J2EE Container Security in Applications

Introduction

Using J2EE Container security is the first step towards designing a secure and portable J2EE application.

Integrating Container security with an application is easy, but it requires some knowledge and research. The main reason is that the various J2EE application server vendors ship only a limited set of login modules by default.
For example, Active Directory authentication is a standard requirement, yet not every J2EE server vendor provides it, although most major vendors do. The bottom line is that we may have to write our own login modules for many standard services. Writing a custom login module is not difficult, but it will not be covered in this post. This post is about integrating a database login module with an application deployed in JBoss Server.
In this post I am only giving the steps, without elaborating on each of them.

5 Steps
  1. Identify the EJB that you want to secure.
  2. Add the @SecurityDomain annotation and give it the name of the security domain that will provide the security.
  3. Add the @RolesAllowed annotation and define which roles can access the EJB methods.
  4. In the JBoss login-config.xml, add a security domain entry with that same name.
  5. Configure the DatabaseServerLoginModule as the login module. This lets us authenticate the user and authorise the roles from a database. The module is provided by JBoss, so the only thing left is to tell it which tables to use.
That's all. Now try invoking the EJB methods without providing a user and password in the JNDI properties: you should get an authentication exception. Then provide a valid user and password; if that user is mapped to an allowed role, the EJB invocation will succeed.
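As an added example of steps 4 and 5 (not taken from the original post), here is a login-config.xml entry for the DatabaseServerLoginModule. The domain name "helloworld", the datasource JNDI name and the table and column names are assumptions: the domain name must equal the value given to @SecurityDomain on the EJB, and the queries must match your own schema.

```xml
<!-- Added example: one security domain entry in JBoss login-config.xml.
     The name must be the same string used in @SecurityDomain("helloworld"). -->
<application-policy name="helloworld">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <!-- Datasource (assumed JNDI name) the module uses to read users and roles -->
      <module-option name="dsJndiName">java:/MyAppDS</module-option>

      <!-- Returns the stored password for the user name bound to the single '?'.
           Table and column are assumed; the query must return exactly one column. -->
      <module-option name="principalsQuery">select password_hash from app_users where username = ?</module-option>

      <!-- Returns (role name, role group) pairs for the user. Only roles whose
           group is the literal 'Roles' are consulted by @RolesAllowed checks;
           a role placed in any other group grants no access. -->
      <module-option name="rolesQuery">select role_name, 'Roles' from app_user_roles where username = ?</module-option>

      <!-- Keep hashes, not cleartext, in app_users: the module hashes the
           submitted password with this algorithm and encoding before comparing
           it with the value returned by principalsQuery. -->
      <module-option name="hashAlgorithm">SHA-256</module-option>
      <module-option name="hashEncoding">base64</module-option>
    </login-module>
  </authentication>
</application-policy>
```

With @RolesAllowed({"admin", "user"}) on the EJB, a caller whose rolesQuery rows contain neither name is rejected with an EJBAccessException even though authentication succeeded, so a check of both the password row and the role rows for a test user is the quickest way to confirm the two queries are wired correctly.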
