This week's book giveaway is in the OCPJP forum. We're giving away four copies of OCA/OCP Java SE 7 Programmer I & II Study Guide and have Kathy Sierra & Bert Bates on-line! See this thread for details.
First, thanks for your work in the book. Practical guides are always worth a look. My question centers around application security. Security is central to a lot of the applications my team is writing. We currently use Oracle Application Server but it is a pain to configure and work with and so are looking at alternatives. How in depth does your book go with regard to security?
I'm not one of the authors, but perhaps I can comment.
First let me say, that I've read the book and it think its a very good read and a well worth buy for anyone developing/planning to develop apps on JBoss.
The book contains a chapter on security which covers restricting access to both web pages and to EJBs. It includes details about configuring JAAS authentication in JBoss and how this all ties up with your application.
As with most things in JBoss, configuring security is a matter of configuring xml files. There is no GUI to help you configure security, but if you know what XML files to edit its relatively painless.
Michael, I think you posted this twice, but that's OK - I'll respond here, too.
It depends on what you're looking for. In chapter 9, we show how to add J2EE declarative security (FORM-based authentication) to the web site. Then, we show how to connect with JAAS (Java Authentication and Authorization Service) to authenticate/authorize the user. We use role-based security so that users in a particular role can only see certain pages. We show how to protect JSPs and Action URLs (so that only authorized users can execute your business logic).
We chose JAAS because: 1) JBoss security is based on JAAS. 2) You can swap out security realms (DBMS, Operating System, etc.) without changing your code.
We show how to configure JBoss to use a JAAS LoginModule that uses database tables for user authentication/authorization.
We also show how to propagate your security context (user/role) to the EJB tier from the web tier. But, if you don't use the Remote Interface for EJBs (or you don't use them at all), then the web-tier security is sufficient.
We also have an Appendix that covers JAAS in greater depth than the security chapter.