GlassFish Security

Book Description

Secure your GlassFish installation, Web applications, EJB applications, Application Client modules, and Web services

  • Secure your GlassFish installation and J2EE applications

  • Develop secure Java EE applications including Web, EJB, and Application Client modules

  • Secure web services using GlassFish and OpenSSO web service security features

  • Support SSL in GlassFish including Mutual Authentication and Certificate Realm with this practical guide

In Detail

    Security was, is, and will be one of the most important aspects of enterprise applications and one of the most challenging areas for architects, developers, and administrators. Java EE application developers need to secure their enterprise applications, and GlassFish provides the security features to do so.

    Learn to secure Java EE artifacts (like Servlets and EJB methods), configure and use GlassFish JAAS modules, and establish environment and network security using this practical guide filled with examples. One of the things you will love about this book is that it covers the advantages of protecting application servers and web service providers using OpenSSO.

    The book starts by introducing Java EE security in Web, EJB, and Application Client modules. Then it introduces the security realms provided in GlassFish, which developers and administrators can use to complete the authentication and authorization setup. In the next step, we develop a fully secured sample Java EE application with Web, EJB, and Application Client modules.
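    To make the Web and EJB security described above concrete, here is an added example written for this page (not code from the book or from the GlassFish project) of the Java EE 6 annotation-based security that GlassFish 3 enforces. The role names, the URL pattern, the package name and the realm group mapping in the comment are illustrative assumptions; it presumes a realm (for example the file realm) whose groups are mapped to the roles in glassfish-web.xml.

```java
// Added example, not from the book. Assumed glassfish-web.xml role mapping
// (group names are those of whatever realm the application is bound to):
//
//   <security-role-mapping>
//     <role-name>manager</role-name>
//     <group-name>managers</group-name>
//   </security-role-mapping>
//   <security-role-mapping>
//     <role-name>staff</role-name>
//     <group-name>staff</group-name>
//   </security-role-mapping>
//
// File: PayrollBean.java
package com.example.secure;   // hypothetical package name

import java.io.IOException;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** EJB guarded per method: the container checks the caller's roles before dispatching. */
@Stateless
@DeclareRoles({"manager", "staff"})
public class PayrollBean {

    @Resource
    private SessionContext ctx;

    @RolesAllowed("staff")          // any staff member may read a payslip
    public String viewPayslip(String employeeId) {
        // The principal was established by the web tier and propagated to the EJB tier.
        return "payslip for " + employeeId + " requested by " + ctx.getCallerPrincipal().getName();
    }

    @RolesAllowed("manager")        // approvals are restricted to managers
    public String approveRaise(String employeeId, int percent) {
        // Defence in depth: a programmatic check in case the declarative constraint is edited away.
        if (!ctx.isCallerInRole("manager")) {
            throw new EJBAccessException("caller lacks the manager role");
        }
        return "raise of " + percent + "% approved for " + employeeId;
    }

    @PermitAll                      // reachable without authentication
    public String ping() {
        return "ok";
    }
}

// File: PayrollServlet.java (same hypothetical package)
/** Web front end: HTTP-level constraints are enforced before doGet/doPost run. */
@WebServlet("/payroll")
@ServletSecurity(
    // Default for all methods: authenticated staff or managers, over SSL only.
    value = @HttpConstraint(rolesAllowed = {"staff", "manager"},
                            transportGuarantee = TransportGuarantee.CONFIDENTIAL),
    // A method constraint replaces the default for that method, so the transport
    // guarantee must be repeated here or POST would be allowed over plain HTTP.
    httpMethodConstraints = {
        @HttpMethodConstraint(value = "POST", rolesAllowed = "manager",
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    })
class PayrollServlet extends HttpServlet {

    @EJB
    private PayrollBean payroll;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container has already authenticated the caller against the configured realm.
        String user = req.getUserPrincipal().getName();
        resp.getWriter().println(payroll.viewPayslip(user));
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String employee = req.getParameter("employee");
        int percent;
        try {
            percent = Integer.parseInt(req.getParameter("percent"));
        } catch (NumberFormatException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "percent must be an integer");
            return;
        }
        try {
            resp.getWriter().println(payroll.approveRaise(employee, percent));
        } catch (EJBAccessException e) {
            // Web-tier role was sufficient for the URL but not for the EJB method.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "approval requires the manager role");
        }
    }
}
```

    The two classes belong in separate source files as the comments indicate. The point to take away is that the web-tier constraint (who may reach the URL, and over which transport) and the EJB-tier constraint (who may invoke the method) are checked independently, and the role-to-group mapping in glassfish-web.xml is what ties both to the accounts held in the realm; a missing mapping means every caller is denied, not permitted.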

    The next part includes a detailed and practical guide to setting up, configuring, and extending GlassFish security. This part covers everything an administrator needs to know about GlassFish security, starting from installation and operating environment security, listeners and password security, through policy enforcement, to auditing and developing new auditing modules.

    Before starting the third major part of the book, we have a chapter on OpenDS discussing how to install and administer OpenDS. The chapter covers importing and exporting data, setting up replication, backup and recovery, and finally developing LDAP-based solutions using OpenDS and Java.

    Finally, the third part starts by introducing OpenSSO and continues by guiding you through OpenSSO features, installation, and configuration, and how you can use it to secure Java EE applications in general and web services in particular. Identity federation and SSO are discussed in the last chapter of the book along with a working sample.

    Inspired by real development cases, this practical guide shows you how to secure a GlassFish installation and how to develop applications with secure authentication based on GlassFish, Java EE, and OpenSSO capabilities.

    Table of Contents

    1. GlassFish Security
      1. GlassFish Security
      2. Credits
      3. About the Author
      4. About the Reviewers
      5. Preface
        1. What this book covers
        2. Conventions
        3. Reader feedback
        4. Customer support
          1. Errata
          2. Piracy
          3. Questions
      6. 1. Java EE Security Model
        1. Overview of Java EE architecture
        2. Understanding a typical Java EE application
        3. Accessing protected resource inside a Web module
          1. Deployment descriptors
          2. Understanding Java EE security terms
          3. Defining constraints on resources
          4. Authenticating and authorizing users
            1. Adding authentication to a Web application
            2. Authorizing using deployment descriptor
          5. Managing session information
          6. Adding transport security
          7. Using programmatic security in web applications
          8. Using security annotations
        4. Understanding the EJB modules
          1. Securing EJB modules using annotations
          2. Mapping roles to principals and groups
          3. Accessing the security context programmatically
          4. Using EJB interceptors for auditing and security purposes
          5. Enforcing authentication in EJB modules
        5. Understanding the application client module
        6. Declaring security roles in Application level
        7. Summary
      7. 2. GlassFish Security Realms
        1. Security realms
          1. Authenticating using security realms
          2. Reusing security assets
        2. GlassFish security realms
          1. Administrating security realms
          2. Creating a file realm
          3. Creating the JDBC realm
          4. Using the LDAP realm to secure web applications
            1. Downloading and installing OpenDS 2.2
            2. Creating the LDAP realm
              1. Configuring the GlassFish LDAP realm for Microsoft Active Directory
          5. Creating the certificate realm
            1. Public key cryptography
            2. Digital signature
            3. Key stores and trust stores
            4. Managing certificates
              1. Listing the content of keystore.jks and cacert.jks
              2. Obtaining and installing a valid certificate
          6. Creating the Solaris realm
          7. Developing custom realms
            1. Developing the custom realm
              1. Implementing a JAAS LoginModule
              2. Implementing a realm class
            2. Installing and configuring
        3. Adding a custom authentication method to GlassFish
        4. Summary
      8. 3. Designing and Developing Secure Java EE Applications
        1. Understanding the sample application
        2. Analyzing sample application business logic
        3. Implementing the Business and Persistence layers
          1. Implementing the Persistence layer
        4. Developing the Presentation layer
          1. Implementing the Conversion GUI
            1. Implementing the Converter servlet
            2. Implementing the authentication frontend
              1. Implementing a login page
              2. Implementing a logout page
              3. Implementing a login error page
              4. Implementing an access restricted page
            3. Configuring deployment descriptors
            4. Specifying the security realm
        5. Deploying the application client module in the Application Client Container
          1. Configuring Application Client Container security
        6. Summary
      9. 4. Securing GlassFish Environment
        1. Securing a host operating system
          1. Defining security at the OS level
            1. Creating the installation directory
            2. Creating the GlassFish user
            3. Logging in as a GlassFish user
            4. Restricting access to the filesystem
            5. Restricting access to network interfaces
            6. Restricting access to ports
            7. Enforcing storage usage limitation
          2. Implementing restrictions in the application server level
            1. Securing the Java Runtime environment from unprivileged access
            2. Implementing the policy manager
            3. Securing the GlassFish using security manager
              1. Defining security policy in platform policy file
              2. Introducing the GlassFish policy file
              3. Applying policies on deployed applications separately
            4. Alternative container policy providers
        2. Estimating security risks: Auditing
          1. Enabling the default auditing module
          2. Developing custom auditing modules
        3. Summary
      10. 5. Securing GlassFish
        1. Administrating GlassFish
          1. Using CLI for administration tasks
            1. Implementing security in CLI
              1. The asadmin and administration credentials
              2. Protecting GlassFish domain using master password
              3. Changing passwords
              4. Protecting passwords with encryption
              5. Securing the CLI communication channel
        2. Securing different network listeners
          1. Securing HTTP listeners
          2. Securing ORB listeners
          3. Securing JMX listeners
        3. Hosting multiple domains using one IP
        4. Sharing security context between different applications using SSO
          1. Enabling SSO in virtual server
        5. Summary
      11. 6. Introducing OpenDS: Open Source Directory Service
        1. Storing hierarchical information: Directory services
          1. Connecting directory services to software systems
        2. Introducing OpenDS
          1. Understanding OpenDS backend and services
        3. Installing and administrating OpenDS
          1. Installing OpenDS and DSML gateway
            1. Understanding the system requirements
            2. Downloading and installing OpenDS server
            3. Studying the OpenDS directory structure
            4. Installing and configuring the DSML gateway
              1. Testing the DSML Gateway
        4. Administrating and managing OpenDS
          1. Importing and exporting data
            1. Importing LDIF files
            2. Exporting database content into LDIF file
          2. Backing up and restoring data
            1. Creating a backup of OpenDS data
            2. Restoring server state using backups
          3. Enabling JMX Connection Handler
        5. Embedding OpenDS
          1. Benefits of embedded mode capability of OpenDS
          2. Preparing the environment
        6. Replicating Directory Information Tree (DIT)
          1. OpenDS replication mechanism
          2. Setting up an Asynchronous replication infrastructure
        7. Summary
      12. 7. OpenSSO, the Single sign-on Solution
        1. What is SSO
        2. What is OpenSSO
          1. OpenSSO functionalities
            1. Controlling user access
            2. Federation Management
            3. Identity Web Services
            4. OpenSSO architecture
            5. OpenSSO realms
          2. Installing OpenSSO in GlassFish
          3. Configuring OpenSSO for authentication and authorization
        3. Authentication chaining
          1. Realm Authentication
          2. User Authentication
        4. Securing our applications using OpenSSO
          1. Authenticating users by the RESTful interface
          2. Authorizing using REST
          3. SSO using REST
        5. Summary
      13. 8. Securing Java EE Applications using OpenSSO
        1. Understanding Policy Agents
          1. Specifying access privileges by defining policies
          2. Protecting diverse types of containers using Policy Agents
          3. Working of OpenSSO agents
            1. Protecting different types of resources
          4. Exploring outstanding features of Policy Agents
            1. Managing Centralized Agent Configuration
            2. Managing agents in groups
            3. Applying agents configuration on-the-fly
            4. Having more control over the installation process
        2. Installing J2EE Agent 3.0 for GlassFish
          1. Placing the sample application under OpenSSO protection
            1. Changing sample application descriptor files
            2. Configuring the agent to protect the sample application
            3. Defining access rules
        3. Summary
      14. 9. Securing Web Services by OpenSSO
        1. Java EE and Web Services security
          1. Securing Web Services in a Web module
          2. Web Services security in EJB modules
          3. EJB-based Web Services authentication in GlassFish
        2. Understanding Web Services security
          1. Understanding SOAP message structure
        3. Developing secure Web Services
        4. Downloading and installing Web Services security agents
          1. Creating a Web Service Client profile
          2. Creating a Web Service Provider profile
        5. Securing the Echo Web Service
          1. Developing an Echo Service Consumer
          2. Authenticating a service call using WSP
            1. Configuring WSP for enforcing authentication
            2. Configuring WSC to support authentication
        6. Summary