
Securing Web Applications



Examples: Securing Web Applications
There are several ways in which you can secure web applications. These include the following options:

- You can define a user authentication method for an application in its deployment descriptor. Authentication verifies the identity of a user, device, or other entity in a computer system, usually as a prerequisite to allowing access to resources in a system. When a user authentication method is specified for an application, the web container activates the specified authentication mechanism when you attempt to access a protected resource. The options for user authentication methods are discussed in "Specifying an Authentication Mechanism" on page 858. All of the example security applications use a user authentication method.

- You can define a transport guarantee for an application in its deployment descriptor. Use this method to run over an SSL-protected session and ensure that all message content is protected for confidentiality or integrity. The options for transport guarantees are discussed in "Specifying a Secure Connection" on page 857.

  When running over an SSL-protected session, the server and client can authenticate one another and negotiate an encryption algorithm and cryptographic keys before the application protocol transmits or receives its first byte of data.

  SSL technology allows web browsers and web servers to communicate over a secure connection. In this secure connection, the data is encrypted before being sent, and then is decrypted upon receipt and before processing. Both the browser and the server encrypt all traffic before sending any data. For more information, see "Establishing a Secure Connection Using SSL" on page 785.

  Digital certificates are necessary when running HTTP over SSL (HTTPS). The HTTPS service of most web servers will not run unless a digital certificate has been installed. Digital certificates have already been created for the Application Server.
The following examples use annotations, programmatic security, and/or declarative security to demonstrate adding security to existing web applications:

- "Example: Using Form-Based Authentication with a JSP Page" on page 868
- "Example: Basic Authentication with a Servlet" on page 877
- "Example: Basic Authentication with JAX-WS" on page 885
- "Discussion: Securing the Duke's Bank Example" on page 831

The following examples demonstrate adding basic authentication to an EJB endpoint or enterprise bean:

- "Example: Securing an Enterprise Bean" on page 820
- "Example: Using the isCallerInRole and getCallerPrincipal Methods" on page 826
- "Discussion: Securing the Duke's Bank Example" on page 831
Chapter 30 · Securing Web Applications
867