WJ-3104-EE5-Lab3

8/12/2019 WJ-3104-EE5-Lab3

1/16

Lab 3-1Copyright 2007 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A

Lab 3

Implementing a Security Policy

Objectives

Upon completion of this lab, you should be able to:

Secure thePortfolioControllerservlet

Use the EJB security API to get the user's identity in an EJBcomponent

Create roles and users

Create a web tier security policy

Create an EJB tier security policy

Describe Java EE security

8/12/2019 WJ-3104-EE5-Lab3

2/16

Introduction


Introduction

At present, your application has no access control, so it is completely opento all users. In this lab, you implement an end-to-end security policy. Thatis, you implement a policy that encompasses the business logic and all ofits clients, including thePortfolioControllerservlet, any JSPcomponents, and standalone clients. This policy is defined in terms of twoJava EE roles,adminandcustomer:

Members of theadminrole have complete access to all of thecomponents of the application. They can, therefore, view theportfolio of any customer.

Members of thecustomerrole can only view their own portfoliodetails.

Users in any other role, or in no role at all, cannot use any part of theapplication.

For ease of testing, you implement the security policy step-by-step, testingat each stage. The first step is to complete thePortfolioControllerservlet. At present, when the user clicks the Show Portfolio link, it resultsin a call togetAllCustomerShareson theBrokerDelegateobject. TheBrokerDelegatecalls thegetAllCustomerSharesmethod on theBrokerModelEJB component. This method should use the EJB securityAPI to determine the current user.

The next stage is to apply a security constraint to the web application, sothat only authenticated users can invoke the application. Finally, youapply security constraints to the methods of theBrokerEJB component,to give finer control over access than can be accomplished at the web tier.

8/12/2019 WJ-3104-EE5-Lab3

3/16

Exercise 1: Using the EJB Security API to Get the User's Identity in an EJB

Implementing a Security Policy Lab 3-3Copyright 2007 SunMicrosystems, Inc. All Rights Reserved. SunServices,Revision A

Exercise 1: Using the EJB Security API to Get the User'sIdentity in an EJB Component

This exercise contains the following sections and is an example of

programmatic access control. Task 1 Securing thegetAllCustomerSharesMethod

Task 2 Deploying and Testing the Session Bean

In this exercise, you add security to theBrokerModelImplsession bean.ThegetAllCustomerShares method returns an array ofCustomerShares. The method is modified to use the EJB security API todetermine who is logged in. If no user is logged in, it throws an exception.

Preparation

This exercise assumes that the application server and Derby database areinstalled and running.

Task 1 Securing thegetAllCustomerSharesMethod

Implement thegetAllCustomerSharesmethod in theBrokerModelImpclass as follows:

1. Make sure thegetAllCustomerSharesmethod declares that itthrows aBrokerException.

2. Use thegetCallerPrincipalmethod to get ajava.security.Principalobject for the current logged-in user.

ThegetCallerPrincipalmethod is defined on theSessionContextobject that is injected by the container when itinitializes the EJB component. Declare a@ResourceSessionContext ctx; if you do not already have aSessionContextreference.

3. Call thegetNamemethod on thePrincipalobject to get aStringrepresentation of the user ID of the logged-in user.

4. If the user ID isguest oranonymous (in any mixture of uppercase orlowercase) then no user is logged in. In this case, throw aBrokerExceptionwith the textNot logged in.

8/12/2019 WJ-3104-EE5-Lab3

4/16

Exercise 1: Using the EJB Security API to Get the User's Identity in an EJB


Task 2 Deploying and Testing the Session Bean

Complete the following steps:

1. Deploy the BrokerTool Java EE application.

2. Test the session bean by pointing your web browser at:

http://localhost:8080/BrokerTool-war/CustomerController

3. Follow the link calledViewin the Portfolio column.

You should see the error message indicating that you are not loggedin.

8/12/2019 WJ-3104-EE5-Lab3

5/16

Exercise 2: Creating Roles, Users, and Groups



This exercise contains the following sections:

Task 1 Creating Roles in the Application

Task 2 Creating Users and Groups in the Application Server

Task 3 Mapping Roles to Groups

So far, you have coded the application to the extent that it is able todetermine the details of the current user. However, you do not yet have amethod to log in, or any user credentials against which to verify a loginattempt.

In this exercise, you define the customer and admin security roles at theapplication level and create two user groups in the application server. You

then map the roles onto the user groups.

Preparation

This exercise assumes that the application server and the Java DBdatabase are installed and running.

