Securing Enterprise Information Systems Applications (original) (raw)

Document Information

Preface

Part I Introduction

1. Overview

2. Using the Tutorial Examples

Part II The Web Tier

3. Getting Started with Web Applications

4. JavaServer Faces Technology

5. Introduction to Facelets

6. Expression Language

7. Using JavaServer Faces Technology in Web Pages

8. Using Converters, Listeners, and Validators

9. Developing with JavaServer Faces Technology

10. JavaServer Faces Technology: Advanced Concepts

11. Using Ajax with JavaServer Faces Technology

12. Composite Components: Advanced Topics and Example

13. Creating Custom UI Components and Other Custom Objects

14. Configuring JavaServer Faces Applications

15. Java Servlet Technology

16. Uploading Files with Java Servlet Technology

17. Internationalizing and Localizing Web Applications

Part III Web Services

18. Introduction to Web Services

19. Building Web Services with JAX-WS

20. Building RESTful Web Services with JAX-RS

21. JAX-RS: Advanced Topics and Example

Part IV Enterprise Beans

22. Enterprise Beans

23. Getting Started with Enterprise Beans

24. Running the Enterprise Bean Examples

25. A Message-Driven Bean Example

26. Using the Embedded Enterprise Bean Container

27. Using Asynchronous Method Invocation in Session Beans

Part V Contexts and Dependency Injection for the Java EE Platform

28. Introduction to Contexts and Dependency Injection for the Java EE Platform

29. Running the Basic Contexts and Dependency Injection Examples

30. Contexts and Dependency Injection for the Java EE Platform: Advanced Topics

31. Running the Advanced Contexts and Dependency Injection Examples

Part VI Persistence

32. Introduction to the Java Persistence API

33. Running the Persistence Examples

34. The Java Persistence Query Language

35. Using the Criteria API to Create Queries

36. Creating and Using String-Based Criteria Queries

37. Controlling Concurrent Access to Entity Data with Locking

38. Using a Second-Level Cache with Java Persistence API Applications

Part VII Security

39. Introduction to Security in the Java EE Platform

40. Getting Started Securing Web Applications

41. Getting Started Securing Enterprise Applications

42. Java EE Security: Advanced Topics

Working with Digital Certificates

Creating a Server Certificate

To Use keytool to Create a Server Certificate

Adding Users to the Certificate Realm

Using a Different Server Certificate with the GlassFish Server

To Specify a Different Server Certificate

Authentication Mechanisms

Client Authentication

Mutual Authentication

Enabling Mutual Authentication over SSL

Creating a Client Certificate for Mutual Authentication

Using Form-Based Login in JavaServer Faces Web Applications

Using j_security_check in JavaServer Faces Forms

Using a Managed Bean for Authentication in JavaServer Faces Applications

Using the JDBC Realm for User Authentication

To Configure a JDBC Authentication Realm

Securing HTTP Resources

Securing Application Clients

Using Login Modules

Using Programmatic Login

Configuring Security Using Deployment Descriptors

Specifying Security for Basic Authentication in the Deployment Descriptor

Specifying Non-Default Principal-to-Role Mapping in the Deployment Descriptor

Further Information about Security

Part VIII Java EE Supporting Technologies

43. Introduction to Java EE Supporting Technologies

44. Transactions

45. Resources and Resource Adapters

46. The Resource Adapter Example

47. Java Message Service Concepts

48. Java Message Service Examples

49. Bean Validation: Advanced Topics

50. Using Java EE Interceptors

Part IX Case Studies

51. Duke's Bookstore Case Study Example

52. Duke's Tutoring Case Study Example

53. Duke's Forest Case Study Example

Index

In Enterprise Information Systems (EIS) applications, components request a connection to an EIS resource. As part of this connection, the EIS can require a sign-on for the requester to access the resource. The application component provider has two choices for the design of the EIS sign-on:

• Container-managed sign-on: The application component lets the container take the responsibility of configuring and managing the EIS sign-on. The container determines the user name and password for establishing a connection to an EIS instance. For more information, see Container-Managed Sign-On.
• Component-managed sign-on: The application component code manages EIS sign-on by including code that performs the sign-on process to an EIS. For more information, see Component-Managed Sign-On.

You can also configure security for resource adapters. See Configuring Resource Adapter Security.

