Setting Security Parameters using Studio
Overview
A security role is a semantic grouping of permissions that a user must have in order to use an application, or part of it, successfully. Use the User Manager tool, with its integrated JAAS API, to develop and test applications under real-world security deployment requirements. The tool is used for testing, for example with the XML security realm; the roles and groups created with it can then be deployed on a production server with any realm, such as LDAP, a database (DB), or flat files.
The application assembler defines a set of security roles for an application:
- Security role name, such as `administrator', and a description, such as `full access'. Multiple roles can be defined
- Method permissions for each security role in the deployment descriptor
- Deployer assigns groups to the security roles stored in the deployment descriptor. The groups are defined in the target operational environment
Securing application access
To secure the application access in Studio, the steps are:
- Define security role and security role references for JSPs in the web.xml or at packaging time
- Define security role and security role references for EJBs in the ejb-jar.xml or at packaging time
- Use the User Manager to create groups before deployment
- Map security references in the application to groups at deploy time.
Securing EJB components
Java modules, EJB modules, and EJB archives make references to security roles to create a secure environment. To add security roles, use ejb-jar.xml or add them to the specific JAR at packaging time. Then specify the home and remote interface methods that each security role is allowed to invoke; this is a method permission. To define method permissions, use the Method Permission node in ejb-jar.xml or in the specific JAR at packaging time.
The method permission for each bean consists of a list of security roles and a list of methods. Every listed security role can invoke every listed method.
Note: If no security roles are defined in the Java module, EJB module, or JAR, then everyone has free access to all the bean methods inside them. Assigning a role to a method restricts access to that method.
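The following ejb-jar.xml fragment is an added example of the assembly described above; it is not taken from the page or from Studio. The bean name AccountManager, its interfaces, the method name getBalance, and the role names Administrator and User are assumptions. It defines two roles, gives Administrator every home and remote method of the bean, and gives User only the read-only method, so that once the first role is assigned the remaining methods are no longer open to everyone.

```xml
<!-- Added example ejb-jar.xml fragment (EJB 2.0 deployment descriptor).
     Bean, interface, method and role names are assumptions, not from the page. -->
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>AccountManager</ejb-name>
      <home>example.AccountManagerHome</home>
      <remote>example.AccountManager</remote>
      <ejb-class>example.AccountManagerBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <!-- Security role reference: the bean code tests ctx.isCallerInRole("mgr");
           role-link ties that coded name to the assembled role "Administrator" -->
      <security-role-ref>
        <role-name>mgr</role-name>
        <role-link>Administrator</role-link>
      </security-role-ref>
    </session>
  </enterprise-beans>

  <assembly-descriptor>
    <!-- Security roles defined by the application assembler -->
    <security-role>
      <description>full access</description>
      <role-name>Administrator</role-name>
    </security-role>
    <security-role>
      <description>read-only access</description>
      <role-name>User</role-name>
    </security-role>

    <!-- Method permission: Administrator may invoke every home and remote
         method of AccountManager (method-name * is the wildcard) -->
    <method-permission>
      <role-name>Administrator</role-name>
      <method>
        <ejb-name>AccountManager</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>

    <!-- Method permission: User may invoke only getBalance on the remote interface -->
    <method-permission>
      <role-name>User</role-name>
      <method>
        <ejb-name>AccountManager</ejb-name>
        <method-intf>Remote</method-intf>
        <method-name>getBalance</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

Because the Administrator permission uses the `*` wildcard, every method of the bean is covered by at least one method permission. If a bean has some method permissions but leaves a method out of all of them, give that method an explicit permission (or, in EJB 2.0, mark it `<unchecked/>`) rather than leaving the deployer to guess whether the omission was intended.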
Securing web components
Define security parameters for web components in the same way as for EJB components. Right-click on the web module and select web.xml, or open the WAR in the Package Tool.
Enter the following data:
- Define roles: Identify the different logical roles that can be assumed for the module concerned. To add roles, click on the Security Roles node. Click Add to add roles and Delete to delete roles.
Note: Adding a role to the module through the Security Role function involves giving the role a name, such as Guest, User, or Administrator.
- Define resource references: Identify the resources whose access should be restricted. Use the Security Role-Refs tab for the JSP or servlet concerned, in web.xml or in the WAR file at packaging time
- Security Constraints: Right-click on Security Constraints and select Add. Click New and define the name of the resource collection. Define the resources by HTTP method and URL pattern. Specify which roles may access each collection
- Define login configuration: Studio supports `Basic' and `Form' authentication for the login of a role allowed into the module. This authentication mode uses a built-in browser dialog to accept the login and password. Use the Login Configuration node in web.xml or in the WAR file at packaging time
Setting security constraints
To set security constraints:
- Right-click on the WAR file and select Open to open the Package Tool.
- Right-click on the Security Constraint node in the Package Tool and select Add Security Constraints.
- To add a security constraint to a WAR, define the login configuration first.
Note: A WAR can contain multiple security-constraints.
Adding resource collection
Click New in the Security Constraint panel to create a new resource collection. Identify the resources to be secured and the access to be restricted. Group resources that are related with respect to security into a resource collection.
Note: The resources can be servlets, JSPs, HTML files, or GIFs. Specify each resource as a URL pattern, for example /admin/*
Removing security constraints
In the Security Constraints panel, right-click on a security constraint node and select Remove. This deletes all the resource collections for that constraint.
Setting login configuration
To set the login configuration, click on the Login Configuration node in the web.xml file or in the WAR file at packaging time. Use it to configure the authentication method and realm name for this application, and the attributes required by the form login mechanism. Choose from the following options:
- Basic
- Form
  - Login Page: Defines the location in the web application of the login page
  - Error Page: Defines the location in the web application of the error page displayed when login fails
- None: Select this option if the application does not require a login
- Session Timeout Details: Defines the default session timeout interval for all sessions created in the web application. The timeout must be a whole number of minutes. The default value is `-1'
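The following web.xml fragment is an added example that brings together the web-component settings described in the sections on securing web components, setting security constraints, adding resource collections, and setting the login configuration; it is not taken from the page or from Studio. The servlet name AdminServlet, its class, the URL patterns /admin/* and /reports/*, the page paths, the realm name AppRealm, and the role names Administrator and User are assumptions.

```xml
<!-- Added example web.xml fragment (Servlet 2.3 deployment descriptor).
     Servlet, class, path, realm and role names are assumptions, not from the page. -->
<web-app>
  <servlet>
    <servlet-name>AdminServlet</servlet-name>
    <servlet-class>example.web.AdminServlet</servlet-class>
    <!-- Security role reference: the servlet calls request.isUserInRole("mgr");
         role-link ties that coded name to the application role "Administrator" -->
    <security-role-ref>
      <role-name>mgr</role-name>
      <role-link>Administrator</role-link>
    </security-role-ref>
  </servlet>
  <servlet-mapping>
    <servlet-name>AdminServlet</servlet-name>
    <url-pattern>/admin/console</url-pattern>
  </servlet-mapping>

  <!-- Session timeout in minutes for all sessions of this web application -->
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>

  <!-- Resource collection: everything under /admin/. No http-method is listed,
       so the constraint applies to every HTTP method. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administration pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Administrator</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Second resource collection: /reports/ for User and Administrator.
       Listing http-method elements constrains only the listed methods;
       any method not listed here is left unconstrained for this pattern. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>User</role-name>
      <role-name>Administrator</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Form-based login with its login page and error page -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>AppRealm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Roles referenced by the constraints and role references above -->
  <security-role>
    <description>full access</description>
    <role-name>Administrator</role-name>
  </security-role>
  <security-role>
    <description>read-only access</description>
    <role-name>User</role-name>
  </security-role>
</web-app>
```

The two constraints show the difference that listing HTTP methods makes: the /admin/* collection omits http-method and so covers every method, whereas the /reports/* collection protects only GET and POST. Unless a collection genuinely needs method-specific rules, omit http-method so that no method is left uncovered. For Basic authentication, replace FORM with BASIC and drop the form-login-config element; the realm name is then what the browser shows in its login dialog.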
Creating groups and users
Groups and users are created using the User Manager. Groups are defined in the target server environment. Defining users and assigning them to groups ensures that the security context established when a user accesses the servlet through the web page remains valid throughout the application. All EJB methods can recognize the user who logged in through the web page and apply the appropriate method permissions to grant or deny access throughout the application session.
To define users and roles, select Tools > User Manager from the main menu. The User Manager tool consists of:
- Users pane:
The user name root and password pramati are the default values in the User Manager, for which administrative privileges are already created. To add a user, enter the user name and a password and click Add. You can view the groups that the user belongs to. To modify a user in the list, click Modify: for example, click on the group to which you want to add the user and click Modify, or change the password and click Modify.
- Groups pane:
The default group in the User Manager is `administrator'. The User Manager lets you add and remove groups and create sub-groups. To modify these groups and sub-groups, click Modify.
Mapping security references to groups
The application deployer maps the security references defined in JARs and WARs onto groups at deploy time. The available groups are defined using the User Manager and obtained from the security service started by the server. To map security references to groups, use the Map Security Roles node in the Deploy Tool. If there is a problem obtaining the security service from the server, check the server log in the logs directory and the server output window in Studio.