8/12/2019 WJ-3104-EE5-Lab3
1/16
Lab 3-1 Copyright 2007 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A
Lab 3
Implementing a Security Policy
Objectives
Upon completion of this lab, you should be able to:
Secure the PortfolioController servlet
Use the EJB security API to get the user's identity in an EJB component
Create roles and users
Create a web tier security policy
Create an EJB tier security policy
Describe Java EE security
Introduction
At present, your application has no access control, so it is completely open to all users. In this lab, you implement an end-to-end security policy. That is, you implement a policy that encompasses the business logic and all of its clients, including the PortfolioController servlet, any JSP components, and standalone clients. This policy is defined in terms of two Java EE roles, admin and customer:
Members of the admin role have complete access to all of the components of the application. They can, therefore, view the portfolio of any customer.
Members of the customer role can only view their own portfolio details.
Users in any other role, or in no role at all, cannot use any part of the application.
For ease of testing, you implement the security policy step-by-step, testing at each stage. The first step is to complete the PortfolioController servlet. At present, when the user clicks the Show Portfolio link, it results in a call to getAllCustomerShares on the BrokerDelegate object. The BrokerDelegate calls the getAllCustomerShares method on the BrokerModel EJB component. This method should use the EJB security API to determine the current user.
The next stage is to apply a security constraint to the web application, so that only authenticated users can invoke the application. Finally, you apply security constraints to the methods of the Broker EJB component, to give finer control over access than can be accomplished at the web tier.
Exercise 1: Using the EJB Security API to Get the User'sIdentity in an EJB Component
This exercise contains the following sections and is an example of programmatic access control:
Task 1 Securing the getAllCustomerShares Method
Task 2 Deploying and Testing the Session Bean
In this exercise, you add security to the BrokerModelImpl session bean. The getAllCustomerShares method returns an array of CustomerShares. The method is modified to use the EJB security API to determine who is logged in. If no user is logged in, it throws an exception.
Preparation
This exercise assumes that the application server and Derby database are installed and running.
Task 1 Securing the getAllCustomerShares Method
Implement the getAllCustomerShares method in the BrokerModelImpl class as follows:
1. Make sure the getAllCustomerShares method declares that it throws a BrokerException.
2. Use the getCallerPrincipal method to get a java.security.Principal object for the current logged-in user.
The getCallerPrincipal method is defined on the SessionContext object that is injected by the container when it initializes the EJB component. Declare a @Resource SessionContext ctx; field if you do not already have a SessionContext reference.
3. Call the getName method on the Principal object to get a String representation of the user ID of the logged-in user.
4. If the user ID is guest or anonymous (in any mixture of uppercase or lowercase) then no user is logged in. In this case, throw a BrokerException with the text Not logged in.
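The method as it stands after these four steps, as an added example rather than the lab's solutions/Security code: it assumes a BrokerModel business interface, a CustomerShare type, a BrokerException(String) constructor and a loadShares() data-access helper, none of which the lab text defines.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Added example, not the lab's solution. BrokerModel, CustomerShare,
// BrokerException(String) and loadShares() are assumed names.
@Stateless
public class BrokerModelImpl implements BrokerModel {

    // Step 2: container-injected context that exposes the caller's identity.
    @Resource
    private SessionContext ctx;

    // Step 1: the method declares BrokerException.
    public CustomerShare[] getAllCustomerShares(String customerId)
            throws BrokerException {
        // Step 2: the Principal the container attached to this call. With no
        // web-tier authentication it carries a guest/anonymous name, not null.
        Principal caller = ctx.getCallerPrincipal();

        // Step 3: the String form of the user ID.
        String userId = caller.getName();

        // Step 4: guest/anonymous in any case means nobody is logged in.
        // This is an authentication check only: every authenticated user still
        // passes, which Exercise 4 tightens with role and ownership checks.
        if (userId == null
                || userId.equalsIgnoreCase("guest")
                || userId.equalsIgnoreCase("anonymous")) {
            throw new BrokerException("Not logged in");
        }
        return loadShares(customerId);
    }

    // Assumed helper standing in for the lab's data-access code.
    private CustomerShare[] loadShares(String customerId) throws BrokerException {
        throw new UnsupportedOperationException("data access not shown");
    }
}
```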
Task 2 Deploying and Testing the Session Bean
Complete the following steps:
1. Deploy the BrokerTool Java EE application.
2. Test the session bean by pointing your web browser at:
http://localhost:8080/BrokerTool-war/CustomerController
3. Follow the link called View in the Portfolio column.
You should see the error message indicating that you are not logged in.
Exercise 2: Creating Roles, Users, and Groups
This exercise contains the following sections:
Task 1 Creating Roles in the Application
Task 2 Creating Users and Groups in the Application Server
Task 3 Mapping Roles to Groups
So far, you have coded the application to the extent that it is able to determine the details of the current user. However, you do not yet have a method to log in, or any user credentials against which to verify a login attempt.
In this exercise, you define the customer and admin security roles at the application level and create two user groups in the application server. You then map the roles onto the user groups.
Preparation
This exercise assumes that the application server and the Java DB database are installed and running.
Task 1 Creating Roles in the Application
Complete the following step:
Tool Reference: Java EE Development: Editing Deployment Descriptors: Enterprise Application Deployment Descriptor
1. Add a class-level annotation in BrokerModelImpl. The annotation defines the two available user roles for this class:
@javax.annotation.security.DeclareRoles(value={"admin", "customer"})
Previous versions of the EJB specification would have required you to modify the application.xml deployment descriptor in the BrokerTool project instead, adding security-role elements within the application element such as:
<security-role>
  <role-name>admin</role-name>
</security-role>
<security-role>
  <role-name>customer</role-name>
</security-role>
Task 2 Creating Users and Groups in the Application Server
Tool Reference: Server Resources: Java EE Application Servers: Administering Security
Use the administration console to create two users, 111-11-1111 and 999-90-8765. If these users no longer exist in your application, you can use alternative users. Put user 111-11-1111 in the level1 and level2 groups, and put user 999-90-8765 in the level1 group. Use the information in Table 3-1 to configure these users.
Table 3-1 Users in the Security Realm
User ID Password Group List
111-11-1111 password level1, level2
999-90-8765 password level1
Task 3 Mapping Roles to Groups
Complete the following steps to map roles to groups:
1. Edit the sun-application.xml deployment descriptor in the BrokerTool project.
2. Add the mapping inside the sun-application element:
<security-role-mapping>
  <role-name>admin</role-name>
  <group-name>level2</group-name>
</security-role-mapping>
<security-role-mapping>
  <role-name>customer</role-name>
  <group-name>level1</group-name>
</security-role-mapping>
At the end of this task, the Java EE security role, customer, is mapped onto the level1 server group, and the admin role is mapped onto the level2 group.
Exercise 3: Creating a Web Tier Security Policy
This exercise contains the following sections:
Task 1 Creating a Security Constraint
Task 2 Deploying and Testing the Application
In this exercise, you apply security constraints to the URL patterns that the web browser invokes. This has two effects. First, it restricts access to those URLs to certain users. Second, it forces the web server to prompt the user to authenticate.
Preparation
This exercise assumes that the application server and Java DB database are installed and running.
Task 1 Creating a Security Constraint
Complete the following steps to create a security constraint in the web module, so the /PortfolioController URL is accessible only to the customer and admin roles:
Tool Reference: Java EE Development: Web Modules: Configuring Web Deployment Descriptors
1. Edit the web.xml deployment descriptor in the BrokerTool-war project.
2. Add a security constraint inside the web-app element:
<security-constraint>
  <display-name>Portfolio Access</display-name>
  <web-resource-collection>
    <web-resource-name>portfolio access</web-resource-name>
    <url-pattern>/PortfolioController</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
    <role-name>customer</role-name>
  </auth-constraint>
</security-constraint>
This security constraint restricts access to the /PortfolioController URL to users in the admin or customer roles.
3. Add a login-config element inside the web-app element after the security-constraint element:
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>BrokerTool Realm</realm-name>
</login-config>
This login configuration instructs the server to use basic authentication to authenticate users.
Task 2 Deploying and Testing the Application
To deploy and test the application, complete the following steps:
1. Deploy the BrokerTool Java EE application. Resolve any errors before you continue.
2. Point your web browser at:
http://localhost:8080/BrokerTool-war/CustomerController
Attempt to view a customer's portfolio. The CustomerController URL now has a security constraint, and if you have not yet logged in, you should be prompted to log in.
3. Type the user ID and password for user 999-90-8765. You should see the customer portfolio. Because you are no longer calling the BrokerModelImpl's getAllCustomerShares method as the guest or anonymous user, you can see the portfolio data. If this test is successful, it shows that the web tier has authenticated the user and propagated the user credentials to the EJB tier.
4. View other customer portfolios. This should also succeed regardless of what user you logged in as. This is not what is required by the application's security, because only members of the admin role should be able to view other customers' portfolios. Members of the customer role, such as user 999-90-8765, should only be able to view their own accounts. You fix this in the next exercise.
Exercise 4: Creating an EJB Tier Security Policy
In Exercise 1, you restricted access to the BrokerModelImpl's getAllCustomerShares method programmatically, allowing only logged-in users to execute the method. In Exercise 3, you protected the web page that shows the results of the BrokerModelImpl's getAllCustomerShares method, thereby causing the calls to the BrokerModelImpl's getAllCustomerShares to carry role and principal credentials.
If other pages are restricted with different roles, then any of those pages could execute the BrokerModelImpl's getAllCustomerShares method. In this exercise, you restrict all disallowed access to the BrokerModelImpl's getAllCustomerShares method both declaratively and programmatically.
This exercise contains the following sections that describe the tasks to restrict the use of the BrokerModelImpl's getAllCustomerShares method to members of the admin or customer role:
Task 1 Restricting BrokerModelImpl Methods
Task 2 Customizing BrokerModelImpl Methods by Role
Task 3 Deploying and Testing the Application
Preparation
This exercise assumes that the application server and Java DB database are installed and running.
Task 1 Restricting BrokerModelImpl Methods
In this task, you add the method-permission elements in the assembly-descriptor element, using their annotation equivalents.
Complete the following steps:
1. Verify that BrokerModelImpl carries the class-level annotation:
@DeclareRoles(value={"admin","customer"})
This states that the admin and customer roles are used in this EJB.
2. Add a method-level annotation to the BrokerModelImpl's getAllCustomerShares method of:
@RolesAllowed(value={"admin","customer"})
This prohibits anyone not in the admin or customer role from calling the getAllCustomerShares method.
Task 2 Customizing BrokerModelImpl Methods by Role
In the previous task, you declared that only the admin and customer roles are allowed to call the getAllCustomerShares method. A customer should not be allowed to view other customers' shares. There is no way to define this restriction declaratively; it must be done programmatically.
Complete the following steps:
1. Comment out the code at the beginning of the getAllCustomerShares method that deals with anonymous or guest users.
2. Modify the getAllCustomerShares method so that a BrokerException is thrown when both of the following are true:
a. The caller is not in the admin role. Use the context.isCallerInRole method.
Note: If you do not have a context reference, you can obtain one by adding @Resource private SessionContext context; as a class-level variable.
b. The principal's name does not match the ID passed as an argument to the getAllCustomerShares method.
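The method after Tasks 1 and 2 of this exercise, as an added example rather than the lab's solutions/Security code, showing how the declarative @RolesAllowed gate and the programmatic ownership check divide the work. It assumes a BrokerModel interface, a CustomerShare type, a BrokerException(String) constructor and a loadShares() data-access helper, and it assumes the login user ID (for example 999-90-8765) is also the customer ID whose portfolio that user owns, which is how Task 3 step 6 reads.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Added example, not the lab's solution. BrokerModel, CustomerShare,
// BrokerException(String) and loadShares() are assumed names, and the
// login user ID is assumed to equal the customer ID it owns.
@DeclareRoles(value={"admin", "customer"})   // Task 1, step 1
@Stateless
public class BrokerModelImpl implements BrokerModel {

    @Resource
    private SessionContext context;

    // Task 1, step 2: the container rejects any caller outside these roles
    // (with javax.ejb.EJBAccessException) before the body runs. That is a
    // per-role gate; it cannot tell one customer from another.
    @RolesAllowed(value={"admin", "customer"})
    public CustomerShare[] getAllCustomerShares(String customerId)
            throws BrokerException {
        // Task 2, step 1: the guest/anonymous check from Exercise 1 is gone;
        // @RolesAllowed already guarantees an authenticated caller in a role.

        // Task 2, step 2: admins may read any portfolio; a customer only
        // the one whose ID matches the caller's principal name.
        boolean isAdmin = context.isCallerInRole("admin");
        String callerId = context.getCallerPrincipal().getName();
        if (!isAdmin && !callerId.equals(customerId)) {
            throw new BrokerException("Not authorized to view portfolio "
                    + customerId);
        }
        return loadShares(customerId);
    }

    // Assumed helper standing in for the lab's data-access code.
    private CustomerShare[] loadShares(String customerId) throws BrokerException {
        throw new UnsupportedOperationException("data access not shown");
    }
}
```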
Task 3 Deploying and Testing the Application
Complete the following steps:
1. Deploy the BrokerTool Java EE application. Resolve any errors before you continue.
2. Point your browser at http://localhost:8080/BrokerTool-war/CustomerController
3. Select a customer's portfolio to view; you should be prompted for a password. Enter the user name and password for an account in the admin role. You should be able to view all customer portfolios.
4. Close all instances of your web browser to log out.
5. Launch a new web browser and point it at http://localhost:8080/BrokerTool-war/CustomerController
6. Select a customer's portfolio to view; you should be prompted for a password. Enter the user name and password for an account NOT in the admin role. You should only be able to view that customer's portfolio.
Exercise 5: Describing Java EE Security
In this exercise, you complete a fill-in-the-blank activity to check your understanding of Java EE Security.
Preparation
No preparation is needed for this exercise.
Task
Fill in the blanks of the following sentences with the missing word or words:
1. To check the calling user, an EJB would use its _______________.
2. The web tier equivalent of isUserInRole(...) is ____________________.
3. Two common security annotations used in an EJB are ______________ and ______________.
4. Web-tier components configure their security settings in the _____________ file.
Exercise Summary
Discussion: Take a few minutes to identify what experiences, issues, or discoveries you had during the lab exercise.
Experiences
Interpretations
Conclusions
Applications
Exercise Solutions
Use the following solutions to check your answers to the exercises in this lab.
Solutions for Exercises 1 Through 4
You can find example solutions for the exercises in this lab in the following directory: solutions/Security.
Solution for Exercise 5: Describing Java EE Security
Compare your fill-in-the-blank responses to the following answers:
1. To check the calling user, an EJB would use its EJBContext or SessionContext.
2. The web-tier equivalent of isUserInRole(...) is isCallerInRole(...).
3. Two common security annotations used in an EJB are @DeclareRoles and @RolesAllowed.
4. Web-tier components configure their security settings in the web.xml file.