Setting Security Parameters

A security role is a semantic grouping of permissions that a given type of user of the application must have in order to successfully use the application. Use the User Manager tool, enabled with the integration of JAAS API to develop and test applications under real-world security deployment requirements. This is used for testing purposes (using the XML Security Realm) enabling creation of components that can be deployed on a production-server with any realm (including LDAP, DB, Flat Files etc.).

The application assembler defines a set of security roles for an application and is composed of one or more Enterprise JavaBeans, JavaServer Pages and Servlets.

The security role needs a name (example: administrator) and a description (example: full access). Defining multiple roles is possible.

The application assembler defines method permissions for each security role declaratively in the deployment descriptor.

The deployer assigns groups, defined in the target operational environment, to the security roles stored in the deployment descriptor.

Securing Application Access

In Studio, the following four basic steps are to be followed by the user to secure the application access:

Define Security Role References for JavaServer Pages in the web.xml dialog or at packaging time.

Define Security Role References for Enterprise JavaBeans in the ejb-jar.xml dialog or at packaging time

Create Groups using the User Manager tool before deployment.

Map Security References in the application to Groups at deploy time.

Securing EJB Components

Java Modules, Ejb Modules and java archives, all make references to security roles to create a secure environment. To add security roles, use the ejb-jar.xml dialog or add it to the specific JAR at packaging time.

With security roles defined for an EJB, specify the Home and Remote Interface methods that each security role should be allowed to invoke. This is method permission. To define method permissions, use the Method Permission node in the ejb-jar.xml dialog or the specific JAR at packaging time.

The Method Permission for each bean includes a list of security roles and a list of methods. All listed security roles can invoke all listed methods.

If there are no security roles defined in the Java Module, EJB Module or JAR, then everybody has a free access to all the bean methods inside them. An assignment restricts the access to a method.

Securing Web Components

Like EJB components, define security for Web components. Follow the given steps:

Define roles Identify the different logical roles that the users of your module can assume. Add the security roles using the web.xml dialog or add it at packaging time. To add roles, click on the Security Roles node in the web.xml file or in the WAR file at packaging time. Use the Add button to add the roles and Delete button to delete the roles.

Guest, User, and Administrator. Adding roles to the module, through "Security Role" function, involves giving the role a name.

Attach resources to roles Identify the resources that are to be secured and whose access should be restricted. To do this, use the Security Role-Refs tab in the web.xml dialog or in the specific WAR file at packaging time.

Security Constraints Group resources into Collections on which the security restrictions are specified. Then group "related" resources into a security-constraint. Finally add allowed logical roles (from the set of defined roles) to the created "security-constraint". To do the above, use the Security Constraints node in the specific WAR file at packaging time. This is not allowed in the web.xml dialog.

Define login configuration Studio supports Basic and Form authentications of the login of the role that is allowed into the module. This mode of authentication uses the browser's in-built dialog to accept login and password. Use the Login Configuration node in the web.xml dialog or the specific WAR file at packaging time to do this.

Setting Security Constraints

Security constraints can be added only at packaging time and not in the web.xml file of the Web Module. To set security constraints, do the following:

War file on the Desk > Right Click > Open. This brings up the Package tool. Click on the Security Constraint node in the Package tool > Right Click > Add Security Constraints.

This adds a new security constraint to the WAR. For a security constraint to be added, login configuration needs to be defined first. A WAR can contain multiple security-constraints.

Adding Resource Collection

Click on the New button on the security constraint panel to create a new resource collection. Identify the resources that are to be secured and whose access has to be restricted. Group these "related" resources (with respect to security) into a resource-collection.

The resources can be Servlets, JavaServer Pages, HTML files, or gif images. Specify the resource as a URL pattern. For example: /admin/*

Removing Security Constraints

Security constraints that were already created can be removed. It deletes all the resource collections of that constraint.

To set the login configurations, click on the Login Configuration node in the web.xml file or in the WAR file at packaging time.

This is used to configure the authentication method and the realm name that should be used for this application, and the attributes that are needed by the form login mechanism.

Basic

Realm Name The realm name element specifies the realm name to be used in HTTP Basic authorization

Form

Login Page This defines the location in the web app where the page that can be used for login can be found

Error Page This defines the location in the web app where the error page that is displayed when login is not successful, can be found

None Choose this option if your application does not require login

Session Timeout Details The session-timeout element defines the default session timeout interval for all sessions created in this web application. The specified timeout must be expressed in a whole number of minutes. It is by default set to -1.

Creating Groups and Users

This is done using Studio's User Manager that can be operated from Studio. Groups are those that are defined in the target Server environment.

By defining users and assigning them groups, ensure that the context entered to access the Servlet through the web page remains valid through the application. All EJB methods can recognize the user that logged in through the web page and activate the appropriate method permissions to either grant or deny access - throughout the application session.

Users

When the User Manager comes up for the first time, a default user name root and password pramati are already created with administrative privileges. Use the User Manager to add and delete more users to the list.

Given a user, it is possible to view the groups that have been assigned to it. A password that the user needs to access the application can also be given. To modify any users in the list, use the Modify button.

Groups

When the User Manager comes up for the first time, one group called administrator is already added to the User Manager. Use the User Manager to add and delete more groups to/from the list. The User Manager also allows sub-groups to be added to the list. To modify these groups and sub-groups from the list, use the Modify button.

Mapping Security References to Groups

It is at deploy time that the application deployer maps the security references defined in the JARs and WARs onto groups. The available groups are defined by the User Manager tool and obtained from security service started by the Server. To map security references to groups, use the Map Security Roles node in the Deploy tool. If there is a problem in obtaining the security service from the Server, please check the Server log in /logs directory, and Server output window in Studio.