GlassFish - World's first Java EE 7 Application Server


<h1>Security Documentation Plan</h1>

            • DRAFT ***** WORK IN PROGRESS ********

People and Roles

Name Role Location Time Zone Email
  Debbie Carson Santa Clara, CA PST carson{{@dev.java.net}}
  Dixie Pine, June Parks     java.netID@dev.java.net
  Editor     java.netID@dev.java.net
  Kumar Jayanti     java.netID@dev.java.net
  QA Engineer     java.netID@dev.java.net

Audience

The security features described herein may be used by Java EE developers, GlassFish developers, or by GlassFish administrators.

Summary of the Feature From a User's Perspective

The features described herein are proposed enhancements to security service in GlassFish v3.

Availability

The enhanced security features will be available in GlassFish v3.

Statement of Work

Most of the enhanced security features will need to be documented in the GlassFish v3 Administration Guide. Some of the features will need to be documented in the GlassFish v3 Developer's Guide, and a few of the features will need to be documented in the Java EE tutorial. Some of the features will need to be documented in the Metro/WSIT User's Guide, which is out of the scope of this document, but which will be listed here for completeness.

Documentation Impact:

  • None
  • Minor
  • Moderate
  • Major
  • New

Note - If a document is task based (as opposed to reference), the changes should be determined from the user task analysis for the feature.

Changes to Books

GlassFish v3 Administration Guide Changes

Section Documentation Impact Writer Reviewers Description of Change
About Enterprise Server Security: Java Authorization Contract for Containers   Dixie Pine   JSR 196 allows you to develop pluggins at different layers. You can dfine plugins that change the way new authentication mechanims are configured, (i.e., AuthConfigProvider and AuthConfigFactory), and you can define new authentication mechanisms (ServerAuthModule, and ClientAuthModule). Suggest creating another section below JACC describing this type of plugin. See blog at http://blogs.oracle.com/enterprisetechtips/entry/adding_authentication_mechanisms_to_the for more info
Administering System Security New section on configuring a server authentication module Dixie Pine   Steps for configuring a server authentication module in the Admin Console can be found here: http://blogs.oracle.com/enterprisetechtips/entry/adding_authentication_mechanisms_to_the
Authentication New type of authentication needs to be mentioned: Digest Dixie Pine   Add Digest Authentication to list of types of authentication and add a brief description.
Java Authorization Contract for Containers   Dixie Pine   There will now be an alternate JACC Provider which can be selected from the Admin Console. This should be documented. Here is info from the Security One-Pager: Glassfish V3 would support an alternative InMemory implementation of the JSR 115 Provider. This would be available to glassfish users as an alternate provider that can be easily configured as the default via the Admin GUI. When configured this provider would be used for all deployed applications. The advantage of this provider is that it would not generate static policy files like the current (default) provider in GlassFish V2. Instead it would process the security constraint information of an application at load time and create in memory policy. This would provide simplifications in a clustered scenario where synchronization of static policy files is used currently in GlassFish V2. The downside ofcourse is the need to digest the web.xml security constraints everytime the application is loaded. This JACC Provider would also provide a way to plugin an application sepcific RoleMapper which has been a requirement from some of the users. V3-Prelude already includes this provider as a configurable provider in domain.xml. However the Admin GUI support is incomplete, this provider has also not been used to test CTS and TCK compliance of GlassFish V3, these are planned for the V3 Final Release.
Authentication Realms Minor Dixie Pine   Security One-Pager indicates that custom realms can be loaded without requiring a restart of the App Server.
Administering Authentication Realms Minor Dixie Pine   According to security one-pager, Admin Console is being enhanced to allow user management of any realm, not just file realm. Need to add info on adding users to various realms.
         
         
         

GlassFish v3 Developer's Guide Changes

Section Documentation Impact Writer Reviewers Description of Change
Securing Application Add section showing how to write, configure, and bind a server authentication module to your application. June Parks   JSR 196: Ron Monzillo is requesting that we describe how to use JSR-196 in the web tier to facilitate the injection of pluggable authentication modules within the servlet constraint processing engine. He gives code, etc., at his blog: http://blogs.oracle.com/enterprisetechtips/entry/adding_authentication_mechanisms_to_the
Supported Realms Include info on Digest Authentication with enhanced JDBC realm June Parks   Already contained in doc.
Creating a Custom Realms Minor June Parks   Security One-Pager indicates that custom realms can be loaded without requiring a restart of the App Server.
         
