Chapter 9. Security
If you've worked through all the previous chapters, you have a fully functional vertical slice of the JAW Motors application that allows you to run a credit check and view, add, edit (update), delete, and buy cars. Although this works, there's a gaping hole: anyone with a browser who knows the application's URL can modify JAW Motors' inventory. So we need to add security to the application. In this chapter, we'll secure the "Car Inventory" and "Add/Edit Car" pages so that only authorized users can modify cars in the inventory. We won't secure the "Buy Car" or "Run Credit Check" pages (and their underlying functionality) because we still want all users to be able to buy a car or run a credit check without having to log in. We'll discuss J2EE web-based security, Java Authentication & Authorization Service (JAAS), and EJB security. Along the way we'll show how to deploy these security mechanisms on JBoss.
J2EE Security
Security is an important part of J2EE application architecture because the J2EE components and tiers used in a system's architecture determine the choice of security technologies. If an application uses only web-based technologies, then it only needs to restrict access to JSPs, Servlets, and so on. But EJBs are now part of the JAW Motors architecture, so they must be protected as well. The system must create a security context that encompasses the entire J2EE stack from frontend web pages to backend business logic ...
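To make the split described above concrete, here is an added example (not the book's own deployment descriptor) of a web.xml fragment that puts the "Car Inventory" and "Add/Edit Car" pages behind a role while leaving "Buy Car" and "Run Credit Check" open. The URL patterns, the role name, the realm name and the login page are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the book. Paths, role and realm are assumed. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Only the inventory-modifying pages are constrained. Buy Car and
       Run Credit Check are deliberately absent, so they stay reachable
       without logging in, as the chapter intends. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Car Inventory Administration</web-resource-name>
      <url-pattern>/inventory/*</url-pattern>      <!-- assumed: Car Inventory -->
      <url-pattern>/car/edit/*</url-pattern>       <!-- assumed: Add/Edit Car -->
      <!-- No <http-method> elements on purpose: naming only GET and POST
           would leave every other HTTP verb unconstrained. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- Only members of this (assumed) role may modify inventory. -->
      <role-name>Manager</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Form-based login; the realm name maps to a JAAS login module
       configured on the JBoss side. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>JawMotorsRealm</realm-name>       <!-- assumed -->
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>        <!-- assumed -->
      <form-error-page>/loginError.jsp</form-error-page>   <!-- assumed -->
    </form-login-config>
  </login-config>

  <!-- Every role referenced in an auth-constraint must be declared here. -->
  <security-role>
    <role-name>Manager</role-name>
  </security-role>

</web-app>
```

This constraint only guards the web tier: an EJB exposing the same inventory operations is still callable directly unless its methods carry matching method-permission entries in ejb-jar.xml, which is why the chapter treats EJB security as part of the same security context.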