Configuring Security in Glassfish v3

Saturday, July 17, 2010

Joe Morrissey


Problem Statement: "I want to let Glassfish handle access and authentication for my web app, but I want it to tie in with the user credentials I already have in my database."

Configuring a security realm in Glassfish v3 to tie in with your pre-existing MySQL database for user credentials is actually easier than you might think.

So here goes…

Step 1 – Create a Connection Pool and JNDI Source

Make sure that the current MySQL JDBC connector jar file is in the following directory:-

$GLASSFISH_HOME/glassfish/domains/YOURDOMAIN/lib/ext

Restart your app server then fire up the admin console and from the navigation tree on the left click:-

JDBC -> Connection_Pools -> New

Give your connection pool a name and fill in the rest of the fields as shown below, click next.

[Image: Add New Connection Pool]

The 'Datasource Classname' field should now be populated with

com.mysql.jdbc.jdbc2.optional.MysqlDataSource

Next we need to fill in a few fields in the ‘additional properties’ section:-

  • user – (your database user name)
  • password – (the password for your database user)
  • databaseName – (your database name)
  • portNumber – (usually 3306)
  • serverName – (e.g. localhost)
  • URL – jdbc:mysql://localhost:3306/your_DB_name_here

Use a dedicated database account for this pool and grant it only SELECT on the two credential tables; the realm only ever reads them, so it has no business writing anywhere.

Save these settings and then click 'Ping' to test that Glassfish can actually reach the database:-

[Image: the ping success message you should see]

From the navigation tree on the left click:-

JDBC -> JDBC_Resources -> New

Give the Resource a name and select your connection pool from the previous step then go ahead and hit the save button.

[Image: New JDBC Resource]

Step 2 – Create a new security realm

Ok, so before we point Glassfish at our database, we'll need the following information about it:-

  1. The name of the table in which your users' usernames and passwords are stored.
  2. The column names where the username and password are stored.
  3. The name of the table where users are assigned to user groups.
  4. The column name in this table which stores the user group name.

Here's an example:-

Users Table – user_details

  user_name   password
  user1       password
  user2       mypassword

Groups Table – user_groups

  user_name   group_name
  user1       Admin-Group
  user1       Regular-Group
  user2       Regular-Group

Two things to watch in your own schema: the user column has the same name (user_name) in both tables, because the v3 realm looks users up in the group table using the user-name column you configure for the user table; and the group column is called group_name rather than group, since GROUP is a reserved word in MySQL and the SELECT the realm generates would fail with a syntax error. The password column is shown with plaintext values for readability; in a real table it holds the digests (see the 'Digest Algorithm' field below).

So, to create a new Realm; from the navigation tree, click:-

Security -> Realms -> New

Give your realm a name (this walkthrough uses myRealm, which is the name web.xml refers to in Step 3).

Select com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm in the ‘Class Name’ field.

Enter the ‘JAAS Context’ as jdbcRealm.

In the 'JNDI' field, enter the JNDI name of the JDBC Resource you created in the previous step.

Fill in the table and column fields with the database info you have ready from the step above.

If your passwords are stored as MD5 hashes, enter MD5 in the 'Digest Algorithm' field, and check that the 'Encoding' field (Hex or Base64) matches the form in which the hashes were written to the database. Entering none makes the realm compare plaintext passwords. Bear in mind that unsalted MD5 is a weak way to store passwords; it is used here only because that is what the existing database holds.

The database username and password are already set in the connection pool, so there is no need to duplicate them here.

You can leave the rest of the fields blank.

[Image: New Security Realm]

That's it as far as Glassfish is concerned! Easy, huh?
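To see what the realm actually does with the settings from Step 2, here is a small Python model of its lookup. This is an added example for this write-up, not code from the original post or from GlassFish: it runs the example schema in an in-memory SQLite database so it works offline, and it assumes MD5 digests stored as lower-case hex (what MySQL's MD5() produces; 'Digest Algorithm' = MD5, 'Encoding' = Hex) and the column names from the tables above, with group_name in place of the reserved word group. The two queries are modelled on what the v3.0 realm builds from its properties (the asadmin property names are given in the comments); they are not copied from GlassFish.

```python
"""Model of the lookup GlassFish v3's JDBCRealm performs with the Step 2 settings.

Added example, not code from the original post or from GlassFish. Assumes MD5
digests stored as lower-case hex and the column names from the example tables
(group_name instead of the reserved word group). Queries are modelled on the
v3.0 realm's behaviour, not copied from it.
"""
import hashlib
import hmac
import sqlite3

# Realm settings as entered in the admin console; the asadmin / domain.xml
# property name for each field is given in the comment.
REALM = {
    "user_table": "user_details",        # user-table
    "user_name_column": "user_name",     # user-name-column
    "password_column": "password",       # password-column
    "group_table": "user_groups",        # group-table
    "group_name_column": "group_name",   # group-name-column
    "digest_algorithm": "md5",           # digest-algorithm ("none" = plaintext)
}

# Constructed sample data: the two users from the post's example tables.
USERS = {"user1": "password", "user2": "mypassword"}
GROUPS = [("user1", "Admin-Group"), ("user1", "Regular-Group"), ("user2", "Regular-Group")]


def digest(password, algorithm):
    """The value the realm compares against the stored password column."""
    if algorithm == "none":
        return password
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()


def realm_queries(r):
    """The two parameterised statements derived from the realm properties.

    Both use user_name_column, which is why the user column must carry the
    same name in the user table and in the group table with v3.0.
    """
    user_q = f"SELECT {r['password_column']} FROM {r['user_table']} WHERE {r['user_name_column']} = ?"
    group_q = f"SELECT {r['group_name_column']} FROM {r['group_table']} WHERE {r['user_name_column']} = ?"
    return user_q, group_q


def build_database(r=REALM):
    """In-memory stand-in for the MySQL schema, populated with digested passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_details (user_name TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.execute("CREATE TABLE user_groups (user_name TEXT NOT NULL, group_name TEXT NOT NULL)")
    conn.executemany("INSERT INTO user_details VALUES (?, ?)",
                     [(u, digest(p, r["digest_algorithm"])) for u, p in USERS.items()])
    conn.executemany("INSERT INTO user_groups VALUES (?, ?)", GROUPS)
    conn.commit()
    return conn


def authenticate(conn, username, password, r=REALM):
    """Return the user's groups (what the container maps to roles), or None on failure."""
    user_q, group_q = realm_queries(r)
    row = conn.execute(user_q, (username,)).fetchone()
    if row is None:
        return None                      # unknown user fails the same way as a bad password
    if not hmac.compare_digest(row[0], digest(password, r["digest_algorithm"])):
        return None
    return sorted(g for (g,) in conn.execute(group_q, (username,)))


if __name__ == "__main__":
    db = build_database()
    for user, pw in [("user1", "password"), ("user2", "mypassword"), ("user2", "password")]:
        print(user, "->", authenticate(db, user, pw))
```

Running the two SELECTs from realm_queries() by hand against your real MySQL tables, with a known username substituted for the placeholder, is a quick way to check the table and column names before you touch the admin console.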

Next we’ll take a quick look at how to implement basic authentication in a web app.

Step 3 – Set up your web app to use this security method

If you're not familiar with Java EE security using realms, users, groups and roles, the security chapters of the Java EE tutorial are a good place to start.

Ok, so we’re gonna use some example user credentials, groups and roles to implement security in our web app.

Users can belong to Admin-Group or Regular-Group (the group names stored against users in the group table in your database).

First we'll map some security roles to our groups; this is done in the sun-web.xml config file in the WEB-INF folder of our web application.

For convenience's sake, we'll create one role for each group with the same name as the group.

So, Admin-Group will have the role Admin-Group assigned to it (and the same goes for Regular-Group). Glassfish can also do this same-name mapping for you if 'Default Principal To Role Mapping' is enabled under Configuration -> Security, but an explicit mapping is clearer and survives a move to another server.

Go ahead and paste this into your sun-web.xml file, inside the sun-web-app root element:-

    <security-role-mapping>
      <role-name>Regular-Group</role-name>
      <group-name>Regular-Group</group-name>
    </security-role-mapping>
    <security-role-mapping>
      <role-name>Admin-Group</role-name>
      <group-name>Admin-Group</group-name>
    </security-role-mapping>

Next we’ll set a security constraint in our web.xml file (also in the WEB-INF folder of our web application).

You have to give the constraint a name, set the url pattern and state which roles are allowed to access this secure area.

As you can see, we are securing the whole web app by supplying '/*' as the url pattern.

Add this snippet to your web.xml file:-

    <security-constraint>
      <display-name>SecurePlace</display-name>
      <web-resource-collection>
        <web-resource-name>Secure Place</web-resource-name>
        <description>Description here</description>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <description>Description here</description>
        <role-name>Regular-Group</role-name>
        <role-name>Admin-Group</role-name>
      </auth-constraint>
    </security-constraint>

We also need to tell the web app to actually enforce this by making users log in (this is also done in the web.xml file).

For this example we are using basic authentication, so we set the auth-method to 'BASIC'.

Then we set the realm-name to the name we gave our realm in Step 2 (myRealm in this example); it has to match that name exactly, otherwise Glassfish will not be using your JDBC realm.

Then we declare each role referenced by the constraint with a security-role element.

Add this snippet to your web.xml file:-

    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>myRealm</realm-name>
    </login-config>

    <security-role>
      <role-name>Regular-Group</role-name>
    </security-role>
    <security-role>
      <role-name>Admin-Group</role-name>
    </security-role>

And that's it! If you open your web application in a browser, you should be prompted for a username and password, and the credentials from your MySQL database should get you in. One caveat: BASIC authentication sends the username and password Base64-encoded, not encrypted, on every request, so put the app behind HTTPS; adding a user-data-constraint with a transport-guarantee of CONFIDENTIAL to the security-constraint makes Glassfish redirect plain-HTTP requests to the HTTPS listener.
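The example below is added here and is not code from the original post or from GlassFish: a small Python model of the authorization decision the container makes once the realm has handed back a user's groups, using constructed copies of the sun-web.xml and web.xml snippets above. It goes one step beyond the post by adding a second constraint on /admin/* that only the Admin-Group role satisfies, so you can see that the most specific url-pattern wins and that a group only counts through its role mapping. The matching and combination rules are a simplified reading of the Servlet specification, not GlassFish's own implementation.

```python
"""Model of the container's authorization check for a BASIC-protected web app.

Added example, not code from the original post or from GlassFish. The two
descriptors are constructed for this example; the /admin/* constraint is an
addition to show a role that only one group satisfies. Matching follows the
Servlet spec in simplified form: exact match beats the longest path prefix,
which beats an extension pattern, which beats the default pattern "/".
"""
import xml.etree.ElementTree as ET

SUN_WEB_XML = """<sun-web-app>
  <security-role-mapping>
    <role-name>Regular-Group</role-name>
    <group-name>Regular-Group</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>Admin-Group</role-name>
    <group-name>Admin-Group</group-name>
  </security-role-mapping>
</sun-web-app>"""

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure Place</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Regular-Group</role-name>
      <role-name>Admin-Group</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin-Group</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>myRealm</realm-name>
  </login-config>
</web-app>"""


def role_mappings(sun_web_xml):
    """group name -> set of roles, from the security-role-mapping elements."""
    mapping = {}
    for m in ET.fromstring(sun_web_xml).iter("security-role-mapping"):
        role = m.findtext("role-name")
        for g in m.iter("group-name"):
            mapping.setdefault(g.text, set()).add(role)
    return mapping


def constraints(web_xml):
    """List of (url-pattern, allowed roles); roles is None when there is no auth-constraint."""
    out = []
    for c in ET.fromstring(web_xml).iter("security-constraint"):
        auth = c.find("auth-constraint")
        roles = None if auth is None else {r.text for r in auth.iter("role-name")}
        for p in c.iter("url-pattern"):
            out.append((p.text, roles))
    return out


def match_rank(pattern, path):
    """Servlet url-pattern matching; a higher tuple is more specific, None means no match."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    if pattern == "/":
        return (0, 0)
    return None


def is_allowed(path, user_groups, mapping, cons):
    """Decide access for a request path; user_groups is None for an unauthenticated caller."""
    ranked = [(match_rank(p, path), roles) for p, roles in cons]
    ranked = [(r, roles) for r, roles in ranked if r is not None]
    if not ranked:
        return True                      # no constraint covers this resource
    best = max(r for r, _ in ranked)
    allowed = [roles for r, roles in ranked if r == best]
    if any(roles is None for roles in allowed):
        return True                      # a matching constraint with no auth-constraint lets everyone in
    if user_groups is None:
        return False                     # the container would challenge with 401 / WWW-Authenticate
    user_roles = set().union(*(mapping.get(g, set()) for g in user_groups))
    needed = set().union(*allowed)       # same-pattern constraints combine by union
    return "*" in needed or bool(user_roles & needed)


if __name__ == "__main__":
    mapping, cons = role_mappings(SUN_WEB_XML), constraints(WEB_XML)
    print("user1 /admin/users:", is_allowed("/admin/users", ["Admin-Group", "Regular-Group"], mapping, cons))
    print("user2 /admin/users:", is_allowed("/admin/users", ["Regular-Group"], mapping, cons))
    print("anonymous /index.jsp:", is_allowed("/index.jsp", None, mapping, cons))
```

The point the model makes explicit is the indirection: a user in a group that has no security-role-mapping gets no roles at all, even if the group name happens to look like a role, unless default principal-to-role mapping is switched on.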

Cross-posted from The Ventiblog
