The Java EE platform offers a rich environment for securing web applications, web services, and enterprise beans in a declarative manner by working with application resources and user roles. The two concepts are defined as follows:
Java enterprise applications are secured by mapping resources to roles. When a resource is called, the caller must map to a role name that is authorized to access the resource. If the caller cannot map to an authorized role, the call is rejected. In enterprise applications, the application server verifies the caller's role before allowing the caller to execute the resource. The authorized combinations of roles and resources are declared in deployment descriptors. The application server reads them from the deployment descriptors and applies them. This process is known as declarative security. The necessary tasks that you must perform to secure an enterprise application are:
This section describes the different steps to follow to secure a simple web application with NetBeans IDE. For a complete tutorial on enterprise application security, you can refer to the J2EE 1.4 Tutorial at http://java.sun.com/j2ee/1.4/docs/tutorial/doc/Security2.html.

Simple Declarative Security

If you want to secure access for the web pages exposed within an enterprise application, you need to declare <security-constraint>, <security-role>, and <login-config> elements in the web.xml deployment descriptor (which you can find in the Projects window by expanding the web project's Configuration Files node). The visual web.xml editor does not expose those elements in NetBeans IDE, so you need to switch to the XML view and add the following elements:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>basic security test</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>staffmember</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>basic-file</realm-name>
    </login-config>
    <security-role>
      <role-name>staffmember</role-name>
    </security-role>

These settings protect the access of all the web pages (see the <url-pattern> element), using the BASIC login configuration. The authorized logical role is called staffmember. Authentication establishes the identity of a user by challenging the user to provide a valid username/password pair. Authentication can be used to protect any web-accessible resource, including web applications, web services, page flow applications, and individual JSP pages. In BASIC authentication, the browser provides the login window and it cannot be customized. If you require a customizable login page, use FORM Authentication.

Registering Users for an Application Server Instance

To add authorized users to the Sun Java System Application Server, follow these steps:
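The following web.xml is an added example, not a descriptor from the book or from NetBeans, showing the FORM-based variant the text mentions alongside two settings a practitioner usually wants with it: a <user-data-constraint> of CONFIDENTIAL so that the credentials (which BASIC and FORM both send in clear text over plain HTTP) travel only over TLS, and a constraint that covers every HTTP method. The role name staffmember and the realm basic-file come from the text; the paths /admin/*, /login.jsp and /loginError.jsp are assumed names for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>staff area</web-resource-name>
      <!-- Assumed path for this example. Note that no <http-method>
           elements are listed: as soon as you name one method (e.g. GET),
           the constraint applies to that method only and every other
           method on the same URL pattern becomes unprotected. -->
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Only callers mapped to this logical role get through. -->
      <role-name>staffmember</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Forces HTTPS for the protected pattern; the container redirects
           plain-HTTP requests to the secure port, so the form POST carrying
           the password is never sent in clear text. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <!-- FORM instead of BASIC: the container serves your own login page
         (assumed name /login.jsp) whose form must POST j_username and
         j_password to j_security_check. -->
    <auth-method>FORM</auth-method>
    <realm-name>basic-file</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role referenced in an <auth-constraint> must be declared here;
       otherwise deployment fails or the constraint is silently ignored,
       depending on the container. -->
  <security-role>
    <role-name>staffmember</role-name>
  </security-role>

</web-app>
```

Before deploying, check the descriptor with a quick test from the command line: a request to the protected pattern over plain HTTP should answer with a redirect to the HTTPS port, and the same request over HTTPS without a session should return the login page rather than the protected content.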
Now that you have registered a username for this application server instance, you can map the logical security role called staffmember to this physical user called ludo. To do that, use the IDE's visual editor for the sun-web.xml file:
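What the visual sun-web.xml editor writes for that mapping, as an added example rather than the book's own file: a <security-role-mapping> element under <sun-web-app> binds the logical role staffmember to the physical user ludo from the text. The context root /securedapp and the group name staff are assumed values for this example; the preceding DOCTYPE line depends on your application server version and is omitted here.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<sun-web-app>
  <!-- Assumed context root for this example. -->
  <context-root>/securedapp</context-root>

  <security-role-mapping>
    <!-- Must match a <role-name> declared in web.xml exactly
         (case-sensitive); a typo here means nobody can reach the pages. -->
    <role-name>staffmember</role-name>

    <!-- Mapping to an individual user, as the text describes. -->
    <principal-name>ludo</principal-name>

    <!-- Mapping to a realm group is usually preferable in practice: adding
         or removing staff then happens in the realm's user store instead
         of requiring a redeploy of the application. Assumed group name. -->
    <group-name>staff</group-name>
  </security-role-mapping>
</sun-web-app>
```

Either <principal-name> or <group-name> alone is enough; listing both grants the role to the named user and to every member of the group. Keep in mind that a user who is in the file realm but appears in no mapping is authenticated successfully and then still receives a 403, which is the expected behaviour and not a misconfiguration of the realm.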
Now when you run this web application, you are prompted for a username and password when you first try to access the application's welcome page (as shown in Figure 13-28). Enter ludo as the username and ludo as the password, and you should be able to access the requested web page.

Figure 13-28. Prompt for username and password to access a web application that has security constraints set up
This section is only an introduction to Java EE security settings. Make sure you read the J2EE 1.4 Tutorial, which covers more advanced security concepts for enterprise applications, such as web-services message protection for service endpoints (WSS in the SOAP layer is the use of XML Encryption and XML Digital Signatures to secure SOAP messages). You can find a complete tutorial at the following URL: http://docs.sun.com/source/819-0079/dgsecure.html#wp14462. Remember, once you are ready to use more advanced security settings, you can take advantage of the IDE's visual configuration editors (for sun-ejb-jar.xml and sun-web.xml) to edit these security settings.