6.7.4: Application security tutorial

During this tutorial, you will enable security in all three containers of your simpleSession application:

You will use the Application Assembly Tool (AAT) to declare and define J2EE security roles, as well as to control authorization on various J2EE modules. You will also enable security in the application server runtime and test your settings.

Authentication will be performed using the local operating system user registry. This example only uses declarative security. It does not illustrate any of the programmatic methods supported by the J2EE programming model.

Prerequisites

You need to have performed the Application deployment tutorial and Application testing tutorial successfully in order to perform this tutorial successfully. If you ran into trouble testing your application, you can still perform this tutorial to practice the steps involved, but the testing phase of this tutorial will be unsuccessful.

Overview of steps (requires 45 to 60 minutes)

  1. Enable security in your application
  2. Enable security in the application server runtime
  3. Install the secured application
  4. Regenerate the Web server plug-in and save the server configuration
  5. Stop the server and start it again
  6. Ensure the application, application server, and Web server are running
  7. Test the Web client
  8. Test the Java client
  9. Disable security in the application server runtime

  Paths through the tutorial

Enable security in your application

  1. Start the Application Assembly Tool, as discussed in the Application assembly tutorial.
  2. Edit the Deployed_simpleSession.ear application.

    On the Welcome to Application Assembly Tool panel:

    1. Click the Existing tab.
    2. Click Browse next to the File name field.

      Browse for the file

    3. Navigate to the Deployed_simpleSession.ear file that was assembled in the Simple Session Bean tutorial and click Select.
    4. Select OK.
  3. Create a security role to which you will be granting authorization to the session bean and servlet in the application:
    1. In the .ear file, select the Security Roles folder.

      Select Security Roles folder

    2. Right-click it and select New.
    3. On the General tab, enter GoodGuys for the Name.
    4. Optionally, enter a Description.

      Specifying general settings of a new security role

    5. Select the Bindings tab.
    6. Associate your (native) user ID with this security role:
      1. Click Add... (next to the Users: area).
      2. Specify your user ID in the Name field.
      3. Click OK.
    7. Click OK.
  4. Authorize methods on the enterprise bean. You will authorize all home and remote methods to security role GoodGuys:
    1. In the tree view, expand EJB Modules.
    2. Expand the EJB11.
    3. Create a new security role:
      1. Select Security Roles.
      2. Right-click it and select New.

        Select New

      3. Enter GoodGuys as the Name.
      4. Optionally, enter a description.

        Values entered in Security Roles dialog

      5. Click OK.
  5. Create a new method permission:
    1. In the tree view, select the Method Permissions under EJB11.
    2. Right-click it and select New.
    3. Add the methods:
      1. For the Name, specify myMethodPerm.
      2. In the Methods area, click Add...

        Adding a method

      3. In the Add Methods dialog, expand the Ejb11.jar and the bean path com_ibm_websphere_gettingstarted_ejbs_SimpleSession.
      4. Select the Home and Remote interface folders (hold down the Shift key to select both at once).

        Selecting the two folders

      5. Click OK.
      6. In the Roles area, click Add...
      7. Select security role GoodGuys.
      8. Click OK.

        Finished specifying values

    4. Click OK to close the New Method Permissions window.
    5. myMethodPerm is displayed under Method Permissions.

  6. Authorize a servlet. Add a login form to be used for authentication:
    1. In the tree view, expand Web Modules -> SimpleSessionWar -> Files.
    2. Select Resource Files.
    3. Right-click it and select Add Files.

      Select Add Files

    4. Click Browse and navigate to the login.jar that you previously downloaded.

      Browse for login.jar

    5. Click OK.
    6. Select login.html and error.jsp (hold down the Shift key to select both at once).

      Select the two files

    7. Click Add.

      Click Add

    8. Click OK.

      The files are displayed in the Application Assembly Tool, in the Resource Files folder of the Web module.

      The files are now displayed

    9. In the tree view, click the .war file named SimpleSessionWar to display its properties.
    10. Click the Advanced Tab.
    11. Check the Login Configuration box.
    12. Do the following:
      1. Set Authentication Method to FORM.
      2. Enter the Realm name: Getting Started
      3. Enter the Login Page: login.html
      4. Enter the Error Page: error.jsp
      5. Click Apply when finished.

      Servlet has been authorized

  7. Add a security constraint:
    1. Expand SimpleSessionWar.
    2. Select Security Constraints.
    3. Right-click it.
    4. Click New.
    5. Add a new security constraint:
      1. Enter the Security Constraint Name: GoodGuys
      2. Click Add... next to the Roles area.
      3. Select the Security Role of GoodGuys.
      4. Select OK.
      5. Set Transport Guarantee to NONE.

        Properties in New Security Constraint

      6. Click OK.
  8. Add a resource collection to the constraint:
    1. Expand SimpleSessionWar -> Security Constraints -> GoodGuys
    2. Select Web Resource Collections.
    3. Right-click it and select New.

      Creating a new resource collection

    4. Add a new web resource collection:
      1. Enter the Web Resource Name: SecureMe.
      2. Click Add... in the HTTP Methods section.
      3. Change HTTP Method to POST.
      4. Click OK.
      5. Click Add... in the HTTP Methods section.
      6. Change HTTP Method to GET.
      7. Click OK.
      8. Click Add... in the URLs section.
      9. Enter /SimpleSession for the URL Pattern.

        Specifying the URL pattern

      10. Click OK.

        The Web resource collection exists

    5. Click OK.
  9. Save your .ear file using File -> Save As, and save it as:
    product_installation_root/temp/tutorial/security/Deployed_simpleSessionSecure.ear

    Saving the .ear file

  10. Exit the AAT.
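
As an added illustration, not part of the original tutorial: a constructed web.xml equivalent to what the login configuration, security constraint and resource collection steps above write into the Web module, followed by a small Python check of how the Web container applies it. The element layout, the leading slashes on the login and error pages, and the caller's roles (assumed to be already resolved from the GoodGuys binding) are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml equivalent to the AAT settings above (FORM login, GoodGuys on GET/POST /SimpleSession).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecureMe</web-resource-name>
      <url-pattern>/SimpleSession</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>GoodGuys</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Getting Started</realm-name>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>GoodGuys</role-name></security-role>
</web-app>"""

def pattern_matches(pattern, path):
    """Servlet URL-pattern matching: exact, path prefix (/x/*) or extension (*.jsp)."""
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path

def web_access(web_xml, method, path, roles):
    """Return 'permit', 'deny' or 'unconstrained' (no constraint matched; served without a login)."""
    root = ET.fromstring(web_xml)
    for sc in root.findall("security-constraint"):
        for wrc in sc.findall("web-resource-collection"):
            listed = [m.text for m in wrc.findall("http-method")]
            if listed and method not in listed:  # only the listed verbs are covered
                continue
            if not any(pattern_matches(p.text, path) for p in wrc.findall("url-pattern")):
                continue
            auth = sc.find("auth-constraint")
            if auth is None:  # constraint without auth-constraint: anyone may pass
                return "permit"
            allowed = {r.text for r in auth.findall("role-name")}
            return "permit" if allowed & set(roles) else "deny"
    return "unconstrained"
```

Because the collection lists only GET and POST, a HEAD request to /SimpleSession matches no constraint and is served without a login; leave the http-method entries out of the collection when the constraint should cover every HTTP method.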

Enable security in the server runtime

  1. Start the application server, as discussed in the Application deployment tutorial.
  2. Open the administrative console.
  3. Enable security:
    1. In the tree view, expand Security.
    2. Select Local OS Authentication.

      Local OS User Registry panel

    3. Select Local OS User Registry in the right pane.
    4. Change the Server ID: <operating system userid>
    5. Change the Server Password: <operating system userid password>
    6. Click OK.
    7. In the topology tree, select Security.
    8. Check Enabled in the right pane.

      Enabling security

    9. Click OK.
    10. Save the configuration by clicking the Configuration needs to be saved link at the top of the Security page.

Install the secured application

The deployment tutorial discussed how to install an application using the administrative console installation wizard. This tutorial shows an alternate method, the application installer command line tool. A key benefit, as described in the documentation for the application installer tool, is that the tool can be used with the application server stopped.

  1. Open a system command prompt.
  2. Change directory to:
    product_installation_root/bin
  3. Enter the following command on a single line:
    SEAppInstall -install ../temp/tutorial/security/Deployed_simpleSessionSecure.ear -ejbdeploy false

    (Remember, on Windows systems, the forward slashes should be backslashes.)
  4. Answer the questions when prompted (the prompts are summarized here, but not verbatim):

    Remove the application and reinstall it?
      Yes
    Precompile all JSP files?
      No
    Precompile individual Web applications?
      No
    Default data source for the EJB JAR
      Press Enter to accept the default.
    JNDI names
      Press Enter to accept the default value: gs/hello
    Subject Name for the Security Roles
      Verify that the default value is U:userid, where userid is your native operating system user ID. Accept the default value by pressing Enter.
    Virtual Host name
      Verify that the default is set to default_host and press Enter.
    Denying all unprotected methods
      Yes

    Application installer
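
As an added example, not from the tutorial: a constructed ejb-jar.xml assembly descriptor corresponding to the myMethodPerm permission (the ejb-name SimpleSession is assumed; the AAT displays the bean by its package path), and a check of what the "Denying all unprotected methods" answer changes for a bean method that no method permission covers.

```python
import xml.etree.ElementTree as ET

# Constructed ejb-jar.xml assembly descriptor equivalent to myMethodPerm above
# (ejb-name SimpleSession is assumed): all Home and Remote methods granted to GoodGuys.
EJB_JAR_XML = """<ejb-jar>
  <assembly-descriptor>
    <security-role><role-name>GoodGuys</role-name></security-role>
    <method-permission>
      <description>myMethodPerm</description>
      <role-name>GoodGuys</role-name>
      <method><ejb-name>SimpleSession</ejb-name><method-intf>Home</method-intf><method-name>*</method-name></method>
      <method><ejb-name>SimpleSession</ejb-name><method-intf>Remote</method-intf><method-name>*</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>"""

def ejb_access(ejb_jar_xml, bean, intf, method, roles, deny_unprotected=True):
    """Decide whether a caller holding `roles` may call bean.intf.method.
    deny_unprotected=True mirrors answering Yes to 'Denying all unprotected methods':
    a method that no method-permission covers is refused instead of being open to everyone."""
    root = ET.fromstring(ejb_jar_xml)
    covered = False
    for mp in root.iter("method-permission"):
        granted = {r.text for r in mp.findall("role-name")}
        for m in mp.findall("method"):
            if m.findtext("ejb-name") != bean:
                continue
            mi = m.findtext("method-intf")  # absent means the entry applies to Home and Remote
            if mi is not None and mi != intf:
                continue
            if m.findtext("method-name") not in ("*", method):
                continue
            covered = True
            if granted & set(roles):
                return "permit"
    if covered:
        return "deny"  # a permission exists, but not for any of the caller's roles
    return "deny" if deny_unprotected else "permit"
```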

Regenerate the Web server plug-in and save the server configuration

Installing an application requires regenerating the configuration for the WebSphere plug-in for the Web server. This task was discussed in the Application deployment tutorial, but the method used there required starting the server and opening the administrative console.

Try an alternate method that does not require the server to be running:

  1. Open a system command prompt.
  2. Run the GenPluginCfg script, pointing it to the default server XML configuration file.

    The script is located at:

    product_installation_root/bin/GenPluginCfg.sh (GenPluginCfg.bat on Windows)

    (Run the script as you usually would run a script or bat file on your particular operating system.) Use the argument:

    -configFile ../config/server-cfg.xml

Running plug-in regeneration script

Stop the server and start it again

In this case, the server should be stopped already. Confirm this.

Start the server again, as you learned to do in the Application deployment tutorial.

Ensure the application, application server, and Web server are running

Recall learning this step in the Application testing tutorial.

Test the Web client

  1. Test the Web client the same way you tested the Web client for the unsecured simpleSession application, as discussed in the Application testing tutorial. That is, in a Web browser, type the URL:
    http://hostname:9080/gettingstarted3/SimpleSession?msg=Hi
  2. When the login screen is displayed, enter your native operating system user ID and password.
  3. Notice that your login credentials flowed through to the EJB container as well, because the procedure above authorized the EJB methods as well as the servlet.

Test the Java client

This, too, is similar to the way you did it in the Application testing tutorial, except you will reference the secured .ear file in the LaunchClient command.

  1. Open a system command prompt.
  2. Change directory to:
    product_installation_root/bin
  3. Enter the command:
    launchClient ../temp/tutorial/security/Deployed_simpleSessionSecure.ear

    (Remember, on Windows systems, the forward slashes should be backslashes.)

    The client will proceed to the point of looking up the EJB home before it prompts the user to log in.

    Issuing the launchClient command

  4. When the login pop-up is displayed, enter your native operating system user ID and password.

All finished with launchClient

Disable security in the application server runtime

  1. Start the application server, as discussed previously.
  2. Open the administrative console, as discussed in the Application deployment tutorial.
  3. Disable security.
    1. Click Console > Security Center on the console menu bar.
    2. On the General tabbed page of the Security Center, deselect the Enable Security check box.
    3. Click OK.
  4. Stop the application server and start it again, as discussed previously.

Do not forget to go back into the console and disable security if you are sharing the console with a colleague who will not know the correct ID and password the next time he or she tries to open the console!

What's next?

Now that you have assembled, deployed, and secured a Session bean application, you might want to try your hand at a CMP application. The Advanced application assembly and deployment tutorial describes how to do so.