Overview of Web Application Security
Working with Security Roles
Declaring Security Roles
Specifying Security Roles
Mapping Security Roles to Enterprise Server Groups
Checking Caller Identity Programmatically
Declaring and Linking Role References
Declaring Roles
Defining Security Requirements for Web Applications
Declaring Security Requirements Using Annotations
Using the @DeclareRoles Annotation
Controlling Access
Mapping Access Control Annotations to Security Constraints in Deployment Descriptors
Using the @RunAs Annotation
Declaring Security Requirements Programmatically
Declaring Security Requirements in a Deployment Descriptor
Specifying Security Constraints
Specifying a Secure Connection
Specifying an Authentication Mechanism
HTTP Basic Authentication
Form-Based Authentication
HTTPS Client Authentication
Digest Authentication
Examples: Securing Web Applications
Example: Using Form-Based Authentication with a JSP Page
Creating a Web Client for Form-Based Authentication
Creating the Login Form and the Error Page
Specifying a Security Constraint
Adding Authorized Roles and Users
Mapping Application Roles to Enterprise Server Groups
Building, Packaging, and Deploying the Form-Based Authentication Example Using NetBeans IDE
Building, Packaging, and Deploying the Form-Based Authentication Example Using Ant
Testing the Form-Based Authentication Web Client
Example: Basic Authentication with a Servlet
Declaring Security Roles
Specifying the Security Constraint
Adding Authorized Roles and Users
Mapping Application Roles to Enterprise Server Groups
Building, Packaging, and Deploying the Servlet Basic Authentication Example Using NetBeans IDE
Building, Packaging, and Deploying the Servlet Basic Authentication Example Using Ant
Running the Basic Authentication Servlet
Troubleshooting the Basic Authentication Example
Example: Basic Authentication with JAX-WS
Annotating the Service
Adding Security Elements to the Deployment Descriptor
Linking Roles to Groups
Building and Deploying helloservice with Basic Authentication Using NetBeans IDE
Building and Deploying helloservice with Basic Authentication Using Ant
Building and Running the helloservice Client Application with Basic Authentication Using NetBeans IDE
Building and Running the helloservice Client Application with Basic Authentication Using Ant
Chapter 22 Securing Web Applications

Web applications contain resources that can be accessed by many users. These resources often traverse unprotected, open networks, such as the Internet. In such an environment, a substantial number of web applications will require some type of security. The ways to implement security for Java EE web applications are discussed in a general way in Securing Containers. This chapter provides more detail and a few examples that explore these security services as they relate to web components.

Java EE security services can be implemented for web applications in the following ways:
Metadata annotations (or simply, annotations) are used to specify information about security within a class file. When the application is deployed, this information can either be used by or overridden by the application deployment descriptor. New in Java EE 6 and Servlet specification 3.0, the @RolesAllowed, @DenyAll, @PermitAll, and @TransportProtected annotations are supported for Servlets.
Declarative security expresses an application’s security structure, including security roles, access control, and authentication requirements in a deployment descriptor, which is external to the application. By using annotations, deployment descriptors for an application are simplified. With the addition of the authenticate, login, and logout methods to the Servlet specification, a web.xml file is no longer required for web applications, but may still be used to further specify security requirements beyond the basic default values. Any values explicitly specified in the deployment descriptor override any values specified in annotations.
Programmatic security is embedded in an application and is used to make security decisions. Programmatic security is useful when declarative security alone is not sufficient to express the security model of an application. New in Java EE 6 and Servlet specification 3.0 are the authenticate, login, and logout methods of the HttpServletRequest interface.
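The following servlet, added here as an illustration and not taken from the tutorial's own examples, combines the annotation-based and programmatic approaches listed above: the Servlet 3.0 @ServletSecurity annotation declares the transport requirement, while authenticate(), login(), logout(), getUserPrincipal(), and isUserInRole() on HttpServletRequest handle identity at runtime. The servlet name, the /account/* path, and the "approver" role are assumed for the example.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Declarative part via annotation: the container must require HTTPS for this
// servlet. A <security-constraint> in web.xml covering /account/* overrides it.
@WebServlet("/account/*")
@ServletSecurity(@HttpConstraint(transportGuarantee = TransportGuarantee.CONFIDENTIAL))
public class AccountServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Programmatic part: authenticate() invokes the container's configured login
        // mechanism if the caller has no identity; false means a challenge was sent.
        if (!req.authenticate(resp)) {
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Caller: " + req.getUserPrincipal().getName());
        // "approver" is an application role (assumed name); the deployer maps it
        // to a server group, and isUserInRole() is answered against that mapping.
        resp.getWriter().println("Can approve: " + req.isUserInRole("approver"));
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("logout".equals(req.getParameter("action"))) {
            req.logout();                   // drop the caller's identity
            req.getSession().invalidate();  // and any session state with it
            resp.sendRedirect(req.getContextPath() + "/");
            return;
        }
        try {
            // login() checks credentials against the container's realm without
            // a redirect; a bad username or password raises ServletException.
            req.login(req.getParameter("username"), req.getParameter("password"));
            resp.sendRedirect(req.getRequestURI());
        } catch (ServletException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Login failed");
        }
    }
}
```

Because no rolesAllowed value is set on the annotation, the container admits all callers over HTTPS and the servlet decides access itself; adding rolesAllowed would move that decision back to the container before doGet runs.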
Some of the material in this chapter assumes that you have already read Chapter 19, Introduction to Security in the Java EE Platform. This chapter also assumes that you are familiar with the web technologies discussed in Chapter 3, Getting Started with Web Applications, Chapter 4, Java Servlet Technology, and Chapter 5, JavaServer Faces Technology.
The material in The Java EE 6 Tutorial, Volume I is copyright-protected and may not be published in other works without express written permission from Sun Microsystems.