JBoss at Work: A Practical Guide by Scott Davis, Tom Marrs

Chapter 9. Security

If you’ve worked through all the previous chapters, you have a fully functional vertical slice of the JAW Motors application that allows you to run a credit check and view, add, edit (update), delete, and buy cars. Although this works, there’s a gaping hole—anyone with a browser who knows the application’s URL can modify JAW Motors’ inventory. So we need to add security to the application. In this chapter, we’ll secure the “Car Inventory” and “Add/Edit Car” pages so that only authorized users can modify cars in the inventory. We won’t secure the “Buy Car” or “Run Credit Check” pages (and their underlying functionality) because we still want all users to be able to buy a car or run a credit check without having to log in. We’ll discuss J2EE web-based security, Java Authentication & Authorization Service (JAAS), and EJB security. Along the way we’ll show how to deploy these security mechanisms on JBoss.

J2EE Security

Security is an important part of J2EE application architecture because the J2EE components and tiers used in a system’s architecture determine the choice of security technologies. If an application uses only web-based technologies, then it only needs to restrict access to JSPs, Servlets, and so on. But EJBs are now part of the JAW Motors architecture, so they must be protected as well. The system must create a security context that encompasses the entire J2EE stack from frontend web pages to backend business logic and data. We need a unified security ...
