Securing web application (.war)s using the Assembly Toolkit

There are three types of Web login authentication mechanisms that you can configure on a web application (.war): basic authentication, form-based authentication and client certificate-based authentication. Protect Web resources in a Web application by assigning security roles to those resources.

To secure Web applications, determine the Web resources that need protecting and determine how to protect them.

  1. Open the web application (.war) file. This file can be a Web archive (WAR) file or an enterprise application archive (EAR) file that contains one or more Web modules. In the Assembly Toolkit, open a deployment descriptor editor on the file: in the J2EE Hierarchy view, right-click the file and click Open With > Deployment Descriptor Editor. If you selected a Web archive (WAR) file, a Web deployment descriptor editor opens; if you selected an enterprise application (EAR) file, an application deployment descriptor editor opens. For online information about the editor, press F1 and click the editor name.

  2. Create security roles either at the application level or at the Web module level. A security role created at the Web module level also displays at the application level. A security role created at the application level does not automatically display in the Web modules; you can copy and paste a security role from the application level to one or more Web module security roles.

    • Create a role at a Web-module level. In a Web deployment descriptor editor, select the Security tab. Under Security Roles, click Add. Double-click (New Security Role) and type the security role. Under Details, describe the security role.

    • Create a role at the application level. In an application deployment descriptor editor, select the Security tab. Under the list of security roles, click Add. In the Add Security Role wizard, name and describe the security role; then click Finish.

  3. Create security constraints. Security constraints are a mapping of one or more Web resources to a set of roles.

    1. On the Security tab of a Web deployment descriptor editor, click Security Constraints. On the Security Constraints tab that opens, you can do the following:

      • Add or remove security constraints for specific security roles.

      • Add or remove Web resources and their HTTP methods.

      • Define which security roles are authorized to access the Web resources.

      • Specify None, Integral, or Confidential constraints on user data. None means that the application requires no transport guarantee. Integral means that data cannot be changed in transit between client and server. Confidential means that data content cannot be observed while it is in transit. In practice, both Integral and Confidential require the use of SSL.

    2. Under Security Constraints, click Add.

    3. Under Details, specify a display name for the security constraint.

    4. Under Web Resource Collections, click Add. The Web Resource Collections wizard opens.

    5. Type a name and description for the Web resource collection.

    6. Select one or more HTTP methods. The HTTP method options are GET, PUT, HEAD, TRACE, POST, DELETE, and OPTIONS. If you select no methods, the constraint covers every method. If you select specific methods, only those methods are constrained and every other method reaches the resource with no role check, so list methods explicitly only when you intend to leave the others unprotected.

    7. Beside URL Patterns, click Add. Double-click (New URL pattern) and type a URL pattern (for example, /*, *.jsp, or /hello). Consult the Servlet specification Version 2.3 for instructions on mapping URL patterns to servlets. The security run time first looks for an exact match between the incoming URL and the URL patterns. If there is no exact match, it uses the longest path-prefix match (a pattern ending in /*, such as /admin/*). Extension wildcard patterns (*.jsp) are matched last. Because /* is a path-prefix pattern, it wins over an extension pattern such as *.jsp for every URL, so a constraint placed only on *.jsp has no effect while a /* constraint exists.

    8. Repeat these steps to create multiple security constraints.

  4. Map security-role-ref and role-name elements to the role-link element. During development of a web application (.war), the developer can create security-role-ref elements. At that stage a security-role-ref element contains only the role-name field: the name of the role that the servlet or JSP code passes to isUserInRole() to determine whether the caller is in that role. Because the real security roles are created during assembly, the developer uses a logical role name in the role-name field and provides enough description in the description field for the assembler to map it to the actual role (the role-link). The security-role-ref element is at the servlet level; a servlet or JSP file can have zero or more security-role-ref elements.

    1. Go to the References tab of a Web deployment descriptor editor. On the References tab, you can add or remove references in the deployment descriptor. There are five types of references you can define on this tab:

      • EJB

      • EJB Local (J2EE 1.3 only)

      • Resource

      • Resource Environment (J2EE 1.3 only)

      • JSP Tag Library

      This article describes how to define an EJB reference for a web application (.war).

    2. Under the list of EJB references, click Add. Double-click on (New EJB Ref) and type an EJB reference.

    3. Under Details, click Browse beside Link and select a link for the EJB reference. Select a link type of ENTITY or SESSION. Select Home and Remote values, and describe the link.

    4. Using the previous steps, map every role-name used during development to the actual role (role-link).

  5. Specify the RunAs identity for servlets and JSP files. The RunAs identity of a servlet is the identity used when the servlet code invokes enterprise beans: it is passed to the enterprise bean, which performs its authorization check against that identity rather than against the original caller. If no RunAs identity is specified, the client identity is propagated to the enterprise beans. The RunAs identity is assigned at the servlet level.

    1. On the Servlets tab of a Web deployment descriptor editor, under Servlets and JSPs, click Add. The Add Servlet or JSP wizard opens.

    2. Select whether to add a servlet or JavaServer page (JSP), define which servlet or JSP to add, and click OK.

    3. Under Run As, select the security role and describe the role.

    4. Repeat for each servlet and JSP file in your web application (.war) that needs a RunAs identity.

  6. Configure the login mechanism for the Web module. This configured login mechanism applies to all the servlets, JSP files and HTML resources in the Web module.

    1. On the Pages tab of a Web deployment descriptor editor, under Login, select the required authentication method. Available values are Unspecified, Basic, Digest, Form, and Client-Cert.

    2. Specify a realm name.

    3. If you select the Form authentication method, select the login page and error page URLs (for example, /login.jsp and /error.jsp). Both pages must be present in the .war file.

    4. If you select Client-Cert, install the client certificate in the browser or Web client and place the client certificate in the server trust keyring file.

  7. Close the deployment descriptor editor and, when prompted, click Yes to save the changes.
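As an added example, not taken from the original page or from IBM, here is the web.xml that steps 2 through 6 produce for a hypothetical Web module. The role names, servlet class, URL patterns and page names are all assumed; the element order follows the Servlet 2.3 DTD that the page refers to.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <display-name>Hypothetical payroll Web module</display-name>

  <!-- Step 5: a servlet with a RunAs identity, plus the step 4 role mapping -->
  <servlet>
    <servlet-name>PayrollServlet</servlet-name>
    <servlet-class>com.example.payroll.PayrollServlet</servlet-class>
    <run-as>
      <description>Invokes the payroll enterprise beans as payroll-clerk</description>
      <role-name>payroll-clerk</role-name>
    </run-as>
    <!-- Step 4: the developer's logical name (role-name) used in
         isUserInRole("manager") is linked to the real role (role-link) -->
    <security-role-ref>
      <description>Name the servlet code passes to isUserInRole()</description>
      <role-name>manager</role-name>
      <role-link>payroll-manager</role-link>
    </security-role-ref>
  </servlet>
  <servlet-mapping>
    <servlet-name>PayrollServlet</servlet-name>
    <url-pattern>/payroll/*</url-pattern>
  </servlet-mapping>

  <!-- Step 3: one security constraint mapping a resource collection to roles -->
  <security-constraint>
    <display-name>Payroll pages</display-name>
    <web-resource-collection>
      <web-resource-name>Payroll</web-resource-name>
      <description>Everything under /payroll, every HTTP method</description>
      <url-pattern>/payroll/*</url-pattern>
      <!-- No http-method elements, so every method is constrained.
           Listing only GET and POST here would leave PUT, DELETE and
           the other methods reachable with no role check. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>payroll-clerk</role-name>
      <role-name>payroll-manager</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Confidential: requires SSL in practice -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Step 6: form login; both pages must be present in the WAR -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Payroll</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Step 2: security roles declared at the Web module level -->
  <security-role>
    <description>Enters timesheets</description>
    <role-name>payroll-clerk</role-name>
  </security-role>
  <security-role>
    <description>Approves payroll runs</description>
    <role-name>payroll-manager</role-name>
  </security-role>
</web-app>
```

The two things most worth checking in a descriptor like this are the absence of http-method elements under a constraint that is meant to cover the whole resource, and that every role-name in a security-role-ref has a role-link pointing at a declared security-role; the mapping of those roles to users and groups is done later, during installation, as the page notes.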

After securing a web application (.war), the resulting WAR file contains the security information in its deployment descriptor: the Web module security information is stored in the web.xml file. When you work in the Web deployment descriptor editor, you can also edit the other deployment descriptors in the Web project, including the bindings and IBM extensions in the ibm-web-bnd.xmi and ibm-web-ext.xmi files.
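The matching order described in step 3 (exact match, then longest path-prefix match, then extension wildcard) decides which security constraint a request actually gets, and a constraint that lists specific HTTP methods protects only those methods. The following added example, written here rather than taken from the page or from WebSphere, implements that ordering over a constructed set of constraints and audits a URL for methods that reach it with no role check. The constraint set, URL patterns and role names are assumptions for illustration.

```python
"""Servlet 2.3-style URL pattern matching for security constraints, as the
text describes it: exact match, then longest path-prefix, then extension.
Constructed example; not WebSphere or Assembly Toolkit code."""

TRANSPORT_RANK = {"NONE": 0, "INTEGRAL": 1, "CONFIDENTIAL": 2}

# The HTTP methods offered by the Web Resource Collections wizard.
HTTP_METHODS = ["GET", "PUT", "HEAD", "TRACE", "POST", "DELETE", "OPTIONS"]


def match_url_pattern(url, patterns):
    """Return the pattern that wins for `url`, or None if nothing matches."""
    # 1. exact match
    if url in patterns:
        return url
    # 2. longest path-prefix match ('/admin/*', '/*')
    best = None
    for p in patterns:
        if p.endswith("/*"):
            prefix = p[:-2]  # '/admin/*' -> '/admin', '/*' -> ''
            if url == prefix or url.startswith(prefix + "/"):
                if best is None or len(p) > len(best):
                    best = p
    if best is not None:
        return best
    # 3. extension match ('*.jsp') against the last path segment
    last = url.rsplit("/", 1)[-1]
    for p in patterns:
        if p.startswith("*.") and last.endswith(p[1:]):
            return p
    return None


# Constructed sample constraints (assumed, not from the page): the shape that
# step 3 writes to web.xml, flattened into dicts. An empty "methods" list
# means the constraint carries no http-method elements and covers every method.
SAMPLE_CONSTRAINTS = [
    {"name": "admin pages", "patterns": ["/admin/*"], "methods": ["GET", "POST"],
     "roles": {"admin"}, "transport": "CONFIDENTIAL"},
    {"name": "all JSPs", "patterns": ["*.jsp"], "methods": [],
     "roles": {"user"}, "transport": "NONE"},
    {"name": "whole app", "patterns": ["/*"], "methods": [],
     "roles": {"user", "admin"}, "transport": "NONE"},
]


def resolve(url, method, constraints=SAMPLE_CONSTRAINTS):
    """Return (winning_pattern, required_roles, transport_guarantee).

    required_roles is None when the winning pattern carries no constraint for
    this method, i.e. the request would be served without any role check."""
    all_patterns = {p for c in constraints for p in c["patterns"]}
    winner = match_url_pattern(url, all_patterns)
    if winner is None:
        return None, None, "NONE"
    roles, transport, constrained = set(), "NONE", False
    for c in constraints:
        if winner in c["patterns"] and (not c["methods"] or method in c["methods"]):
            constrained = True
            roles |= c["roles"]
            if TRANSPORT_RANK[c["transport"]] > TRANSPORT_RANK[transport]:
                transport = c["transport"]
    return winner, (roles if constrained else None), transport


def unconstrained_methods(url, constraints=SAMPLE_CONSTRAINTS):
    """Methods that reach `url` with no role check: a quick audit for
    constraints that list some HTTP methods and silently leave the rest open."""
    return [m for m in HTTP_METHODS if resolve(url, m, constraints)[1] is None]


if __name__ == "__main__":
    for url, method in [("/admin/users", "GET"), ("/admin/users", "DELETE"),
                        ("/reports/q1.jsp", "GET")]:
        print(url, method, resolve(url, method))
    print("open methods on /admin/users:", unconstrained_methods("/admin/users"))
```

Running it shows the two pitfalls a reviewer of a web.xml should look for: DELETE (and PUT, HEAD, TRACE, OPTIONS) reach /admin/users with no role check because the admin constraint lists only GET and POST, and the *.jsp constraint never applies because /* is a path-prefix pattern and is matched before any extension pattern.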

After using the Assembly Toolkit to secure a web application (.war), you can install the web application (.war) using the administrative console. During the Web application installation, complete the steps in the Deploying secured applications article to finish securing the web application (.war).


See Also

Web component security
Delegations
Security: Resources for learning