JEE Security – How to setup authentication on Glassfish and Netbeans

August 16th, 2009  | Tags: , , ,

One of the most interesting feature from JEE is the security behavior. If you’re using JEE, you do not need to worry about authentication and authorization, there is a security specification that talks about this issue.
However security is from the official JEE specification, the authentication portion varies from application server to application server. In this topic, I’m going to show how to setup authetication on Glassfish and Netbeans. Fortunately it is a simple and easy task, thanks glassfish/netbeans team.

Roles, User and Groups

Before get started, let’s understand the difference among roles, user and groups. All JEE Security must contain these three elements.
In general speaking, roles belong to the application scope. In the application we setup which functionalities can be accessed using a certain role. E.g.: administrator role has the permission to access the admin.jsp page.
User refers the user that will log in the system. The user information can be storaged in a file, JDBC or even in a LDAP server.
Groups is the group of a user. This group is associated with a role. E.g: the admin group is associated with the administrador role.

Authentication Realms

An authentication realm, also called a security policy domain or security domain, is a scope over which the Enterprise Server defines and enforces a common security policy. Enterprise Server is preconfigured with the file, certificate, and admin-realm realms. In addition, you can set up ldap, jdbc, solaris, or custom realms. An application can specify which realm to use in its deployment descriptor. If the application does not specify a realm, Enterprise Server uses its default realm (file).

Adding an User into the File Realm

First of all, let’s start up the glassfish server. After that, access its administrator screen, clicking on http://localhost:4848. The default user/password is admin and adminadmin.

To add an User, on the left menu, click on Configuration -> Security -> Realms. After that, click on file realm.

On this screen, click on Manage Users button and then New button.
Add a new user called test and password test123. Keep the admin as group list.

We just added an user into the File Realm.

Creating a Web Application

To test the security we need an application. Let’s create a web application on netbeans for a simple example of how to use security.
Within Netbeans, go to File -> New Project. Choose Java Web and then Web Application.

Security Role mapping

As I said early, each application server has its own configuration for authentication. On glassfish, we must change the sun-web.xml file to map the roles. On Netbeans, double click on this file and its content will appear on screen. This file is located into Web Pages -> WEB-INF directory.
Within sun-web.xml file, go to Security tab. There, click on Add Security Role Mapping button and type the following:

  • Security Role Name: administrator
  • Group name: admin

Save this file and go to the next step.

Adding the authentication

Now, double click on the web.xml file and go to the Security tab. Expand the Login Configuration and select the BASIC. Also, in the realm name, put the realm you’re using, in our case: file.

Add the administrator in the Security Roles. You must change the Security Contraints like the screenshot below.

According to the configuration above, if the user tries to access the admin.jsp page, a pop-up with user and password must appear.

Creating an admin.jsp page and changing the index.jsp

Create a simple admin.jsp page (its content doesn’t matter). Also, change the index.jsp source code and add a link to the admin.jsp page. After that, run the application.
The index.jsp page should open properly however when you click on link to access the admin.jsp, a pop-up should appear, like image below:

if you enter the correct user/password, then the admin.jsp will be accessed.


Many people have doubt when they’re dealing with JEE Security, however the process is simple and flexible. You can add/remove/modify roles and access without change the underlying code. Also, you can link the roles with the JDBC or LDAP users.
As you can see in this topic, Glassfish and Netbeans have a great graphical tools for these configurations.

I hope this topic be useful for anyone. If you have any question or comment, fell free to leave your message below.

