9.3. Restricting Access with web.xml

We restrict access to the administrative page URLs in web.xml as in Example 9-1.

Example 9-1. web.xml

    ...
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>
          JAW Application protected Admin pages.
        </web-resource-name>
        <description>Require users to authenticate.</description>
        <url-pattern>/admin/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <description>
          Allow Manager role to access Admin pages.
        </description>
        <role-name>Manager</role-name>
      </auth-constraint>
    </security-constraint>

    <security-role>
      <description>JAW Managers</description>
      <role-name>Manager</role-name>
    </security-role>
    ...

The <security-constraint> element protects the administrative pages by specifying:
To be complete, we've also modified the Controller Servlet in Example 9-2 to prefix all administrative pages with the admin/ URL.

Example 9-2. ControllerServlet.java

    public class ControllerServlet extends HttpServlet {
        ...
        protected void processRequest(HttpServletRequest request,
                                      HttpServletResponse response)
                throws ServletException, IOException {
            ...
            // perform action
            ...
            else if (MODIFY_CAR_LIST_ACTION.equals(actionName)) {
                ...
                destinationPage = "/admin/carList.jsp";
            }
            ...
        }
    }
We've protected the administrative pages' URLs so that only authenticated users can access these pages. We now have to choose an authentication method.

9.3.1. Web-Based Authentication

Authentication establishes the user's identity in the system. There are four methods of authentication:
9.3.2. Form-Based Authentication

We're using Form-based authentication because it is the most commonly used authentication technique and we want to use our own login page. Example 9-3 shows how we configure Form-based authentication in web.xml.

Example 9-3. web.xml

    ...
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>JawJaasDbRealm</realm-name>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/loginError.jsp</form-error-page>
      </form-login-config>
    </login-config>
    ...

The <realm-name> element specifies the name of our security realm, and its textual value, JawJaasDbRealm, must match the name of the security realm specified in the JBoss JAAS login configuration file. We'll see the login.jsp and loginError.jsp pages in action in the "Testing Secure JSPs" section. For now, let's take a closer look at the login page.

9.3.3. The Login Form

Example 9-4 is an excerpt from the form in the login.jsp page.

Example 9-4. login.jsp

    <form method="POST" action="j_security_check">
      <input type="text" name="j_username">
      <input type="password" name="j_password">
    </form>

Form-based Authentication requires the following naming conventions on the login form:
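Because the constraint in Example 9-1 only covers URLs that match its <url-pattern>, and the role it names must also be declared in <security-role>, it is worth checking a generated web.xml mechanically. The following is an added example, not code from the book or the JAW Motors distribution; the WEB_XML string is a constructed sample in the DTD style JBoss used at the time (no XML namespace), and the page list passed to unprotected() is assumed.

```python
# Added example (not the book's code): sanity-check declarative security in a web.xml
# like Example 9-1. WEB_XML is a constructed, DTD-style (no namespace) sample.
import xml.etree.ElementTree as ET
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JAW Application protected Admin pages.</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Manager</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>Manager</role-name></security-role>
</web-app>"""

def parse(web_xml):
    """Parse web.xml, stripping any namespace so plain tag lookups work."""
    root = ET.fromstring(web_xml)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]
    return root

def url_matches(pattern, path):
    """Servlet-style matching: prefix (/x/*), extension (*.jsp), exact, default (/)."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern in (path, "/")

def allowed_roles(web_xml, path):
    """Roles allowed to request `path`; None when no constraint covers it. The
    container checks the request URL only; RequestDispatcher forwards are not re-checked."""
    roles = None
    for sc in parse(web_xml).findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
        if any(url_matches(p, path) for p in patterns):
            roles = {r.text.strip() for r in sc.findall("auth-constraint/role-name")}
    return roles

def undeclared_roles(web_xml):
    """Role names used in <auth-constraint> but missing from <security-role>."""
    root = parse(web_xml)
    declared = {r.text.strip() for r in root.findall("security-role/role-name")}
    used = {r.text.strip() for r in root.findall("security-constraint/auth-constraint/role-name")}
    return used - declared

def unprotected(web_xml, pages):
    """Controller destination pages (as in Example 9-2) no auth-constraint covers."""
    return [p for p in pages if allowed_roles(web_xml, p) is None]
```

Run undeclared_roles() and unprotected() against the web.xml that XDoclet produces after merging web-security.xml to catch a mistyped role name or a page that was never moved under /admin/.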
9.3.4. Automating Declarative Authentication and Authorization in web.xml

In web.xml, we had to add the <security-constraint>, <security-role>, and <login-config> elements to set up Form-based authentication, but XDoclet doesn't provide a way to generate these elements. We could've hardcoded these elements, but this wouldn't fit with our Ant-based build process. So we created an XDoclet merge file called web-security.xml that XDoclet merged in as it generated web.xml. You can find web-security.xml in the xdoclet/merge directory in the ch09-a project's webapp sub-project that comes with the JAW Motors code distribution.

9.3.5. Creating a Security Realm

We're now going to create a security realm using database tables that associate a user with the roles he plays in the system. Table 9-1 shows the Users from the USER table.
Table 9-2 shows the JAW Motors application's Roles in the ROLE table.
Now we need to specify the roles for each user in the system. Table 9-3 shows the USER_ROLE table, which indicates which roles a user has by joining the USER and ROLE tables.
When joined with the USER and ROLE tables, the data in the USER_ROLE table indicates that both users have the Manager role. You can find these new security-related tables in the ch09-a project's sql/build.xml file. Now that we've set up declarative security and created a security realm, we need to deploy the security realm on JBoss. Before we can discuss web-based security any further, we need to cover core JAAS concepts because the JBoss security manager, JBoss Security Extension (JBossSX), is based on JAAS. After discussing the core JAAS API, we'll then get to the heart of JAAS-based security: the LoginModule.