Chapter 9. Security
If you’ve worked through all the previous chapters, you have a fully functional vertical slice of the JAW Motors application that allows you to run a credit check and view, add, edit (update), delete, and buy cars. Although this works, there’s a gaping hole—anyone with a browser who knows the application’s URL can modify JAW Motors’ inventory. So we need to add security to the application. In this chapter, we’ll secure the “Car Inventory” and “Add/Edit Car” pages so that only authorized users can modify cars in the inventory. We won’t secure the “Buy Car” or “Run Credit Check” pages (and their underlying functionality) because we still want all users to be able to buy a car or run a credit check without having to log in. We’ll discuss J2EE web-based security, Java Authentication & Authorization Service (JAAS), and EJB security. Along the way we’ll show how to deploy these security mechanisms on JBoss.
J2EE Security
Security is an important part of J2EE application architecture because the J2EE components and tiers used in a system’s architecture determine the choice of security technologies. If an application uses only web-based technologies, then it only needs to restrict access to JSPs, Servlets, and so on. But EJBs are now part of the JAW Motors architecture, so they must be protected as well. The system must create a security context that encompasses the entire J2EE stack from frontend web pages to backend business logic and data. We need a unified security ...
Get JBoss at Work: A Practical Guide now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.