• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
  • Campbell Ritchie
  • Paul Clapham
  • Tim Cooke
  • Jeanne Boyarsky
  • Liutauras Vilda
  • Frank Carver
  • Henry Wong
  • Ron McLeod
Saloon Keepers:
  • Tim Moores
  • Frits Walraven
  • Tim Holloway
  • Stephan van Hulst
  • Carey Brown
  • Al Hobbs
  • Piet Souris
  • Himai Minh

A Question for JBoss at Work Authors

Posts: 28
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
First, thanks for your work in the book. Practical guides are always worth a look. My question centers around application security. Security is central to a lot of the applications my team is writing. We currently use Oracle Application Server but it is a pain to configure and work with and so are looking at alternatives. How in depth does your book go with regard to security?
Ranch Hand
Posts: 293
Mac OS X Netbeans IDE Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I'm not one of the authors, but perhaps I can comment.

First let me say, that I've read the book and it think its a very good read and a well worth buy for anyone developing/planning to develop apps on JBoss.

The book contains a chapter on security which covers restricting access to both web pages and to EJBs. It includes details about configuring JAAS authentication in JBoss and how this all ties up with your application.

As with most things in JBoss, configuring security is a matter of configuring xml files. There is no GUI to help you configure security, but if you know what XML files to edit its relatively painless.
Posts: 67
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I think you posted this twice, but that's OK - I'll respond here, too.

It depends on what you're looking for. In chapter 9, we show how to add J2EE declarative security (FORM-based authentication) to the web site. Then, we show how to connect with JAAS (Java Authentication and Authorization Service) to authenticate/authorize the user. We use role-based security so that users in a particular role can only see certain pages. We show how to protect JSPs and Action URLs (so that only authorized users can execute your business logic).

We chose JAAS because:
1) JBoss security is based on JAAS.
2) You can swap out security realms (DBMS, Operating System, etc.) without changing your code.

We show how to configure JBoss to use a JAAS LoginModule that uses database tables for user authentication/authorization.

We also show how to propagate your security context (user/role) to the EJB tier from the web tier. But, if you don't use the Remote Interface for EJBs (or you don't use them at all), then the web-tier security is sufficient.

We also have an Appendix that covers JAAS in greater depth than the security chapter.

Are you okay? You look a little big. Maybe this tiny ad will help:
the value of filler advertising in 2021
    Bookmark Topic Watch Topic
  • New Topic