Building Secure Enterprise Beans in Java EE
Support for the Java EE specification in NetBeans IDE enables you to take full advantage of the many Java EE features that simplify application development. A significant development in the Java EE 5 specification was the incorporation of annotations. Using annotations enables you to eliminate a lot of the boilerplate code used when coding applications and minimizes the amount of configuration needed when deploying your application.
One area that has become greatly simplified through the use of annotations is the development and configuration of enterprise beans. Annotations enable you to specify many configuration properties that were previously specified in deployment descriptor files, making many of the deployment descriptor files unnecessary. Though applications may still require some deployment descriptor files (such as web.xml), the IDE's multi-view deployment descriptor editor makes editing the files much easier.
Using annotations, building secure enterprise beans is now much easier. Instead of configuring enterprise bean security in the ejb-jar.xml deployment descriptor you can use security annotations to configure authorization directly in the source code. Java EE 5 enterprise applications do not require ejb-jar.xml or application.xml.
For an overview of some of the features of the Java EE specification, see Introduction to Java EE Technology. For more information about annotation specifications, see JSR 250: Common Annotations for the Java Platform.
To follow this tutorial, you need the following software and resources.
For this tutorial you need to register a local instance of GlassFish server with the IDE. If you have installed the "Java EE" version of the IDE, the application server should already be installed and registered. If the application server is not registered in the IDE, choose Tools > Servers to register the server in the Servers manager. You cannot deploy enterprise applications to the Tomcat web server.
This document assumes you have some basic knowledge of, or programming experience with, the following technologies:
In this example, you only want users from the group bank_users to access the enterprise bean. You will create a user named manager in the group bank_users in the file security realm on the application server.
Now that the user is created, you will create an enterprise application that will check that the user is able to see the data.
Creating a Java Class Library for the Remote Interface
In this exercise you will create a simple Java class library project that will contain the remote interfaces for the session bean. The compiled class library JAR will be added to the classpath of the EJB module and the application client that will be used to call the session bean.
In the next section you will create a session bean in an enterprise application. The session bean will be accessed via a remote interface. When you create the session bean, the IDE will automatically create the remote interface in the class library and add the class library JAR to the classpath of the enterprise application.
The enterprise application will consist of a simple session bean that is accessed via a remote interface in the class library project.
Creating the Enterprise Application Project
In this exercise you will create an enterprise application that contains an EJB module.
Securing a Method in a Session Bean
In this exercise you will create a session bean in the EJB module project. The session bean does not do anything fancy. It just returns a sample balance amount. You will create a getStatus method and secure the method by annotating it with the @RolesAllowed annotation, specifying the security roles allowed to access the method. This security role is a logical name used by the application and is not the same as the users and groups on the server. You will map the security role to the users and groups later when you configure the deployment descriptors.
Security annotations can be applied individually to each method in a class, or to an entire class (a method-level annotation overrides a class-level one for that method). In this simple exercise you will use the @RolesAllowed annotation on a method, but the Java EE specification (JSR 250) defines other security annotations that can be used in enterprise beans, such as @PermitAll, @DenyAll and @DeclareRoles.
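The following is an added example of what the remote interface in the class library and the secured session bean in the EJB module look like; it is not the code generated by the IDE in this tutorial. The package name secure.ejb, the interface name AccountStatusRemote, the whoAmI method and the sample balance value are assumptions. It also shows, beyond the single method in the text, how method-level annotations give different access rules to different methods of the same bean.

```java
// File: AccountStatusRemote.java (in the class library project; package name assumed)
package secure.ejb;

import javax.ejb.Remote;

@Remote
public interface AccountStatusRemote {
    String getStatus();
    String whoAmI();   // assumed extra method, used below to contrast @PermitAll with @RolesAllowed
}

// File: AccountStatus.java (in the Secure-ejb module; package name assumed)
package secure.ejb;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles("USERS")   // the logical role; mapped to the server group bank_users in glassfish-application.xml
public class AccountStatus implements AccountStatusRemote {

    @Resource
    private SessionContext ctx;

    // The EJB container rejects the call before this body runs unless the
    // authenticated caller is in a group mapped to the USERS role.
    @RolesAllowed("USERS")
    @Override
    public String getStatus() {
        String caller = ctx.getCallerPrincipal().getName();
        return "Balance for " + caller + ": 1000.00";   // sample balance, assumed value
    }

    // Method-level @PermitAll: any caller, authenticated or not, may invoke this one,
    // even though getStatus in the same bean is restricted.
    @PermitAll
    @Override
    public String whoAmI() {
        return ctx.getCallerPrincipal().getName();
    }
}
```

The role name in @RolesAllowed and @DeclareRoles must match the role-name you later write in the security-role-mapping; the group name bank_users never appears in the bean source.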
Java EE enterprise applications usually do not require deployment descriptor files such as ejb-jar.xml. If you expand the Configuration Files node under Secure-ejb or the Secure enterprise application, you can see that there are no deployment descriptors. You can use annotations to specify many of the properties that were configured in ejb-jar.xml. In this example you specified the security roles for the EJB methods by using the @RolesAllowed annotation in the session bean.
However, when configuring security for an application you still have to specify some properties in the deployment descriptors. In this example you need to map the security roles used in the enterprise application (USERS) to the users and groups you configured on the application server. You created the group bank_users on the application server, and you now need to map this group to the security role USERS in the enterprise application. To do this you will edit the glassfish-application.xml deployment descriptor for the enterprise application.
Because the enterprise application does not need deployment descriptors to run, the IDE did not create the deployment descriptors by default. So you first need to create the deployment descriptor file and then edit the file in the multi-view editor to configure the security role mappings.
You can click on the XML tab in the multi-view editor to view the deployment descriptor file in XML view. You can see that the deployment descriptor file now contains the following:
<glassfish-application>
    <security-role-mapping>
        <role-name>USERS</role-name>
        <group-name>bank_users</group-name>
    </security-role-mapping>
</glassfish-application>
The getStatus method is now secure and only those users in the group bank_users that you specified on the server can access the method. The EJB container enforces this check on every invocation of getStatus; a caller who is not authenticated, or who is authenticated but not in a group mapped to USERS, is rejected with an access exception before the method body runs.
You now need a way to test the security settings. The simplest way is to create a basic application client that will prompt the user for a username and password.
Creating the Application Client
In this section you will create a simple application client to access the AccountStatus session bean. You will use the @EJB annotation in the code to call the bean via the remote interface and the IDE will automatically add the class library JAR that contains the interface to the classpath of the application client.
For more on application clients, see Creating and Running an Application Client on the GlassFish Server.
The application is now ready. You will first deploy the enterprise application to the server. After you deploy the enterprise application you can run the application client to test that the method in the enterprise application is secure and that the user roles are mapped correctly. When you run the application client you will be prompted for a username and password for a user in the bank_users group.
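The following is an added example of the application client's main class, not the code the IDE generates for this tutorial. It assumes the remote interface secure.ejb.AccountStatusRemote from the class library and the package name secure.client. It shows the @EJB injection the text describes and, in addition, how the client should handle the rejection the container returns when the logged-in user is not in a group mapped to USERS.

```java
// File: Main.java (in the application client project; package name assumed)
package secure.client;

import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import secure.ejb.AccountStatusRemote;   // assumed interface and package from the class library

public class Main {

    // Injected by the application client container (ACC). The field is static because
    // the ACC injects into the main class before calling main().
    @EJB
    private static AccountStatusRemote accountStatus;

    public static void main(String[] args) {
        try {
            // The first call to the secured method makes the ACC prompt for a username and
            // password, authenticates them against the file realm, and then the EJB container
            // checks whether the caller's groups map to the USERS role.
            System.out.println(accountStatus.getStatus());
        } catch (EJBAccessException e) {
            // Thrown to the client when the authenticated user is not in a group mapped to
            // USERS: the container rejected the call and getStatus never executed.
            System.err.println("Access denied: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

To verify the mapping rather than just the happy path, run the client twice: once as the user manager (in bank_users) and once as a user you create in a different group; only the first call should print the balance.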
This very basic example demonstrates how to use Java annotations to secure a method in an enterprise bean.
For more information about using annotations and deployment descriptors to secure enterprise beans, see the following resources:
For more information about using NetBeans IDE to develop Java EE applications, see the following resources:
To send comments and suggestions, get support, and keep informed on the latest developments on the NetBeans IDE Java EE development features, join the nbj2ee mailing list.