We are living in a world full of dazzling wonders, and ifor one always enjoy
encountering them. Software development is one of the wonders that dazzles me because
of its enormously vast domain, including many concerns and subjects of interest. Looking
at this domain from any distance, we will see one big and sometimes blurry-edged spot
Security, an orthogonal and inseparable part of software systems, is not for preventing
others from accessing some information and system resources but for allowing them
access in an appropriate way, by implementing necessary means to precisely check any
attempt to access a resource and either allow it to go further or not and record all
information related to examining this attempt for further review.
Java EE is the platform of choice for developing enormously large-scale applications, and
provides plethora of features for implementing security plans for applications, starting
from dealing with identity storages and identity solutions up to providing GUI-level
support for security concerns and integration with other security providers.
Nowadays, integration is something that we hear in every software development meeting
and session independent from what the session is about. Security integration, however, is
a delicate matter compared to all other issues as it deals directly with the organization’s
assets. Java EE design allows it to delegate its security requirements to another entity in
the enterprise, like a single sign-on solution, which on the other hand can integrate with
other products and platforms in use in the organization.
The GlassFish Security book is an attempt to explain this domain considering Java EE,
GlassFish, and OpenSSO capabilities and features.
What This Book Covers
Chapter 1, Java EE Security Model, discusses how we can secure different Java
applications by using the declarative security model or by using the APiexposed by Java
EE containers to access the security enforcement layers programmatically. It also briefl y
introduces Web modules, EJB modules, and application client module’s security in
different levels, including authentication, authorization, and transport security.
Chapter 2, GlassFish Security Realms, discusses JAAS and GlassFish security realm,
including File realm, JDBC realm, LDAP realm, and Certificate realm in detail as that
will be required to develop a secure enterprise application. It also discusses GlassFish
application server interaction with identity storages such as relational databases,
Lightweight Directory Access Protocol (LDAP) servers, fl at file storage, and so on.
Chapter 3, Designing and Developing Secure Java EE Applications, covers developing
and deploying a secure Java EE application with all standard modules including Web,
EJB, and application client modules. It also teaches us how we can secure EJBs using
annotation and then use a web frontend to use the secured EJBs after a user provides
correct identification information.
Chapter 4, Securing GlassFish Environment, helps you secure your operating system and
environment from unprivileged access by applications deployed in GlassFish using the
OS features and Java policy management. It also covers network communication
security, GlassFish password security, and finally security auditing, which is a
complementary function in software security.
Chapter 5, Securing GlassFish, covers GlassFish administration security tasks such as
password security and listener security. This chapter will teach you to secure GlassFish
by examining the administration security, password protection, and network listener
security. It also discusses the benefits of virtual servers for isolating different applications
deployed in a single machine with a single IP address.
Chapter 6, Introducing OpenDS: Open Source Directory Service, teaches you about
directory service and the set of features OpenDS provides—installing, administrating,
and monitoring OpenDS and using OpenDS in embedded mode. This chapter teaches you
to set up a replication topology to ensure service and data availability in case of
Chapter 7, OpenSSO, the Single sign-on Solution, covers projects security from an
integration point of view. In this chapter you will install and configure OpenSSO and
understand different methods of using OpenSSO. It also teaches you how to use
OpenSSO RESTful Web Services for authentication, authorization, and acquiring SSO
Chapter 8, Securing Java EE Applications using OpenSSO, covers OpenSSO Policy
Agents that let us as architects, system designers, and developers secure a Java EE
application using OpenSSO without changing the application source code. It also
discusses about Policy Agents, Policy Agent’s installation, and administration, along with
changing our sample application to place it under agent protection instead of using plain
Java EE protection.
Chapter 9, Securing Web Services by OpenSSO, covers Web Services security and how
we can use OpenSSO and OpenSSO agents to secure our Web Services deployed in
GlassFish. It also teaches you to install OpenSSO Web Services Security Provider Agent
and develop a simple, secure pair of WSP and WSC.
Designing and Developing Secure Java EE Applications
In previous chapters we discussed how we can utilize Java EE capabilities to secure
our Java EE applications. In this chapter, we are going to put what we learned
into practice and develop a secure Java EE application with all standard modules
including Web, EJB, and application client modules.
Security is an orthogonal concern for an application and we should assess it right
from the start by reviewing the analysis we receive from business and functional
analysts. Assessing the security requirements results in understanding the
functionalities we need to include in our architecture to deliver a secure
application covering the necessary requirements.
Security necessities can include a wide area of requirements, which may vary from
a simple authentication to several sub-systems. A list of these sub-systems includes
identity and access management system and transport security, which can include
encrypting data as well.
In this chapter we will develop a secure Java EE application based on Java EE and
GlassFish capabilities. In course of the chapter we will cover following topics:
- Analyzing Java EE application security requirements
- Including security requirements in Java EE application design
- Developing secure Business layer using EJBs
- Developing secure Presentation layer using JSP and Servlets
- Configuring deployment descriptors of Java EE applications
- Specifying security realm for enterprise applications
- Developing secure application client module
- Configuring Application Client Container
Understanding the sample application
The sample application that we are going to develop, converts different length
measurement units into each other. Our application converts meter to centimeter,
millimeter, and inch. The application also stores usage statistics for later use cases.
Guest users who prefer not to log in can only use meter to centimeter conversion,
while any company employee can use meter to centimeter and meter to millimeter
conversion, and finally any of company’s managers can access meter to inch in
addition to two other conversion functionalities. We should show a custom login
page to comply with site-wide look and feel.
No encryption is required for communication between clients and our application
but we need to make sure that no one can intercept and steal the username and
passwords provided by members. All members’ identification information is
stored in the company’s wide directory server.
The following diagram shows the high-level functionality of the sample application:
We have login action and three conversion actions. Users can access some of them
after logging in and some of them can be accessed without logging in.
Analyzing sample application business logic
Before looking at security requirements and factors affecting the software security
let’s see what we need to provide in our business layer. Our business logic consists of
conversion operations and persistence of the conversion operations usage statistics.
We can use a stateless Session Bean with three methods, one for each type of
conversion. And for statistics persistence we can use EJB 3 entity beans.
After studying the application description we can extract the following
security-related requirements which we need to address to comply with
the application description:
- Authentication is required
- Authentication should happen over a secure channel
- Authorization is required
- We need to use LDAP security realm
So far we translated the business analysis to technical requirements and
now we are going to check each requirement in further detail to extract the
implementation details. For implementing the sample application we can
use a simple bottom-up procedure.
The following diagram shows the application blocks down to JSP files, Servlet,
As you can see we have Web module, EJB module, and an application client module.
The Web module and the application client module presents a frontend for the EJB
layer that performs both business logic, which is the conversion operations, and
storing the conversion operation invocation statistics using Entity Beans. GlassFish
uses the LDAP realm to authenticate the users against the specified directory server.