GlassFish allows you to define users for the application using the concept of realms. As we mentioned in the previous section, a security realm can be treated as a mechanism that allows us to define users and groups. GlassFish offers various credential realms, including FileRealm, JDBCRealm, JNDIRealm, LDAPRealm, and so on. In this example, we will use an existing FileRealm that comes with GlassFish by default. Here are the steps for adding users and groups to the FileRealm in GlassFish:
- Start the GlassFish server. If you are new to the GlassFish server, take a look at the tutorial at https://javaee.github.io/glassfish/doc/4.0/quick-start-guide.pdf.
- Log in to the Admin Console as the administrator.
- Navigate to Configurations | server-config | Security | Realms | File. In this example, we use a file to store the user information. In a real-life scenario, you may use LDAP or an RDBMS instead.
- Click on the Manage User button at the top of the page.
- On the File Users page, click on New, add a user, and enter a password. Set the appropriate Group List value. In web.xml, we configured Users as the group name, so enter that same name in Group List for this example.
- Click on OK to save the changes.
Now, you can deploy the secured RESTful web service application into the server. The client can use the username and password that we configured in this section for accessing the RESTful web APIs.
The basic authentication method described here has a fundamental security hole: it sends the credentials in clear text (only Base64-encoded, not encrypted) in every HTTP request, so anyone able to observe the traffic can capture them. Therefore, we need a mechanism to ensure that the credentials cannot be read or tampered with in transit. The solution is to use the Secure Socket Layer (SSL) or Transport Layer Security (TLS) protocol.
TLS/SSL is a well-understood web protocol, and because the RESTful web services we implemented in the previous chapters are nothing more than server components, all we need to do is configure GlassFish to use TLS/SSL. Once it has been configured properly, every request and response message between the clients and the server will be encrypted.
Just remember that once TLS/SSL has been turned on, the requests are HTTPS requests; this means that the URIs take the form https://<REST-RESOURCE-URI> (note the https prefix in the address).
To learn how to set up the SSL configuration on the Jersey client, take a look at Section 5.9, Securing a Client in the Jersey 2.26 User Guide. The link to the documentation is https://jersey.github.io/documentation/latest/index.html.
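The following is an added example, not code from the book or from the Jersey User Guide, of a Jersey 2 client that pairs the Basic credentials configured above with TLS. The truststore path and password, the resource URI, and GlassFish's default HTTPS listener port 8181 are assumptions; replace them with the values for your deployment. The client refuses to attach the Basic credentials to any URI that is not https, which guards against the clear-text problem described above.

```java
import java.net.URI;
import javax.net.ssl.SSLContext;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.glassfish.jersey.SslConfigurator;
import org.glassfish.jersey.client.authentication.HttpAuthenticationFeature;

/**
 * Added example: a Jersey 2 client that sends HTTP Basic credentials to the
 * secured RESTful service only over HTTPS, validating the server certificate
 * against a client truststore.
 */
public class SecureRestClient {

    // Assumed values: a truststore holding the GlassFish server certificate,
    // and the resource URI on GlassFish's default HTTPS listener (port 8181).
    private static final String TRUST_STORE_FILE = "/path/to/client-truststore.jks";
    private static final String TRUST_STORE_PASSWORD = "changeit";
    private static final URI RESOURCE_URI =
            URI.create("https://localhost:8181/rest/api/resource");

    /** Builds a client that trusts only the certificates in our truststore. */
    static Client buildClient(String user, String password) {
        SSLContext sslContext = SslConfigurator.newInstance()
                .trustStoreFile(TRUST_STORE_FILE)
                .trustStorePassword(TRUST_STORE_PASSWORD)
                .createSSLContext();

        Client client = ClientBuilder.newBuilder()
                .sslContext(sslContext)   // server certificate is checked against the truststore
                .build();

        // Adds the Authorization: Basic header to every request made by this client.
        client.register(HttpAuthenticationFeature.basic(user, password));
        return client;
    }

    /** Refuses to send the Basic credentials unless the target URI uses HTTPS. */
    static Response callSecured(Client client, URI uri) {
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException(
                    "Refusing to send Basic credentials over plain HTTP: " + uri);
        }
        return client.target(uri)
                .request(MediaType.APPLICATION_JSON)
                .get();
    }

    public static void main(String[] args) {
        // The user and password are the ones created in the FileRealm above.
        Client client = buildClient("user", "password");
        try {
            Response response = callSecured(client, RESOURCE_URI);
            System.out.println("HTTP status: " + response.getStatus());
            System.out.println(response.readEntity(String.class));
            response.close();
        } finally {
            client.close();
        }
    }
}
```

On the server side, the same guarantee can be enforced by adding a `<user-data-constraint>` with `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` to the `<security-constraint>` in web.xml, so that GlassFish does not accept the protected resource's requests, and therefore the credentials, over the plain HTTP listener.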