Securing Application Clients - The Java EE 5 Tutorial
Securing Application Clients
The Java EE authentication requirements for application clients are the same as for other Java EE components, and the same authentication techniques can be used as for other Java EE application components.
No authentication is necessary when accessing unprotected web resources. When accessing protected web resources, the usual varieties of authentication can be used, namely HTTP basic authentication, SSL client authentication, or HTTP login form authentication. These authentication methods are discussed in Specifying an Authentication Mechanism.
Authentication is required when accessing protected enterprise beans. The authentication mechanisms for enterprise beans are discussed in Securing Enterprise Beans. Lazy authentication can be used.
An application client makes use of an authentication service provided by the application client container for authenticating its users. The container’s service can be integrated with the native platform’s authentication system, so that a single sign-on capability is employed. The container can authenticate the user when the application is started, or it can use lazy authentication, authenticating the user when a protected resource is accessed.
An application client can provide a class to gather authentication data. If so, the javax.security.auth.callback.CallbackHandler interface must be implemented, and the class name must be specified in its deployment descriptor. The application’s callback handler must fully support Callback objects specified in the javax.security.auth.callback package. Gathering authentication data in this way is discussed in the next section, Using Login Modules.
Using Login Modules
An application client can use the Java Authentication and Authorization Service (JAAS) to create login modules for authentication. A JAAS-based application implements the javax.security.auth.callback.CallbackHandler interface so that it can interact with users to enter specific authentication data, such as user names or passwords, or to display error and warning messages.
Applications implement the CallbackHandler interface and pass it to the login context, which forwards it directly to the underlying login modules. A login module uses the callback handler both to gather input (such as a password or smart card PIN) from users and to supply information (such as status information) to users. Because the application specifies the callback handler, an underlying login module can remain independent of the various ways that applications interact with users.
For example, the implementation of a callback handler for a GUI application might display a window to solicit user input. Or the implementation of a callback handler for a command-line tool might simply prompt the user for input directly from the command line.
The login module passes an array of appropriate callbacks to the callback handler’s handle method (for example, a NameCallback for the user name and a PasswordCallback for the password); the callback handler performs the requested user interaction and sets appropriate values in the callbacks. For example, to process a NameCallback, the CallbackHandler might prompt for a name, retrieve the value from the user, and call the setName method of the NameCallback to store the name.
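The following command-line callback handler is an added example, not code from the tutorial or from the application client container; the class name ConsoleCallbackHandler is hypothetical. It shows the handle method contract described above: fill in NameCallback and PasswordCallback, print TextOutputCallback messages, and reject any callback it does not understand with UnsupportedCallbackException rather than silently returning empty credentials.

```java
import java.io.Console;
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.TextOutputCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

/**
 * Hypothetical command-line CallbackHandler for an application client.
 * The login module hands it an array of callbacks; it fills in the ones it
 * understands and rejects the rest so the login module fails loudly.
 */
public class ConsoleCallbackHandler implements CallbackHandler {

    @Override
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        Console console = System.console();
        if (console == null) {
            // No interactive terminal (IDE, pipe): fail the login instead of
            // reading credentials from an echoing or non-interactive stream.
            throw new IOException("no console available for interactive login");
        }
        for (Callback cb : callbacks) {
            if (cb instanceof TextOutputCallback) {
                // Status, warning, or error text supplied by the login module.
                TextOutputCallback toc = (TextOutputCallback) cb;
                String level = toc.getMessageType() == TextOutputCallback.ERROR ? "ERROR"
                        : toc.getMessageType() == TextOutputCallback.WARNING ? "WARNING" : "INFO";
                console.printf("[%s] %s%n", level, toc.getMessage());
            } else if (cb instanceof NameCallback) {
                NameCallback nc = (NameCallback) cb;
                String name = console.readLine("%s", nc.getPrompt());
                nc.setName(name == null ? "" : name.trim());
            } else if (cb instanceof PasswordCallback) {
                PasswordCallback pc = (PasswordCallback) cb;
                // readPassword() does not echo; setPassword() stores a clone, so
                // wipe the local copy. The module clears its copy via clearPassword().
                char[] pw = console.readPassword("%s", pc.getPrompt());
                pc.setPassword(pw);
                if (pw != null) Arrays.fill(pw, '\0');
            } else {
                // Unknown callback type: let the login module report it.
                throw new UnsupportedCallbackException(cb, "unrecognized callback");
            }
        }
    }
}
```

The class name is what goes in the application client deployment descriptor as the callback handler, as described in the previous section.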
For more information on using JAAS for login modules for authentication, refer to the following sources:
- Java Authentication and Authorization Service (JAAS) in Java Platform, Standard Edition
- Java Authentication and Authorization Service (JAAS) Reference Guide
- Java Authentication and Authorization Service (JAAS): LoginModule Developer’s Guide
Links to this information are provided in Further Information about Security.
Using Programmatic Login
Programmatic login enables the client code to supply user credentials. If you are using an EJB client, you can use the com.sun.appserv.security.ProgrammaticLogin class with its convenient login and logout methods.
Because programmatic login is specific to a server, information on programmatic login is not included in this document.
Copyright © 2010, Oracle and/or its affiliates. All rights reserved. Legal Notices