Enterprise Java Development

Part XXII. JavaEE Security

2019-08-22 07:11 EST

Table of Contents

Purpose
1. Goals
2. Objectives
111. JavaEE Security Access Control Points
112. EJB Security
112.1. Declarative EJB Access Control
112.2. Programmatic Security
112.3. Optional Role Mapping: ejb-jar.xml
112.4. EJB Security Setup: META-INF/jboss-ejb3.xml
112.5. Summary
113. JBoss/Wildfly Security
113.1. Security Realm
113.2. Security Realm References
113.3. Security Domain
113.3.1. "other" Security Domain
113.4. Wildfly Built-in Authentication and Authorization
113.5. Summary
114. EJB Security RMI Client
114.1. JBoss Remoting
114.1.1. jndi.properties
114.1.2. JBoss Remoting JNDI Name
114.1.3. JBoss Remoting Authentication with JNDI InitialContext
114.1.4. Example Changing Users with JBoss Remoting
114.1.5. Optional Fixed Credentials
114.2. EJBClient
114.2.1. jndi.properties
114.2.2. EJBClient JNDI Name
114.2.3. EJBClient Authentication with JNDI InitialContext
114.2.4. Example Changing Users with EJBClient
114.2.5. Optional Fixed Credentials
114.3. Security Sanity Check
114.3.1. whoAmI
114.3.2. isCallerInRole
114.3.3. Client Issues Security Query Calls
114.3.4. Example Access Violation
114.3.5. Example Access Granted
114.4. Summary
115. run-as
115.1. Default security-identity: use-caller-identity
115.2. Run-as security-identity: role-name
115.3. Run-as principal: identity
115.4. Invoking Protected EJB thru Run-as Proxy
115.5. Summary
116. JAX-RS Resource Security
116.1. Web Security Setup
116.1.1. Assign WAR security-domain: jboss-web.xml
116.1.2. Assign WAR auth-method: web.xml
116.2. JAX-RS Resource Class
116.2.1. JAX-RS Debug Methods
116.3. JAX-RS Client Authentication
116.3.1. Authorization Header
116.3.2. JAX-RS Client Authorization Filter
116.3.3. JAX-RS Client Authorization Filter Registration
116.3.4. Protect BASIC Credentials with HTTPS
116.4. Declarative Access Control
116.4.1. Two intermediate contexts defined to access Nested Pinger Resource
116.4.2. Same Nested Pinger Resource Exposed
116.4.3. Declarative Access Control Constraints
116.4.4. Nested Resource Called from Two URIs
116.5. Summary
117. Web Tier Access Control
117.1. Authentication
117.2. Security Constraints (web.xml)
117.3. FORM-based Login
117.4. BASIC Authentication
117.5. Summary