         

Java EE Tutorial Changes

Section Documentation Impact Writer Reviewers Description of Change
    Debbie Carson   Support for Annotations @RolesAllowed, @PermitAll and @DenyAll on Servlet WebServices: This feature would allow the use of annotations to define fine-grained access control ( authorization rules) for a web service. These annotations have been accepted as additional annotations to the Servlet 3.0 Specification. A blog by Shing Wai Chan ( http://blogs.oracle.com/swchan/entry/servlet_3_0_security_annotations

) that describes these annotations and shows how to use them has been published. Debbie Carson will describe these annotations and show how to use them with Servlets in the appropriate security chapter in the tutorial. There is no other GF doc impact.

Securing Web Applications Add Digest Authentication to types of authentication supported Debbie Carson   Wherever the types of authentication are mentioned, add Digest authentication. Create an example that uses Digest authentication.
         

Metro User's Guide Changes

Eric Jendrock is writing the Metro Doc Plan, this is excerpted from his analysis of Metro:

Section Documentation Impact Writer Reviewers Description of Change
  Issued Token Caching and Sharing, SSO among services: This is the one of most asked for features by the STS and WS-Trust implementation Metro user base. It extends the current use cases and is valuable for building large scale secured and trusted Web services solutions with Metro. Jiandong Guo specified that the Metro user guide should be updated for this feature and samples should be added to it. STS and WS-Trust are not currently mentioned in the Admin Guide nor the Dev Guide.      
  WS-Trust Renewing and Cancellation protocols: Token validation and token sharing among multiple services is already supported by Metro v1.x. This feature extends user control to the life cycles of issued tokens with STS. Jiandong Guo specified that the Metro user guide should be updated for this feature and samples should be added to it. STS and WS-Trust are not currently mentioned in the Admin Guide nor the Dev Guide.      
  Support for WS-Trust 1.4, WS-SecureConversation 1.4 and WS-SecurityPolicy 1.3: The Metro security developers need to make Metro compliant with WS-Trust 1.4, WS-SecureConversation 1.4, and WS-SecurityPolicy 1.3. The only doc impact is to update the versions of these three technologies where versions are called out - in the Metro User's Guide.      
  Support for Password Derived Keys: This feature, which is supported by the WS-SecurityPolicy specification but not by Metro v1.x, provides a way for a client with just a valid username and password to send a message that is both integrity and confidentiality-protected. Kumar Jyanti recommends that the Metro User's Guide be updated and samples that show how to use this feature be provided and explained in an associated blog. NetBeans tooling changes would be required and their associated documentation and OLH would need to be updated to reflect this feature. There is no direct doc impact to us.      
  Minor Security Features: Several relatively minor security enhancements that relate to a wide range of areas need to be implemented to provide adequate interoperability with Microsoft's .NET software, fix known bugs, improve logging and diagnostic messages, consolidate code, enforce best practices, propose what needs to be monitored by JMX management and monitoring, convert pipes to tubes, etc. The Metro User's Guide would need to be updated as each minor feature was implemented. No other GlassFish documentation impact. Additional samples may be required and all explanations to accompany these would be provided through blogs created by the Metro developers.
   
         

Changes to Online Help

Online Help Set Name Changes

Topic Title Documentation Impact Writer Reviewers Description of Change
         

Changes to Man Pages

Man Page Name and Section Documentation Impact Writer Reviewers Description of Change
         

Review Schedule

The review schedule for the documentation items that are affected by this feature is provided in the following table.

Item First Draft Start Date First Draft End Date Second Draft Start Date Second Draft End Date Final Version End Date Final Version End Date
             
             
             

Reviewers are listed in the Statement of Work.

Related Information

  • 1-pager
  • User task analysis
  • Design document

Email aliases:

  • [admin@glassfish.java.net]
  • [users@glassfish.java.net]
  • [docs@glassfish.java.net]