Skip to main content

J2EE Container Security in Applications

Introduction

Using J2EE Container security is the first step towards designing a secure and portable J2EE application.

The integration of Container security with an application is easy but requires some amount of knowledge and research. The main reason for this is various J2EE application server providers gives us only a limited amount of login modules by default.
For example an Active Directory authentication is a standard requirement but not all J2EE Server vendors provide this.But many major vendors provide this login module . The bottomline is we may be required to write our own login modules for many standard services. Writing our own login module is not difficult .Writing a custom login module will not be covered in this post.This post is about integrating a DB login module to an application deployed in JBoss Server.
In this post i am only giving the steps without eloborating on each of the steps.

5 Steps
  1. Identify the EJB that you want to secure.
  2. Add the annotation @Securitydomain and give the name of the domain which will provide the security.
  3. Add @RolesAllowed annotation and define which roles can access the EJB methods
  4. In the jboss login-config xml add a security domain entry
  5. Configure the DatabaseServerLoginModule as the liogin module. This will allow us to use authenticate and authorise the user and roles from a database. This module is provided by JBoss , so only thing left is to tell this module the tables to be used.
That's all. Now try invoking the ejb methods without providing a user and password in the JNDI properties. You should get an authentication exception.Now provide a valid user and password and if that user is mapped to a role then the ejb invocation will be successful.
Labels:

Comments

Post a Comment

Popular posts from this blog

Using Database login Module in JBoss

This post is a detailed description on how to use the database login module in JBoss with a J2EE Application. Scenario There is a EJB and we want to restrict the access to this ejb's method to an authenticated user having a particular role. The EJB is accessed from a standalone Java Client using Remote Lookup. Implementation The EJB is HelloSSB and the roles allowed are admin and user. First step is to write the EJB The source code is given below. This is a stateless session bean. package com.prem.ejb; import javax.annotation.PreDestroy; import javax.annotation.Resource; import javax.annotation.security.RolesAllowed; import javax.ejb.SessionContext; import javax.ejb.Stateless; import javax.persistence.EntityManager; import javax.persistence.PersistenceContext; import org.jboss.annotation.security.SecurityDomain; @Stateless @SecurityDomain ("helloworld") public class HelloSSB implements HellioIntf{ @PersistenceContext(unitName = "EntApp") EntityManager em; @Reso...
26 comments
Read more
How to integrate Container security in a web application and propagate it to EJB Layer. Normally an enterprise application has a web tier and a business tier (Most probably EJB in the case of J2EE).The security requirments for such an application in general will be this "Only an authenticated and authorized user should be able to access the protected part of the application" This includes both dynamic (jsp pages) and static content like HTML files. If the user has the rights for the web page then based on his role he should be restricted to invoke an ejb method.That's even if he has access to a page he should be able to execute only those business operations for which his role is given access. To satisfy the above requirement we have to have security at 2 levels . One at the web container side and other at the ejb container side. The rest of the post explains how we can do that in JBoss 4.2.2 See my old post on securing an EJB. Once the EJB is secured, next step is to sec...
1 comment
Read more