Win a copy of Re-engineering Legacy Software this week in the Refactoring forum
or Docker in Action in the Cloud/Virtualization forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

A Question for JBoss at Work Authors

 
Michael Moser
Greenhorn
Posts: 28
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
First, thanks for your work in the book. Practical guides are always worth a look. My question centers around application security. Security is central to a lot of the applications my team is writing. We currently use Oracle Application Server but it is a pain to configure and work with and so are looking at alternatives. How in depth does your book go with regard to security?
 
Dave Salter
Ranch Hand
Posts: 293
Java Mac OS X Netbeans IDE
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I'm not one of the authors, but perhaps I can comment.

First let me say, that I've read the book and it think its a very good read and a well worth buy for anyone developing/planning to develop apps on JBoss.

The book contains a chapter on security which covers restricting access to both web pages and to EJBs. It includes details about configuring JAAS authentication in JBoss and how this all ties up with your application.

As with most things in JBoss, configuring security is a matter of configuring xml files. There is no GUI to help you configure security, but if you know what XML files to edit its relatively painless.
 
Tom Marrs
Author
Ranch Hand
Posts: 67
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Michael,
I think you posted this twice, but that's OK - I'll respond here, too.

It depends on what you're looking for. In chapter 9, we show how to add J2EE declarative security (FORM-based authentication) to the web site. Then, we show how to connect with JAAS (Java Authentication and Authorization Service) to authenticate/authorize the user. We use role-based security so that users in a particular role can only see certain pages. We show how to protect JSPs and Action URLs (so that only authorized users can execute your business logic).

We chose JAAS because:
1) JBoss security is based on JAAS.
2) You can swap out security realms (DBMS, Operating System, etc.) without changing your code.

We show how to configure JBoss to use a JAAS LoginModule that uses database tables for user authentication/authorization.

We also show how to propagate your security context (user/role) to the EJB tier from the web tier. But, if you don't use the Remote Interface for EJBs (or you don't use them at all), then the web-tier security is sufficient.

We also have an Appendix that covers JAAS in greater depth than the security chapter.

Tom
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic