6.7.4: Application security tutorial

During this tutorial, you will enable security in all three containers of your simpleSession application.

You will use the Application Assembly Tool (AAT) to declare and define J2EE security roles, as well as to control authorization on various J2EE modules. You will also enable security in the application server runtime and test your settings.

Authentication will be performed using the local operating system user registry. This example only uses declarative security. It does not illustrate any of the programmatic methods supported by the J2EE programming model.

Prerequisites

You need to have performed the Application deployment tutorial and Application testing tutorial successfully in order to perform this tutorial successfully. If you ran into trouble testing your application, you can still perform this tutorial to practice the steps involved, but the testing phase of this tutorial will be unsuccessful.

Overview of steps (requires 45 to 60 minutes)

  1. Enable security in your application
  2. Enable security in the application server runtime
  3. Remove the unsecured version of the application
  4. Install the secured application
  5. Regenerate the Web server plug-in and save the server configuration
  6. Stop the administrative server and start it again
  7. Ensure the application, application server, and Web server are running
  8. Test the Web client
  9. Test the Java client
  10. Disable security in the application server runtime

Enable security in your application

  1. Start the Application Assembly Tool, as discussed in the Application assembly tutorial.
  2. Edit the Deployed_simpleSession.ear application.

    On the Welcome to Application Assembly Tool panel:

    1. Click the Existing tab.
    2. Click Browse next to the File name field.
    3. Navigate to the Deployed_simpleSession.ear that was assembled in the Simple Session Bean tutorial and click Select.
    4. Click OK.
  3. Create a security role to which you will be granting authorization to the session bean and servlet in the application:
    1. In the .ear file, select the Security Roles folder.
    2. Right-click it and select New.
    3. On the General tab, enter GoodGuys for the Name.
    4. Optionally, enter a Description.
    5. Select the Bindings tab.
    6. Associate your (native) user ID with this security role:
      1. Click Add... (next to the Users: area).
      2. Specify your user ID in the Name field.
      3. Click OK.
    7. Click OK.
  4. Authorize methods on the enterprise bean. You will authorize all home and remote methods to security role GoodGuys:
    1. In the tree view, expand EJB Modules.
    2. Expand EJB11.
    3. Create a new security role:
      1. Select Security Roles.
      2. Right-click it and select New.
      3. Enter GoodGuys as the Name.
      4. Optionally, enter a description.
      5. Click OK.
  5. Create a new method permission:
    1. In the tree view, select Method Permissions under EJB11.
    2. Right-click it and select New.
    3. Add the methods:
      1. For the Name, specify myMethodPerm.
      2. In the Methods area, click Add...
      3. In the Add Methods dialog, expand Ejb11.jar and the bean path com_ibm_websphere_gettingstarted_ejbs_SimpleSession.
      4. Select the Home and Remote interface folders (hold down the Shift key to select both at once).
      5. Click OK.
      6. In the Roles area, click Add...
      7. Select security role GoodGuys.
      8. Click OK.
    4. Click OK to close the New Method Permissions window.
    5. Verify that myMethodPerm is now displayed under Method Permissions.

  6. Authorize a servlet. Add a login form to be used for authentication:
    1. In the tree view, expand Web Modules -> SimpleSessionWar -> Files.
    2. Select Resource Files.
    3. Right-click it and select Add Files.
    4. Click Browse and navigate to the login.jar that you previously downloaded.
    5. Click OK.
    6. Select login.html and error.jsp (hold down the Shift key to select both at once).
    7. Click Add.
    8. Click OK.

      The files are displayed in the Application Assembly Tool, in the Resource Files folder of the Web module.

    9. In the tree view, click the .war file named SimpleSessionWar to display its properties.
    10. Click the Advanced tab.
    11. Check the Login Configuration box.
    12. Do the following:
      1. Set Authentication Method to FORM.
      2. Enter Realm name: Getting Started
      3. Enter Login Page: login.html
      4. Enter Error Page: error.jsp
      5. Click Apply when finished.

  7. Add a security constraint:
    1. Expand SimpleSessionWar.
    2. Select Security Constraints.
    3. Right-click it.
    4. Click New.
    5. Add a new security constraint:
      1. Enter the Security Constraint Name: GoodGuys
      2. Click Add... next to the Roles area.
      3. Select the Security Role of GoodGuys.
      4. Click OK.
      5. Set Transport Guarantee to NONE.
      6. Click OK.
  8. Add a resource collection to the constraint:
    1. Expand SimpleSessionWar -> Security Constraints -> GoodGuys.
    2. Select Web Resource Collections.
    3. Right-click it and select New.
    4. Add a new Web resource collection:
      1. Enter the Web Resource Name: SecureMe.
      2. Click Add... in the HTTP Methods section.
      3. Change HTTP Method to POST.
      4. Click OK.
      5. Click Add... in the HTTP Methods section.
      6. Change HTTP Method to GET.
      7. Click OK.
      8. Click Add... in the URLs section.
      9. Enter /SimpleSession for the URL Pattern.
      10. Click OK.
    5. Click OK.
  9. Save your .ear file using File -> Save As, as
    product_installation_root/temp/tutorial/security/Deployed_simpleSessionSecure.ear
  10. Exit the AAT.

