First, thanks for your work in the book. Practical guides are always worth a look. My question centers around application security. Security is central to a lot of the applications my team is writing. We currently use Oracle Application Server but it is a pain to configure and work with and so are looking at alternatives. How in depth does your book go with regard to security?
Joined: Sep 20, 2000
It depends on what you're looking for. In chapter 9, we show how to add J2EE declarative security (FORM-based authentication) to the web site. Then, we show how to connect with JAAS (Java Authentication and Authorization Service) to authenticate/authorize the user. We use role-based security so that users in a particular role can only see certain pages. We show how to protect JSPs and Action URLs (so that only authorized users can execute your business logic).
We chose JAAS because: 1) JBoss security is based on JAAS. 2) You can swap out security realms (DBMS, Operating System, etc.) without changing your code.
We show how to configure JBoss to use a JAAS LoginModule that uses database tables for user authentication/authorization.
We also show how to propagate your security context (user/role) to the EJB tier from the web tier. But, if you don't use the Remote Interface for EJBs (or you don't use them at all), then the web-tier security is sufficient.
We also have an Appendix that covers JAAS in greater depth than the security chapter.
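The declarative setup the post describes, as an added illustration that is not from the book or the original post: a web.xml fragment with FORM-based login and a security constraint that limits protected JSPs and Action URLs to one role, a jboss-web.xml that binds the application to a JBoss security domain, and a login-config.xml entry that uses JBoss's DatabaseServerLoginModule so users and roles come from database tables. The security-domain name, URL patterns, role name, datasource JNDI name, page names and table/column names are assumptions, not values from the book.

```xml
<!-- WEB-INF/web.xml (fragment): J2EE declarative security with FORM-based authentication.
     The "admin" role and the /admin/* and *.do patterns are assumed for illustration.
     No <http-method> elements are listed on purpose: naming only GET and POST would leave
     every other verb unprotected, while omitting them covers all methods. -->
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected JSPs and Action URLs</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <url-pattern>*.do</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- require HTTPS so the form-posted password is not sent in the clear -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>

<!-- WEB-INF/jboss-web.xml: bind the web application to a JBoss security domain.
     The domain name "bookstore" is assumed. -->
<jboss-web>
  <security-domain>java:/jaas/bookstore</security-domain>
</jboss-web>

<!-- conf/login-config.xml (fragment): the JAAS application policy for that domain.
     DatabaseServerLoginModule looks the user up through a JNDI datasource; the datasource
     name and the users/user_roles tables and their columns are assumed. -->
<policy>
  <application-policy name="bookstore">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                    flag="required">
        <module-option name="dsJndiName">java:/BookstoreDS</module-option>
        <!-- must return exactly one column: the stored (hashed) password -->
        <module-option name="principalsQuery">
          SELECT password FROM users WHERE username = ?
        </module-option>
        <!-- must return the role name and the role group; 'Roles' is the group
             that J2EE isUserInRole / role-name checks are evaluated against -->
        <module-option name="rolesQuery">
          SELECT role, 'Roles' FROM user_roles WHERE username = ?
        </module-option>
        <!-- store password hashes rather than plaintext; the module hashes the
             submitted password before comparing it with principalsQuery's result -->
        <module-option name="hashAlgorithm">SHA-256</module-option>
        <module-option name="hashEncoding">base64</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
```

Swapping the realm, as the post describes, means replacing only the `login-module` element (for example with an LDAP or file-based module) while web.xml and the application code stay unchanged. The `security-constraint` only protects what the container serves, so business logic reachable through an EJB Remote Interface still needs the security-context propagation the post mentions.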
Joined: May 14, 2004
Excellent. I will have to check out your book. Thanks for the response and good luck!