Java EE Platform and Security Management


The Java EE platform offers a rich environment for securing web applications, web services, and enterprise beans in a declarative manner by working with application resources and user roles. The two concepts are defined as follows:

  • Resources are visible or callable features of the applications. For EJB modules, resources are public EJB methods declared on home or remote interfaces. For web modules, resources are URL patterns that are mapped to JavaServer Pages (JSP) files, servlet methods, and other components.

  • Roles define access privileges and can be associated with one or more users.

Java enterprise applications are secured by mapping resources to roles. When a resource is called, the caller must map to a role name that is authorized to access the resource. If the caller cannot map to an authorized role, the call is rejected. In enterprise applications, the application server verifies the caller's role before allowing the caller to execute the resource.

The authorized combinations of roles and resources are declared in deployment descriptors. The application server reads them from the deployment descriptors and applies them. This process is known as declarative security.

The necessary tasks that you must perform to secure an enterprise application are:

  • Declare the different roles.

  • Specify which roles are permitted to access the resources.

This section describes the different steps to follow to secure a simple web application with NetBeans IDE. For a complete tutorial on enterprise application security, you can refer to the J2EE 1.4 Tutorial at http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security2.html.

Simple Declarative Security

If you want to secure access for the web pages exposed within an enterprise application, you need to declare <security-constraint>, <security-role>, and <login-config> elements in the web.xml deployment descriptor (which you can find in the Projects window by expanding the web project's Configuration Files node). The visual web.xml editor does not expose those elements in NetBeans IDE, so you need to switch to the XML view and add the following elements:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>basic security test</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>staffmember</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>basic-file</realm-name>
    </login-config>

    <security-role>
        <role-name>staffmember</role-name>
    </security-role>


These settings protect access to all of the application's web pages (see the <url-pattern> element) using the BASIC login configuration. The authorized logical role is called staffmember.

Authentication establishes the identity of a user by challenging the user to provide a valid username/password pair. Authentication can be used to protect any web-accessible resource, including web applications, web services, page flow applications, and individual JSP pages. In BASIC authentication, the browser provides the login window and it cannot be customized. If you require a customizable login page, use FORM Authentication.
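The following web.xml security section is an added example, not code from the book or from the NetBeans project. It keeps the staffmember role from the text but tightens two things a practitioner usually wants: a <user-data-constraint> so that the protected pages (and the credentials sent for them) only travel over HTTPS, and FORM authentication with a custom login page instead of the browser's BASIC dialog. The /staff/* pattern and the login.jsp and login-error.jsp page names are assumptions chosen for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the book): web.xml security section with
     HTTPS enforced for the protected area and FORM authentication. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>staff area</web-resource-name>
            <!-- Assumed pattern: protect only the staff section so the
                 login page itself (outside /staff/) stays reachable. -->
            <url-pattern>/staff/*</url-pattern>
            <!-- No <http-method> is listed on purpose: with none, the
                 constraint covers every HTTP method. Listing only GET and
                 POST would leave HEAD, PUT, DELETE, etc. unprotected. -->
        </web-resource-collection>
        <auth-constraint>
            <!-- Only callers mapped to this logical role may pass. -->
            <role-name>staffmember</role-name>
        </auth-constraint>
        <user-data-constraint>
            <!-- CONFIDENTIAL makes the container redirect plain HTTP
                 requests for these resources to HTTPS, so the form POST
                 carrying the password is not sent in the clear. -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>basic-file</realm-name>
        <form-login-config>
            <!-- Assumed page names. The login form must POST the fields
                 j_username and j_password to the action j_security_check;
                 the container handles the rest. -->
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/login-error.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>staffmember</role-name>
    </security-role>
</web-app>
```

Switching back to BASIC is a one-line change (<auth-method>BASIC</auth-method>, with the <form-login-config> removed); the <user-data-constraint> is worth keeping either way, because BASIC sends the username and password base64-encoded, not encrypted, on every request.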

Registering Users for an Application Server Instance

To add authorized users to the Sun Java System Application Server, follow these steps:

  1. Make sure the server instance is up and running by opening the Runtime window, right-clicking the server instance's node, and choosing Start. If the Start menu item is not enabled, the server is already running.

    Figure 13-24. Starting the application server from the IDE's Runtime window

  2. Right-click the server instance's node and choose View Admin Console. The login page for the Admin Console appears in a web browser.

  3. Log into the application server's Admin Console by entering the username and password of a user in the admin-realm who belongs to the asadmin group. The name and password you entered when installing the server will work. The NetBeans IDE/Sun Java System Application Server bundle uses these default values: admin for the username and adminadmin for the password.

  4. In the Admin Console tree, expand the Configuration | Security | Realms node and select the file realm to add the users that you want to allow to access applications running in this realm.

  5. Click the Manage Users button.

  6. Click New to add a new user to the realm. In this case, we will use ludo as both the username and the password. You can also enter a group to which the user belongs, but leave that field blank for this example.

  7. Click OK to add this user to the list of users in the realm. Figure 13-25 shows the state of the console after the user ludo has been added to the realm.

    Figure 13-25. Sun Java System Application Server Admin Console after having created a user account

  8. Click Logout when you have completed this task.

Now that you have registered a username for this application server instance, you can map the logical security role called staffmember to this physical user called ludo. To do that, use the IDE's visual editor for the sun-web.xml file:

  1. Open the sun-web.xml file from the Projects window by expanding the project's Configuration Files node and double-clicking the sun-web.xml node.

  2. In the visual editor, expand the Sun Web Application node. If you have declared the <security-constraint>, <security-role>, and <login-config> elements as described previously in the Simple Declarative Security section, the staffmember node should appear.

  3. Select the staffmember node, click the Master Roles tab in the right pane of the visual editor, click Add Principal, and type ludo in the New Principal Name dialog box. (Figure 13-26 shows what the visual editor should look like after you have completed this step.)

    Figure 13-26. Visual editor for the sun-web.xml file, Master Roles tab, after having added the principal ludo

  4. Click the Role Assignments tab, select ludo in the Principal Master List, and click the Add button to assign that user to the staffmember role. Figure 13-27 shows what the visual editor should look like after you have completed this step.

    Figure 13-27. Visual editor for the sun-web.xml file, Role Assignments tab, after having mapped the staffmember role to the user ludo
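The four editor steps above end up as a <security-role-mapping> element in sun-web.xml. As an added example (not the book's own listing, and not output copied from the IDE), here is that mapping written by hand, plus a commented-out group-based alternative that assumes a realm group named staff, which the text does not create:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the book). The DOCTYPE line that the IDE
     generates for sun-web.xml is omitted here; keep the one in your
     project, since the server validates the file against it. -->
<sun-web-app>
    <!-- Map the logical role declared in web.xml to the physical user
         registered in the application server's file realm. -->
    <security-role-mapping>
        <role-name>staffmember</role-name>
        <principal-name>ludo</principal-name>
    </security-role-mapping>

    <!-- Assumed alternative: map the role to a realm group instead of a
         single user, so staff can be added or removed in the Admin Console
         without touching the deployment descriptor. Requires a group named
         "staff" in the realm (not created in this chapter). -->
    <!--
    <security-role-mapping>
        <role-name>staffmember</role-name>
        <group-name>staff</group-name>
    </security-role-mapping>
    -->
</sun-web-app>
```

A role-name here must match a <security-role> in web.xml exactly; a principal-name must match a user in the realm named by <realm-name>. If either is off by a character, the container simply finds no authorized role for the caller and rejects the request with a 403 rather than reporting a configuration error, so this mapping is the first place to look when a correct password still yields "forbidden".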

Now when you run this web application, you are prompted for a username and password when you first try to access the application's welcome page (as shown in Figure 13-28). Enter ludo as the username and ludo as the password, and you should be able to access the requested web page.

Figure 13-28. Prompt for username and password to access a web application that has security constraints set up


This section is only an introduction to Java EE security settings. Make sure you read the J2EE 1.4 Tutorial, which covers more advanced security concepts for enterprise applications, such as message-level protection for web-service endpoints (WSS in the SOAP layer uses XML Encryption and XML Digital Signatures to secure SOAP messages). You can find a complete tutorial at the following URL: http://docs.sun.com/source/819-0079/dgsecure.html#wp14462.

Remember, once you are ready to use more advanced security settings, you can take advantage of the IDE's visual configuration editors (for sun-ejb-jar.xml and sun-web.xml) to edit these security settings.



NetBeans IDE Field Guide(c) Developing Desktop, Web, Enterprise, and Mobile Applications
Year: 2004
Pages: 279