8/12/2019 WJ-3104-EE5-Lab3

6/16



Task 1 Creating Roles in the Application

Complete the following step:

Tool Reference:Java EE Development: Editing Deployment Descriptors:Enterprise Application Deployment Descriptor

1. Add a class-level annotation inBrokerModelImpl. The annotationdefines the two available user roles for this class:@javax.annotation.security.DeclareRoles(value={"admin,

customer"})

Previous versions of the EJB specification would have required you tomodify theapplication.xmldeployment descriptor in theBrokerToolproject. Addingsecurity-roleelements within theapplicationelement such as:

admin

customer

Task 2 Creating Users and Groups in the Application

Server

Tool Reference Server Resources: Java EE Application Servers:Administering Security

Use the administration console to create two users, 111-11-1111 and 999-90-8765. If these users no longer exist in your application, you can usealternative users. Put user 111-11-111 in the level1 and level2 groups, andput user 999-90-8765 in the level1 group. Use the information in Table 3-1to configure these users.

Table 3-1 Users in the Security Realm

User ID Password Group List

111-11-1111 password level1, level2

999-90-8765 password level1

8/12/2019 WJ-3104-EE5-Lab3

7/16



Task 3 Mapping Roles to Groups

Complete the following steps to map roles to groups:

1. Edit thesun-application.xmldeployment descriptor in the

BrokerToolproject.2. Add the mapping inside thesun-applicationelement.

admin

level2

customer

level1

At the end of this task, the Java EE security role,customer, ismapped onto the level1 server group, and the admin role is mappedonto the level2 group.

8/12/2019 WJ-3104-EE5-Lab3

8/16

Exercise 3: Creating a Web Tier Security Policy



This exercise contains the following sections:

Task 1 Creating a Security Constraint

Task 2 Deploying and Testing the Application

In this exercise, you apply security constraints to the URL patterns thatthe web browser invokes. This has two effects. First, it restricts access tothose URLs to certain users. Second, it forces the web server to prompt theuser to authenticate.

Preparation

This exercise assumes that the application server and Java DB databaseare installed and running.

Task 1 Creating a Security Constraint

Complete the following steps to create a security constraint in the webmodule, so the/PortfolioControllerURL is accessible only to thecustomerandadminroles:

Tool Reference Java EE Development: Web Modules: Configuring WebDeployment Descriptors

1. Edit theweb.xmldeployment descriptor in theBrokerTool-warproject.

2. Add a security constraint inside theweb-appelement:

Portfolio Access

portfolio access

/PortfolioController

admin

customer

8/12/2019 WJ-3104-EE5-Lab3

9/16



This security constraint restricts access to the/PortfolioControllerURL to users in theadminorcustomerroles.

3. Add alogin-configelement inside theweb-appelement after thesecurity-constraintelement:

BASIC

BrokerTool Realm

This login configuration instructs the server to use basicauthentication to authenticate users.


To deploy and test the application, complete the following steps:

1. Deploy theBrokerToolJava EE application. Resolve any errorsbefore you continue.

2. Point your web browser at:

http://localhost:8080/BrokerTool-war/CustomerController

Attempt to view a customers portfolio. TheCustomerControllerURL now has a security constraint, and if you have not yet loggedin, you should be prompted to log in.

3. Type the user ID and password for user 999-90-8765.You should see the customer portfolio. Because you are no longercalling theBrokerModelImplsgetAllCustomerSharesmethod asthe guest or anonymous user, you can see the portfolio data, if thistest is successful, it shows that the web tier has authenticated theuser and propagated the user credentials to the EJB tier.

4. View other customer portfolios. This should also succeed regards ofwhat user you logged in as. This is not what is required by theapplications security, because only members of theadminroleshould be able to view other customers' portfolios. Members of the

customer role, such as user 999-90-8765, should only be able to viewtheir own accounts. You fix this in the next exercise.

8/12/2019 WJ-3104-EE5-Lab3

10/16

Exercise 4: Creating an EJB Tier Security Policy



In Exercise 1, you restricted access to theBrokerModelImplsgetAllCustomerSharesmethod programmatically, allowing onlylogged- in users to execute the method. In Exercise 3, you protected theweb page that shows the results of theBrokerModelImplsgetAllCustomerShares method, thereby causing the calls to theBrokerModelImplsgetAllCustomerSharesto have role and principalcredentials.

