6.7.4: Application security tutorial
During this tutorial, you will enable security in all three containers of
your simpleSession application.
You will use the Application Assembly Tool (AAT) to declare and define
J2EE security roles, as well as to control authorization on various J2EE
modules. You will also enable security in the application server runtime
and test your settings.
Authentication will be performed using the local operating system user
registry. This example only uses declarative security. It does not illustrate
any of the programmatic methods supported by the J2EE programming model.
Prerequisites
You must have completed the Application deployment tutorial and the Application
testing tutorial successfully before starting this one. If you ran into
trouble testing your application, you can still perform this tutorial to practice
the steps involved, but the testing phase of this tutorial will be unsuccessful.
Overview of steps (requires 45 to 60 minutes)
- Enable security in your application
- Enable security in the application server runtime
- Remove the unsecured version of the application
- Install the secured application
- Regenerate the Web server plug-in and save the server configuration
- Stop the administrative server and start it again
- Ensure the application, application server, and Web server are running
- Test the Web client
- Test the Java client
- Disable security in the application server runtime
Paths through the tutorial
- Quick path: If your objective is to practice these steps as quickly as
  possible, skip the explanations marked with the graphic.
- Maximum learning path: If your objective is to understand and explore the
  product capabilities, read the notes and browse the links they provide to
  additional documentation.
Enable security in your application
- Start the Application Assembly Tool, as discussed in the Application
  assembly tutorial.
- Edit the Deployed_simpleSession.ear application.
  On the Welcome to Application Assembly Tool panel:
  - Click the Existing tab.
  - Click Browse next to the File name field.
  - Navigate to the Deployed_simpleSession.ear that was assembled in
    the Simple Session Bean tutorial and click Select.
  - Click OK.
- Create a security role to which you will be granting authorization to the
  session bean and servlet in the application:
  - In the .ear file, select the Security Roles folder.
  - Right-click it and select New.
  - On the General tab, enter GoodGuys for the Name.
  - Optionally, enter a Description.
  - Select the Bindings tab.
  - Associate your (native) user ID with this security role:
    - Click Add... (next to the Users: area).
    - Specify your user ID in the Name field.
    - Click OK.
  - Click OK.
- Authorize methods on the enterprise bean. You will authorize all home and
  remote methods to security role GoodGuys:
  - In the tree view, expand EJB Modules.
  - Expand EJB11.
  - Create a new security role:
    - Select Security Roles.
    - Right-click it and select New.
    - Enter GoodGuys as the Name.
    - Optionally, enter a description.
    - Click OK.
  - Create a new method permission:
    - In the tree view, select Method Permissions under EJB11.
    - Right-click it and select New.
    - Add the methods:
      - For the Name, specify myMethodPerm.
      - In the Methods area, click Add...
      - In the Add Methods dialog, expand Ejb11.jar and the bean's path:
        com_ibm_websphere_gettingstarted_ejbs_SimpleSession
      - Select the Home and Remote interface folders (hold down the Shift
        key to select both at once).
      - Click OK.
    - In the Roles area, click Add...
    - Select security role GoodGuys.
    - Click OK.
    - Click OK to close the New Method Permissions window.
- Authorize a servlet. Add a login form to be used for authentication:
  - In the tree view, expand Web Modules -> SimpleSessionWar -> Files.
  - Select Resource Files.
  - Right-click it and select Add Files.
  - Click Browse and navigate to the login.jar that you previously
    downloaded.
  - Click OK.
  - Select login.html and error.jsp (hold down the Shift key
    to select both at once).
  - Click Add.
  - Click OK.
  The files are displayed in the Application Assembly Tool, in the Resource Files
  folder of the Web module.
  - In the tree view, click the .war file named SimpleSessionWar to display its properties.
  - Click the Advanced tab.
  - Check the Login Configuration box.
  - Do the following:
    - Set Authentication Method to FORM.
    - Enter Realm Name: Getting Started
    - Enter Login Page: login.html
    - Enter Error Page: error.jsp
  - Click Apply when finished.
- Add a security constraint:
  - Expand SimpleSessionWar.
  - Select Security Constraints.
  - Right-click it.
  - Click New.
  - Add a new security constraint:
    - Enter the Security Constraint Name: GoodGuys
    - Click Add... next to the Roles area.
    - Select the Security Role GoodGuys.
    - Click OK.
    - Set Transport Guarantee to NONE.
    - Click OK.
  - Add a resource collection to the constraint:
    - Expand SimpleSessionWar -> Security Constraints -> GoodGuys.
    - Select Web Resource Collections.
    - Right-click it and select New.
    - Add a new Web resource collection:
      - Enter the Web Resource Name: SecureMe.
      - Click Add... in the HTTP Methods section.
      - Change HTTP Method to POST.
      - Click OK.
      - Click Add... in the HTTP Methods section.
      - Change HTTP Method to GET.
      - Click OK.
      - Click Add... in the URLs section.
      - Enter /SimpleSession for the URL Pattern.
      - Click OK.
    - Click OK.
- Save your .ear file using File -> Save As and save it as
  product_installation_root/temp/tutorial/security/Deployed_simpleSessionSecure.ear
- Exit the AAT.
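The AAT steps above are written into the standard J2EE deployment descriptors inside the .ear. The following excerpts are an added illustration of the entries those steps correspond to; they are not the tool's actual output and not part of the original tutorial. Shown are a web.xml fragment for SimpleSessionWar (Servlet 2.2 DTD) and an ejb-jar.xml fragment for EJB11 (EJB 1.1 DTD). The ejb-name SimpleSession, the method-permission description, and the leading slashes on the login pages are assumptions. The user-to-role binding made on the Bindings tab is not part of either standard descriptor; WebSphere stores it in an IBM-specific bindings file in the .ear.

```xml
<!-- web.xml for SimpleSessionWar (excerpt; added illustration, Servlet 2.2 DTD) -->
<web-app>
  <!-- servlet and servlet-mapping elements omitted; the servlet is assumed to be
       mapped to /SimpleSession, the URL pattern the constraint below refers to -->

  <!-- Security Constraints -> GoodGuys -> Web Resource Collections -> SecureMe -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecureMe</web-resource-name>
      <url-pattern>/SimpleSession</url-pattern>
      <!-- Listing http-method elements restricts the constraint to exactly
           these methods; omit them to constrain every method on the pattern. -->
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <!-- only callers in GoodGuys may reach the collection -->
      <role-name>GoodGuys</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Transport Guarantee NONE: plain HTTP is accepted for these requests -->
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Advanced tab -> Login Configuration -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Getting Started</realm-name>
    <form-login-config>
      <!-- context-relative paths; the leading slash is an assumption -->
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- the role declared on the Web module's Security Roles folder -->
  <security-role>
    <role-name>GoodGuys</role-name>
  </security-role>
</web-app>

<!-- ejb-jar.xml for EJB11 (excerpt; added illustration, EJB 1.1 DTD) -->
<ejb-jar>
  <!-- enterprise-beans element omitted; ejb-name "SimpleSession" is an assumption -->
  <assembly-descriptor>
    <security-role>
      <role-name>GoodGuys</role-name>
    </security-role>
    <!-- Method Permissions -> myMethodPerm: every Home and Remote method -->
    <method-permission>
      <description>myMethodPerm</description>
      <role-name>GoodGuys</role-name>
      <method>
        <ejb-name>SimpleSession</ejb-name>
        <method-intf>Home</method-intf>
        <method-name>*</method-name>
      </method>
      <method>
        <ejb-name>SimpleSession</ejb-name>
        <method-intf>Remote</method-intf>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

Three things are worth checking when you read the descriptors the AAT actually produced. Because the Web resource collection lists http-method elements, the constraint covers only GET and POST; any other HTTP method sent to /SimpleSession falls outside it, so leave the http-method elements out when you mean every method. Transport Guarantee NONE sends the form-posted password over plain HTTP; CONFIDENTIAL would require the request to arrive over SSL. Finally, FORM authentication relies on the login page posting the fields j_username and j_password to the action j_security_check, which is what the login.html in login.jar is expected to contain.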
Enable security in the application server runtime
- Start the application server, as discussed in the Application deployment tutorial.
- Open the administrative console.
- Enable security:
  - Click Console -> Security Center on the console menu bar.
  - On the General tabbed page of the Security Center, click Enable Security.
  - On the Authentication tabbed page, select Local Operating System.
  - Specify the Security Server ID and password, namely your native operating system
  - Click OK to exit the Security Center.
Remove the unsecured version of the application
Remove the unsecured version of SimpleSessionApp as described in the Application
removal and cleanup tutorial. Then return here to proceed with the security tutorial.
Install the secured application
- In the console tree view, right-click
  WebSphere Administrative Domain -> Enterprise Applications.
- From the resulting menu, click Install Enterprise Application to launch the Install
  Enterprise Application wizard.
- On the Specifying the Application or Module panel:
  - Ensure that the Browse for file on node field is set to your current node.
  - Ensure Install Application is selected.
  - Click Browse, next to the Path field. Browse for the
    Deployed_simpleSessionSecure.ear file and select it.
    Verify that its name is now displayed in the Path field.
  - Specify SimpleSessionSecure as the Application name.
  - Click Next.
- Click No when prompted whether to deny access to unprotected methods.
- On the Mapping Users to Roles panel, verify that the GoodGuys role is
  mapped to your native user ID. Click Select... and make sure you can see
  your native ID listed in the Selected Users/Groups area of the resulting
  Select Users/Groups dialog. (To close the dialog after verification, click OK.)
- Click Next.
- On the Mapping EJB RunAs Roles to Users panel, click Next.
- On the Binding Enterprise Beans to JNDI Names panel, verify that
  the JNDI Name is set to gs/hello, and then click Next.
- On the Mapping EJB References to Enterprise Beans panel, verify that
  the JNDI Name is set to gs/hello, and then click Next.
- On the Mapping Resource References to Resources panel, click Next.
- On the Specifying the Default Datasources for EJB Modules panel, click Next.
- On the Specifying Data Sources for Individual CMP Beans panel, click Next.
- On the Selecting Virtual Hosts for Web Modules panel, ensure that the Virtual Host
  is set to default_host, then click Next.
- On the Selecting Application Server panel, ensure that the EJB11 and SimpleSessionWar
  modules are going to reside on Application Server "Default Server," then click Next.
- Click Finish on the Completing the Application Installation Wizard panel.
- When prompted whether to regenerate code, click No.
- Look for the message confirming successful installation of the application. It might be
  a minute before it is displayed.
  You can now view SimpleSessionSecure in the console tree view.
Regenerate the Web server plug-in and save the server configuration
- In the console tree view, right-click WebSphere Administrative Domain -> Nodes -> your_host_name.
- From the resulting menu, select Regen Webserver Plugin.
- In the area at the bottom of the console, look for the Event Message saying that the
  plug-in regeneration has been completed. It might take a moment before it is displayed.
Stop the administrative server and start it again
- To stop the administrative server, right-click your_host_name under
  Nodes in the administrative console and select Restart from the resulting menu. The
  console will close when you do so.
- Open the administrative console again after the administrative server starts. This time,
  you will be asked to log in, because security is enabled.
Ensure the application, application server, and Web server are running
- In the console tree view, click WebSphere Administrative Domain -> Nodes -> your_host_name
  -> Application Servers -> Default Server.
- Ensure that the Module Visibility setting of the Default Server is set to "Compatibility."
  Click Apply if you had to change it.
  Recall learning this step in the Application testing tutorial.
Test the Web client
- Test the Web client the same way you tested the Web client for the unsecured
  simpleSession application, as discussed in the
  Application testing tutorial. That is, in a Web browser, type the URL:
  http://hostname:9080/gettingstarted3/SimpleSession?msg=Hi
- When the login screen is displayed, enter your native operating system
  user ID and password.
Notice that your login credentials flowed to the EJB container as
well, because the above procedure established authorization of the EJB methods
as well as of the servlet.
Test the Java client
This, too, is similar to the way you did it in the Application testing tutorial,
except you will reference the secured .ear file in the launchClient command.
- Open a system command prompt.
- Change directory to:
  product_installation_root/bin
- Enter the command:
  launchClient ../temp/tutorial/security/Deployed_simpleSessionSecure.ear
  (Remember, on Windows systems, the forward slashes should be backslashes.)
  The client will proceed to the point of looking up the EJB home before it
  prompts the user to log in.
- When the login pop-up is displayed, enter your native operating system
  user ID and password.
Disable security in the application server runtime
- Start the application server, as discussed previously.
- Open the administrative console, as discussed in the Application deployment tutorial.
- Disable security:
  - Click Console -> Security Center on the console menu bar.
  - On the General tabbed page of the Security Center, deselect the Enable Security check box.
  - Click OK.
- Stop the application server and start it again, as discussed previously.
Do not forget to go back into the console and disable security if you are sharing
the console with a colleague who will not know the correct ID and password the next
time he or she tries to open the console!
What's next?
Now that you have assembled, deployed, and secured a Session bean application, you
might want to try your hand at a CMP application. The Advanced
application assembly and deployment tutorial describes how to do so.