Section 9.2. Web-Based Security


9.2. Web-Based Security

To secure the web site, we need to do the following:

  • Protect the administrative pages:

    • Restrict access based on the URL pattern.

    • Associate security roles with the URL.

    • Create security roles for the JAW Motors application.

  • Choose an Authentication mechanism and implement it.

  • Automate extra web.xml settings with XDoclet.

  • Create a security realm that associates a user with the roles he plays in the system.

  • Configure a JAAS LoginModule that's tied to the security realm.

  • Deploy the JAAS-based security realm with the JBoss container.

  • Protect MVC administrative actions:

  • Restrict access based on the URL pattern.

  • Propagate the correct user credentials from the web tier:

    • Establish a default user identity for non-secure web access.

    • Use the right user identity for secure web access.

9.2.1. Protecting the Administrative Pages

J2EE provides Declarative Security, so rather than writing code to protect our resources, we can accomplish this through URL patterns and deployment descriptors. If you'll recall, the Car Inventory page (carList.jsp), as shown in Figure 9-1, enables you to view and modify the JAW Motors inventory.

Figure 9-1. JAW Motors Car Inventory page


We also must protect the Add/Edit Car page (carForm.jspyou see this page when you press the "Add Car" or "Edit" link on the Car Inventory page) (Figure 9-2).

Figure 9-2. JAW Motors Add/Edit Car page


We first move carList.jsp and carForm.jsp to a sub-directory under WEB-INF (in the WAR file) called admin to differentiate these protected pages from the public pages. Now our pages in the WAR file look like this:


WEB-INF/

All public non-protected pages, including index.jsp, go here.


WEB-INF/admin/

All administrative protected pages, including carList.jsp and carForm.jsp, go here.

To access these pages, you would now use this URL as a prefix: http://localhost:8080/ch09/admin/

But we still need to restrict access to the administrative pages by creating security roles and associating them with these URL patterns in web.xml.



JBoss at Work. A Practical Guide
JBoss at Work: A Practical Guide
ISBN: 0596007345
EAN: 2147483647
Year: 2004
Pages: 197

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net