GlassFish Security - Kalali Masoud - E-Book

Description

In Detail

Security was, is, and will be one of the most important aspects of enterprise applications and one of the most challenging areas for architects, developers, and administrators. Java EE application developers must secure their enterprise applications, and GlassFish's security features are the means to do so.

Learn to secure Java EE artifacts (like Servlets and EJB methods), configure and use GlassFish JAAS modules, and establish environment and network security using this practical guide filled with examples. One of the things you will love about this book is that it covers the advantages of protecting application servers and web service providers using OpenSSO.

The book starts by introducing Java EE security in Web, EJB, and Application Client modules. Then it introduces the Security Realms provided in GlassFish, which developers and administrators can use to complete the authentication and authorization setup. In the next step, we develop a completely secure Java EE application with Web, EJB, and Application Client modules.

The next part includes a detailed and practical guide to setting up, configuring, and extending GlassFish security. This part covers everything an administrator needs to know about GlassFish security, starting from installation and operating environment security, listeners and password security, through policy enforcement, to auditing and developing new auditing modules.

Before starting the third major part of the book, we have a chapter on OpenDS discussing how to install and administer OpenDS. The chapter covers importing and exporting data, setting up replication, backup and recovery, and finally developing LDAP-based solutions using OpenDS and Java.

Finally the third part starts by introducing OpenSSO and continues with guiding you through OpenSSO features, installation, configuration and how you can use it to secure Java EE applications in general and web services in particular. Identity Federation and SSO are discussed in the last chapter of the book along with a working sample.

Inspired from real development cases, this practical guide shows you how to secure a GlassFish installation and how to develop applications with secure authentication based on GlassFish, Java EE, and OpenSSO capabilities.

Approach

Security is driven by requirements and design, and we implement security on the basis of the requirements provided by analysts. In this book, we take a programmatic approach to understanding Java EE and GlassFish security.

You will find plenty of code samples in this book. It is easy to secure your application when you have a demonstration of a complete and working application explained in the book, isn't it? Each chapter starts with the importance and relevance of the topic by introducing some Java EE applications requirement, which will encourage you to read it further.

Who this book is for

This book is for application designers, developers and administrators who work with GlassFish and are keen to understand Java EE and GlassFish security.

To take full advantage of this book, you need to be familiar with Java EE and GlassFish application servers. You will love this book if you are looking for a book that covers Java EE security and using GlassFish features to create secure Java EE applications, or to secure the GlassFish installation and operating environment and using OpenSSO.

Pages: 353

Year of publication: 2010




Table of Contents

GlassFish Security
Credits
About the Author
About the Reviewers
Preface
What this book covers
Conventions
Reader feedback
Customer support
Errata
Piracy
Questions
1. Java EE Security Model
Overview of Java EE architecture
Understanding a typical Java EE application
Accessing protected resource inside a Web module
Deployment descriptors
Understanding Java EE security terms
Defining constraints on resources
Authenticating and authorizing users
Adding authentication to a Web application
Authorizing using deployment descriptor
Managing session information
Adding transport security
Using programmatic security in web applications
Using security annotations
Understanding the EJB modules
Securing EJB modules using annotations
Mapping roles to principals and groups
Accessing the security context programmatically
Using EJB interceptors for auditing and security purposes
Enforcing authentication in EJB modules
Understanding the application client module
Declaring security roles in Application level
Summary
2. GlassFish Security Realms
Security realms
Authenticating using security realms
Reusing security assets
GlassFish security realms
Administrating security realms
Creating a file realm
Creating the JDBC realm
Using the LDAP realm to secure web applications
Downloading and installing OpenDS 2.2
Creating the LDAP realm
Configuring the GlassFish LDAP realm for Microsoft Active Directory
Creating the certificate realm
Public key cryptography
Digital signature
Key stores and trust stores
Managing certificates
Listing the content of keystore.jks and cacert.jks
Obtaining and installing a valid certificate
Creating the Solaris realm
Developing custom realms
Developing the custom realm
Implementing a JAAS LoginModule
Implementing a realm class
Installing and configuring
Adding a custom authentication method to GlassFish
Summary
3. Designing and Developing Secure Java EE Applications
Understanding the sample application
Analyzing sample application business logic
Implementing the Business and Persistence layers
Implementing the Persistence layer
Developing the Presentation layer
Implementing the Conversion GUI
Implementing the Converter servlet
Implementing the authentication frontend
Implementing a login page
Implementing a logout page
Implementing a login error page
Implementing an access restricted page
Configuring deployment descriptors
Specifying the security realm
Deploying the application client module in the Application Client Container
Configuring Application Client Container security
Summary
4. Securing GlassFish Environment
Securing a host operating system
Defining security at the OS level
Creating the installation directory
Creating the GlassFish user
Logging in as a GlassFish user
Restricting access to the filesystem
Restricting access to network interfaces
Restricting access to ports
Enforcing storage usage limitation
Implementing restrictions in the application server level
Securing the Java Runtime environment from unprivileged access
Implementing the policy manager
Securing the GlassFish using security manager
Defining security policy in platform policy file
Introducing the GlassFish policy file
Applying policies on deployed applications separately
Alternative container policy providers
Estimating security risks: Auditing
Enabling the default auditing module
Developing custom auditing modules
Summary
5. Securing GlassFish
Administrating GlassFish
Using CLI for administration tasks
Implementing security in CLI
The asadmin and administration credentials
Protecting GlassFish domain using master password
Changing passwords
Protecting passwords with encryption
Securing the CLI communication channel
Securing different network listeners
Securing HTTP listeners
Securing ORB listeners
Securing JMX listeners
Hosting multiple domains using one IP
Sharing security context between different applications using SSO
Enabling SSO in virtual server
Summary
6. Introducing OpenDS: Open Source Directory Service
Storing hierarchical information: Directory services
Connecting directory services to software systems
Introducing OpenDS
Understanding OpenDS backend and services
Installing and administrating OpenDS
Installing OpenDS and DSML gateway
Understanding the system requirements
Downloading and installing OpenDS server
Studying the OpenDS directory structure
Installing and configuring the DSML gateway
Testing the DSML Gateway
Administrating and managing OpenDS
Importing and exporting data
Importing LDIF files
Exporting database content into LDIF file
Backing up and restoring data
Creating a backup of OpenDS data
Restoring server state using backups
Enabling JMX Connection Handler
Embedding OpenDS
Benefits of embedded mode capability of OpenDS
Preparing the environment
Replicating Directory Information Tree (DIT)
OpenDS replication mechanism
Setting up an Asynchronous replication infrastructure
Summary
7. OpenSSO, the Single sign-on Solution
What is SSO
What is OpenSSO
OpenSSO functionalities
Controlling user access
Federation Management
Identity Web Services
OpenSSO architecture
OpenSSO realms
Installing OpenSSO in GlassFish
Configuring OpenSSO for authentication and authorization
Authentication chaining
Realm Authentication
User Authentication
Securing our applications using OpenSSO
Authenticating users by the RESTful interface
Authorizing using REST
SSO using REST
Summary
8. Securing Java EE Applications using OpenSSO
Understanding Policy Agents
Specifying access privileges by defining policies
Protecting diverse types of containers using Policy Agents
Working of OpenSSO agents
Protecting different types of resources
Exploring outstanding features of Policy Agents
Managing Centralized Agent Configuration
Managing agents in groups
Applying agents configuration on-the-fly
Having more control over the installation process
Installing J2EE Agent 3.0 for GlassFish
Placing the sample application under OpenSSO protection
Changing sample application descriptor files
Configuring the agent to protect the sample application
Defining access rules
Summary
9. Securing Web Services by OpenSSO
Java EE and Web Services security
Securing Web Services in a Web module
Web Services security in EJB modules
EJB-based Web Services authentication in GlassFish
Understanding Web Services security
Understanding SOAP message structure
Developing secure Web Services
Downloading and installing Web Services security agents
Creating a Web Service Client profile
Creating a Web Service Provider profile
Securing the Echo Web Service
Developing an Echo Service Consumer
Authenticating a service call using WSP
Configuring WSP for enforcing authentication
Configuring WSC to support authentication
Summary
Index

GlassFish Security

Masoud Kalali

GlassFish Security

Copyright © 2010 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, Packt Publishing, nor its dealers or distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: May 2010

Production Reference: 1030510

Published by Packt Publishing Ltd. 32 Lincoln Road Olton Birmingham, B27 6PA, UK.

ISBN 10: 1-84719-097-9

ISBN 13: 978-1-847190-97-0

www.packtpub.com

Cover Image by (<[email protected]>)

Credits

Author

Masoud Kalali

Reviewers

Arun Gupta

Gaston C. Hillar

Kumar Jayanti

Ludovic Poitou

Antonio Gomes Rodrigues

Emmanuel Venisse

Deepak Vohra

Acquisition Editor

Rashmi Phadnis

Development Editor

Reshma Sundaresan

Technical Editor

Vinodhan Nair

Copy Editor

Sanchari Mukherjee

Editorial Team Leader

Gagandeep Singh

Project Team Leader

Lata Basantani

Project Coordinator

Joel Goveya

Proofreader

Lynda Sliwoski

Indexer

Monica Ajmera Mehta

Graphics

Geetanjali Sawant

Production Coordinator

Shantanu Zagade

Cover Work

Shantanu Zagade

About the Author

Masoud Kalali has a software engineering degree and has been working on software development projects since 1998. He has experience with a variety of technologies (.NET, J2EE, CORBA, and COM+) on diverse platforms (Solaris, Linux, and Windows). His experience is in software architecture, design, and server-side development.

Masoud has several articles published on Java.net and DZone, and has authored multiple refcards published by DZone, including the Java EE security and GlassFish v3 refcards. He is one of the founding members of the NetBeans Dream Team and a GlassFish community spotlighted developer.

Masoud's main areas of research and interest include Service Oriented Architecture and large-scale systems' development and deployment. In his leisure time he enjoys photography, mountaineering and camping.

Masoud blogs on Java EE, Software Architecture and Security at http://weblogs.java.net/blog/kalali/ and you can follow him at his Twitter account at http://twitter.com/MasoudKalali.

Masoud can be reached via <[email protected]> if you have queries about the book or if you just feel like talking to him about software engineering.

About the Reviewers

Gastón C. Hillar has been working with computers since he was eight. He began programming with the legendary Texas TI-99/4A and Commodore 64 home computers in the early 80s.

He has a Bachelor's degree in Computer Science, graduated with honors, and an MBA (Master in Business Administration), graduated with an outstanding thesis.

He has worked as developer, architect, and project manager for many companies in Buenos Aires, Argentina. He was project manager in one of the most important mortgage loan banks in Latin America for several years. Now, he is an independent IT consultant working for several American, European, and Latin American companies, and a freelance author. He is always looking for new adventures around the world.

He also works with electronics (he is an electronics technician). He is always researching and writing about new technologies. He owns an IT and electronics laboratory with many servers, monitors, and measuring instruments.

He has written two books for Packt Publishing, C# 2008 and 2005 Threaded Programming: Beginner's Guide and 3D Game Development with Microsoft Silverlight 3: Beginner's Guide.

He contributes to Dr. Dobb's Go Parallel programming portal at http://www.ddj.com/go-parallel/ and is a guest blogger at Intel Software Network (http://software.intel.com).

In 2009, he was awarded as an Intel® Black Belt Software Developer.

Besides all this, he is the author of more than 40 books in Spanish about computer science, modern hardware, programming, systems development, software architecture, business applications, balanced scorecard applications, IT project management, the Internet, and electronics, published by Editorial HASA and Grupo Noriega Editores.

He usually writes articles for leading Spanish magazines Mundo Linux, Solo Programadores, and Resistor.

He lives with his wife, Vanesa, and his son, Kevin. When not tinkering with computers, he enjoys developing and playing with wireless virtual reality devices and electronics toys with his father, his son, and his nephew Nico.

You can reach him at: [email protected].

You can follow him on Twitter at: http://twitter.com/gastonhillar.

Gastón's blog is at: http://csharpmulticore.blogspot.com.

Kumar Jayanti is a staff engineer at Sun Microsystems and works on the Web Technologies and Standards team. In his current role, Kumar is the implementation lead for GlassFish v3 Security, Metro Web Services Security, and also the specification and implementation lead for the SAAJ (JSR 67). Kumar holds an M.Tech degree in Computer Science from IIT Mumbai, India. His areas of interest include distributed computing, CORBA, XML, Web Services, and Security.

Ludovic Poitou is a directory services architect at Sun Microsystems and the community manager for the OpenDS project. For the past 15 years, he's been designing and developing numerous aspects of Sun's directory products, from management tools to protocols, security and multi-master replication.

Ludovic blogs about LDAP, directory services, OpenDS, and life at http://blogs.sun.com/Ludo.

Ludovic Poitou has been a technical reviewer for the following books:

Solaris and LDAP Naming Services: Deploying LDAP in the Enterprise, by Tom Bialaski and Michael Haines, 2001, Sun Microsystems Press, a Prentice Hall Title.

LDAP in the Solaris Operating Environment: Deploying Secure Directory Services, by Michael Haines and Tom Bialaski, 2004, Sun Microsystems Press, a Prentice Hall Title.

Antonio Gomes Rodrigues earned his Master's degree from the University of Paris VII in France. Since then, he has worked in various companies with Java EE technologies in the roles of developer, technical leader, and technical manager of offshore projects.

He currently works on performance problems in Java EE applications in a specialized company.

I would like to thank my friend Nadère for his motivation and support, my girlfriend Aurélie for her patience, and my family.

Emmanuel Venisse has been developing, architecting, and integrating J2EE applications for twelve years for banks, government, holiday company projects, and so on. He has worked on several J2EE application servers such as JBoss, WebLogic, WebSphere, and more recently GlassFish. For the last five years, he has worked as a freelancer. For the last seven years, he has been working, in his spare time, on the Apache Maven, Continuum, and Archiva projects as a core developer, and he is also the Continuum project leader. He has contributed to the majority of books written about Apache Maven.

Deepak Vohra is a consultant and a principal member of the software company NuBean.com. Deepak is a Sun Certified Java Programmer and Web Component Developer, and has worked in the fields of XML and Java programming and J2EE for over five years. Deepak is the co-author of the Apress book, Pro XML Development with Java Technology and was the technical reviewer for the O'Reilly book WebLogic: The Definitive Guide. Deepak was also the technical reviewer for the Course Technology PTR book Ruby Programming for the Absolute Beginner, and the technical editor for the Manning Publications book Prototype and Scriptaculous in Action. Deepak is also the author of the Packt Publishing books JDBC 4.0 and Oracle JDeveloper for J2EE Development, and Processing XML documents with Oracle JDeveloper 11g.

To My Parents

Preface

We are living in a world full of dazzling wonders, and I for one always enjoy encountering them. Software development is one of the wonders that dazzles me because of its enormously vast domain, including many concerns and subjects of interest. Looking at this domain from any distance, we will see one big and sometimes blurry-edged spot named security.

Security, an orthogonal and inseparable part of software systems, is not about preventing others from accessing information and system resources but about allowing them access in an appropriate way: implementing the means to check precisely every attempt to access a resource, either letting it proceed or not, and recording all information related to that check for later review.

Java EE is the platform of choice for developing very large-scale applications, and provides a plethora of features for implementing security plans for applications, from dealing with identity storages and identity solutions up to GUI-level support for security concerns and integration with other security providers.

Nowadays, integration is something that we hear in every software development meeting and session independent from what the session is about. Security integration, however, is a delicate matter compared to all other issues as it deals directly with the organization's assets. Java EE design allows it to delegate its security requirements to another entity in the enterprise, like a single sign-on solution, which on the other hand can integrate with other products and platforms in use in the organization.

The GlassFish Security book is an attempt to explain this domain considering Java EE, GlassFish, and OpenSSO capabilities and features.

What this book covers

Chapter 1, Java EE Security Model, discusses how we can secure different Java applications by using the declarative security model or by using the API exposed by Java EE containers to access the security enforcement layers programmatically. It also briefly introduces Web module, EJB module, and application client module security at different levels, including authentication, authorization, and transport security.

Chapter 2, GlassFish Security Realms, discusses JAAS and the GlassFish security realms, including the File realm, JDBC realm, LDAP realm, and Certificate realm, in detail, as that will be required to develop a secure enterprise application. It also discusses the GlassFish application server's interaction with identity storages such as relational databases, Lightweight Directory Access Protocol (LDAP) servers, flat file storage, and so on.

Chapter 3, Designing and Developing Secure Java EE Applications, covers developing and deploying a secure Java EE application with all standard modules, including Web, EJB, and application client modules. It also teaches us how we can secure EJBs using annotations and then use a web frontend to call the secured EJBs after a user provides correct identification information.

Chapter 4, Securing GlassFish Environment, helps you secure your operating system and environment from unprivileged access by applications deployed in GlassFish using the OS features and Java policy management. It also covers network communication security, GlassFish password security, and finally security auditing, which is a complementary function in software security.

Chapter 5, Securing GlassFish, covers GlassFish administration security tasks such as password security and listener security. This chapter will teach you to secure GlassFish by examining the administration security, password protection, and network listener security. It also discusses the benefits of virtual servers for isolating different applications deployed in a single machine with a single IP address.

Chapter 6, Introducing OpenDS: Open Source Directory Service, teaches you about directory service and the set of features OpenDS provides—installing, administrating, and monitoring OpenDS and using OpenDS in embedded mode. This chapter teaches you to set up a replication topology to ensure service and data availability in case of unpredicted disasters.

Chapter 7, OpenSSO, the Single sign-on Solution, covers project security from an integration point of view. In this chapter you will install and configure OpenSSO and understand different methods of using OpenSSO. It also teaches you how to use the OpenSSO RESTful Web Services for authentication, authorization, and acquiring SSO tokens.

Chapter 8, Securing Java EE Applications using OpenSSO, covers OpenSSO Policy Agents, which let us as architects, system designers, and developers secure a Java EE application using OpenSSO without changing the application source code. It also discusses Policy Agent installation and administration, along with changing our sample application to place it under agent protection instead of using plain Java EE protection.

Chapter 9, Securing Web Services by OpenSSO, covers Web Services security and how we can use OpenSSO and OpenSSO agents to secure our Web Services deployed in GlassFish. It also teaches you to install OpenSSO Web Services Security Provider Agent and develop a simple, secure pair of WSP and WSC.

Conventions

In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.

Code words in text are shown as follows: "For the authentication method and a built-in realm named file as the security realm."

A block of code is set as follows:

<auth-constraint>
    <role-name>hr_management_role</role-name>
    <role-name>top_level_manager_role</role-name>
</auth-constraint>

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

<user-data-constraint>
    <description>highest supported transport security level</description>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>

Any command-line input or output is written as follows:

./start-ds
import-ldif --clearBackend --backendID userRoot --ldifFile path/to/import.ldif

New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "clicking the Next button moves you to the next screen".

Note

Warnings or important notes appear in a box like this.

Note

Tips and tricks appear like this.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.

To send us general feedback, simply send an e-mail to <[email protected]>, and mention the book title via the subject of your message.

If there is a book that you need and would like to see us publish, please send us a note in the SUGGEST A TITLE form on www.packtpub.com or e-mail <[email protected]>.

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book on, see our author guide on www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Note

Downloading the example code for the book

Visit https://www.packtpub.com//sites/default/files/downloads/9386_Code.zip to directly download the example code.

The downloadable files contain instructions on how to use them.

Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the let us know link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded on our website, or added to any list of existing errata, under the Errata section of that title. Any existing errata can be viewed by selecting your title from http://www.packtpub.com/support.

Piracy

Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at <[email protected]> with a link to the suspected pirated material.

We appreciate your help in protecting our authors, and our ability to bring you valuable content.

Questions

You can contact us at <[email protected]> if you are having a problem with any aspect of the book, and we will do our best to address it.

Chapter 1. Java EE Security Model

Java EE is the mainstream platform for implementing applications across a broad range of use cases, from a high-transaction backend for rich clients to a complex integration of web, transaction processing, and EIS integration layers.

Security is one of the main concerns of software developers, whether they work on small and mid-scale software or on large-scale, distributed software. From the smallest application to the largest, all may need a similar set of security measures such as authentication, authorization, non-repudiation, and transport security.

Java EE, as a modular platform for developing enterprise-scale applications, provides a great deal of functionality for addressing security requirements declaratively rather than through intrusive code changes.

In this chapter we will discuss how we can secure different Java applications either by describing the security model using the declarative security or by manually enforcing the security needs using the API exposed by Java EE containers to access the security enforcement layers programmatically. In Chapter 3 we will put into practice all that we will discuss in this and the next chapter to build a secure Java EE application.

A detailed list of what you will learn in this chapter is as follows:

Java EE architecture
Authentication and authorization
Transport security
Web module security
EJB module security
Programmatic and declarative security

We will discuss security annotations and programmatic security in addition to looking at security description elements, which we can include in the deployment descriptors.

Overview of Java EE architecture

Java EE platform is the dominant platform for developing enterprise-scale applications and in the past three years developers have started looking at Java EE for developing small and mid-scale applications.

We can define Java EE as a set of libraries and tools developed on top of what Java SE provides as a language and platform. A Java EE application usually consists of three different modules: the Web module and the EJB module, which reside on the server, and the Application Client Module, which is designated for client applications. Each module is assembled from different components and deployed in a designated container or server. These containers are well integrated with each other and form the Java EE application server.

Note

We have another type of module called the connector module; we will not include it in our discussion as it is not widely used compared to the three other module types. The connector module allows developers to connect different application servers together or to connect application servers to EIS systems.

Each of these containers provides a unique set of functionalities in the overall application server architecture. We may use one or two types of containers to form our application without involving the other containers.

Understanding a typical Java EE application

We briefly discussed the Java EE architecture and we said it consists of three main modules which are deployed in different application server containers. The Web module running inside the Web container sits in front of an EJB module deployed in the EJB (Enterprise Java Beans) container. The EJB module drives the system's business logic and provides transaction processing capabilities. This middle layer, which is formed by EJBs, may interact with a database or any other EIS (Enterprise Information System) through a connector module.

The last module is the application client module, a Java-based client application that directly interacts with the middle layer through a specific container named the Application Client Container (ACC). The following diagram shows a Java EE application which uses the Web, EJB, and Application Client Containers.

The previous figure assumes that no security measure is applied to user interaction with the application or to the interactions between different application modules. Each of these modules can be deployed independently, or one or more of them can be included in a larger logical bundle named an Enterprise Application Archive (EAR) and deployed together into the application server. The application server will decompose the archive and deploy each module into its designated container.

Each Java EE application, depending on which set of modules it uses, can have as few as one deployment descriptor or as many as half a dozen. The deployment descriptors basically instruct the application server on how to deal with the application components. The following figure illustrates the location and names of the deployment descriptors for a typical Java EE application designated for the GlassFish application server.

As you can see we have files with similar names, one without the sun- prefix and one with the prefix.

Files without the prefix are standard to Java EE and use the same schema across all Java EE application servers. These standard files deal with the configuration elements of a Java EE application and have nothing to do with the container the application is going to be deployed into. For example, the definition of a Servlet, a Servlet filter, an EJB, or an EJB security constraint, among others, can be a configuration element of the standard deployment descriptors.

The files prefixed with sun- specify the application server-specific configurations related to the application components. For example, mapping Java EE security roles to application server-specific groups and principals is one of the functions of these files.
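Here is an added example, not code from the book or from the GlassFish project, that shows how the two descriptor types combine at request time. It parses a constructed web.xml security-constraint set and a constructed sun-web.xml role mapping with Python's standard library, applies the Servlet specification's processing rules (best-matching url-pattern first, then only the constraints on that pattern that cover the request's HTTP method, transport guarantee before authentication, an empty auth-constraint denies everyone) and reports what the container would do. The descriptor contents, the user names, and the group names are invented for the example; the role names are the ones the Conventions section quotes.

```python
"""Added example: how a Java EE container combines web.xml security constraints
with a GlassFish sun-web.xml role mapping. Descriptors, users and groups are
constructed for illustration and are not taken from the book."""
import xml.etree.ElementTree as ET

# Constructed web.xml fragment for a hypothetical HR application.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><web-resource-name>HR pages</web-resource-name>
      <url-pattern>/hr/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>hr_management_role</role-name>
      <role-name>top_level_manager_role</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>Admin delete</web-resource-name>
      <url-pattern>/hr/admin/*</url-pattern><http-method>DELETE</http-method></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

# Constructed sun-web.xml fragment: Java EE roles mapped to realm groups/principals.
SUN_WEB_XML = """<sun-web-app>
  <security-role-mapping><role-name>hr_management_role</role-name>
    <group-name>hr-managers</group-name></security-role-mapping>
  <security-role-mapping><role-name>top_level_manager_role</role-name>
    <group-name>executives</group-name><principal-name>ceo</principal-name></security-role-mapping>
</sun-web-app>"""


def pattern_rank(pattern, path):
    """Rank a url-pattern match: exact > longest path prefix > extension > default '/'."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    if pattern == "/":
        return (0, 0)
    return None


def parse_constraints(web_xml):
    """roles=None means no auth-constraint (open); roles=[] means an empty one (deny all)."""
    constraints = []
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        patterns, methods = [], []
        for wrc in sc.findall("web-resource-collection"):
            patterns += [p.text.strip() for p in wrc.findall("url-pattern")]
            methods += [m.text.strip().upper() for m in wrc.findall("http-method")]
        ac = sc.find("auth-constraint")
        roles = None if ac is None else [r.text.strip() for r in ac.findall("role-name")]
        guarantee = sc.find("user-data-constraint/transport-guarantee")
        confidential = guarantee is not None and guarantee.text.strip() != "NONE"
        constraints.append({"patterns": patterns, "methods": methods,
                            "roles": roles, "confidential": confidential})
    return constraints


def roles_of(sun_web_xml, user, groups):
    """Roles granted to a caller through sun-web.xml group-name / principal-name mappings."""
    granted = set()
    for m in ET.fromstring(sun_web_xml).findall("security-role-mapping"):
        mapped_groups = {g.text.strip() for g in m.findall("group-name")}
        principals = {p.text.strip() for p in m.findall("principal-name")}
        if user in principals or mapped_groups & set(groups):
            granted.add(m.find("role-name").text.strip())
    return granted


def decide(path, method, user=None, groups=(), https=False,
           web_xml=WEB_XML, sun_web_xml=SUN_WEB_XML):
    """Return ALLOW, DENY, AUTHENTICATE or REDIRECT_TO_HTTPS for one request."""
    constraints = parse_constraints(web_xml)
    best, best_rank = None, None
    for c in constraints:
        for p in c["patterns"]:
            rank = pattern_rank(p, path)
            if rank is not None and (best_rank is None or rank > best_rank):
                best, best_rank = p, rank
    if best is None:
        return "ALLOW"                      # no constraint names this resource
    applicable = [c for c in constraints if best in c["patterns"]
                  and (not c["methods"] or method.upper() in c["methods"])]
    if not applicable:
        return "ALLOW"                      # method uncovered on the best-matching pattern
    if all(c["confidential"] for c in applicable) and not https:
        return "REDIRECT_TO_HTTPS"          # transport guarantee is enforced before login
    if any(c["roles"] is None for c in applicable):
        return "ALLOW"                      # a constraint without auth-constraint opens it
    if any(c["roles"] == [] for c in applicable):
        return "DENY"                       # empty auth-constraint: nobody may access
    if user is None:
        return "AUTHENTICATE"
    allowed = set().union(*(c["roles"] for c in applicable))
    granted = roles_of(sun_web_xml, user, groups)
    return "ALLOW" if (allowed & granted) or ("*" in allowed and granted) else "DENY"
```

Calling decide("/hr/payroll", "GET", user="alice", groups=["hr-managers"], https=True) returns ALLOW because the hr-managers group is mapped to hr_management_role in sun-web.xml, while a user in an unmapped group is denied. The case worth remembering is decide("/hr/admin/report", "GET"), which returns ALLOW over plain HTTP: the more specific /hr/admin/* pattern wins the match, but its only constraint covers DELETE, so GET on that pattern is unconstrained even though /hr/* requires a role and HTTPS. This is exactly the gap that the deny-uncovered-http-methods element, added in Servlet 3.1 after this book was written, exists to close; on the Servlet 3.0 containers the book targets, never restrict http-method on a pattern unless every method you care about is covered by some constraint on that same pattern.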

Note

Web browsers are the most common clients for Java EE applications, and a fair deal of effort is devoted to securing and facilitating access to Java EE applications through the browser without involving application client modules.