Secure Web apps using an assembly tool


Protect Web resources in a Web app by assigning security roles to those resources and by configuring a Web login authentication mechanism for the Web module.

To secure Web apps, determine the Web resources that need protecting and determine how to protect them.

This procedure might not match the steps required by the assembly tool, or by the version of the assembly tool, that we are using. Follow the instructions for the tool and version in use.

The following steps detail securing a Web app using an assembly tool.

 

  1. Import the WAR or EAR file.

  2. In the Project Explorer folder, locate the Web app.

  3. Right-click the deployment descriptor and click...

    Open With | Deployment Descriptor Editor

  4. Create security roles...

    Security tab | Security Roles | Add

    If a role is created at the Web module level, it also displays at the application level. If a role is created at the application level, it does not display in all of the Web modules.

  5. Enter the security role name and description, then click Finish.

  6. Create security constraints to map Web resources to roles.

    1. On the Security tab of a Web deployment descriptor editor, click Security Constraints...

      • Add / remove security constraints for specific security roles.

      • Add / remove Web resources and their HTTP methods.

      • Define which security roles are authorized to access the Web resources.

      • Specify None, Integral, or Confidential constraints on user data.

        None The application does not require transport guarantees.
        Integral Data cannot be changed in transit between the client and the server.
        Confidential Data content cannot be observed while it is in transit.

      Integral and Confidential both require SSL in practice; containers typically redirect a plain HTTP request for such a resource to HTTPS rather than reject it.

      When deploying applications that are available over public networks, specify Confidential for the Web application's constraints.

    2. Under Security Constraints, click Add.

    3. Under Constraint name, specify a display name for the security constraint and click Next.

    4. Type a name and description for the Web resource collection.

    5. Select one or more HTTP methods. The HTTP method options are:

      GET, PUT, HEAD, TRACE, POST, DELETE, and OPTIONS

      A constraint protects only the methods listed in its Web resource collection; a request that uses a method not listed for a matching URL pattern is not subject to that constraint. Unless a specific method must stay open, leave the method list empty so that the constraint applies to every method.

    6. Beside the Patterns field, click Add.

    7. Specify a URL pattern, for example /*, *.jsp, or /hello.

      Consult the Servlet spec V2.4 for the rules on mapping URL patterns to servlets. The security runtime first looks for an exact match between the incoming URL and a URL pattern. If there is no exact match, it uses the longest matching path-prefix pattern (for example, /admin/*). Extension patterns (for example, *.jsp) are matched last.

    8. Click Finish.

    9. Repeat these steps to create multiple security constraints.

  7. Map security-role-ref and role-name elements to the role-link element.

    During the development of a Web app, we can create the security-role-ref element. The security-role-ref element contains only the role-name field. The role-name field contains the name of the role that the servlet or JSP code references (for example, in an isUserInRole call) to determine whether the caller is in a specified role. Because security roles are created during the assembly stage, the developer uses a logical role name in the role-name field and provides enough description in the Description field for the assembler to map the logical name to the actual role through the role-link element. The security-role-ref element is at the servlet level. A servlet or JSP file can have zero or more security-role-ref elements.

    1. Go to the References tab of a Web deployment descriptor editor.

      On the References tab, we can add or remove references in the deployment descriptor. The following types of references can be defined on this tab:

      • EJB reference
      • Service reference
      • Resource reference
      • Message destination reference
      • Security role reference
      • Resource environment reference

    2. Under the list of EJB references, click Add.

    3. Specify a name and a type for the reference in the Name and Ref Type fields.

    4. Select either Enterprise Beans in the workspace or Enterprise Beans not in the workspace.

    5. If we select Enterprise Beans not in the workspace, select the type of enterprise bean in the Type field.

      We can specify either an entity bean or a session bean.

    6. Click Browse to specify values for the local home and local interface in the Local home and Local fields before you click Next.

    7. Repeat the previous steps until every role-name used during development is linked, through a role-link, to an actual security role.

  8. Specify the RunAs identity for servlets and JSPs.

    The RunAs identity of a servlet is used to invoke enterprise beans from within the servlet code. When enterprise beans are invoked, the RunAs identity is passed to the enterprise bean for performing an authorization check on the enterprise beans. If the RunAs identity is not specified, the client identity is propagated to the enterprise beans. The RunAs identity is assigned at the servlet level.

    1. On the Servlets tab of a Web deployment descriptor editor, under Servlets and JSP, click Add. The Add Servlet or JSP wizard opens.

    2. Specify the servlet or JSP file settings, including the name, initialization parameters, and URL mappings and click Next.

    3. Specify the class file destination.

    4. Click Next to specify additional settings or click Finish.

    5. Click Run As on the Servlets tab, select the security role and describe the role.

    6. Specify a RunAs identity for each servlet and JSP file used by the Web app.

  9. Set the login mechanism for the Web module.

    Applies to servlets, JSPs and HTML resources in the Web module.

    1. Click the Pages tab of a Web deployment descriptor editor and click Login.

      Select the required authentication method. Available method values include:

      • Unspecified
      • Basic
      • Digest
      • Form
      • Client-Cert

    2. Specify a realm name.

    3. If we select the Form authentication method, select a login page and an error page Web address.

      For example, we might use /login.jsp or /error.jsp. The specified login and error pages must be present in the .war file.

    4. If Client-Cert is selected, install the client certificate on the browser or Web client and place the client certificate in the server trust keyring file.

  10. Close the deployment descriptor editor and, when prompted, click Yes to save the changes.
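The following Python script is an added example, not code from this page, from WebSphere or from the assembly tool. It models how the security constraints created in steps 4, 6 and 9 are applied at request time: the web.xml it parses is a constructed descriptor of the kind the deployment descriptor editor writes, the matching order follows the rule stated in step 6 (exact URL, then longest path prefix, then extension), and the handling of http-method lists and of several constraints on one pattern follows the Servlet 2.4 rules for combining constraints. Real containers can differ in corner cases, so treat it as a model for reasoning about a descriptor, not as a reference implementation.

```python
"""Model which security constraint covers a request, following the match order the page
describes (exact URL, then longest path prefix, then extension) and the Servlet 2.4 rule
that listed http-method elements constrain only those methods. Constructed example."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed web.xml of the kind the deployment descriptor editor writes.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Administrator</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>hello</web-resource-name><url-pattern>/hello</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Employee</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>jsps</web-resource-name><url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Employee</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page><form-error-page>/error.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>Administrator</role-name></security-role>
  <security-role><role-name>Employee</role-name></security-role>
</web-app>"""

NS = {"j": "http://java.sun.com/xml/ns/j2ee"}
LEVEL = {"NONE": 0, "INTEGRAL": 1, "CONFIDENTIAL": 2}

@dataclass(frozen=True)
class Constraint:
    pattern: str
    methods: frozenset  # empty: every HTTP method is constrained
    roles: object       # None: no auth-constraint, open to all; empty: <auth-constraint/>, open to nobody
    transport: str      # NONE, INTEGRAL or CONFIDENTIAL

def load_constraints(xml_text):
    """Flatten each security-constraint into one Constraint per url-pattern."""
    out = []
    for sc in ET.fromstring(xml_text).findall("j:security-constraint", NS):
        auth = sc.find("j:auth-constraint", NS)
        roles = None if auth is None else frozenset(r.text.strip() for r in auth.findall("j:role-name", NS))
        transport = sc.findtext("j:user-data-constraint/j:transport-guarantee", "NONE", NS).strip()
        for wrc in sc.findall("j:web-resource-collection", NS):
            methods = frozenset(m.text.strip() for m in wrc.findall("j:http-method", NS))
            for p in wrc.findall("j:url-pattern", NS):
                out.append(Constraint(p.text.strip(), methods, roles, transport))
    return out

def match_rank(pattern, path):
    """Sort key when pattern matches path, else None; lower keys take precedence."""
    if pattern.endswith("/*"):                      # path-prefix pattern
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (1, -len(prefix))                # longest prefix wins
        return None
    if pattern.startswith("*."):                    # extension pattern, matched last
        return (2, 0) if path.endswith(pattern[1:]) else None
    return (0, 0) if path == pattern else None      # exact match beats everything

def applicable(constraints, method, path):
    """Return (roles, transport) for the request, or None when no constraint covers it."""
    hits = []
    for c in constraints:
        if c.methods and method not in c.methods:
            continue  # the collection lists methods and this request's method is not among them
        rank = match_rank(c.pattern, path)
        if rank is not None:
            hits.append((rank, c))
    if not hits:
        return None
    best = min(rank for rank, _ in hits)
    chosen = [c for rank, c in hits if rank == best]
    # Spec combination rules for constraints on the same pattern and method: a constraint with no
    # auth-constraint opens the resource; role lists are unioned; the weakest transport wins.
    roles = None if any(c.roles is None for c in chosen) else frozenset().union(*(c.roles for c in chosen))
    transport = min((c.transport for c in chosen), key=LEVEL.__getitem__)
    return roles, transport

CONSTRAINTS = load_constraints(WEB_XML)

def check(method, path):
    """Decision for one request against the constructed descriptor."""
    return applicable(CONSTRAINTS, method, path)
```

Calling check("GET", "/admin/users") returns the Administrator role with a CONFIDENTIAL transport guarantee, while check("DELETE", "/admin/users") returns None: the admin constraint lists only GET and POST, so a DELETE to the same URL is unconstrained, which is the gap step 6 warns about. check("PUT", "/admin/index.jsp") shows a related subtlety: the admin constraint does not cover PUT, so the request falls through to the lower-precedence *.jsp constraint and is protected only by the Employee role. The form login and error pages are deliberately placed at /login.html and /error.html, outside every constrained pattern, so that unauthenticated users can reach them.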

 

Results

After securing a Web app, the resulting WAR file contains security information in its deployment descriptor. The Web module security information is stored in web.xml. When you work in the Web deployment descriptor editor, you also can edit other deployment descriptors in the Web project, including information on bindings and IBM extensions in the ibm-web-bnd.xmi and ibm-web-ext.xmi files.

 

Next steps

After using an assembly tool to secure a Web app, we can install the Web app using the admin console. During the Web application installation, complete the steps in Deploy secured applications to finish securing the Web app.


Role-based authorization
Web component security
Delegations
Portlet URL security

 

Related tasks

Deploy secured applications
