Securing my JEE application: Point me in the right direction?

I have a simple JEE application which is deployed to JBoss 5.1.0.GA. The application consists of EJB3 entities, session beans and servlets and later, will include Web Services.
I would like to begin working out how to apply security to the application, but I'm not sure where to start.
I've been poring over all the documentation available for JBoss (as well as JEE), but I'm not sure what it is I want to look at.

Based on the JEE documentation, I know how to secure the resources in the application to particular roles. I believe I just need to map my runtime users to the application roles.

Do I then just need to build a Login Module (is that the right term?) and configure JBoss AS to use it?

I was not able to find any information on creating a Login Module and configuring JBoss AS. Can you please provide me with a pointer?

Is this JAAS, or is there a newer/better technology available for doing this?
Using this, is it possible to maintain my list of users and roles in my application database, such that it can be updated dynamically?


Thank you for any pointers.
author
How you go about it depends on your application's architecture. Let's take a simple architecture: your users access servlets, which in turn access EJBs. The entry point into the system is thus the servlet, which means that you have to apply authentication there. This means editing the server/xxx/conf/login-config.xml file to define your login mechanism (add an application-policy entry to the file). Then create a WEB-INF/jboss-web.xml file in your web app (package it with your servlets) and have it reference the application-policy. Then go into the WEB-INF/web.xml file and specify the authentication and access control mechanism (any decent book on JSPs and servlets will tell you how).

Then for access control for your EJBs, use the same roles that you specified in web.xml file.

By the way, JBoss in Action goes into a lot of detail on security.
Mark E Hansen
Ranch Hand
Thank you very much for that, Jason. I have ordered JBoss in Action, but it won't be here until after the holiday.

Is there a tutorial available that can walk me through this?

Am I correct that I will need to create a login module if I want to store my user/group lists and role associations in a database?

Thanks again,

Ranch Hand
Mark E Hansen wrote: Thank you very much for that, Jason. I have ordered JBoss in Action, but it won't be here until after the holiday.
Is there a tutorial available that can walk me through this?
Am I correct that I will need to create a login module if I want to store my user/group lists and role associations in a database?
Thanks again,

Yes you do. Your application policy must use the module org.jboss.security.auth.spi.DatabaseServerLoginModule.
It's very easy to set up in your login-config.xml file.
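Putting Jason's steps (application-policy in login-config.xml, jboss-web.xml pointing at it, constraints in web.xml, the same roles on the EJBs) together with the DatabaseServerLoginModule suggestion above, here is an added worked example; it is not from either poster and not from the JBoss documentation. Everything named in it is an assumption for illustration: a JBoss 5.1 server profile called default, a datasource bound at java:/MyAppDS, tables app_users(username, password) and app_user_roles(username, role_name), a security domain called MyAppRealm and a role called admin.

```xml
<!-- 1. server/default/conf/login-config.xml: add this application-policy
     inside the existing <policy> root element.
     The datasource name, table and column names and the domain name
     MyAppRealm are assumptions for this example. -->
<application-policy name="MyAppRealm">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <module-option name="dsJndiName">java:/MyAppDS</module-option>
      <!-- principalsQuery must return exactly one column: the stored
           password (or password hash) for the user name bound to the ? -->
      <module-option name="principalsQuery">
        SELECT password FROM app_users WHERE username = ?
      </module-option>
      <!-- rolesQuery must return two columns: the role name and the role
           group. JBoss only honours roles whose group is 'Roles'. -->
      <module-option name="rolesQuery">
        SELECT role_name, 'Roles' FROM app_user_roles WHERE username = ?
      </module-option>
      <!-- Never store clear-text passwords. With these two options the
           module digests the submitted password before comparing it with
           the value returned by principalsQuery. -->
      <module-option name="hashAlgorithm">SHA-256</module-option>
      <module-option name="hashEncoding">base64</module-option>
    </login-module>
  </authentication>
</application-policy>

<!-- 2. WEB-INF/jboss-web.xml: bind the web app to that domain.
     The java:/jaas/ prefix is where JBoss 5 registers its security domains. -->
<jboss-web>
  <security-domain>java:/jaas/MyAppRealm</security-domain>
</jboss-web>

<!-- 3. WEB-INF/web.xml (Servlet 2.5): declare what is protected, how users
     log in, and which roles exist. Placed inside the <web-app> element. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin area</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <!-- CONFIDENTIAL forces HTTPS so the form credentials are not sent in
       the clear. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>admin</role-name>
</security-role>
```

Because the users and roles live in ordinary tables, adding a user or changing a role is just an INSERT or UPDATE; the next login picks it up without a redeploy. On the EJB side, the same role names are reused with the standard @RolesAllowed("admin") annotation, and the bean is bound to the same domain with JBoss's @SecurityDomain("MyAppRealm") so that the caller principal established by the servlet login is propagated. Two checks a practitioner should make on this setup: the login page and error page themselves must be outside every protected url-pattern, and the hashAlgorithm/hashEncoding options only produce an unsalted digest, so verify against the JBoss 5 documentation how you intend to salt stored hashes before putting real credentials in that table.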
Rancher
I don't think you need to resort to JAAS just to add authentication. As long as the users/passwords/roles are in a repository that's compatible with JBoss's servlet security implementation - probably not a high hurdle - you should be good to go. (I'm a bit vague because I don't know much about JBoss, and - although the API you'd use in the servlet code is standardized - the way to set it up is server-specific. The JBoss approach is described at http://docs.jboss.org/jbossas/jboss4guide/r5/html/ch8.chapter.html)

Of course, properly securing an application goes way beyond adding authentication. See http://faq.javaranch.com/java/SecurityFaq#web-apps for some pointers on what else should be considered.