Friday Sep 17, 2010

A Simple Secure Embedded Web Test Client in GlassFish v3.1

Following the posts (i), (ii), (iii) on deploying secure EJB applications in GlassFish embedded mode, this post is about deploying a secure web application in GlassFish embedded mode. Similar to the EmbeddedEjbContainer API, the EmbeddedWebContainer API in GlassFish v3.1 can be used to deploy web-apps. The deployed web-app can be accessed either through a URLConnection in the same embedded test client or from a browser (provided the embedded server with the container is still running). In this post, we look at deploying a secure web-app (a web-app protected by a user-data constraint).

Consider a simple webapp that is protected by a user-data constraint.

        <user-data-constraint>
            <description/>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>

To test this war file, one could write a simple embedded web test client that uses the EmbeddedWebContainer API to deploy the app. As can be observed from this test client, the server containing the embeddable web container is not stopped immediately on program exit, so the deployed web-app can be accessed from a browser (http://localhost:8080/simpleweb). Since the app is protected by a user-data constraint, the redirection to https and the secure port (8181) can be observed.


Wednesday Mar 17, 2010

Running a secure application in Glassfish Embedded Server - Part II

Following the previous post, which illustrated how to run a secure EJB application on the GlassFish embedded server, this post focuses on running a secure web application on the GlassFish embedded server. Here is a sample web-app (with context-root simpleweb) that restricts access to file users of the group "tester" (please examine its web.xml and sun-web.xml for details). It has been configured for BASIC auth using the file realm. To test this web-app, an embedded server can be configured to use an existing non-embedded GlassFish instance's file system; the web-app can then be deployed on this embedded server.

        // Point the embedded server at the file system of an existing (non-embedded) domain,
        // so that its file realm, users and groups are available to the deployed web-app.
        Server.Builder builder = new Server.Builder("web-test");
        EmbeddedFileSystem.Builder efsBuilder = new EmbeddedFileSystem.Builder();
        efsBuilder.instanceRoot(new File(instanceRoot));   // domain directory of the existing instance
        builder.embeddedFileSystem(efsBuilder.build());
        Server server = builder.build();

        // Add the web container, start the server and deploy the war.
        server.addContainer(ContainerBuilder.Type.web);
        server.start();
        EmbeddedDeployer deployer = server.getDeployer();
        String appName = deployer.deploy(new File(testWarDir, testWar), null);
        System.out.println("Deployed " + appName);

The non-embedded GlassFish instance should be configured to contain file users of the group tester (the group configured in the web-app's sun-web.xml).

./asadmin create-file-user --groups tester testuser

Now the web-app can be accessed from the browser (http://localhost:8080/simpleweb). In response to the BASIC challenge, the username (testuser) and password are provided to access the protected page. Here is the complete test file.
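As an added example (not code from either post), the following client verifies from the test VM what the posts show in the browser: for the Sep 2010 war, that plain http on 8080 is redirected to https on 8181 by the CONFIDENTIAL user-data constraint, and for this post's war, that an unauthenticated request receives a BASIC challenge while the file user testuser is admitted. It assumes the embedded server is still running with the war deployed at /simpleweb; the testuser password is a placeholder.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class SecureWebAppChecks {
    // Assumed, not from the posts: the password of the file user testuser (placeholder below).
    static final String APP_URL = "http://localhost:8080/simpleweb";

    public static void main(String[] args) throws IOException {
        // Pick the check matching the war you deployed: "basic" (this post) or the CONFIDENTIAL war.
        if (args.length > 0 && args[0].equals("basic")) {
            expectBasicAuthEnforced(APP_URL, "testuser", "<testuser password>");
        } else {
            expectSecureRedirect(APP_URL, 8181);
        }
        System.out.println("constraint enforced");
    }

    // The CONFIDENTIAL constraint must redirect plain-http requests to https on the secure port.
    static void expectSecureRedirect(String url, int securePort) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        conn.setInstanceFollowRedirects(false);   // inspect the redirect instead of following it
        int status = conn.getResponseCode();
        String location = conn.getHeaderField("Location");
        if (status / 100 != 3 || location == null) {
            throw new AssertionError("no redirect for " + url + ": HTTP " + status);
        }
        URL target = new URL(location);
        if (!"https".equals(target.getProtocol()) || target.getPort() != securePort) {
            throw new AssertionError("redirect does not go to https:" + securePort + " -> " + location);
        }
    }

    // BASIC auth: no credentials -> 401 with a Basic challenge; a valid file user -> 200.
    static void expectBasicAuthEnforced(String url, String user, String password) throws IOException {
        HttpURLConnection anon = (HttpURLConnection) new URL(url).openConnection();
        String challenge = anon.getHeaderField("WWW-Authenticate");
        if (anon.getResponseCode() != 401 || challenge == null || !challenge.startsWith("Basic")) {
            throw new AssertionError("unauthenticated request was not challenged: HTTP " + anon.getResponseCode());
        }
        HttpURLConnection authed = (HttpURLConnection) new URL(url).openConnection();
        String token = Base64.getEncoder().encodeToString((user + ":" + password).getBytes(StandardCharsets.UTF_8));
        authed.setRequestProperty("Authorization", "Basic " + token);
        if (authed.getResponseCode() != 200) {
            throw new AssertionError(user + " was not admitted: HTTP " + authed.getResponseCode());
        }
    }
}
```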

PS - The Embedded API in GlassFish 3.1 has undergone some changes from the API used in this blog post. Please refer to this link for the latest Embedded API.

Thursday Feb 18, 2010

Running a secure application in Glassfish Embedded Server

The embedded server and the embedded API are a key new feature of the GlassFish v3 server. Among many advantages, they offer the ability to deploy and test web/EJB applications using an embedded server that runs in the same VM as the test application. This document provides details on the embedded server, on deploying and running applications, and on the embedded API. If a user wants to deploy a secure application with protected methods, the user has to provide authentication credentials to the embedded server before invoking the protected methods. This post discusses how this can be done.

Let's consider a secure EJB whose methods are protected by the RolesAllowed annotation, allowing access to users with the role 'admin'. Let's assume that this role is mapped to the group admin using sun-ejb-jar.xml; if not, default principal-role mapping can be enabled in the embedded server. To run the application, the ProgrammaticLogin API can be used to provide authentication credentials. There are two ways to access the file-realm users: (i) use an existing non-embedded instance of GlassFish with existing file users and set it as the embedded server's file system; (ii) use the asadmin command to create file users in the default embedded server.

Approach I - Using an existing instance of glassfish:

1. Create a file user (embedtester) belonging to the required group (admin) in an existing non-embedded GlassFish server instance, using the admin console or the CLI.

2. If required (i.e. when no principal-role mapping is provided in the application's sun-ejb-jar.xml), turn on default principal-role mapping for the instance through the admin console or the CLI.

3. Using the following code snippet, set that instance's domain directory and domain.xml as the embedded server's instance root and configuration:

        // Reuse the existing domain's file system (and therefore its file realm and users).
        EmbeddedFileSystem.Builder efsBuilder = new EmbeddedFileSystem.Builder();
        efsBuilder.instanceRoot(new File("<path to glassfish instance domain directory>"));
        efsBuilder.configurationFile(new File("<path to glassfish instance domain.xml>"));
        Server.Builder builder = new Server.Builder("test");
        builder.embeddedFileSystem(efsBuilder.build());
        Server server = builder.build();

4. After deploying the embedded EJB (refer to the document for more details), and before invoking the protected method on the EJB, call ProgrammaticLogin's login method to authenticate the user:

            // Authenticate embedtester against the "file" realm before the protected call
            ProgrammaticLogin pgLogin = new ProgrammaticLogin();
            pgLogin.login("embedtester", "abc12345", "file", true);

Approach II - Creating file users using the asadmin command in the embedded server:

If the default embedded server has to be used without setting an existing configuration or instance root, file users can be created in the embedded server using the asadmin command.

1. Create the embedded server and start it.

2. Run the asadmin create-file-user command:

        // In-process equivalent of "asadmin create-file-user --groups admin embedtester"
        String command = "create-file-user";
        ParameterMap params = new ParameterMap();
        params.add("userpassword", "abc12345");
        params.add("groups", "admin");
        params.add("username", "embedtester");
        // CommandRunner and ActionReport are looked up from the embedded server's habitat
        CommandRunner runner = server.getHabitat().getComponent(CommandRunner.class);
        ActionReport report = server.getHabitat().getComponent(ActionReport.class);
        runner.getCommandInvocation(command, report).parameters(params).execute();

3. Deploy the application and invoke ProgrammaticLogin.login() before calling the protected method.

            // Authenticate the newly created file user before the protected call
            ProgrammaticLogin pgLogin = new ProgrammaticLogin();
            pgLogin.login("embedtester", "abc12345", "file", true);

The ProgrammaticLogin API (com.sun.appserv.security.ProgrammaticLogin) is available as part of security.jar in the <GF-DOMAIN-DIR>/modules directory. Here is a sample test client (and the EJB) that invokes a protected method of the EJB (HelloWorldBean).
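An added end-to-end test client for Approach II (not the post's own sample client): it creates the file user in-process and checks the ActionReport, confirms the RolesAllowed method is refused before any login, then authenticates with ProgrammaticLogin and calls it. The EJB jar path, the bean's global JNDI name and the Hello business interface are assumptions.

```java
import java.io.File;
import javax.ejb.EJBAccessException;
import javax.naming.InitialContext;
import org.glassfish.api.ActionReport;
import org.glassfish.api.admin.CommandRunner;
import org.glassfish.api.admin.ParameterMap;
import org.glassfish.api.embedded.ContainerBuilder;
import org.glassfish.api.embedded.Server;
import com.sun.appserv.security.ProgrammaticLogin;
public class SecureEjbEmbeddedTest {
    // Assumed, not from the post: ejb jar path, the bean's global JNDI name, and a
    // business interface Hello whose sayHello() is annotated @RolesAllowed("admin").
    static final File EJB_JAR = new File("target/helloworld-ejb.jar");
    static final String JNDI_NAME = "java:global/helloworld-ejb/HelloWorldBean";
    public static void main(String[] args) throws Exception {
        Server server = new Server.Builder("secure-ejb-test").build();
        server.addContainer(ContainerBuilder.Type.ejb);
        server.start();
        try {
            createFileUser(server, "embedtester", "abc12345", "admin");
            server.getDeployer().deploy(EJB_JAR, null);
            Hello hello = (Hello) new InitialContext().lookup(JNDI_NAME);
            try {   // negative check: the protected method must be refused before login
                hello.sayHello();
                throw new AssertionError("protected method reachable without credentials");
            } catch (EJBAccessException refusedAsRequired) { }
            ProgrammaticLogin pgLogin = new ProgrammaticLogin();
            if (!pgLogin.login("embedtester", "abc12345", "file", true)) {
                throw new IllegalStateException("file realm rejected embedtester");
            }
            System.out.println(hello.sayHello());   // now runs as a member of group admin
            pgLogin.logout();
        } finally {
            server.stop();
        }
    }
    // In-process asadmin create-file-user; fails fast unless the ActionReport says SUCCESS.
    static void createFileUser(Server server, String user, String password, String group) {
        ParameterMap params = new ParameterMap();
        params.add("username", user);
        params.add("userpassword", password);
        params.add("groups", group);
        CommandRunner runner = server.getHabitat().getComponent(CommandRunner.class);
        ActionReport report = server.getHabitat().getComponent(ActionReport.class);
        runner.getCommandInvocation("create-file-user", report).parameters(params).execute();
        if (report.getActionExitCode() != ActionReport.ExitCode.SUCCESS) {
            throw new IllegalStateException("create-file-user failed: " + report.getMessage());
        }
    }
}
```

Checking the ActionReport exit code matters because a failed create-file-user does not throw: without the check the later login would fail with a less obvious realm error.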

PS - The Embedded API in GlassFish 3.1 has undergone some changes from the API used in this blog post. Please refer to this link for the latest Embedded API.


About

nitkal
