J2EE Security Model
(Read: J2EE spec chapter 3, Servlet spec chapter 11, Blueprints chapter 9)

Secure applications require the client first to be authenticated as a valid
user of the application, and second to have the authorization to access the
EJB business logic.

Applications with secure web containers and secure EJB containers may enforce
the following security processes for web clients:
  authenticate the caller
  authorize the caller for access to the URL
  authorize the caller for access to the EJB business methods

Authentication is the process that verifies the user's IDENTITY.

Authorization is the process that verifies the user's PERMISSION to access a
resource.

A primary goal of the J2EE platform is to isolate the developer from the
details of the security mechanisms and to facilitate the secure deployment of
an application in diverse environments. This goal is addressed by providing
mechanisms for specifying application security requirements declaratively and
outside the application.

Declarative security is when the security mechanism for an application is
declared and handled externally to the application. Deployment descriptors
(DDs) are used by J2EE to describe declarative security.

Servlet Level Security
A secure web container needs to authenticate web client users and to authorize
their access to the servlet. Once the user has been authenticated and
authorized, the servlet passes the user's credentials on to an EJB to establish
a secure association with the bean.

User Authentication by Servlets
Three web-based login mechanisms are required by the J2EE Specification, v1.2:
HTTP basic authentication, SSL mutual authentication, and form-based login.
The login-config element of the web application deployment descriptor describes
the authentication method to be used.
The syntax for the login-config element is as follows:
<!ELEMENT login-config (auth-method?,realm-name?,form-login-config?)>

Steps for setting up Declarative Form authentication:

0) In the (WAR) deployment descriptor, specify logical roles for the types of
users that will access your application. At deploy time you will map these
logical roles to the actual groups or users in your Application Server
directory. This example descriptor specifies the logical role customer:

  <security-role>
    <role-name>customer</role-name>
  </security-role>

1) In the (WAR) deployment descriptor, restrict access to web resources. This
will cause the Web Server to authenticate the user when the user tries to
access one of these resources.

Restricting Access to Web Resources:
To control access to a Web resource, an Application Component Provider or
Application Assembler specifies a security-constraint element with an
auth-constraint subelement in the Web deployment descriptor.
This example descriptor specifies that the URL /control/placeorder
can only be accessed by users acting in the role of customer:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>placeorder</web-resource-name>
      <url-pattern>/control/placeorder</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>

    <auth-constraint>
      <role-name>customer</role-name>
    </auth-constraint>

    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

2) In the (WAR) deployment descriptor, configure the page to display for form
authentication. This page will be displayed when the user tries to access a
restricted resource (see above).


  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>default</realm-name>
    <form-login-config>
      <form-login-page>/estore/Login.jsp</form-login-page>
      <form-error-page>/estore/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

3) In your WAR package you must have the form login page (in this example
Login.jsp). In this page you must have the following form tags:

<form method="POST" action="j_security_check">
<input type="text" name="j_username">
<input type="password" name="j_password">
</form>

When the user submits the Login.jsp form, the WEB CONTAINER authenticates
the user and sets the credentials used for authorizing access.

Servlets can call HttpServletRequest getRemoteUser() or
getUserPrincipal().getName() to get the username if the user is logged in.
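
Added example (not part of the original post): a small Python check that can be
run over a web.xml before deployment to catch three descriptor mistakes relevant
to steps 0-2 above: an auth-constraint role with no matching security-role,
http-method entries that leave other methods unconstrained, and a missing or
non-spec transport-guarantee value. The function name audit_web_xml, the finding
codes and the sample descriptor are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample with deliberate defects; not a descriptor from the original post.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>placeorder</web-resource-name>
      <url-pattern>/control/placeorder</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>customer</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>confidential</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-role><role-name>customer</role-name></security-role>
</web-app>"""

VALID_GUARANTEES = {"NONE", "INTEGRAL", "CONFIDENTIAL"}  # values the Servlet spec defines

def audit_web_xml(xml_text):
    """Return (code, detail) findings for a DTD-style (un-namespaced) web.xml."""
    root = ET.fromstring(xml_text)
    declared = {r.findtext("role-name", "").strip() for r in root.iter("security-role")}
    findings = []
    for sc in root.iter("security-constraint"):
        urls = [u.text.strip() for u in sc.iter("url-pattern") if u.text]
        methods = [m.text.strip() for m in sc.iter("http-method") if m.text]
        if methods:
            # Only the listed methods are constrained; any other HTTP method
            # sent to the same URL is not covered by this constraint.
            findings.append(("METHODS_LISTED", f"{urls} constrains only {methods}"))
        for role in sc.findall("auth-constraint/role-name"):
            name = (role.text or "").strip()
            if name != "*" and name not in declared:  # "*" = all declared roles
                findings.append(("UNDECLARED_ROLE", name))
        tg = sc.findtext("user-data-constraint/transport-guarantee")
        if tg is None:
            findings.append(("NO_TRANSPORT_GUARANTEE", f"{urls}"))
        elif tg.strip() not in VALID_GUARANTEES:
            findings.append(("BAD_TRANSPORT_GUARANTEE", tg.strip()))
    return findings

if __name__ == "__main__":
    for code, detail in audit_web_xml(SAMPLE_WEB_XML):
        print(code, detail)
```

Omitting the http-method elements from a web-resource-collection makes the
constraint apply to every HTTP method for that URL pattern.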


EJB Level Security
The EJB container is responsible for authorizing access to a bean method by
using the security policy laid out in the EJB XML deployment descriptor.

Steps for setting up Declarative EJB Authorization restrictions:

1) In the EJB deployment descriptor set up logical Roles

    <security-role>
      <role-name>customer</role-name>
    </security-role>

2) In the EJB deployment descriptor set up method permissions for
   Roles for EJB methods. In the following example the Role
   customer has permission to call the purchaseCart method of the
   ShoppingCartEJB.

    <method-permission>
      <role-name>customer</role-name>
      <method>
        <ejb-name>ShoppingCartEJB</ejb-name>
        <method-intf>Remote</method-intf>
        <method-name>purchaseCart</method-name>
        <method-params>
         <method-param>java.lang.String</method-param>
        </method-params>
      </method>
    </method-permission>


3) At deploy time map the Roles to the groups or users in the App Server
Directory.
