Chapter 19. Java EE Security: Advanced Topics
This chapter provides advanced information on securing Java EE applications.
The following topics are addressed here:
• "Working with Digital Certificates" on page 311
• "Authentication Mechanisms" on page 316
• "Using Form-Based Login in JavaServer Faces Web Applications" on page 321
• "Using the JDBC Realm for User Authentication" on page 324
• "Securing HTTP Resources" on page 328
• "Securing Application Clients" on page 331
• "Securing Enterprise Information Systems Applications" on page 332
• "Configuring Security Using Deployment Descriptors" on page 336
• "Further Information about Security" on page 337
Working with Digital Certificates
Digital certificates for the GlassFish Server have already been generated and can be found in the directory domain-dir/config/. These digital certificates are self-signed and are intended for use in a development environment; they are not intended for production purposes. For production purposes, generate your own certificates and have them signed by a certificate authority (CA).

To use the Secure Sockets Layer (SSL), an application or web server must have an associated certificate for each external interface, or IP address, that accepts secure connections. The theory behind this design is that a server should provide some kind of reasonable assurance that its owner is who you think it is, particularly before receiving any sensitive information. It may be useful to think of a certificate as a "digital driver's license" for an Internet address. The certificate states with which company the site is associated, along with some basic contact information about the site owner or administrator.

The digital certificate is cryptographically signed by its owner and is difficult for anyone else to forge. For sites involved in e-commerce or in any other business transaction in which authentication of identity is important, a certificate can be purchased from a well-known CA such as VeriSign or Thawte. If your server certificate is self-signed, you must install it in the GlassFish Server keystore file (keystore.jks). If your client certificate is self-signed, you should install it in the GlassFish Server truststore file (cacerts.jks).
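Whether a certificate is actually self-signed, still valid, and present in the truststore is something you can check before relying on it. The following is an added example, not code from the tutorial or from GlassFish: it opens keystore.jks and cacerts.jks under domain-dir/config/ with the JDK KeyStore API and reports those three facts for one server certificate. The alias s1as and the password changeit are assumed GlassFish defaults; pass your own values as arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

/** Reports whether a server certificate is self-signed, valid today, and trusted by cacerts.jks. */
public class CertTrustCheck {

    /** Loads a JKS keystore from disk; the same password opens keystore.jks and cacerts.jks. */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Self-signed means issuer equals subject AND the signature verifies with the cert's own key. */
    static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) return false;
        try { cert.verify(cert.getPublicKey()); return true; }
        catch (Exception e) { return false; }
    }

    /** True when some trusted-certificate entry in the truststore is byte-for-byte this cert. */
    static boolean isTrusted(KeyStore trust, Certificate cert) throws Exception {
        for (String alias : Collections.list(trust.aliases())) {
            if (trust.isCertificateEntry(alias) && cert.equals(trust.getCertificate(alias))) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Assumptions: args[0] is domain-dir; "changeit" and "s1as" are the GlassFish defaults.
        String domainDir = args[0];
        char[] pw = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String alias = args.length > 2 ? args[2] : "s1as";
        KeyStore keystore = load(domainDir + "/config/keystore.jks", pw);
        KeyStore truststore = load(domainDir + "/config/cacerts.jks", pw);
        X509Certificate cert = (X509Certificate) keystore.getCertificate(alias);
        if (cert == null) { System.out.println("no certificate under alias " + alias); return; }
        boolean valid = true;
        try { cert.checkValidity(new Date()); } catch (Exception e) { valid = false; }
        System.out.println("subject:       " + cert.getSubjectX500Principal());
        System.out.println("self-signed:   " + isSelfSigned(cert));
        System.out.println("valid today:   " + valid);
        System.out.println("in truststore: " + isTrusted(truststore, cert));
    }
}
```

A development certificate that prints self-signed: true is the case the text describes; in production that line should read false and the issuer should be your CA.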