Privacy and security are very important, and you really need to consider them from the start when building a software application, which leads to designing your application with authentication and authorization for its users. Recently I stumbled on Jerry's article about what you should and shouldn't do when securing passwords, which is a very good starting point when you want to build a secure software application, especially with Java. On Java EE, precisely Java EE 7 and below, you will see how hard and non-portable it is to configure authentication and authorization. The good news is that the Java Security API finally received a big update and will ship with Java EE 8.
On Java EE 7 and below, your options for securing your application are either depending on the application container (an application server such as Wildfly or Payara) or using a third-party library such as Spring Security or Apache Shiro. Today I would like to share my experience configuring security on Payara 171, and yes, this configuration will differ on other application servers.
To secure a software application you will normally store user credentials such as username and password in a database and apply a hash or encryption method to the password (never, ever store passwords as plain text). Every user needs to be assigned specific permissions to restrict what he/she can and can't do in your application. So your first task is to design a database for storing user information, and I know you will find many examples of user and permission tables.
Before you start designing your tables, look at this StackOverflow thread. To summarize that thread: when you want to use a Payara security realm, you need to design your permission table to have a relation to the user table, or use a join table between the user and permission tables. So, if you want a user to have only one permission, make sure the holder of the relation is the permission table. But since most users can have more than one permission, this leads you to a master-detail join table, for which my suggestion is to create a view.
Now you need initial data, and of course you don't want to store the password as plain text, right? At least use a hash; since the default hash algorithm on Payara is SHA-256, make sure the user password is stored after hashing with SHA-256. You could perform this with Java code like this.
For example, if the username and password are both admin, your query will look like this.
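The hashing step and the seed query together, as an added example that is not the article's original code. It assumes the realm settings used later in this article (Digest Algorithm SHA-256, Encoding Base64, Charset UTF-8) and the table/column names account, username and password; with those settings the JDBCRealm compares the submitted password against Base64(SHA-256(UTF-8 bytes)), so that is exactly what must be stored.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

/**
 * Builds the password value a Payara JDBCRealm configured with
 * Digest Algorithm SHA-256, Encoding Base64 and Charset UTF-8 expects
 * to find in the password column: Base64(SHA-256(UTF-8 bytes of password)).
 * This is a plain, unsalted digest because that is what the realm compares
 * against; it is not a password-stretching scheme such as PBKDF2 or bcrypt.
 */
public final class PayaraPasswordHash {

    public static String sha256Base64(String plainPassword) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(plainPassword.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            // SHA-256 is mandatory in every Java SE implementation, so this cannot happen
            throw new IllegalStateException(e);
        }
    }

    /**
     * One-off seed statement for the initial account. Table and column names
     * are the ones assumed for the realm properties in this article
     * (account / username / password). The digest is Base64, so it contains
     * no quote characters; the username is escaped by doubling single quotes.
     */
    public static String insertStatement(String username, String plainPassword) {
        String hashed = sha256Base64(plainPassword);
        return "INSERT INTO account (username, password) VALUES ('"
                + username.replace("'", "''") + "', '" + hashed + "');";
    }

    public static void main(String[] args) {
        String user = args.length > 0 ? args[0] : "admin";
        String pass = args.length > 1 ? args[1] : "admin";
        System.out.println(insertStatement(user, pass));
    }
}
```

Run it once to print the INSERT for the admin account, then execute that statement against the database the JNDI resource points at.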
Configure Payara Security Realm
To be able to use authorization and authentication you must configure a security realm, but before that make sure you have already created a JNDI resource for your database, since the realm needs to access it. Open the security realm menu under Configuration > Server-Config > Security > Realms and click the New button to create a new security realm. Make sure to choose JDBCRealm as the class name.
Below are example values for the properties, following the database above; leave any field not mentioned below empty, and finally don't forget to click the Save button.
- JAAS Context: jdbcRealm
- JNDI: jdbc/test
- User Table: account
- Username Column: username
- Password Column: password
- Group Table: v_account_role (yes, use the view table)
- Group Table Username Column: username
- Group Name Column: role_name
- Password Encryption Algorithm: AES (somehow this field not exist on Payara 172)
- Digest Algorithm: SHA-256
- Encoding: Base64
- Charset: UTF-8
With this, everything on the Payara side is configured; the next step is to configure your Java EE project.
Create JSF Login Page
In your Java EE project you need to configure it so that it uses the security realm from Payara. I will give an example of how to create a login page using JSF, so you need to configure JSF in your web.xml file.
Then create a simple login.xhtml JSF file that uses the old
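A login.xhtml of that kind, as an added example rather than the article's own file. It assumes the container-managed FORM login configured later in this article: the page must POST the fields j_username and j_password to j_security_check, and the container, not a JSF backing bean, processes the submission.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://xmlns.jcp.org/jsf/html">
<h:head>
    <title>Login</title>
</h:head>
<h:body>
    <!-- Container-managed form login: the action must be j_security_check and the
         field names must be j_username / j_password. A plain HTML form is used
         (not h:form) because the request never reaches the JSF lifecycle; the
         container authenticates it against the JDBCRealm and redirects to the
         originally requested page. The context path is prefixed so the action
         resolves correctly no matter which protected URL triggered the login. -->
    <form method="post" action="#{request.contextPath}/j_security_check">
        <label for="j_username">Username</label>
        <input type="text" id="j_username" name="j_username" autocomplete="username"/>
        <label for="j_password">Password</label>
        <input type="password" id="j_password" name="j_password" autocomplete="current-password"/>
        <input type="submit" value="Login"/>
    </form>
</h:body>
</html>
```

The matching login-error.xhtml referenced from web.xml can be a copy of this page with an error message added; it must not sit under a protected URL, or nobody could reach it.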
Security Configuration
Configure Security Role Mapping
Since you're using Payara, which is derived from Glassfish, you need to create glassfish-web.xml; some tutorials name it sun-web.xml, but I think glassfish-web.xml is the name for the newest version. For your information, this is what I meant when I said the JAAS configuration varies for each application server: you need to configure something like this, with small differences of course, on other application servers such as Wildfly, TomEE or Liberty. Inside this file will be the mapping for the user permissions.
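A WEB-INF/glassfish-web.xml for this setup, as an added example rather than the article's own file. The role names admin and user are assumed; the group names must be the values that appear in the role_name column of the v_account_role view configured in the realm.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN"
        "http://glassfish.org/dtds/glassfish-web-app_3_0-1.0.dtd">
<glassfish-web-app>
    <!-- Maps the logical role names used in web.xml (security-role and
         security-constraint) to the group names the JDBCRealm reads from
         the role_name column of the v_account_role view. Without a mapping
         for a role, users in that group are authenticated but get 403 on
         every URL constrained to it. -->
    <security-role-mapping>
        <role-name>admin</role-name>
        <group-name>admin</group-name>
    </security-role-mapping>
    <security-role-mapping>
        <role-name>user</role-name>
        <group-name>user</group-name>
    </security-role-mapping>
</glassfish-web-app>
```

Keeping role and group names identical, as above, makes the mapping trivial, but the indirection is what lets the same web.xml be deployed against a realm whose group names differ.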
Configure Login Method
Java EE by default provides 5 authentication mechanisms: Basic, Form, Digest, Mutual, and Client. Because this authentication is form based, you need to specify the Form authentication mechanism in
Configure Security Constraint
The last step is to specify which URIs need to be protected and which permissions may access them. You specify this in the web.xml file.
Seeing how non-portable the current JAAS API is, I am really excited about the new Security API, which promises to standardize the security API so that moving to another application server won't be painful anymore.
For the moment, I only know that Payara supports hashing to protect the password, but it would be great if you could use a stronger scheme such as PBKDF2 or Bcrypt; I couldn't find any decent tutorial using those for the password.
Actually, I am interested in Apache Shiro, which claims to be the easiest security framework, but sadly I still can't find any decent tutorial on implementing Apache Shiro in a Java EE project from scratch to the end. But I would recommend using it if you want to avoid JAAS in a Java EE project below version 7.