  1. ddosia
    August 18th, 2009 at 00:06

    unfortunately, you can not find much useful information about how to make your own realms, and javaee tutorial has not clarify this…
    there is some related links:

  2. August 18th, 2009 at 14:26

    Thanks for your feedback, but the goal of this topic is not to talk about custom realms. The goal is give an overview of how to setup works on Glassfish and Netbeans. In a next topic, I’m going to show up how to use JDBC realm. Who knows in the future we talk about custom realms as well.
    Regards []’s

  3. Hiran Chaudhuri
    September 5th, 2009 at 13:48

    Thank you for taking time to document this topic. You explained very well the relations between users, roles, groups and the authorization process.
    But am I missing something? How does the container know, which realm to take in case I configured several? I think this goes in the web.xml security section, unfortunately you have no picture of those settings…

  4. September 26th, 2009 at 08:26

    Hi Hiran. You’re absolutely right. I have forgotten to put the screenshort. Basically, in the web.xml file, in the security tab, there is a Login Configuration section. There you can tell to glassfish which realm you’re going to use. I’ve updated the post and put the screenshot there.
    Thanks for your feedback.

  5. November 27th, 2009 at 00:10

    Thank you so much for this document.
    I’m trying to find out a solution to offer a link for users who want closing the session.

    Have you a solution for this ?

    Thank you for your help.

  6. Sanjay
    January 26th, 2010 at 09:23

    You did a wonderful job explaining basic things. But my users are not created in thsi way. Users are created using registration page. My doubt is when you configure the role in web.xml and make database tables for users and roles, now when the unauthenticated user tries to enter he will be redirected to login page. And now what? When he enters username and password, do we need to check it from database if he belongs to that role or it is managed on it’s own? Also how to get the return url? means suppose user entered
    Then he will be redirected to loginpage and now if he is admin he should be redirected to the foofoo.jsf and not the default page of Admin.
    Also, another thing is how does server know that the user is already authenticated? Means suppose once he is redirected to login.jsf and again if he tries to access admin resource, will he be again redirected to login page or he will be allowed to browse? And if he is redirected to login form then to prevent it we should store it some session variable? some key? so that we can be sure whether he is authenticated or not?
    Now again, if we should store it in session, then do we need to check session on each and every page? if 50 pages are there, then replicate same logic on each and every page? Please guide me i am utterly confused.

  7. Craig
    April 10th, 2010 at 16:31

    Thanks for this, just what I was looking for and very indepth. Will keep my eye on this blog!

  8. denis
    April 14th, 2010 at 05:45

    Please, can you share example application

  9. Dileep
    December 28th, 2010 at 11:25

    Hi, can you share sample application which shows all these stuff. I would like to use custom realm.

  10. gordan
    March 1st, 2011 at 12:42

    Hi!!! Here is similar post on how to setup authentication on glassfish with jsf, if anyone interested.

  11. kavita potdar
    July 13th, 2012 at 04:11

    sir, I create above program but it is not working .giving error,plz solve my problem.

    HTTP Status 403 – Access to the requested resource has been denied


    type Status report

    messageAccess to the requested resource has been denied

    descriptionAccess to the specified resource (Access to the requested resource has been denied) has been forbidden.


    Sun Java System Application Server 9.1_01

  12. Tony
    February 12th, 2013 at 23:10

    ‘brigado de Cincinnati for your clear and functional explanation. The only problem I found was that I did not have a sun-web.xml file. I told Netbeans to make a glassfish-web.xml (in the “Glassfish” category). I’m using Netbeans 7.2.1

    Thanks again.

  13. February 22nd, 2013 at 07:55

    Thanks for your feedback Tony. Maybe the new version of Netbeans and Glassfish this file does not exist anymore. To be honest, I’m no longer using Glassfish and Netbeans.

  14. khurram
    February 27th, 2013 at 05:56

    ok, then which IDE are you using now and what difference have you seen sor far?

  15. March 2nd, 2013 at 10:01

    I am using RSA (Rational Software Architect) based on Eclipse and WebSphere Application Server.

  16. June 15th, 2014 at 20:01

    What i do not understood is in fact how you’re no longer
    actually a lot more smartly-favored than you might be right now.
    You’re so intelligent. You understand therefore considerably with regards to this subject, produced me for my part consider it from so many various angles.
    Its like women and men don’t seem to be involved except it’s something to accomplish with
    Lady gaga! Your personal stuffs great. At all times take care
    of it up!