The Java EE 5 Tutorial
Chapter 30 Securing Web Applications

Web applications contain resources that can be accessed by many users. These resources often traverse unprotected, open networks, such as the Internet. In such an environment, a substantial number of web applications will require some type of security.

The ways to implement security for Java EE applications are discussed in a general way in Securing Containers. This chapter provides more detail and a few examples that explore these security services as they relate to web components.

Java EE security services can be implemented for web applications in the following ways:

- Metadata annotations (or simply, annotations) are used to specify information about security within a class file. When the application is deployed, this information can either be used by or overridden by the application deployment descriptor.
- Declarative security expresses an application's security structure, including security roles, access control, and authentication requirements, in a deployment descriptor, which is external to the application. Any values explicitly specified in the deployment descriptor override any values specified in annotations.
- Programmatic security is embedded in an application and is used to make security decisions. Programmatic security is useful when declarative security alone is not sufficient to express the security model of an application.
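As an added example that is not part of the tutorial, a hypothetical ReportServlet (the class name, role names and URL pattern are all assumptions) shows the three mechanisms working together: the annotation declares the roles the class tests for, the descriptor forces authentication and HTTPS for the URL, and the programmatic check refines the decision inside the servlet.

```java
import java.io.IOException;
import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet (not from the tutorial) combining the three mechanisms:
// annotation (@DeclareRoles), declarative (the web.xml fragment in the comment
// at the end) and programmatic (isUserInRole inside doGet).
@DeclareRoles({"manager", "auditor"})
public class ReportServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Fail closed: if the container did not authenticate the caller (e.g.
        // this URL was left out of every security-constraint), refuse.
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Report for " + req.getRemoteUser());
        // Programmatic decision the descriptor alone cannot express:
        // both roles may open the report, only managers get salary detail.
        if (req.isUserInRole("manager")) {
            resp.getWriter().println("salary detail: included");
        } else {
            resp.getWriter().println("salary detail: omitted");
        }
    }
}
/* Declarative part, in WEB-INF/web.xml, with this servlet mapped to /report/*.
   No <http-method> is listed, so every HTTP method is covered; CONFIDENTIAL
   requires HTTPS.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>reports</web-resource-name>
    <url-pattern>/report/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
    <role-name>auditor</role-name>
  </auth-constraint>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
</security-constraint>
<login-config><auth-method>BASIC</auth-method></login-config>
<security-role><role-name>manager</role-name></security-role>
<security-role><role-name>auditor</role-name></security-role>
*/
```

The roles named in the descriptor still have to be mapped to Application Server groups at deployment time, as the later sections of this chapter describe.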
Some of the material in this chapter assumes that you have already read Chapter 28, Introduction to Security in the Java EE Platform. This chapter also assumes that you are familiar with the web technologies discussed in Chapter 3, Getting Started with Web Applications, Chapter 5, JavaServer Pages Technology, and Chapter 10, JavaServer Faces Technology.

Copyright © 2010, Oracle and/or its affiliates. All rights reserved.