Yubikey Glassfish Java Authentication Realm

Container-managed authentication is very useful in Java web applications; it saves writing a lot of back-end authentication and authorisation code into our applications, makes SSO (single sign-on) trivial between J2EE apps and also allows developers to hook into existing enterprise authorisation frameworks with relative ease.

Following our recent development work with the Yubikey, a one-time password (OTP) token from Yubico, we decided that it would be useful to have a Yubikey authentication realm for the Glassfish application server.

A lot of our existing J2EE applications use the JDBC Realm that is included in the Glassfish distribution. The JDBC Realm allows you to configure the authentication of your application to any JDBC back-end accessible by your application server (i.e. enabled by an appropriate JDBC driver library). Typically this will take the form of a MySQL database table with a list of usernames and password hashes.

Here’s an example of the Glassfish v2.1 JDBC Realm configuration template:

[Screenshot: Glassfish v2.1 JDBC Realm Configuration]

Our custom Yubikey Realm is essentially an extension of the JDBC Realm (although not in the sense of a Java “extends”). The Yubikey Realm supports all the same functionality as the JDBC Realm, so you can drop it in-place with all the same settings and it’s totally backwards compatible.

We’ve added the functionality to specify an additional column in the users database table containing the Base 64 Yubikey Public Identifier (ID) of the Yubikey assigned to that user. This is configured via the yubikey-column property. By default, the Yubikey Realm authenticates users as normal unless the submitted password is >= 32 characters long; in that case the password is assumed to be a Yubikey OTP, and the Realm validates it accordingly.

We have the additional parameters yubikey-force and yubikey-auth-url, which respectively control whether all logins are treated as Yubikey OTPs, and which validation server you would like to use.
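The decision logic those properties drive, as an added illustration rather than the realm’s own code: the class, method and property-holder names are hypothetical, the password digest is assumed to be SHA-256 (the JDBC Realm lets you configure it), the otpValidator predicate stands in for whatever client talks to the yubikey-auth-url server, and the record syntax needs Java 16 or later.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.function.Predicate;

public final class YubikeyRealmLogic {
    /** A Yubikey OTP ends in a 32-character body; whatever precedes it is the public ID. */
    private static final int OTP_BODY_LENGTH = 32;
    private final boolean yubikeyForce;           // the yubikey-force property
    private final Predicate<String> otpValidator; // client for the yubikey-auth-url server (assumed)

    public YubikeyRealmLogic(boolean yubikeyForce, Predicate<String> otpValidator) {
        this.yubikeyForce = yubikeyForce;
        this.otpValidator = otpValidator;
    }

    /** One row of the users table: password hash and yubikey-column value (null if unassigned). */
    public record UserRow(byte[] passwordHash, String yubikeyPublicId) {}

    /** True when the presented credential authenticates the given user. */
    public boolean authenticate(UserRow user, String credential) {
        if (yubikeyForce || credential.length() >= OTP_BODY_LENGTH) {
            return authenticateOtp(user, credential);
        }
        // Ordinary JDBC Realm path: compare digests in constant time.
        return MessageDigest.isEqual(user.passwordHash(), sha256(credential));
    }

    private boolean authenticateOtp(UserRow user, String otp) {
        // No Yubikey assigned, or nothing left over for a public ID: reject.
        if (user.yubikeyPublicId() == null || otp.length() <= OTP_BODY_LENGTH) {
            return false;
        }
        String presentedId = otp.substring(0, otp.length() - OTP_BODY_LENGTH);
        // Bind the OTP to this user's token before consulting the validation
        // server: a genuine OTP from a different Yubikey must not log this user in.
        if (!MessageDigest.isEqual(presentedId.getBytes(UTF_8),
                                   user.yubikeyPublicId().getBytes(UTF_8))) {
            return false;
        }
        return otpValidator.test(otp);
    }

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

With yubikey-force set, a short credential never reaches the password path and is rejected, because there is nothing left over for a public ID.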

Here’s an example of the realm configuration screen:

[Screenshot: Yubikey Authentication Realm Configuration]

…and there we have it. Instant in-place implementation of Yubikey authenticated logins for all of our existing J2EE applications without changing any application code. Obviously it’s worth noting that in this context we’re using the Yubikey OTP as a convenient password replacement, not as a 2nd authentication factor.

Please feel free to contact me if you’re interested in using our authentication realm; we may consider publishing it online in due course, along with the installation instructions and a few enhancements that are pending.

This entry was posted in Java, Security.