sábado, 21 de fevereiro de 2009

EJB 3 Developer Guide: Errata on Web Security Sample


Today I was just working on the lab 4 / chapter 12 of this book [1] and then I got stuck into an issue...

The environment used on the tests was GlassFish Application Server v2 and the sample code concerns Web Container Security. It just didn't work as expected...

"lab4:

to run program enter http://localhost:8080/BankService/index.html in browser. http://localhost:8080 is url for web applications as shown by Glassfish on startup. If Glassfish provides port other than 8080 then modify url accordingly.

then enter scott/xyz username/password in login form. servlet menu for adding customer to database is then displayed.

enter ramon/abc username/password in login form. error page is then displayed."

The problem is that the page was never displayed despite using the proper user (i.e. "scott") because security always failed.

After googling for a while, I could realize some missing points in the book packaged sample [2].

Yet I made some small modifications in order to test the application with both users: "scott" (belonging to "bankemployee" group) and "ramon" (belonging to "bankcustomer" group).

So, the idea behind it was to forbid access to a specific servlet ("/addCustomer" address) whenever the user did not belong to "bankemployee" role. Also, to restrict access to "/findCustomer" servlet to both roles.

First of all, I modified the WEB descriptor file, "WEB-INF/web.xml", by adding "/findCustomer" servlet mapping, specifying "/addCustomer" URL pattern in the security constraint and an optional welcome file. Here's the entire code:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<servlet>
<servlet-name>AddCustomerServlet</servlet-name>
<servlet-class>ch12lab4.AddCustomerServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>FindCustomerServlet</servlet-name>
<servlet-class>ch12lab4.FindCustomerServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>AddCustomerServlet</servlet-name>
<url-pattern>/addCustomer</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>FindCustomerServlet</servlet-name>
<url-pattern>/findCustomer</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>bank service most restricted</web-resource-name>
<url-pattern>/addCustomer</url-pattern>
<url-pattern>/addCustomer.html</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>bankemployee</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>bank service restricted</web-resource-name>
<url-pattern>/findCustomer</url-pattern>
<url-pattern>/findCustomer.html</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>bankcustomer</role-name>
<role-name>bankemployee</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>bankemployee</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>file</realm-name>
</login-config>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
</web-app>
The second detail was the creation of a Sun's specific descriptor, "WEB-INF/sun-web.xml", which did not exist in the sample code. The key point here was to map existing groups already specified in the application server's realm file into roles used inside the WEB application. In the current case they share the same names, "bankcustomer" and "bankemployee", on both environments. Here's the new file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Application Server 8.1 Servlet 2.4//EN"
"http://www.sun.com/software/appserver/dtds/sun-web-app_2_4-1.dtd">
<sun-web-app>
<context-root>/BankService</context-root>
<security-role-mapping>
<role-name>bankcustomer</role-name>
<group-name>bankcustomer</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>bankemployee</role-name>
<group-name>bankemployee</group-name>
</security-role-mapping>
</sun-web-app>
That's it, it worked at last and I ran the whole book sample codes!

Now I'm gonna take a rest watching "The Hunt for the Red October", which had just finished on the eMule's queue...! :D

References:

[1] Michael Sikora, "EJB 3 Developer Guide", http://www.packtpub.com/developer-guide-for-ejb3/book