Protecting access to folders in web applications

To protect any resources in a web folder, you need to declare security constraints in web.xml. In the security constraints, you can declare URLs that are to be protected, and which roles can access the protected URLs. Open web.xml in the CourseManagementMavenWebApp project and add the following declarations within the <web-app> tag:

<security-constraint>
  <display-name>Admin resources</display-name>
  <web-resource-collection>
    <web-resource-name>admins</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <!--
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
  -->
</security-constraint>
<security-role>
  <description>Admins</description>
  <role-name>admin</role-name>
</security-role>

Here, we are declaring all resources whose URL matches the /admin/* pattern to be protected, and also that only users in the admin role can access these resources. We are also declaring the admin role using the <security-role> tag. If you want the URL resources to be accessed only over SSL (using HTTPS), then set <transport-guarantee> to CONFIDENTIAL. However, you will need to obtain (buy) an SSL certificate from a certificate authority, such as Verisign, and install it on the server.

Each server has a different process for installing certificates, and we will not discuss how to install an SSL certificate in this book. Therefore, the <user-data-constraint> configuration is commented out in the preceding code.
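As an added example (not code from the book's project), the following Python script parses a web.xml security constraint like the one above and applies the servlet URL-pattern matching rules to show which request paths it actually covers and which role it demands; the web.xml text and the sample paths are constructed for the example.

```python
import xml.etree.ElementTree as ET
# Constructed web.xml fragment with the constraint declared above; the
# <user-data-constraint> is still commented out, exactly as in the text.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <!-- <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint> -->
  </security-constraint>
</web-app>"""
NS = {'j': 'http://xmlns.jcp.org/xml/ns/javaee'}

def load_constraints(xml_text):
    """One (url_patterns, roles, transport_guarantee) tuple per <security-constraint>.
    roles is 'anyone' if <auth-constraint> is absent, an empty set if it is empty."""
    result = []
    for sc in ET.fromstring(xml_text).findall('j:security-constraint', NS):
        patterns = [p.text.strip() for p in
                    sc.findall('j:web-resource-collection/j:url-pattern', NS)]
        auth = sc.find('j:auth-constraint', NS)
        roles = 'anyone' if auth is None else {r.text.strip() for r in auth.findall('j:role-name', NS)}
        tg = sc.find('j:user-data-constraint/j:transport-guarantee', NS)
        result.append((patterns, roles, 'NONE' if tg is None else tg.text.strip()))
    return result

def match_rank(pattern, path):
    """Servlet-spec URL matching: exact > longest path prefix > extension > default.
    Returns a sortable rank, or None when the pattern does not apply to path."""
    if pattern == path:
        return (3, 0)
    if pattern.endswith('/*'):
        prefix = pattern[:-2]  # '/admin/*' covers '/admin' and '/admin/...'
        if path == prefix or path.startswith(prefix + '/'):
            return (2, len(prefix))  # ...but not '/adminx' or '/Admin'
    if pattern.startswith('*.') and path.endswith(pattern[1:]):
        return (1, 0)
    if pattern == '/':
        return (0, 0)
    return None

def required_roles(constraints, path):
    """Roles the best-matching constraint demands for path; None if unconstrained."""
    best = None
    for patterns, roles, _tg in constraints:
        for p in patterns:
            rank = match_rank(p, path)
            if rank is not None and (best is None or rank > best[0]):
                best = (rank, roles)
    return None if best is None else best[1]
```

Because the XML comment is dropped by the parser, the transport guarantee comes back as NONE, which is exactly what the container sees while that block stays commented out.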

At this point, let's see how the application works. Before deploying the application in GlassFish, let's create a protected resource. Since we have protected all resources under the /admin/* URL pattern, create a folder named admin in the src/main/webapp folder. Inside this folder, create admin.jsp with the following content:

<!DOCTYPE HTML>
<html>
  <head>
    <title>Course Management Admin</title>
  </head>
  <body>
    Welcome to Course Management Admin<br>
  </body>
</html>

Refer to the Configuring GlassFish server in Eclipse section in Chapter 7, Creating JEE Applications with EJB, for information on adding the GlassFish 5 Server to your Eclipse workspace.

We need to build two applications: CourseManagementMavenWebApp and CourseManagementMavenEAR. The EAR project is just a container project; the real content is served from CourseManagementMavenWebApp. So, we need to build both projects. Right-click on CourseManagementMavenWebApp in Eclipse Project Explorer, and select Run As | Maven Install. Do the same for the CourseManagementMavenEAR project. Then, deploy CourseManagementMavenEAR-1.ear from the target folder in GlassFish 5.

To deploy the application in GlassFish 5, browse to http://localhost:4848 and configure the datasource, as described in the Configuring Datasource in GlassFish section in Chapter 7, Creating JEE Applications with EJB. Then, click on the Application node and deploy CourseManagementMavenEAR-1.ear.

Once the application is deployed, browse to http://localhost:8080/CourseManagementMavenWebApp/course.xhtml and make sure the page can be accessed without any authentication required, because this is an unprotected resource/page. Now, try to browse to http://localhost:8080/CourseManagementMavenWebApp/admin/admin.jsp. Since we have marked the /admin/* URL pattern as a protected resource, the browser pops up this authentication dialog box:

Figure 14.2: Browser authentication dialog box

We have not configured our application to authenticate the user. So, authentication will fail in the preceding dialog box, no matter what you enter as the username and password. Let’s fix this by configuring the database to authenticate users in GlassFish.
