6.7.4: Application security tutorial
During this tutorial, you will enable security in all three containers of your simpleSession application. You will use the Application Assembly Tool (AAT) to declare and define J2EE security roles, as well as to control authorization on various J2EE modules. You will also enable security in the application server runtime and test your settings.
Authentication will be performed using the local operating system user registry. This example only uses declarative security. It does not illustrate any of the programmatic methods supported by the J2EE programming model.
Prerequisites
You need to have performed the Application deployment tutorial and Application
testing tutorial successfully in order to perform this tutorial successfully. If you ran into
trouble testing your application, you can still perform this tutorial to practice
the steps involved, but the testing phase of this tutorial will be unsuccessful.
Overview of steps (requires 45 to 60 minutes)
- Enable security in your application
- Enable security in the application server runtime
- Install the secured application
- Regenerate the Web server plug-in and save the server configuration
- Stop the server and start it again
- Ensure the application, application server, and Web server are running
- Test the Web client
- Test the Java client
- Disable security in the application server runtime
Paths through the tutorial
- Quick path: If your objective is to practice these steps as quickly as possible, skip the explanations marked with the graphic.
- Maximum learning path: If your objective is to understand and explore the product capabilities, read the notes and browse the links they provide to additional documentation.
Enable security in your application
- Start the Application Assembly Tool, as discussed in the Application assembly tutorial.
- Edit the Deployed_simpleSession.ear application. On the Welcome to Application Assembly Tool panel:
  - Click the Existing tab.
  - Click Browse next to the File name field.
  - Navigate to the Deployed_simpleSession.ear that was assembled in the Simple Session Bean tutorial and click Select.
  - Click OK.
- Create a security role to which you will be granting authorization to the session bean and servlet in the application:
  - In the .ear file, select the Security Roles folder.
  - Right-click it and select New.
  - On the General tab, enter GoodGuys for the Name.
  - Optionally, enter a Description.
  - Select the Bindings tab.
  - Associate your (native) user ID with this security role:
    - Click Add... (next to the Users: area).
    - Specify your user ID in the Name field.
    - Click OK.
  - Click OK.
- Authorize methods on the enterprise bean. You will authorize all home and remote methods to security role GoodGuys:
  - In the tree view, expand EJB Modules.
  - Expand EJB11.
  - Create a new security role:
    - Select Security Roles.
    - Right-click it and select New.
    - Enter GoodGuys as the Name.
    - Optionally, enter a description.
    - Click OK.
  - Create a new method permission:
    - In the tree view, select Method Permissions under EJB11.
    - Right-click it and select New.
    - Add the methods:
      - For the Name, specify myMethodPerm.
      - In the Methods area, click Add...
      - In the Add Methods dialog, expand Ejb11.jar and the bean's path: com_ibm_websphere_gettingstarted_ejbs_SimpleSession
      - Select the Home and Remote interface folders (hold down the Shift key to select both at once).
      - Click OK.
    - In the Roles area, click Add...
    - Select security role GoodGuys.
    - Click OK.
    - Click OK to close the New Method Permissions window.
- Authorize a servlet. Add a login form to be used for authentication:
  - In the tree view, expand Web Modules -> SimpleSessionWar -> Files.
  - Select Resource Files.
  - Right-click it and select Add Files.
  - Click Browse and navigate to the login.jar that you previously downloaded.
  - Click OK.
  - Select login.html and error.jsp (hold down the Shift key to select both at once).
  - Click Add.
  - Click OK.
  The files are displayed in the Application Assembly Tool, in the Resource Files folder of the Web module.
  - In the tree view, click the .war file named SimpleSessionWar to display its properties.
  - Click the Advanced tab.
  - Check the Login Configuration box.
  - Do the following:
    - Set Authentication Method to FORM.
    - Enter Realm name: Getting Started
    - Enter Login Page: login.html
    - Enter Error Page: error.jsp
  - Click Apply when finished.
- Add a security constraint:
  - Expand SimpleSessionWar.
  - Select Security Constraints.
  - Right-click it.
  - Click New.
  - Add a new security constraint:
    - Enter the Security Constraint Name: GoodGuys
    - Click Add... next to the Roles area.
    - Select the Security Role of GoodGuys.
    - Click OK.
    - Set Transport Guarantee to NONE.
    - Click OK.
  - Add a resource collection to the constraint:
    - Expand SimpleSessionWar -> Security Constraints -> GoodGuys.
    - Select Web Resource Collections.
    - Right-click it and select New.
    - Add a new web resource collection:
      - Enter the Web Resource Name: SecureMe.
      - Click Add... in the HTTP Methods section.
      - Change HTTP Method to POST.
      - Click OK.
      - Click Add... in the HTTP Methods section.
      - Change HTTP Method to GET.
      - Click OK.
      - Click Add... in the URLs section.
      - Enter /SimpleSession for the URL Pattern.
      - Click OK.
      - Click OK.
- Save your .ear file using File -> Save As and save as product_installation_root/temp/tutorial/security/Deployed_simpleSessionSecure.ear
- Exit the AAT.
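The AAT settings above end up as login-config and security-constraint elements in the Web module's web.xml. The following Python is an added example, not part of this tutorial and not WebSphere code: it parses a constructed web.xml that mirrors the tutorial's settings (FORM login, role GoodGuys, GET and POST on /SimpleSession) and reports which HTTP methods the constraint actually covers. It implements the servlet deployment-descriptor rule that listing http-method elements constrains only those methods, while listing none constrains every method, so with the tutorial's settings HEAD, PUT, DELETE, OPTIONS and TRACE requests to /SimpleSession fall outside the constraint. Element names follow the servlet descriptor DTD; the exact layout the tool writes and the leading-slash page paths are assumptions.

```python
"""Added example (not from the tutorial or from WebSphere): inspect the
security-constraint and login-config of a web.xml and compute which HTTP
methods on a URL pattern are left unconstrained."""
import xml.etree.ElementTree as ET

# Constructed web.xml fragment mirroring the AAT settings in the tutorial.
# The leading-slash page paths follow the servlet DTD; the tool's exact
# output layout is an assumption.
WEB_XML = """<?xml version="1.0"?>
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecureMe</web-resource-name>
      <url-pattern>/SimpleSession</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>GoodGuys</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Getting Started</realm-name>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
"""

# The HTTP/1.1 methods a constraint can apply to.
ALL_HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}


def login_config(web_xml):
    """Return the login-config settings as a dict."""
    lc = ET.fromstring(web_xml).find("login-config")
    return {
        "auth-method": lc.findtext("auth-method"),
        "realm-name": lc.findtext("realm-name"),
        "login-page": lc.findtext("form-login-config/form-login-page"),
        "error-page": lc.findtext("form-login-config/form-error-page"),
    }


def constraints(web_xml):
    """Return {url-pattern: {"methods": set, "roles": set, "transport": str}}.
    Descriptor rule: listed http-method elements constrain only those methods;
    no http-method element means every method is constrained."""
    result = {}
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        roles = {r.text for r in sc.findall("auth-constraint/role-name")}
        transport = sc.findtext("user-data-constraint/transport-guarantee", "NONE")
        for wrc in sc.findall("web-resource-collection"):
            listed = {m.text.strip().upper() for m in wrc.findall("http-method")}
            methods = listed if listed else set(ALL_HTTP_METHODS)
            for pat in wrc.findall("url-pattern"):
                entry = result.setdefault(
                    pat.text, {"methods": set(), "roles": set(), "transport": transport})
                entry["methods"] |= methods
                entry["roles"] |= roles
    return result


def unconstrained_methods(web_xml, url_pattern):
    """HTTP methods on url_pattern that no security-constraint covers."""
    entry = constraints(web_xml).get(url_pattern)
    if entry is None:
        return set(ALL_HTTP_METHODS)
    return ALL_HTTP_METHODS - entry["methods"]


def without_http_methods(web_xml):
    """Constructed variant: the same descriptor with the http-method elements
    removed, which makes the constraint apply to every method."""
    root = ET.fromstring(web_xml)
    for wrc in root.iter("web-resource-collection"):
        for m in wrc.findall("http-method"):
            wrc.remove(m)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(login_config(WEB_XML))
    print(constraints(WEB_XML))
    print("unconstrained:", sorted(unconstrained_methods(WEB_XML, "/SimpleSession")))
    print("after dropping http-method:",
          sorted(unconstrained_methods(without_http_methods(WEB_XML), "/SimpleSession")))
```

For this tutorial's servlet, which is only driven by GET and POST, the two listed methods are enough; when a constraint is meant to guard a resource in general, leaving the HTTP Methods list empty so that every method is constrained is the safer setting.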
Enable security in the application server runtime
- Start the application server, as discussed in the Application deployment tutorial.
- Open the administrative console.
- Enable security:
  - In the tree view, expand Security.
  - Select Local OS Authentication.
  - Select Local OS User Registry in the right pane.
  - Change the Server ID: <operating system userid>
  - Change the Server Password: <operating system userid password>
  - Click OK.
  - In the topology tree, select Security.
  - Check Enabled in the right pane.
  - Click OK.
  - Save the configuration by clicking the Configuration needs to be saved link at the top of the Security page.
Install the secured application
The deployment tutorial discussed how to install an application using the administrative console installation wizard. This tutorial shows an alternate method, the application installer command line tool. A key benefit, as described in the documentation for the application installer tool, is that the tool can be used with the application server stopped.
- Open a system command prompt.
- Change directory to: product_installation_root/bin
- Enter the command on a single line:
  SEAppInstall -install ../temp/tutorial/security/Deployed_simpleSessionSecure.ear -ejbdeploy false
  (Remember, on Windows systems, the forward slashes should be backslashes.)
- Answer the questions when prompted (the prompts are summarized here, but not verbatim):
  - Remove the application and reinstall it? Yes.
  - Precompile all JSP files? No.
  - Precompile individual Web applications? No.
  - Default data source for the EJB JAR: press Enter.
  - JNDI names: press Enter, which accepts the default value gs/hello.
  - Subject name for the security roles: verify the default value is U:userid, where userid is your native operating system user ID. Accept the default value by pressing Enter.
  - Virtual host name: verify the default is set to default_host and press Enter.
  - Deny all unprotected methods? Yes.
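The "Deny all unprotected methods" prompt decides what happens to enterprise-bean methods that no method-permission entry covers. The following Python is an added example, not part of this tutorial and not WebSphere code: it evaluates the method-permission entries of a constructed ejb-jar.xml assembly descriptor that mirrors the tutorial (role GoodGuys on every Home and Remote method of the bean), then shows the effect of that installer answer on a constructed variant in which the Home methods were left uncovered. Element names follow the EJB deployment-descriptor DTD; the ejb-name SimpleSession, the method names create and message, and the rule that roles from all matching entries are unioned are assumptions of this example.

```python
"""Added example (not from the tutorial or from WebSphere): evaluate EJB
method-permission entries and the 'deny unprotected methods' policy."""
import xml.etree.ElementTree as ET

# Constructed assembly descriptor mirroring the tutorial's method permission:
# role GoodGuys on all Home and Remote methods of the bean. The ejb-name
# "SimpleSession" is an assumption; the tutorial only shows the bean's path in the AAT.
EJB_JAR_XML = """<?xml version="1.0"?>
<ejb-jar>
  <assembly-descriptor>
    <security-role>
      <role-name>GoodGuys</role-name>
    </security-role>
    <method-permission>
      <description>myMethodPerm</description>
      <role-name>GoodGuys</role-name>
      <method>
        <ejb-name>SimpleSession</ejb-name>
        <method-intf>Home</method-intf>
        <method-name>*</method-name>
      </method>
      <method>
        <ejb-name>SimpleSession</ejb-name>
        <method-intf>Remote</method-intf>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
"""


def permissions(ejb_jar_xml):
    """Flatten method-permission elements into (ejb-name, intf, method-name, roles).
    intf is None when the method element carries no method-intf, in which case
    the entry applies to both the Home and the Remote interface."""
    entries = []
    root = ET.fromstring(ejb_jar_xml)
    for mp in root.findall("assembly-descriptor/method-permission"):
        roles = frozenset(r.text for r in mp.findall("role-name"))
        for m in mp.findall("method"):
            entries.append((m.findtext("ejb-name"), m.findtext("method-intf"),
                            m.findtext("method-name"), roles))
    return entries


def roles_for(ejb_jar_xml, ejb_name, intf, method):
    """Roles allowed to call the method, or None if no permission covers it.
    Roles from every matching entry are unioned; '*' matches any method name."""
    allowed, covered = set(), False
    for name, pintf, mname, roles in permissions(ejb_jar_xml):
        if name == ejb_name and pintf in (None, intf) and mname in ("*", method):
            covered = True
            allowed |= roles
    return allowed if covered else None


def is_authorized(ejb_jar_xml, user_roles, ejb_name, intf, method, deny_unprotected=True):
    """Authorization decision for a caller holding user_roles.
    deny_unprotected mirrors the installer's 'Deny all unprotected methods' answer:
    True denies calls to methods no permission covers, False lets them through."""
    allowed = roles_for(ejb_jar_xml, ejb_name, intf, method)
    if allowed is None:
        return not deny_unprotected
    return bool(set(user_roles) & allowed)


def drop_home_methods(ejb_jar_xml):
    """Constructed variant: remove the Home-interface method entries so that
    Home methods are no longer covered by any permission."""
    root = ET.fromstring(ejb_jar_xml)
    for mp in root.iter("method-permission"):
        for m in mp.findall("method"):
            if m.findtext("method-intf") == "Home":
                mp.remove(m)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for intf, meth in (("Home", "create"), ("Remote", "message")):
        print(intf, meth, "as GoodGuys ->",
              is_authorized(EJB_JAR_XML, ["GoodGuys"], "SimpleSession", intf, meth))
    variant = drop_home_methods(EJB_JAR_XML)
    for deny in (True, False):
        print("Home create uncovered, deny_unprotected =", deny, "->",
              is_authorized(variant, ["GoodGuys"], "SimpleSession", "Home", "create", deny))
```

With the tutorial's descriptor every Home and Remote method is covered, so the installer answer changes nothing; the variant shows why answering Yes is the safe default: a method the assembler forgot to list is refused rather than silently open to any authenticated caller.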
Regenerate the Web server plug-in and save the server configuration
Installing an application requires regenerating the configuration for the WebSphere plug-in for the Web server. This task was discussed in the Application deployment tutorial, but the method used there required starting the server and opening the administrative console. Try an alternate method that does not require the server to be running:
- Open a system command prompt.
- Run the GenPluginCfg script, pointing it to the default server XML configuration file. The script is located at product_installation_root/bin/GenPluginCfg.sh|bat (run the script as you usually would run a script or bat file on your particular operating system). Use the argument:
  -configFile ../config/server-cfg.xml
Stop the server and start it again
In this case, the server should be stopped already. Confirm this. Start the server again, as you learned to do in the Application deployment tutorial.
Ensure the application, application server, and Web server are running
Recall learning this step in the Application testing tutorial.
Test the Web client
- Test the Web client the same way you tested the Web client for the unsecured simpleSession application, as discussed in the Application testing tutorial. That is, in a Web browser, type the URL:
  http://hostname:9080/gettingstarted3/SimpleSession?msg=Hi
- When the login screen is displayed, enter your native operating system user ID and password.
Notice that your login credentials flowed to the EJB container as well, because the above procedure established authorization of the EJB methods as well as of the servlet.
Test the Java client
This, too, is similar to the way you did it in the Application testing tutorial, except you will reference the secured .ear file in the LaunchClient command.
- Open a system command prompt.
- Change directory to: product_installation_root/bin
- Enter the command:
  launchClient ../temp/tutorial/security/Deployed_simpleSessionSecure.ear
  (Remember, on Windows systems, the forward slashes should be backslashes.)
  The client will proceed to the point of looking up the EJB home before it prompts the user to log in.
- When the login pop-up is displayed, enter your native operating system user ID and password.
Disable security in the application server runtime
- Start the application server, as discussed previously.
- Open the administrative console, as discussed in the Application deployment tutorial.
- Disable security:
  - Click Console > Security Center on the console menu bar.
  - On the General tabbed page of the Security Center, deselect the Enable Security check box.
  - Click OK.
- Stop the application server and start it again, as discussed previously.
Do not forget to go back into the console and disable security if you are sharing
the console with a colleague who will not know the correct ID and password the next
time he or she tries to open the console!
What's next?
Now that you have assembled, deployed, and secured a Session bean application, you
might want to try your hand at a CMP application. The Advanced
application assembly and deployment tutorial describes how to do so.