Before we move on to securing the EJB tier, let's recap what we've done so far:
Protected the administrative pages by:
  Restricting access based on the /admin/* URL pattern in web.xml
  Associating security roles with the /admin/* URL pattern in web.xml
  Moving the administrative pages beneath the /admin sub-directory in WEB-INF
  Creating security roles for the JAW Motors application in web.xml
Implemented FORM-based Authentication by:
  Adding a <login-config> element to web.xml and tying it to a security realm
  Creating a login page, login.jsp, with a form that follows the FORM-based Authentication naming conventions (action j_security_check, fields j_username and j_password)
  Developing a login error page, loginerror.jsp
Automated the extra web.xml settings with the servlets.xml, servlet-mappings.xml, and web-security.xml XDoclet merge files
Created a security realm in the JAW Motors database that associates each user with the roles they play in the system
Deployed the JAAS-based security realm in the JBoss container by:
  Configuring a JAAS LoginModule tied to the database security realm, using the configuration under $JBOSS_HOME/server/default/conf and $JBOSS_HOME/server/default/deploy/jaw-login-config-service.xml
  Adding the JAAS security-domain settings to jboss-web.xml
Added a read-only page and MVC action to confirm that non-secure resources remain accessible without logging in
Protected MVC administrative actions by:
  Modifying the JSPs and the Controller Servlet to prefix all administrative action URLs with /admin/
  Adding a /controller/admin/* <url-pattern> element to web.xml to lock down the administrative action URLs
Propagated the correct user credentials from the web tier by:
  Establishing a default guest user identity for non-secure actions and pages in web.xml
  Using the Manager identity for secure actions and pages in web.xml
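To make the recap concrete, the web.xml fragment below gathers the security elements listed above into one place. It is an added example, not a listing from the JAW Motors application itself: the Manager role, the /admin/* and /controller/admin/* patterns and the login/loginerror pages come from the recap, while the realm name JawMotorsRealm and the CONFIDENTIAL transport guarantee are assumptions and additions of this example.

```xml
<!-- Added example, not the JAW Motors source. Realm name and the
     user-data-constraint are assumptions/additions; everything else
     mirrors the recap. Servlet and servlet-mapping elements are omitted. -->
<web-app>

  <!-- One constraint covers both the admin JSPs and the admin MVC actions. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administrative pages and actions</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <url-pattern>/controller/admin/*</url-pattern>
      <!-- Deliberately no <http-method> elements: with none listed the
           constraint applies to every HTTP method. Listing only GET and
           POST would leave HEAD, PUT, DELETE, etc. unprotected. -->
    </web-resource-collection>

    <!-- Only authenticated users holding the Manager role may pass. -->
    <auth-constraint>
      <role-name>Manager</role-name>
    </auth-constraint>

    <!-- Added hardening: FORM login posts j_username/j_password in the
         clear unless the container is told to require SSL for these URLs. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- FORM-based authentication tied to the realm; the login page must
       POST to j_security_check with fields j_username and j_password. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>JawMotorsRealm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginerror.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role referenced in an auth-constraint must be declared here. -->
  <security-role>
    <role-name>Manager</role-name>
  </security-role>

</web-app>
```

Two points worth checking when wiring this up. First, the JBoss side: jboss-web.xml names the JAAS domain as `<security-domain>java:/jaas/JawMotorsRealm</security-domain>` (name assumed here), and the part after `java:/jaas/` must match the `<application-policy>` name under which the database LoginModule is configured, or every login will fail with no obvious error. Second, servlet security constraints are evaluated against the client's request URL only; a JSP reached through a RequestDispatcher forward from the Controller Servlet is not re-checked, which is why the `/controller/admin/*` pattern on the action URLs, not just `/admin/*` on the pages, is what actually gates the administrative actions.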