This chapter implements the security changes to the EJBs discussed in Chapter 17 of the EJB book.
This exercise secures the Titan Cruises Reservation system introduced in Exercise 11.4 in Workbook 9. It modifies the ProcessPayment EJB so that only authorized merchant users can invoke payment operations.
If JBoss is running, shut it down. You will need to make some configuration modifications to enable security for this exercise.
To enable security in the JBoss application server, you need to create a security domain. A security domain is a repository for users, passwords, and the roles with which each user is associated. The EJB container delegates to the security domain when performing authentication (verifying the caller's credentials) and authorization (checking the caller's roles against the method permissions). Each container can be associated with a different domain.
Out of the box, JBoss supports three types of domains: relational databases, LDAP, and a flat file. For this example, we will use a clear-text flat file to store our users, passwords, and role associations. Security domains are configured in the file. Open this file in your favorite editor and add the following XML within the

    <application-policy name="TitanIdentityDB">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                      flag="required">
          <module-option name="usersProperties">users-titan.properties</module-option>
          ...
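The following is an added example, not code from the workbook or from JBoss: it models in Python what the TitanIdentityDB domain does when the container delegates to it, so you can see why authentication and the merchant-role check are two separate steps. The users file content is constructed, and the roles file name (roles-titan.properties) and its user=role1,role2 layout are assumptions.

```python
# Added example: a model of the UsersRolesLoginModule flat-file domain.
# Not the JBoss implementation; file contents below are constructed samples.
import hmac

USERS_PROPERTIES = """\
# users-titan.properties (constructed): user=password, stored in clear text
jsmith=secret1
clerk=letmein
"""

ROLES_PROPERTIES = """\
# roles-titan.properties (assumed file name): user=role1,role2
jsmith=merchant
clerk=customer
"""


def parse_properties(text):
    """Minimal key=value parser; blank lines and # comments are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        entries[key.strip()] = value.strip()
    return entries


def authenticate(user, password, users_text=USERS_PROPERTIES):
    """Step 1: does the caller hold the password on file for that user?"""
    stored = parse_properties(users_text).get(user)
    if stored is None:
        return False
    # constant-time compare so a wrong password does not leak prefix length
    return hmac.compare_digest(stored.encode(), password.encode())


def roles_for(user, roles_text=ROLES_PROPERTIES):
    """Roles the domain associates with an authenticated user."""
    raw = parse_properties(roles_text).get(user, "")
    return {r.strip() for r in raw.split(",") if r.strip()}


def can_process_payment(user, password):
    """Step 2: only an authenticated caller in the merchant role may call
    a ProcessPayment business method; an unknown user or wrong password
    never reaches the role check."""
    if not authenticate(user, password):
        return False
    return "merchant" in roles_for(user)
```

Because the passwords sit in the properties file in clear text, protect that file with filesystem permissions at least as strict as those on the server configuration itself.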