GlassFish - World's first Java EE 7 Application Server


Here is the proposed outline for the Security section of Volume 1 of the tutorial.

Link to Java EE 5 Tutorial: http://java.sun.com/javaee/5/docs/tutorial/doc/

Outline for Volume 2 Security Topics can be found here.

Topics for the Java EE Tutorial: Basic Topics in Security (Volume 1)

This section (Security) describes the way we want users to develop their applications with Java EE 6, so, for the basic version, we introduce all of the security concepts, but only discuss developing with annotations (using deployment descriptors only when needed to add functionality not available with annotations).

Chapter: Introduction to Security in Java EE

  1. Overview
    1. A Simple Example
    2. Security Functions
    3. Characteristics of Application Security
  2. Security Implementation Mechanisms
    1. Java SE Security Implementation Mechanisms
    2. Java EE Security Implementation Mechanisms
  3. Securing Containers
    1. Using Annotations
    2. Using Programmatic Security
    3. Using Deployment Descriptors
  4. Securing the Application Server
  5. Working with Realms, Users, Groups, and Roles
    1. What are Realms, Users, Groups, and Roles
    2. Manager Users and Groups on the Application Server
    3. Setting up Security Roles
    4. Mapping Roles to Users and Groups
  6. Establishing a Secure Connection Using SSL
    1. Installing and Configuring SSL Support
    2. Specifying a Secure Connection in Your Application Deployment Descriptor
    3. Verifying SSL Support
    4. Working with Digital Certificates
    5. Enabling Mutual Authentication Over SSL
  7. Further Information

Chapter: Security Annotations or Working with Security Roles

  1. @DeclareRoles(role)
  2. @RolesAllowed("listofroles")
  3. @PermitAll
  4. @DenyAll
  5. @RunAs

Chapter: Securing Web Applications

blurb about annotations and a link to Vol 2 for advanced topics and depl. Descr. info

  1. Overview of Web App Security
  2. Working with Roles
    1. Declaring Security Roles
    2. Specifying Security Roles
    3. Mapping Security Roles to GlassFish Groups
    4. Checking Caller Identity Programmatically
      1. getRemoteUser
      2. isUserInRole
      3. getUserPrincipal
    5. Declaring and Linking Role References
      1. Declaring Roles
  3. Defining Security Requirements for a Web App using Annotations
    1. Refer to Chapter that describes the security-related annotations
  4. Different types of Web App Authentication
    1. Basic
    2. Form
      1. Login forms
    3. Digest (new?)
    4. Client
      1. mutual
  5. Specifying a Secure Connection

Chapter: Securing Enterprise Applications

Blurb about using annotations and a link to Vol. 2 for more advanced topics.

  1. Securing Enterprise Beans
    1. Accessing an Enterprise Bean Caller's Security Context
      1. Using getCallerPrincipal()
      2. Using isCallerInRole(String roleName)
      3. Using @DeclareRoles with isCallerInRole(String rolename)
      4. Permissions and JACC
      5. Example using these methods
    2. Declaring Security Roles using @DeclareRoles
    3. Defining Security Roles using @RolesAllowed
    4. Specifying Method Permissions using @RolesAllowed, @PermitAll, and @DenyAll
    5. Propagating a Security Identity using @RunAs
    6. Deployment Descriptor Elements needed to secure enterprise bean
      1. Specifying an Authentication Mechanism
        1. username-password
        2. others?
      2. Mapping Security Roles to App Server Groups
      3. IOR config?
  2. Securing application clients
    1. Using JAAS to create login modules
      1. (javax.security.auth.callback.CallbackHandler)- discuss, link to JAAS docs
    2. Using Programmatic Login
      1. (com.sun.appserv.security.ProgrammaticLogin) - discuss, link to AppServer Dev Guide

Chapter: Examples Demonstrating Security

  1. Securing Web Applications
      1. Define a User Authentication Method in Depl. Descr.
      2. Define a Transport Guarantee in DD
    2. Basic Auth with Servlet
    3. Basic Auth with JAX-WS
    4. Form Auth with JSP Page
    5. Digest Auth??
    6. Mutual Auth (command line only, not NetBeans)
  2. Securing Enterprise Beans or EJB Endpoints
    1. Securing an EJB using username-password authentication
    2. Demonstrate other authentication methods for EJBs?
    3. Securing an EJB application using the isCallerInRole and getCallerPrincipal Methods