WJ-3104-EE5-Lab3

Date post: 03-Jun-2018
Upload: srinivasa-helavar
  • 8/12/2019 WJ-3104-EE5-Lab3

    1/16

    Lab 3-1Copyright 2007 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A

    Lab 3

    Implementing a Security Policy

    Objectives

    Upon completion of this lab, you should be able to:

    Secure the PortfolioController servlet

    Use the EJB security API to get the user's identity in an EJB component

    Create roles and users

    Create a web tier security policy

    Create an EJB tier security policy

    Describe Java EE security


    Introduction

    At present, your application has no access control, so it is completely open to all users. In this lab, you implement an end-to-end security policy. That is, you implement a policy that encompasses the business logic and all of its clients, including the PortfolioController servlet, any JSP components, and standalone clients. This policy is defined in terms of two Java EE roles, admin and customer:

    Members of the admin role have complete access to all of the components of the application. They can, therefore, view the portfolio of any customer.

    Members of the customer role can only view their own portfolio details.

    Users in any other role, or in no role at all, cannot use any part of the application.

    For ease of testing, you implement the security policy step-by-step, testing at each stage. The first step is to complete the PortfolioController servlet. At present, when the user clicks the Show Portfolio link, it results in a call to getAllCustomerShares on the BrokerDelegate object. The BrokerDelegate calls the getAllCustomerShares method on the BrokerModel EJB component. This method should use the EJB security API to determine the current user.

    The next stage is to apply a security constraint to the web application, so that only authenticated users can invoke the application. Finally, you apply security constraints to the methods of the Broker EJB component, to give finer control over access than can be accomplished at the web tier.


    Exercise 1: Using the EJB Security API to Get the User's Identity in an EJB Component

    This exercise contains the following sections and is an example of programmatic access control:

    Task 1 Securing the getAllCustomerShares Method

    Task 2 Deploying and Testing the Session Bean

    In this exercise, you add security to the BrokerModelImpl session bean. The getAllCustomerShares method returns an array of CustomerShares. The method is modified to use the EJB security API to determine who is logged in. If no user is logged in, it throws an exception.

    Preparation

    This exercise assumes that the application server and Derby database are installed and running.

    Task 1 Securing the getAllCustomerShares Method

    Implement the getAllCustomerShares method in the BrokerModelImpl class as follows:

    1. Make sure the getAllCustomerShares method declares that it throws a BrokerException.

    2. Use the getCallerPrincipal method to get a java.security.Principal object for the current logged-in user.

    The getCallerPrincipal method is defined on the SessionContext object that is injected by the container when it initializes the EJB component. Declare @Resource SessionContext ctx; if you do not already have a SessionContext reference. Note that getCallerPrincipal never returns null: when nobody has authenticated, the container hands back its default (anonymous) principal, so the name is what you must test.

    3. Call the getName method on the Principal object to get a String representation of the user ID of the logged-in user.

    4. If the user ID is guest or anonymous (in any mixture of uppercase or lowercase) then no user is logged in. In this case, throw a BrokerException with the text Not logged in.
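    The four steps above carried through as one bean. This is an added example, not the lab's solution code: the package name, the BrokerModel business interface name, the BrokerException(String) constructor and the JPA query used to load the shares are assumptions; only the identity check follows the lab text.

```java
package brokertool.model;                      // assumed package name

import java.security.Principal;
import java.util.List;
import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;

// Added example for Exercise 1, Task 1 (not the lab's solution code).
// BrokerModel, BrokerException and CustomerShare are the lab's own types;
// the JPA entity and field names in the query are assumptions.
@Stateless
public class BrokerModelImpl implements BrokerModel {

    // Step 2: the container injects the SessionContext when it creates the bean.
    @Resource
    private SessionContext ctx;

    @PersistenceContext
    private EntityManager em;                  // JPA access is an assumption

    // Step 1: the method declares BrokerException.
    public CustomerShare[] getAllCustomerShares(String customerId)
            throws BrokerException {
        currentUserId();                       // throws if nobody is logged in

        // JPA 1.0 (Java EE 5) returns a raw List from getResultList().
        @SuppressWarnings("unchecked")
        List<CustomerShare> shares = em.createQuery(
                "SELECT s FROM CustomerShare s WHERE s.customerId = :id")
                .setParameter("id", customerId)
                .getResultList();
        return shares.toArray(new CustomerShare[shares.size()]);
    }

    // Steps 2 to 4: ask the container who is calling and reject the
    // placeholder identities. getCallerPrincipal() never returns null; an
    // unauthenticated caller gets the server's default principal (named
    // ANONYMOUS by default on the Sun application server), so the name,
    // not null-ness, is what to test.
    private String currentUserId() throws BrokerException {
        Principal caller = ctx.getCallerPrincipal();
        String name = caller.getName();
        if (name == null
                || name.equalsIgnoreCase("guest")
                || name.equalsIgnoreCase("anonymous")) {
            throw new BrokerException("Not logged in");
        }
        return name;
    }
}
```

    This is a presence-of-login test only: once any user has authenticated, the method still returns whichever customer's shares were asked for. Restricting which portfolio a caller may read is the subject of Exercise 4.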


    Task 2 Deploying and Testing the Session Bean

    Complete the following steps:

    1. Deploy the BrokerTool Java EE application.

    2. Test the session bean by pointing your web browser at:

    http://localhost:8080/BrokerTool-war/CustomerController

    3. Follow the link called View in the Portfolio column.

    You should see the error message indicating that you are not logged in.


    Exercise 2: Creating Roles, Users, and Groups

    This exercise contains the following sections:

    Task 1 Creating Roles in the Application

    Task 2 Creating Users and Groups in the Application Server

    Task 3 Mapping Roles to Groups

    So far, you have coded the application to the extent that it is able to determine the details of the current user. However, you do not yet have a method to log in, or any user credentials against which to verify a login attempt.

    In this exercise, you define the customer and admin security roles at the application level and create two user groups in the application server. You then map the roles onto the user groups.

    Preparation

    This exercise assumes that the application server and the Java DB database are installed and running.


    Task 1 Creating Roles in the Application

    Complete the following step:

    Tool Reference: Java EE Development: Editing Deployment Descriptors: Enterprise Application Deployment Descriptor

    1. Add a class-level annotation in BrokerModelImpl. The annotation defines the two available user roles for this class:

        @javax.annotation.security.DeclareRoles(value={"admin", "customer"})

    Each role is a separate string literal; a single literal "admin, customer" would declare one role with that odd name and neither admin nor customer would match.

    Previous versions of the EJB specification would have required you to modify the application.xml deployment descriptor in the BrokerTool project, adding security-role elements within the application element such as:

        <security-role>
            <role-name>admin</role-name>
        </security-role>
        <security-role>
            <role-name>customer</role-name>
        </security-role>

    Task 2 Creating Users and Groups in the Application Server

    Tool Reference: Server Resources: Java EE Application Servers: Administering Security

    Use the administration console to create two users, 111-11-1111 and 999-90-8765. If these users no longer exist in your application, you can use alternative users. Put user 111-11-1111 in the level1 and level2 groups, and put user 999-90-8765 in the level1 group. Use the information in Table 3-1 to configure these users.

    Table 3-1 Users in the Security Realm

    User ID        Password    Group List
    111-11-1111    password    level1, level2
    999-90-8765    password    level1


    Task 3 Mapping Roles to Groups

    Complete the following steps to map roles to groups:

    1. Edit the sun-application.xml deployment descriptor in the BrokerTool project.

    2. Add the mapping inside the sun-application element:

        <security-role-mapping>
            <role-name>admin</role-name>
            <group-name>level2</group-name>
        </security-role-mapping>
        <security-role-mapping>
            <role-name>customer</role-name>
            <group-name>level1</group-name>
        </security-role-mapping>

    At the end of this task, the Java EE security role customer is mapped onto the level1 server group, and the admin role is mapped onto the level2 group.


    Exercise 3: Creating a Web Tier Security Policy

    This exercise contains the following sections:

    Task 1 Creating a Security Constraint

    Task 2 Deploying and Testing the Application

    In this exercise, you apply security constraints to the URL patterns that the web browser invokes. This has two effects. First, it restricts access to those URLs to certain users. Second, it forces the web server to prompt the user to authenticate.

    Preparation

    This exercise assumes that the application server and Java DB database are installed and running.

    Task 1 Creating a Security Constraint

    Complete the following steps to create a security constraint in the web module, so the /PortfolioController URL is accessible only to the customer and admin roles:

    Tool Reference: Java EE Development: Web Modules: Configuring Web Deployment Descriptors

    1. Edit the web.xml deployment descriptor in the BrokerTool-war project.

    2. Add a security constraint inside the web-app element:

        <security-constraint>
            <display-name>Portfolio Access</display-name>
            <web-resource-collection>
                <web-resource-name>portfolio access</web-resource-name>
                <url-pattern>/PortfolioController</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>admin</role-name>
                <role-name>customer</role-name>
            </auth-constraint>
        </security-constraint>


    This security constraint restricts access to the /PortfolioController URL to users in the admin or customer roles. Because it lists no http-method elements, it covers every HTTP method; listing only GET and POST would leave requests made with other methods unprotected.

    3. Add a login-config element inside the web-app element after the security-constraint element:

        <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>BrokerTool Realm</realm-name>
        </login-config>

    This login configuration instructs the server to use basic authentication to authenticate users. Basic authentication sends the user ID and password base64-encoded, not encrypted, with every request, so outside the lab the constraint should also carry a user-data-constraint with transport-guarantee CONFIDENTIAL to force HTTPS.

    Task 2 Deploying and Testing the Application

    To deploy and test the application, complete the following steps:

    1. Deploy the BrokerTool Java EE application. Resolve any errors before you continue.

    2. Point your web browser at:

    http://localhost:8080/BrokerTool-war/CustomerController

    Attempt to view a customer's portfolio. The /PortfolioController URL now has a security constraint, and if you have not yet logged in, you should be prompted to log in.

    3. Type the user ID and password for user 999-90-8765. You should see the customer portfolio. Because you are no longer calling BrokerModelImpl's getAllCustomerShares method as the guest or anonymous user, you can see the portfolio data. If this test succeeds, it shows that the web tier has authenticated the user and propagated the caller's identity to the EJB tier.

    4. View other customers' portfolios. This also succeeds, regardless of which user you logged in as. This is not what the application's security policy requires: only members of the admin role should be able to view other customers' portfolios. Members of the customer role, such as user 999-90-8765, should only be able to view their own accounts. You fix this in the next exercise.
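    The servlet side of the problem in step 4, as an added example rather than the lab's PortfolioController: the request parameter name, the way the BrokerDelegate is obtained, the JSP path and the package name are assumptions. It shows the web-tier security API that mirrors the EJB one (getUserPrincipal and isUserInRole on HttpServletRequest, against getCallerPrincipal and isCallerInRole on SessionContext) and enforces the ownership rule at the front controller. The lab deliberately fixes the rule in the EJB tier instead; a check here is only defence in depth, because the standalone clients and JSP components named in the introduction reach BrokerDelegate without passing through this servlet.

```java
package brokertool.web;                                   // assumed package name

import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not the lab's PortfolioController). BrokerDelegate,
// BrokerException and CustomerShare are the lab's types; how the delegate
// is constructed is not shown in the lab and is assumed here.
public class PortfolioController extends HttpServlet {

    private static final String PARAM_CUSTOMER = "customerId"; // assumed parameter name

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Null means the security-constraint did not cover this request
        // (wrong url-pattern, or the constraint was removed). Fail closed
        // instead of treating an unauthenticated request as a guest view.
        Principal user = req.getUserPrincipal();
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Web-tier role check. The names are the Java EE roles (admin,
        // customer) that sun-application.xml maps onto the server groups
        // level2 and level1; the group names themselves never appear in code.
        String requested = req.getParameter(PARAM_CUSTOMER);
        String customerId;
        if (req.isUserInRole("admin") && requested != null) {
            customerId = requested;              // admins may pick any customer
        } else {
            customerId = user.getName();         // everyone else gets their own
        }

        try {
            BrokerDelegate delegate = new BrokerDelegate();   // assumed construction
            CustomerShare[] shares = delegate.getAllCustomerShares(customerId);
            req.setAttribute("shares", shares);
            req.getRequestDispatcher("/portfolio.jsp").forward(req, resp); // assumed JSP
        } catch (BrokerException e) {
            // Surface the EJB tier's decision; never retry with a different ID.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, e.getMessage());
        }
    }
}
```

    The servlet silently substitutes the caller's own ID when a non-admin asks for someone else's; returning 403 instead is equally valid. Either way the authoritative decision stays in the bean, which is what Exercise 4 adds.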


    Exercise 4: Creating an EJB Tier Security Policy

    In Exercise 1, you restricted access to BrokerModelImpl's getAllCustomerShares method programmatically, allowing only logged-in users to execute the method. In Exercise 3, you protected the web page that shows the results of BrokerModelImpl's getAllCustomerShares method, thereby causing the calls to BrokerModelImpl's getAllCustomerShares to carry role and principal credentials.

    If other pages are restricted with different roles, then any of those pages could execute BrokerModelImpl's getAllCustomerShares method. In this exercise, you restrict all unauthorized access to BrokerModelImpl's getAllCustomerShares method both declaratively and programmatically.

    This exercise contains the following sections that describe the tasks to restrict the use of BrokerModelImpl's getAllCustomerShares method to members of the admin or customer role:

    Task 1 Restricting BrokerModelImpl Methods

    Task 2 Customizing BrokerModelImpl Methods by Role

    Task 3 Deploying and Testing the Application

    Preparation

    This exercise assumes that the application server and Java DB database are installed and running.

    Task 1 Restricting BrokerModelImpl Methods

    In this task, you declare which roles may call the method. In earlier EJB versions this was done with method-permission elements in the assembly-descriptor element of ejb-jar.xml; here you use the equivalent annotations.

    Complete the following steps:

    1. Verify the class-level annotation on BrokerModelImpl of:

        @DeclareRoles(value={"admin","customer"})

    This states that the admin and customer roles are used in this EJB. Every role name you later pass to isCallerInRole must be declared here.


    2. Add a method-level annotation to BrokerModelImpl's getAllCustomerShares method of:

        @RolesAllowed(value={"admin","customer"})

    This prohibits anyone not in the admin or customer role from calling the getAllCustomerShares method. The container enforces it before the method body runs; a rejected caller receives an EJBAccessException.

    Task 2 Customizing BrokerModelImpl Methods by Role

    In the previous task, you declared that only the admin and customer roles are allowed to call the getAllCustomerShares method. A customer should not be allowed to view other customers' shares. There is no way to define this restriction declaratively, because it depends on the method's argument; it must be done programmatically.

    Complete the following steps:

    1. Comment out the code at the beginning of the getAllCustomerShares method that deals with anonymous or guest users. It is redundant now: @RolesAllowed already stops unauthenticated callers.

    2. Modify the getAllCustomerShares method so that a BrokerException is thrown if both of the following are true:

    a. The caller is not in the admin role. Use the context.isCallerInRole method.

    Note: If you do not have a context reference you can obtain one by adding @Resource private SessionContext context; as a class-level variable.

    b. The principal's name does not match the ID passed as an argument to the getAllCustomerShares method.
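    Tasks 1 and 2 combined in one bean. This is an added example, not the code in solutions/Security: the package name, the BrokerModel interface name, the BrokerException(String) constructor and the JPA query are assumptions. The access decision is the lab's: callers outside admin and customer are stopped declaratively before the body runs, and a customer is then limited programmatically to the ID that matches their principal name.

```java
package brokertool.model;                      // assumed package name

import java.security.Principal;
import java.util.List;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;

// Added example for Exercise 4 (not the lab's solution code). Every role
// name used with isCallerInRole() must be listed in @DeclareRoles; the
// container resolves it through the role-to-group mapping in
// sun-application.xml, so level1/level2 never appear here.
@Stateless
@DeclareRoles({"admin", "customer"})
public class BrokerModelImpl implements BrokerModel {

    @Resource
    private SessionContext context;

    @PersistenceContext
    private EntityManager em;                  // JPA access is an assumption

    // Declarative layer (Task 1): the container checks the caller's roles
    // before invoking the method. Anyone else gets javax.ejb.EJBAccessException
    // and this body never runs, which is why the Exercise 1 guest/anonymous
    // test has been removed.
    @RolesAllowed({"admin", "customer"})
    public CustomerShare[] getAllCustomerShares(String customerId)
            throws BrokerException {
        // Programmatic layer (Task 2): "only your own portfolio" depends on
        // the argument, so @RolesAllowed cannot express it.
        Principal caller = context.getCallerPrincipal();
        boolean isAdmin = context.isCallerInRole("admin");
        // The lab's user IDs (111-11-1111, 999-90-8765) double as customer IDs,
        // which is what makes a straight name comparison the ownership test.
        boolean isOwner = caller.getName().equals(customerId);
        if (!isAdmin && !isOwner) {
            // Both Task 2 conditions hold: not admin, and asking for someone
            // else's data. Fail closed.
            throw new BrokerException("Not authorized to view portfolio " + customerId);
        }
        return loadShares(customerId);
    }

    // JPA 1.0 (Java EE 5) returns a raw List from getResultList().
    @SuppressWarnings("unchecked")
    private CustomerShare[] loadShares(String customerId) {
        List<CustomerShare> shares = em.createQuery(
                "SELECT s FROM CustomerShare s WHERE s.customerId = :id") // entity/field names assumed
                .setParameter("id", customerId)
                .getResultList();
        return shares.toArray(new CustomerShare[shares.size()]);
    }
}
```

    The condition needs both halves: dropping the isOwner test locks customers out of their own portfolio, dropping the isAdmin test locks admins out of everyone else's. If an admin-only operation is ever added, give it its own method annotated @RolesAllowed("admin") rather than re-checking the role inside a shared one.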


    Task 3 Deploying and Testing the Application

    Complete the following steps:

    1. Deploy the BrokerTool Java EE application. Resolve any errors before you continue.

    2. Point your browser at http://localhost:8080/BrokerTool-war/CustomerController

    3. Select a customer's portfolio to view; you should be prompted for a password. Enter the user name and password for an account in the admin role. You should be able to view all customer portfolios.

    4. Close all instances of your web browser to log out. Basic authentication has no server-side logout: the browser resends the cached credentials with every request until it is closed.

    5. Launch a new web browser and point it at http://localhost:8080/BrokerTool-war/CustomerController

    6. Select a customer's portfolio to view; you should be prompted for a password. Enter the user name and password for an account NOT in the admin role. You should only be able to view that customer's portfolio.


    Exercise 5: Describing Java EE Security

    In this exercise, you complete a fill-in-the-blank activity to check your understanding of Java EE security.

    Preparation

    No preparation is needed for this exercise.

    Task

    Fill in the blanks of the following sentences with the missing word or words:

    1. To check the calling user, an EJB would use its _______________.

    2. The EJB-tier equivalent of the web tier's isUserInRole(...) is ____________________.

    3. Two common security annotations used in an EJB are ______________ and ______________.

    4. Web-tier components configure their security settings in the _____________ file.


    Exercise Summary

    Discussion: Take a few minutes to identify what experiences, issues, or discoveries you had during the lab exercise.

    Experiences

    Interpretations

    Conclusions

    Applications


    Exercise Solutions

    Use the following solutions to check your answers to the exercises in this lab.

    Solutions for Exercises 1 Through 4

    You can find example solutions for the exercises in this lab in the following directory: solutions/Security.

    Solution for Exercise 5: Describing Java EE Security

    Compare your fill-in-the-blank responses to the following answers:

    1. To check the calling user, an EJB would use its EJBContext or SessionContext (getCallerPrincipal and isCallerInRole).

    2. The EJB-tier equivalent of the web tier's isUserInRole(...) is isCallerInRole(...).

    3. Two common security annotations used in an EJB are @DeclareRoles and @RolesAllowed.

    4. Web-tier components configure their security settings in the web.xml file.
