Standalone Infocenter</a> in turn makes this documentation content available on the intranet/internet for convenient access.</p>
<p>Prior to Eclipse 3.1, no security or access control mechanisms were provided for the InfoCenter content, making it unsuitable for serving confidential information in an enterprise environment.</p>
<p>Eclipse 3.1 has been enhanced to allow secure access to the InfoCenter.</p>

<h2>Enabling Secure Access to InfoCenter Help</h2>
<p>By default, security and access control are turned off. To turn on secure access for the InfoCenter, follow these steps.</p>
<ol>
<li><a href="#realmfactory">Implement the <code>IRealmFactory</code> interface</a>.</li>
<li><a href="#enableSSL">Enable the SSL connector in the help subsystem appserver</a>.</li>
<li><a href="#enableSecureWebApp">Enable and configure the security constraint in the help web application</a>.</li>
</ol>

<h3><a name="realmfactory">Implement the <code>IRealmFactory</code> interface</a></h3>
<p>To enable access control to the InfoCenter, one needs to create a plugin that implements the <code>org.eclipse.tomcat.realmfactory</code> extension point.
<pre><code>&lt;extension
      id="org.eclipse.test.simplerealm"
      name="%simplerealm.realm"
      point="org.eclipse.tomcat.realmfactory"&gt;
   &lt;realmfactory class="org.eclipse.test.simplerealm.SimpleRealmFactory"&gt;
      &lt;parameter name="userDefinitionFile" value="c:\\tomcat-users.xml"/&gt;
   &lt;/realmfactory&gt;
&lt;/extension&gt;</code></pre></p>
<p>The extension point implementation declares a class that implements the <code>IRealmFactory</code> interface. In the example shown here, the class is called <code>org.eclipse.test.simplerealm.SimpleRealmFactory</code>.</p>
<p>The main purpose of classes implementing the <code>IRealmFactory</code> interface is to return an appropriate <code>org.apache.catalina.Realm</code> object, perhaps taking into account the configuration information provided in the extension point. A very simple implementation might look like the following:
<pre><code>package org.eclipse.test.simplerealm;

import java.util.Map;

import org.apache.catalina.Realm;
import org.apache.catalina.realm.MemoryRealm;
import org.eclipse.core.runtime.CoreException;
import org.eclipse.core.runtime.IConfigurationElement;
import org.eclipse.core.runtime.IExecutableExtension;
import org.eclipse.tomcat.internal.extensions.IRealmFactory;

public class SimpleRealmFactory implements IRealmFactory, IExecutableExtension {

    // Both fields are populated by setInitializationData().
    private IConfigurationElement config;
    private Map parameters;

    /* (non-Javadoc)
     * @see org.eclipse.core.runtime.IExecutableExtension#setInitializationData(org.eclipse.core.runtime.IConfigurationElement, java.lang.String, java.lang.Object)
     */
    public void setInitializationData(IConfigurationElement config,
            String propertyName, Object data) throws CoreException {
        this.config = config;
        parameters = (Map) data;
    }

    /**
     * Creates a realm appropriate for authenticating
     * using the path specified in the userDefinitionFile parameter.
     *
     * @see org.eclipse.tomcat.internal.extensions.IRealmFactory#createRealm()
     */
    public Realm createRealm() {
        MemoryRealm retVal = new MemoryRealm();
        // Look for the &lt;parameter name="userDefinitionFile"&gt; child element.
        IConfigurationElement[] parameters = config.getChildren();
        String filepath = null;
        for (int i = 0; i &lt; parameters.length; i++) {
            if ("userDefinitionFile".equals(parameters[i].getAttribute("name"))) {
                filepath = parameters[i].getAttribute("value");
                break;
            }
        }
        // Without the parameter, MemoryRealm keeps its default user file.
        if (filepath != null) {
            retVal.setPathname(filepath);
        }
        return retVal;
    }
}</code></pre></p>
<p>How to implement a custom <code>Realm</code> object that could provide more sophisticated authentication (perhaps by going to a JNDI directory) is beyond the scope of this document. Please refer to the appropriate documentation on Tomcat for more information.</p>

<h3><a name="enableSSL">Enable the SSL connector in the help subsystem appserver</a></h3>
<p>Before one can enable SSL for the help subsystem, one must create the Java key store file using the <code>keytool</code> command in the Java JDK. To create a new key store file containing a self-signed certificate on Windows, execute
<pre><code>%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA</code></pre>
On Unix, execute instead
<pre><code>$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA</code></pre>
</p>
<p>Optionally, one could also set up an officially approved certificate. For more details on requesting and importing a Certificate from a Certificate Authority, see <a href="http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html">SSL Configuration How-to</a> on the Tomcat site.</p>
<p>After the Java key store has been properly initialized, enable SSL for the help subsystem by editing the <code>preferences.ini</code> file in the plugin <code>org.eclipse.tomcat</code>. Modify the value of <code>sslPort</code>
<pre><code># The port number to use for the SSL Connector
# Should consider moving this to the AppserverPlugin
sslPort = -1</code></pre>
from -1 to 0 (to request the system to assign an arbitrary available port) or to a specific available port for the SSL connection.</p>

<h3><a name="enableSecureWebApp">Enable and configure the security constraint in the help web application</a></h3>
<p>To enable the security constraint, uncomment the following section in the <code>web.xml</code> file in the plugin <code>org.eclipse.help.webapp</code>, under the directory <code>WEB-INF</code>.
<pre><code>&lt;!-- Uncomment to enable secure access to the InfoCenter.
  ** Update the role-names as appropriate.
&lt;security-constraint&gt;
   &lt;web-resource-collection&gt;
      &lt;web-resource-name&gt;helproot&lt;/web-resource-name&gt;
      &lt;description&gt;&lt;/description&gt;
      &lt;url-pattern&gt;/*&lt;/url-pattern&gt;
      &lt;http-method&gt;GET&lt;/http-method&gt;
      &lt;http-method&gt;PUT&lt;/http-method&gt;
   &lt;/web-resource-collection&gt;
   &lt;auth-constraint&gt;
      &lt;description&gt;&lt;/description&gt;
      &lt;role-name&gt;tomcat&lt;/role-name&gt;
   &lt;/auth-constraint&gt;
   &lt;user-data-constraint&gt;
      &lt;transport-guarantee&gt;CONFIDENTIAL&lt;/transport-guarantee&gt;
   &lt;/user-data-constraint&gt;
&lt;/security-constraint&gt;
&lt;login-config&gt;
   &lt;auth-method&gt;BASIC&lt;/auth-method&gt;
&lt;/login-config&gt;
&lt;security-role&gt;
   &lt;description&gt;&lt;/description&gt;
   &lt;role-name&gt;tomcat&lt;/role-name&gt;
&lt;/security-role&gt;
--&gt;</code></pre>
Make sure the <code>role-name</code> elements are updated to the appropriate role name for your organization.</p>

<h2>How to start or stop infocenter from command line</h2>
<p>The <code>org.eclipse.help.standalone.Infocenter</code> class has a main method that you can use to launch infocenter from a command line. The command line arguments syntax is:</p>
<p><code>-command start | shutdown | [-eclipsehome eclipseInstallPath] [-host helpServerHost] [-locales localeList] [-port helpServerPort] [-adminId administratorUserId] [-adminPassword administratorPassword] [-trustStoreLocation trustStoreLocation] [-trustStorePassword trustStorePassword] [-dir rtl] [-noexec] [platform options] [-vmargs JavaVMarguments]</code></p>
<p>To start an infocenter on port 8081, issue a start command by running</p>
<p><code>java -classpath d:\myApp\eclipse\plugins\org.eclipse.help.base_3.1.0.jar org.eclipse.help.standalone.Infocenter -command start -eclipsehome d:\myApp\eclipse -port 8081</code></p>
<p>To shut the infocenter down, issue a shutdown command by running</p>
<p><code>java -classpath d:\myApp\eclipse\plugins\org.eclipse.help.base_3.1.0.jar org.eclipse.help.standalone.Infocenter -command shutdown -adminId adminUserId -adminPassword adminPassword -trustStoreLocation trustStoreLocation -trustStorePassword trustStorePassword -eclipsehome d:\myApp\eclipse</code></p>
<p>The options <code>adminId</code>, <code>adminPassword</code>, <code>trustStoreLocation</code>, and <code>trustStorePassword</code> are needed if secure access to the infocenter is enabled. The administrator must be authorized by the realm for accessing the Infocenter. The trust store options may be needed if the certificate in the keystore is not an officially approved certificate.</p>
</body>
</html>
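An added check, not part of the original Eclipse document or the project's code: a Python audit of the help web application's `web.xml` after the uncommenting step described above. It reports a constraint that is still commented out, a constraint limited to listed `http-method` values (under the Servlet specification only the listed methods are constrained), undeclared roles, and BASIC login without `CONFIDENTIAL` transport. The sample XML is constructed from the block on the page, and `audit_web_xml` and its messages are names chosen for this example.

```python
import xml.etree.ElementTree as ET
# Constructed sample: the page's constraint block after uncommenting.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>helproot</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>tomcat</role-name></security-role>
</web-app>"""

def _texts(node, path):  # stripped text of every element matching path
    return [(e.text or "").strip() for e in node.findall(path)]

def audit_web_xml(xml_text):
    """Return findings (strings) about the security constraints in a web.xml."""
    root = ET.fromstring(xml_text)      # the parser drops XML comments
    for el in root.iter():              # ignore schema namespaces, if any
        el.tag = el.tag.rsplit("}", 1)[-1]
    constraints = root.findall("security-constraint")
    if not constraints:
        return ["no active security-constraint (block still commented out?)"]
    findings = []
    declared = set(_texts(root, "security-role/role-name"))
    basic = "BASIC" in _texts(root, "login-config/auth-method")
    for c in constraints:
        methods = _texts(c, "web-resource-collection/http-method")
        if methods:  # listed methods are the only ones the constraint covers
            findings.append("only %s constrained; other methods are not" % "/".join(methods))
        if c.find("auth-constraint") is None:
            findings.append("no auth-constraint: no login required")
        for role in _texts(c, "auth-constraint/role-name"):
            if role != "*" and role not in declared:
                findings.append("role %r has no matching security-role" % role)
        guarantee = _texts(c, "user-data-constraint/transport-guarantee")
        if basic and "CONFIDENTIAL" not in guarantee:
            findings.append("BASIC auth without CONFIDENTIAL transport")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_web_xml(SAMPLE_WEB_XML)))
```

Removing the two `http-method` elements makes the constraint apply to every HTTP method, and the audit of that variant returns no findings.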
