Chapter 11. Securing JBoss AS 7 Applications
In the previous chapter we described how to deploy your application in a robust and reliable environment using clustering. The last stop in our journey is security, which is a key element of any Enterprise application: you must be able to control and restrict who is permitted to access your applications and what operations users may perform.
The Java Enterprise Edition (Java EE) specification defines a simple role-based security model for Enterprise JavaBeans (EJBs) and web components. The implementation of JBoss security is delivered by the PicketBox framework (formerly known as JBoss Security), which is part of the application server and provides authentication, authorization, auditing, and mapping capabilities to Java applications.
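To make the role-based model concrete, here is an added example (not code from the book) of the same roles enforced on an EJB and on a web component. The class names, the "admin" and "user" roles, and the existence of a login method in web.xml plus a security domain that supplies these roles are assumptions for illustration.

```java
// File: AccountService.java (assumed name, added example)
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

// EJB side: the container compares the caller's roles against @RolesAllowed
// before the method body runs; a caller lacking the role gets an EJBAccessException.
@Stateless
@DeclareRoles({"admin", "user"})
public class AccountService {
    @RolesAllowed({"admin", "user"})
    public String balance() { return "42.00"; }   // constructed value

    @RolesAllowed("admin")
    public void closeAccount(String id) { /* privileged operation */ }
}

// File: AccountServlet.java (assumed name, added example)
import javax.ejb.EJB;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

// Web side: the container authenticates the caller (login method from web.xml)
// before doGet runs, and only callers holding "admin" or "user" reach it.
@WebServlet("/account")
@ServletSecurity(@HttpConstraint(rolesAllowed = {"admin", "user"}))
public class AccountServlet extends HttpServlet {
    @EJB private AccountService service;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Authentication result: who is calling (never null once the constraint applies).
        String who = req.getUserPrincipal().getName();
        // Authorization check: what this particular caller may do.
        if (req.isUserInRole("admin")) {
            resp.getWriter().println(who + " may close accounts");
        } else {
            resp.getWriter().println(who + " balance: " + service.balance());
        }
    }
}
```

The EJB annotations are enforced regardless of which client calls the bean, so a caller that bypasses the servlet still cannot reach closeAccount without the "admin" role.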
Here is the specific list of topics we will cover:
• A short introduction to the Java security API
• The foundation of the JBoss AS 7 security subsystem
• Defining and applying login modules for securing Java EE applications
• Using the Secure Sockets Layer (SSL) to encrypt the transport layer
Approaching the Java security API
Java EE security services provide a robust and easily configurable security mechanism for authenticating users and authorizing access to application functions and associated data. To better understand the topics related to security, we should first give some basic definitions:
Authentication: the process by which you verify who is currently executing an application, regardless of whether it is an EJB, a servlet, and so on. Authentication is usually performed by means of a login module contained in a web/standalone application.
Authorization: the process by which you verify whether a user has the right (permission) to access system resources. Authorization therefore presupposes that authentication has occurred; it would be impossible to