This sample demonstrates the use of a Network interceptor in a very simple authentication scheme.
The authentication consists of the client side of each connection sending a user name that must match the user name on the server side. The server then sends a response, either "OK" or an error message. If the response is "OK", the client proceeds with the connection; otherwise it exits.
The user name is set as a system property -Djppf.user.name=<user_name> on all JPPF processes (client, server, nodes), and the interceptor encrypts it before sending it over the network. As in the Network Data Encryption demo, the network data is encrypted using a DES cipher with a 56-bit symmetric secret key. This secret key is kept in a keystore included in the resulting jar file deployed to the nodes, servers and clients. Therefore, the jar file is the weakest point in the security chain. This design should not be used in production, but it is sufficient for the needs of this demo.
The actual authentication is performed through a JAAS Login Module which is invoked from our network interceptor's onConnect() method.
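The exchange described above, sketched in plain Java as an added example (not the sample's own code, and without the JAAS layer or any JPPF API). The class and method names, the length-prefixed framing, the cipher mode and padding, and the error strings are assumptions; only DES, the user-name match and the "OK" reply come from the text.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import javax.crypto.*;

// Hypothetical names throughout; an in-memory buffer stands in for the socket.
public class HandshakeSketch {
  static final String ALGO = "DES/ECB/PKCS5Padding"; // DES as in the demo; mode and padding assumed

  // Client side: encrypt the user name and send it with a length prefix.
  static void sendUser(SecretKey key, String user, DataOutputStream out) throws Exception {
    Cipher c = Cipher.getInstance(ALGO);
    c.init(Cipher.ENCRYPT_MODE, key);
    byte[] enc = c.doFinal(user.getBytes(StandardCharsets.UTF_8));
    out.writeInt(enc.length);
    out.write(enc);
    out.flush();
  }

  // Server side: decrypt, compare with the local user name, answer "OK" or an error message.
  static String checkUser(SecretKey key, String expected, DataInputStream in) throws IOException {
    try {
      int len = in.readInt();
      if (len <= 0 || len > 1024) return "invalid message length"; // bound the allocation
      byte[] enc = new byte[len];
      in.readFully(enc);
      Cipher c = Cipher.getInstance(ALGO);
      c.init(Cipher.DECRYPT_MODE, key);
      String user = new String(c.doFinal(enc), StandardCharsets.UTF_8);
      return expected.equals(user) ? "OK" : "invalid user name";
    } catch (GeneralSecurityException e) {
      return "decryption failed"; // typical result when the two sides hold different keys
    }
  }

  // One round trip: what the client writes is what the server reads.
  static String exchange(SecretKey clientKey, SecretKey serverKey, String sent, String expected) throws Exception {
    ByteArrayOutputStream wire = new ByteArrayOutputStream();
    sendUser(clientKey, sent, new DataOutputStream(wire));
    return checkUser(serverKey, expected, new DataInputStream(new ByteArrayInputStream(wire.toByteArray())));
  }

  public static void main(String[] args) throws Exception {
    KeyGenerator gen = KeyGenerator.getInstance("DES");
    SecretKey shared = gen.generateKey(), other = gen.generateKey(); // constructed keys, not the demo keystore
    System.out.println(exchange(shared, shared, "jppf_user", "jppf_user"));    // matching name, same key
    System.out.println(exchange(shared, shared, "someone_else", "jppf_user")); // name mismatch
    System.out.println(exchange(shared, other, "jppf_user", "jppf_user"));     // keys differ
  }
}
```

Because both sides load the same key from the jar, a successful reply shows only that the peer holds the jar and the configured user name, which is why the text calls the jar the weakest point.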
To build and run the demo, please follow these steps:
- The first thing to do is to generate the secret key used for encryption and decryption: open a command prompt in JPPF-x.y.z-samples-pack/NetworkInterceptor and type "ant -Dpassword=<keystore_password>". This will compile the demo's code, generate a secret key and store it in a keystore, store the provided keystore password in a file in Base64 format, and finally put all these files in the file NetworkInterceptor.jar.
- You will then need to have a JPPF server and at least one node installed. For information on how to set up a node and server, please refer to the JPPF documentation.
- Before starting the server and node, we will need to configure them so they can discover and use the interceptor:
  - add NetworkInterceptor.jar to their classpath, by simply dropping it into their lib directory
  - edit their configuration file (config/jppf-driver.properties for the driver, config/jppf-node.properties for a node) and look for the jppf.jvm.options property.
    At the end of the property's value, add "-Djppf.user.name=<your_user_name>". As an example, the property should now look like this:
    jppf.jvm.options = -server -Xmx256m -Djppf.user.name=jppf_user
- We can now start the driver and node. In their console output, there will be messages like this:
    successful client authentication
    successful server authentication
  Note: we see client and server messages in the driver output, because the driver actually connects to the JMX remote server of each node.
- To run the demo, open a command prompt in JPPF-x.y.z-samples-pack/NetworkInterceptor, then there are several options:
  - to launch the demo with the Ant script on any platform: "ant run -Djppf.user.name=<your_user_name>"
  - to launch the demo with a shell script on Linux/Unix/Mac: "./run.sh <your_user_name>"
  - to launch the demo with a shell script on Windows: "run.bat <your_user_name>"
- You can try running the demo with a user name that doesn't match the one configured for the driver. You will then see that the demo quickly terminates without submitting a job.
- NetworkInterceptorDemo.java: The entry point for the demo
- JaasNetworkInterceptor.java: the network interceptor implementation
- CryptoHelper.java: utility class used to create secret keys and encrypt/decrypt data
- MyTask.java: a simple JPPF task added to the job submitted by the demo
- InterceptorLoginModule.java: the JAAS login module invoked from the network interceptor to authenticate
- InterceptorCallbackHandler.java: used by the JAAS login module to retrieve the socket connection through which authentication is performed
- JPPFJaasConfiguration.java: a JAAS configuration implementation which avoids using a jaas.config file
- SocketCallback.java: used to transport the socket connection back to the login module
If you need more insight into the code of this demo, you can consult the Java source files located in the NetworkInterceptor/src folder.
In addition, there are 2 privileged places you can go to: