File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes JBoss/WildFly and the fly likes A Question for JBoss at Work Authors Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Products » JBoss/WildFly
Bookmark "A Question for JBoss at Work Authors" Watch "A Question for JBoss at Work Authors" New topic

A Question for JBoss at Work Authors

Michael Moser

Joined: May 14, 2004
Posts: 28
First, thanks for your work in the book. Practical guides are always worth a look. My question centers around application security. Security is central to a lot of the applications my team is writing. We currently use Oracle Application Server but it is a pain to configure and work with and so are looking at alternatives. How in depth does your book go with regard to security?
Dave Salter
Ranch Hand

Joined: Jul 20, 2005
Posts: 293

I'm not one of the authors, but perhaps I can comment.

First let me say, that I've read the book and it think its a very good read and a well worth buy for anyone developing/planning to develop apps on JBoss.

The book contains a chapter on security which covers restricting access to both web pages and to EJBs. It includes details about configuring JAAS authentication in JBoss and how this all ties up with your application.

As with most things in JBoss, configuring security is a matter of configuring xml files. There is no GUI to help you configure security, but if you know what XML files to edit its relatively painless.
Tom Marrs
Ranch Hand

Joined: Sep 20, 2000
Posts: 67
I think you posted this twice, but that's OK - I'll respond here, too.

It depends on what you're looking for. In chapter 9, we show how to add J2EE declarative security (FORM-based authentication) to the web site. Then, we show how to connect with JAAS (Java Authentication and Authorization Service) to authenticate/authorize the user. We use role-based security so that users in a particular role can only see certain pages. We show how to protect JSPs and Action URLs (so that only authorized users can execute your business logic).

We chose JAAS because:
1) JBoss security is based on JAAS.
2) You can swap out security realms (DBMS, Operating System, etc.) without changing your code.

We show how to configure JBoss to use a JAAS LoginModule that uses database tables for user authentication/authorization.

We also show how to propagate your security context (user/role) to the EJB tier from the web tier. But, if you don't use the Remote Interface for EJBs (or you don't use them at all), then the web-tier security is sufficient.

We also have an Appendix that covers JAAS in greater depth than the security chapter.

I agree. Here's the link:
subject: A Question for JBoss at Work Authors
It's not a secret anymore!