Securing Servlets and JSPs in Sun Java System Application Server, Part 1
In part 1 of this series, you'll see how to use declarative security in the Sun Java System Application Server (SJSAS) deployment descriptors to declare roles, users, groups, and realms. We'll create a file realm, a JDBC realm, and a certificate realm from scratch. In part 2, we'll implement authentication mechanisms for these realms (HTTP basic authentication, form-based authentication, and HTTPS authentication). Along the way, we'll talk about security annotations, programmatic security, and common attacks on JSP pages (cross-site scripting, securing data in GET requests, securing data in cookies, container vulnerabilities, and SQL injection).
Securing Java EE Applications: Overview
Let's review briefly how you secure Java EE applications. As you know, Java EE applications are multi-tier (usually three tiers), with components running on different kinds of containers (for example, SJSAS, JBoss, WebSphere, and so on), and they're exposed to a large and diverse audience of users. The containers are responsible for providing application security, and they do this in two ways:
- Declarative security. Expresses an application component's security requirements by using deployment descriptors, which are XML documents (for example, web.xml or sun-web.xml). We won't get into how to create these descriptors from scratch, but we'll talk about the main security settings that can be addressed in the descriptors.
- Programmatic security. Security requirements embedded in the application code itself. Programmatic security usually complements declarative security to raise the overall security level. In part 2 of this series, we'll discuss how to use programmatic security to secure servlets and JSPs.
One further note: We'll also use annotations (metadata) to specify security requirements within the class file. The main idea of annotations is to provide a "declarative" programming style that takes advantage of both declarative and programmatic security. Keep in mind, however, that security settings in the deployment descriptors override annotation settings, so you need to write the descriptors carefully so that they don't silently cancel out the annotations you rely on.
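To make the declarative side concrete, here is an added example (not code from the article) of the two descriptors mentioned above: a web.xml that declares a role, protects a URL pattern with that role, and selects a realm, and a sun-web.xml that maps the role to a realm group. The role name, group name, URL pattern, and the use of the default "file" realm are assumptions chosen for illustration.

```xml
<!-- web.xml (constructed example; application-level descriptor) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Logical role the application refers to; it is bound to real
       users/groups in the realm by sun-web.xml, not here -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>

  <!-- Every request under /admin/ must come from an authenticated
       caller in the "admin" role, and must travel over HTTPS.
       No <http-method> element is listed on purpose: omitting it makes
       the constraint apply to ALL HTTP methods, whereas listing only
       GET and POST would leave the other methods unconstrained. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- How the container authenticates callers and against which realm.
       "file" is SJSAS's default file realm (assumed here); part 1 also
       covers JDBC and certificate realms, which would be named instead. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>file</realm-name>
  </login-config>

</web-app>

<!-- sun-web.xml (constructed example; SJSAS-specific descriptor,
     DOCTYPE declaration omitted for brevity) -->
<sun-web-app>
  <!-- Binds the logical "admin" role to the realm group
       "administrators"; individual users could be bound with
       <principal-name> instead of, or in addition to, <group-name> -->
  <security-role-mapping>
    <role-name>admin</role-name>
    <group-name>administrators</group-name>
  </security-role-mapping>
</sun-web-app>
```

A quick check after deployment is to request a page under /admin/ over plain HTTP and without credentials: the container should first redirect to HTTPS and then answer 401 until a member of the mapped group authenticates.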