Section 9.8. Web Security Checklist

Before we move on to securing the EJB tier, let's recap what we've done so far:

  • Protected the administrative pages by:

    • Restricting access based on the /admin/* URL pattern in web.xml

    • Associating security roles with the /admin/* URL pattern in web.xml

    • Moving the administrative pages beneath the /admin sub-directory in WEB-INF

    • Creating security roles for the JAW Motors application in web.xml

  • Implemented FORM-based Authentication by:

    • Adding a <login-config> element to web.xml and tying it to a security realm

    • Creating a login page, login.jsp with a form that follows FORM-based Authentication naming conventions

    • Developing a login error page, loginerror.jsp

  • Automated extra web.xml settings with the servlets.xml, servlet-mappings.xml, and web-security.xml XDoclet merge files

  • Created a security realm in the JAW Motors database that associates a user with the roles they play in the system

  • Deployed the JAAS-based security realm with the JBoss container by:

    • Configuring a JAAS LoginModule that's tied to the database security realm using the JAAS login configuration under $JBOSS_HOME/server/default/conf and $JBOSS_HOME/server/default/deploy/jaw-login-config-service.xml

    • Adding the JAAS domain settings to jboss-web.xml

  • Added a read-only page and MVC action to ensure that we can still access non-secure resources without logging in

  • Protected MVC administrative actions by:

    • Modifying JSPs and the Controller Servlet to prefix all administrative action URLs with /admin/

    • Modifying web.xml with the new /controller/admin/* <url-pattern> element to lock down the administrative action URLs

  • Propagated the correct user credentials from the web tier by:

    • Establishing a default guest user identity for non-secure actions and pages in web.xml

    • Using the Manager identity for secure actions and pages in web.xml

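The checklist names the pieces but not how they fit together. What follows is an added example written for this recap, not code from the book or the JAW Motors project: a web.xml fragment carrying the roles, the two administrative <url-pattern> constraints and the FORM <login-config>; the matching jboss-web.xml; and the JAAS <application-policy> that belongs under <policy> in the login configuration (conf/login-config.xml, or whatever the jaw-login-config-service.xml on the checklist carries). The Manager role, the login.jsp and loginerror.jsp page names and the two URL patterns come from the checklist; the realm and security-domain name JawMotorsRealm, the datasource java:/JawMotorsDS, the JAW_USER and JAW_USER_ROLE tables with their columns, the guest identity name and the choice of SHA-1 are assumptions made for the example.

```xml
<!-- web.xml (Servlet 2.4): roles, constraints and FORM login -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Declare the role first; the constraint below references it. -->
  <security-role>
    <role-name>Manager</role-name>
  </security-role>

  <!-- Lock down both the admin JSPs and the admin Controller actions.
       No http-method is listed on purpose: a collection that names only
       GET and POST leaves HEAD, PUT and every other verb unprotected. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administrative pages and actions</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <url-pattern>/controller/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Manager</role-name>
    </auth-constraint>
    <!-- Require TLS so the FORM credentials never travel in clear text. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- FORM-based authentication. The login page must POST to the
       container action j_security_check with fields j_username and
       j_password; the container, not the application, checks them. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>JawMotorsRealm</realm-name>   <!-- assumed name -->
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginerror.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>

<!-- jboss-web.xml: bind the web application to the JAAS security domain -->
<jboss-web>
  <security-domain>java:/jaas/JawMotorsRealm</security-domain>   <!-- assumed name -->
</jboss-web>

<!-- JAAS application policy referenced by the security-domain above.
     It goes inside the policy element of the login configuration. -->
<application-policy name="JawMotorsRealm">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <!-- Datasource, table and column names are assumed for this example. -->
      <module-option name="dsJndiName">java:/JawMotorsDS</module-option>
      <!-- principalsQuery returns one column: the stored password (digest). -->
      <module-option name="principalsQuery">
        select PASSWORD from JAW_USER where USERNAME=?
      </module-option>
      <!-- rolesQuery returns two columns: role name and role group.
           The group must be the literal 'Roles' for authorization to see them. -->
      <module-option name="rolesQuery">
        select ROLE_NAME, 'Roles' from JAW_USER_ROLE where USERNAME=?
      </module-option>
      <!-- Store digests rather than clear-text passwords in JAW_USER. -->
      <module-option name="hashAlgorithm">SHA-1</module-option>
      <module-option name="hashEncoding">base64</module-option>
      <!-- Callers who never log in run as the guest identity (assumed name). -->
      <module-option name="unauthenticatedIdentity">guest</module-option>
    </login-module>
  </authentication>
</application-policy>
```

Two points to check when you copy this pattern. The <user-data-constraint> does the work that FORM authentication on its own does not: without it the j_username and j_password fields are posted over plain HTTP. And hashAlgorithm only stops the database from disclosing clear-text passwords; the digest the module computes is unsalted, so it does not slow an offline guessing attack against a stolen table. A salted scheme needs a custom login module.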


JBoss at Work: A Practical Guide
ISBN: 0596007345
Year: 2004
Pages: 197