Container-Managed Sign-On

In container-managed sign-on, an application component does not have to pass any sign-on security information to the getConnection() method. The security information is supplied by the container, as shown in the following example (the method call is highlighted inbold):

// Business method in an application component Context initctx = new InitialContext(); // Perform JNDI lookup to obtain a connection factory javax.resource.cci.ConnectionFactory cxf = (javax.resource.cci.ConnectionFactory)initctx.lookup( "java:comp/env/eis/MainframeCxFactory"); // Invoke factory to obtain a connection. The security // information is not passed in the getConnection method javax.resource.cci.Connection cx = cxf.getConnection(); ...

Component-Managed Sign-On

In component-managed sign-on, an application component is responsible for passing the needed sign-on security information for the resource to the getConnection method. For example, security information might be a user name and password, as shown here (the method call is highlighted in bold):

// Method in an application component Context initctx = new InitialContext();

// Perform JNDI lookup to obtain a connection factory javax.resource.cci.ConnectionFactory cxf = (javax.resource.cci.ConnectionFactory)initctx.lookup( "java:comp/env/eis/MainframeCxFactory");

// Get a new ConnectionSpec com.myeis.ConnectionSpecImpl properties = //..

// Invoke factory to obtain a connection properties.setUserName("..."); properties.setPassword("..."); javax.resource.cci.Connection cx = cxf.getConnection(properties); ...

Configuring Resource Adapter Security

A resource adapter is a system-level software component that typically implements network connectivity to an external resource manager. A resource adapter can extend the functionality of the Java EE platform either by implementing one of the Java EE standard service APIs, such as a JDBC driver, or by defining and implementing a resource adapter for a connector to an external application system. Resource adapters can also provide services that are entirely local, perhaps interacting with native resources. Resource adapters interface with the Java EE platform through Java EE service provider interfaces (Java EE SPI). A resource adapter that uses Java EE SPIs to attach to the Java EE platform will be able to work with all Java EE products.

To configure the security settings for a resource adapter, you need to edit the resource adapter descriptor file, ra.xml. Here is an example of the part of an ra.xml file that configures security properties for a resource adapter:

You can find out more about the options for configuring resource adapter security by reviewing as-install/lib/dtds/connector_1_0.dtd. You can configure the following elements in the resource adapter deployment descriptor file:

• Authentication mechanisms: Use the authentication-mechanism element to specify an authentication mechanism supported by the resource adapter. This support is for the resource adapter, not for the underlying EIS instance.
  There are two supported mechanism types:
  • BasicPassword, which supports the following interface:
    javax.resource.spi.security.PasswordCredential
  • Kerbv5, which supports the following interface:
    javax.resource.spi.security.GenericCredential
    The GlassFish Server does not currently support this mechanism type.
• Reauthentication support: Use the reauthentication-support element to specify whether the resource adapter implementation supports reauthentication of existing Managed-Connection instances. Options are true or false.
• Security permissions: Use the security-permission element to specify a security permission that is required by the resource adapter code. Support for security permissions is optional and is not supported in the current release of the GlassFish Server. You can, however, manually update the server.policy file to add the relevant permissions for the resource adapter.
  The security permissions listed in the deployment descriptor are different from those required by the default permission set as specified in the connector specification.
  For more information on the implementation of the security permission specification, see the security policy file documentation listed in Further Information about Security.

In addition to specifying resource adapter security in the ra.xml file, you can create a security map for a connector connection pool to map an application principal or a user group to a back-end EIS principal. The security map is usually used if one or more EIS back-end principals are used to execute operations (on the EIS) initiated by various principals or user groups in the application.

To Map an Application Principal to EIS Principals

When using the GlassFish Server, you can use security maps to map the caller identity of the application (principal or user group) to a suitable EIS principal in container-managed transaction-based scenarios. When an application principal initiates a request to an EIS, the GlassFish Server first checks for an exact principal by using the security map defined for the connector connection pool to determine the mapped back-end EIS principal. If there is no exact match, the GlassFish Server uses the wildcard character specification, if any, to determine the mapped back-end EIS principal. Security maps are used when an application user needs to execute an EIS operation that requires execution as a specific identity in the EIS.

To work with security maps, use the Administration Console. From the Administration Console, follow these steps to get to the security maps page.

1. In the navigation tree, expand the Resources node.
2. Expand the Connectors node.
3. Select the Connector Connection Pools node.
4. On the Connector Connection Pools page, click the name of the connection pool for which you want to create a security map.
5. Click the Security Maps tab.
6. Click New to create a new security map for the connection pool.
7. Type a name by which you will refer to the security map, as well as the other required information.
   Click the Help button for more information on the individual options.

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Legal Notices