JEE Security – How to setup authentication on Glassfish and Netbeans
One of the most interesting features of JEE is its security behavior. If you are using JEE, you do not need to worry about implementing authentication and authorization yourself: the specification already covers this.
Although security is part of the official JEE specification, the authentication portion varies from application server to application server. In this post, I am going to show how to set up authentication on Glassfish and Netbeans. Fortunately it is a simple and easy task, thanks to the Glassfish and Netbeans teams.
Roles, User and Groups
Before getting started, let's understand the difference among roles, users and groups. Every JEE security setup involves these three elements.
Generally speaking, roles belong to the application scope. In the application we define which functionalities can be accessed with a certain role. E.g.: the administrator role has permission to access the admin.jsp page.
A user is the person who will log in to the system. The user information can be stored in a file, in a JDBC database or even in an LDAP server.
A group is a set of users. A group is associated with a role on the server side. E.g.: the admin group is associated with the administrator role.
An authentication realm, also called a security policy domain or security domain, is a scope over which the Enterprise Server defines and enforces a common security policy. Enterprise Server is preconfigured with the file, certificate, and admin-realm realms. In addition, you can set up ldap, jdbc, solaris, or custom realms. An application can specify which realm to use in its deployment descriptor. If the application does not specify a realm, Enterprise Server uses its default realm (file).
Adding a User into the File Realm
First of all, let's start up the Glassfish server. After that, open its administration console at http://localhost:4848. The default user/password is admin and adminadmin.
To add a user, on the left menu, click on Configuration -> Security -> Realms. After that, click on the file realm.
On this screen, click on Manage Users button and then New button.
Add a new user called test with the password test123. Keep admin in the group list.
We have just added a user into the File Realm.
Creating a Web Application
To test the security we need an application. Let's create a web application in Netbeans as a simple example of how to use security.
Within Netbeans, go to File -> New Project. Choose Java Web and then Web Application.
Security Role mapping
As I said earlier, each application server has its own configuration for authentication. On Glassfish, we must change the sun-web.xml file to map the roles to groups. In Netbeans, double click on this file and its content will appear on screen. This file is located in the Web Pages -> WEB-INF directory.
Within the sun-web.xml file, go to the Security tab. There, click on the Add Security Role Mapping button and type the following:
- Security Role Name: administrator
- Group name: admin
Adding the authentication
Now, double click on the web.xml file and go to the Security tab. Expand Login Configuration and select BASIC. Also, in the realm name, put the realm you are using, in our case: file.
Add administrator to the Security Roles. Then change the Security Constraints as shown in the screenshot below, so that the /admin.jsp resource can only be accessed by the administrator role.
According to the configuration above, if the user tries to access the admin.jsp page, a pop-up asking for user and password will appear.
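The deployment descriptors that the Netbeans dialogs above write out, shown here as an added example rather than text from the original post. The user-data-constraint requiring HTTPS goes beyond what the post configures: BASIC authentication sends the password base64-encoded on every request, so without TLS it is readable on the wire.

```xml
<!-- WEB-INF/web.xml : standard JEE descriptor (server independent) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Protect admin.jsp: only callers in the "administrator" role may reach it -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin.jsp</url-pattern>
      <!-- no http-method listed: the constraint applies to every HTTP method -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
    </auth-constraint>
    <!-- Addition beyond the post: force HTTPS so BASIC credentials are not sent in clear -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- "Login Configuration" tab: BASIC auth against the "file" realm -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>file</realm-name>
  </login-config>

  <!-- "Security Roles" list: the role names the application uses -->
  <security-role>
    <role-name>administrator</role-name>
  </security-role>
</web-app>

<!-- WEB-INF/sun-web.xml : Glassfish-specific descriptor (DOCTYPE omitted here;
     Netbeans writes the one matching your Glassfish version) -->
<sun-web-app>
  <!-- "Add Security Role Mapping": application role -> realm group -->
  <security-role-mapping>
    <role-name>administrator</role-name>
    <group-name>admin</group-name>
  </security-role-mapping>
</sun-web-app>
```

The user test created earlier belongs to the admin group in the file realm, so after the mapping above it holds the administrator role and passes the auth-constraint; a file-realm user in any other group gets a 403 even with a valid password.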
Creating an admin.jsp page and changing the index.jsp
Create a simple admin.jsp page (its content doesn't matter). Also, change the index.jsp source code and add a link to the admin.jsp page. After that, run the application.
The index.jsp page should open normally; however, when you click on the link to access admin.jsp, a pop-up should appear, like the image below:
If you enter the correct user/password, then admin.jsp will be displayed.
Many people have doubts when they are dealing with JEE Security, but the process is simple and flexible. You can add, remove or modify roles and access rules without changing the underlying code. Also, you can map the roles to JDBC or LDAP users and groups instead of the file realm.
As you can see in this post, Glassfish and Netbeans have great graphical tools for these configurations.
I hope this post is useful to you. If you have any question or comment, feel free to leave your message below.