Enable security in the server runtime

  1. Start the application server, as discussed in the Application deployment tutorial.
  2. Open the administrative console
  3. Enable security:
    1. Click Console -> Security Center on the console menu bar.
    2. On the General tabbed page of the Security Center, click Enable Security.
    3. On the Authentication tabbed page, select Local Operating System.
    4. Specify the Security Server ID and password, namely your native operating system
    5. Click OK to exit the Security Center.

Remove the unsecured version of the application

Remove the unsecured version of SimpleSessionApp as described in the Application removal and cleanup tutorial. Then return here to proceed with the security tutorial.

Install the secured application

  1. In the console tree view, right-click WebSphere Administrative Domain -> Enterprise Applications.
  2. From the resulting menu, click Install Enterprise Application to launch the Install Enterprise Application wizard.
  3. On the Specifying the Application or Module panel:

    1. Ensure that the Browse for file on node field is set to your current node.
    2. Ensure Install Application is selected.
    3. Click Browse, next to the Path field. Browse for the Deployed_simpleSessionSecure.ear file and select it.

      Verify that its name is displayed in the Path field now.

    4. Specify SimpleSessionSecure as the Application name.
    5. Click Next.
  4. Click No when prompted whether to deny access to unprotected methods.
  5. On the Mapping Users to Roles panel, verify that the GoodGuys role is mapped to your native user ID. Click Select... and make sure you can see your native ID listed in the Selected Users/Groups area of the resulting Select Users/Groups dialog. (To close the dialog after verification, click OK.)
  6. Click Next.
  7. On the Mapping EJB RunAs Roles to Users panel, click Next.
  8. On the Binding Enterprise Beans to JNDI Names panel, verify that the JNDI Name is set to gs/hello, and then click Next.
  9. On the Mapping EJB References to Enterprise Beans panel, verify that the JNDI Name is set to gs/hello, and then click Next.
  10. On the Mapping Resource References to Resources panel, click Next.
  11. On the Specifying the Default Datasources for EJB Modules panel, click Next.
  12. On the Specifying Data Sources for Individual CMP Beans panel, click Next.
  13. On the Selecting Virtual Hosts for Web Modules panel, ensure that the Virtual Host is set to default_host, then click Next.
  14. On the Selecting Application Server panel, ensure that the EJB11 and SimpleSessionWar modules are going to reside on Application Server "Default Server," then click Next.
  15. Click Finish on the Completing the Application Installation Wizard panel.
  16. When prompted whether to regenerate code, click No.
  17. Look for the message confirming successful installation of the application. It might be a minute before it is displayed.

You can now view SimpleSessionSecure in the console tree view.


Regenerating the plug-in configuration

  1. In the console tree view, right-click WebSphere Administrative Domain -> Nodes -> your_host_name.
  2. From the resulting menu, select Regen Webserver Plugin.
  3. In the area at the bottom of the console, look for the Event Message saying that the Plugin regeneration has been completed. It might take a moment before it is displayed.

Stop the administrative server and start it again

  1. To stop the administrative server, you can right-click your_host_name under Nodes in the administrative console and select Restart from the resulting menu. The console will close when you do so.
  2. Open the administrative console again after the administrative server starts. This time, you will be asked to log in, because security is enabled.
  3. In the console tree view, click WebSphere Administrative Domain -> Nodes -> your_host_name -> Application Servers -> Default Server.
  4. Ensure that the Module Visibility setting of the Default Server is set to "Compatibility." Click Apply if you had to change it.

Ensure the application, application server, and Web server are running

Recall learning this step in the Application testing tutorial.

Test the Web client

  1. Test the Web client the same way you tested the Web client for the unsecured simpleSession application, as discussed in the Application testing tutorial. That is, in a Web browser, type the URL:
    http://hostname:9080/gettingstarted3/SimpleSession?msg=Hi
    
  2. When the login screen is displayed, enter your native operating system user ID and password.
  3. Notice that your login credentials also flowed to the EJB container, because the procedure above authorized the EJB methods as well as the servlet.

Test the Java client

This, too, is similar to the way you did it in the Application testing tutorial, except you will reference the secured .ear file in the LaunchClient command.

  1. Open a system command prompt.
  2. Change directory to:
    product_installation_root/bin
  3. Enter the command:
    launchClient ../temp/tutorial/security/Deployed_simpleSessionSecure.ear
    
    (Remember, on Windows systems, the forward slashes should be backslashes).

    The client proceeds to the point of looking up the EJB home before it prompts you to log in.

  4. When the login pop-up is displayed, enter your native operating system user ID and password.


Disable security in the application server runtime

  1. Start the application server, as discussed previously.
  2. Open the administrative console, as discussed in the Application deployment tutorial.
  3. Disable security.
    1. Click Console > Security Center on the console menu bar.
    2. On the General tabbed page of the Security Center, deselect the Enable Security check box.
    3. Click OK.
  4. Stop the application server and start it again, as discussed previously.

Do not forget to go back into the console and disable security if you are sharing the console with a colleague who will not know the correct ID and password the next time he or she tries to open the console!

What's next?

Now that you have assembled, deployed, and secured a Session bean application, you might want to try your hand at a CMP application. The Advanced application assembly and deployment tutorial describes how to do so.