Chapter 5. Securing Web Applications

Securing web applications can be viewed differently, depending on the role of the person. This chapter helps the administrator to gain an understanding of the security components in which a team of developers may be most interested. It then describes the aspects of securing web applications that will have an effect on or that will be influenced by external components in the enterprise infrastructure. The chapter describes the following:

  • How to secure a WebSphere web application
  • The function of groups in securing an application
  • The function of roles in securing an application
  • The use of deployment descriptors in securing applications
  • The type of information that deployment descriptors provide at application deployment time and that plays a role in security
  • A procedure to build, package, and deploy a secure application made of multiple modules

Securing web applications concepts

J2EE applications can be made up of dynamic/Java web applications and EJB applications. Dynamic web applications may consist of a combination of components such as dynamic Java components (Servlets, JSPs, and so on) as well as static components (for example, HTML, CSS, and JPEG images). Therefore, WebSphere offers the capability to customize access to both types of applications: dynamic/Java web applications and EJB applications. This chapter explores securing Java web applications, whereas the following chapter covers securing EJB applications. In the next couple of sub-sections you will learn of two different views of web application security.

Developer view of web application security

In most cases, development teams with a J2EE background outside of a WebSphere environment tend to see the security of their applications from a purely programmatic point of view. Skilled developers use the methods provided by the J2EE security API.

Through such an API, an application can gather information about the user making the request. For instance, the API provides methods to obtain the user ID of the requester, or to query the request object to find out whether the user holds a particular role, to mention a couple of methods. Knowing the role of a user is useful for making decisions such as displaying or hiding objects on the resulting web page.

This book will not cover the API, as it is a topic that falls within the development realm. For our purposes, we will just mention one of the methods of the javax.servlet.http.HttpServletRequest object: getRemoteUser(), which returns the user ID value as a String object. This method will be used in this chapter's mini-project.

Administrator view of web application security

The other view of web application security is based on making declarations about J2EE components and the attributes that define how and by whom a particular component may be made available. The places where these declarations are made are called deployment descriptors. For instance, as we saw in Chapter 3, WebSphere, through a user registry, is able to offer user information about the group or groups a user belongs to. In addition, applications include declarations about the types or classes of users that can have access (rights) to the application. These types or classes are denoted as roles. Therefore, by creating relationships from groups to roles, an application can be made available only to the users that hold a certain role. The group-role mapping creates a relationship between users and roles, and therefore determines which users can access a given application.
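The two views meet in the servlet code. The following servlet is an added example, not code from the book or its mini-project; it uses getRemoteUser() and isUserInRole() from the J2EE API described above, and the servlet name and the "manager" role are assumptions (the role would have to be declared as a security-role in web.xml and mapped to a registry group at deployment time).

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet showing the programmatic (developer) view: the code
// only asks the container who the user is and which roles apply; the
// answer comes from the deployment descriptor and the group-role mapping.
public class AccountServlet extends HttpServlet {

    // Assumed role name; it must match a <security-role> in web.xml, which
    // the administrator maps to user registry groups when deploying.
    private static final String ROLE_MANAGER = "manager";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getRemoteUser() returns null when the container has not
        // authenticated the caller (for example, the URL is not covered by a
        // <security-constraint>), so never assume a value is present.
        String userId = request.getRemoteUser();
        if (userId == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<p>Signed in as " + escape(userId) + "</p>");

        // isUserInRole() is true when one of the caller's groups is mapped to
        // the role. Hiding the link only tailors the page; the "reports" URL
        // itself still needs its own <security-constraint> to be protected.
        if (request.isUserInRole(ROLE_MANAGER)) {
            out.println("<a href=\"reports\">Team reports</a>");
        }
    }

    // Minimal HTML escaping so a user ID from the registry cannot inject markup.
    private static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```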