If other pages are restricted with different roles, then any of those pagescould execute theBrokerModelImplsgetAllCustomerSharesmethod.In this exercise, you restrict all unallowed access to theBrokerModelImplsgetAllCustomerSharesmethod both declarativelyand programmatically.

This exercise contains the following sections that describe the tasks torestrict the use of theBrokerModelImplsgetAllCustomerSharesmethod to members of theadminorcustomerrole:

Task 1 RestrictingBrokerModelImplMethods

Task 2 CustomizingBrokerModelImplMethods by Role


Preparation

This exercise assumes that the application server and Java DB databaseare installed and running.

Task 1 RestrictingBrokerModelImplMethods

In this task, you add themethod-permissionelements in theassembly-descriptorelement.


1. Verify the class-level annotation toBrokerModelImplof:

@DeclareRoles(value={"admin","customer"})

This states that the admin and customer roles are used in this EJB.

8/12/2019 WJ-3104-EE5-Lab3

11/16



2. Add a method-level annotation to theBrokerModelImplsgetAllCustomerSharesmethod of:

@RolesAllowed(value={"admin","customer"})

This prohibits anyone not in theadminorcustomerrole from calling the

getAllCustomerSharesmethod.

Task 2 CustomizingBrokerModelImplMethods byRole

In the previous task, you declared that only theadmin andcustomer rolesare allowed to call thegetAllCustomerSharesmethod. A customershould not be allowed to view other customer shares. There is no way todefine this restriction declaratively, it must be done programmatically.


1. Comment out the code at the beginning of thegetAllCustomerSharesmethod that deals with anonymous orguest users.

2. Modify thatgetAllCustomerSharesmethod so that aBrokerExceptionis thrown if:

a. The caller is not in theadminrole. Use thecontext.isCallerInRolemethod.

Note If you do not have a context reference you can obtain one byadding@Resource private SessionContext context; as a class levelvariable.

b. The principals name does not match the ID passed as anargument to thegetAllCustomerSharesmethod.

8/12/2019 WJ-3104-EE5-Lab3

12/16





1. Deploy the BrokerTool Java EE application. Resolve any errors before

you continue.2. Point your browser athttp://localhost:8080/BrokerTool-

war/CustomerController

3. Select a customers portfolio to view, you should be prompted for apassword. Enter the user name and password for an account in theadmin role. You should be able to view all customer portfolios.

4. Close all instance of your web browser to log out.

5. Launch a new web browser and point it athttp://localhost:8080/BrokerTool-war/CustomerController

6. Select a customers portfolio to view, you should be prompted for apassword. Enter the user name and password for an account NOT inthe admin role. You should only be able to view that customersportfolio.

8/12/2019 WJ-3104-EE5-Lab3

13/16

Exercise 5: Describing Java EE Security


Exercise 5: Describing Java EE Security

In this exercise, you complete a fill-in-the-blank activity to check yourunderstanding of Java EE Security.

Preparation

No preparation is needed for this exercise.

Task

Fill in the blanks of the following sentences with the missing word orwords:

1. To check the calling user, an EJB would use its _______________.

2. The web tier equivalent ofisUserInRole(...)is____________________.

3. Two common security annotations used in an EJB are______________ and ______________.

4. Web-tier components configure their security settings in the_____________ file.

8/12/2019 WJ-3104-EE5-Lab3

14/16

Exercise Summary


Exercise Summary

?

!

Discussion Take a few minutes to identify what experiences, issues, ordiscoveries you had during the lab exercise.

Experiences

Interpretations

Conclusions

Applications

8/12/2019 WJ-3104-EE5-Lab3

15/16

Exercise Solutions


Exercise Solutions

Use the following solutions to check your answers to the exercises in thislab.

Solutions for Exercises 1 Through 4

You can find example solutions for the exercises in this lab in thefollowing directory:solutions/Security.

Solution for Exercise 5: Describing Java EE Security

Compare your fill-in-the-blank responses to the following answers:

1. To check the calling user, an EJB would use itsEJBContext orSessionContext.

2. The web-tier equivalent ofisUserInRole(...) isisCallerInRole(...).

3. Two common security annotations used in an EJB are @DeclareRolesand@RolesAllowed.

4. Web-tier components configure their security settings in theweb.xmlfile.

8/12/2019 WJ-3104-EE5-Lab3

16/16

Exercise Solutions

Date post:	03-Jun-2018
Category:	Documents
Upload:	srinivasa-helavar
View:	219 times
Download:	0 times

WJ-3104-EE5-Lab3

Documents