Defining groups and users in the GlassFish server

GlassFish allows you to define users for the application using the concept of realms. As we mentioned in the previous section, a security realm can be treated as a mechanism that allows us to define users and groups. GlassFish offers various credential realms, including FileRealm, JDBCRealm, JNDIRealm, LDAPRealm, and so on. In this example, we will use an existing FileRealm that comes with GlassFish by default. Here are the steps for adding users and groups to the FileRealm in GlassFish:

  1. Start the GlassFish server. If you are new to the GlassFish server, take a look at the tutorial at https://javaee.github.io/glassfish/doc/4.0/quick-start-guide.pdf.
  2. Log in to the Admin interface as the administrator.
  3. Navigate to Configurations | server-config | Security | Realms | File. In this example, we use a file to store the user information. In a real-life scenario, you may use LDAP or an RDBMS.
  4. Click on the Manage Users button at the top of the page.
  5. On the File Users page, click on New, add a user, and give it a password. Set the appropriate Group List value. In web.xml, we have configured Users as a group, so for this example specify the same name as the value for Group List.
  6. Click on OK to save the changes.

Now, you can deploy the secured RESTful web service application into the server. The client can use the username and password that we configured in this section for accessing the RESTful web APIs.

The basic authentication method described here has a fundamental security hole: it sends the credentials as clear text in every HTTP request. Therefore, we need a mechanism to ensure that the credentials cannot be captured while a transaction is in flight. The solution is to use the Secure Socket Layer (SSL) or Transport Layer Security (TLS) protocol.

SSL is the standard for securing data transfer over the internet. HTTP over SSL (HTTPS) is used to secure connections between the internet browser client and server. The HTTPS protocol uses certificates to ensure secure communications between the client and server. The latest version of the SSL standard is called TLS.

TLS/SSL is a well-understood web protocol, and because the RESTful web services we implemented in the previous chapters are nothing more than server components, all we need to do is configure GlassFish to use TLS/SSL. Once TLS/SSL has been configured properly, every request and response message between the clients and the server will be encrypted.

Just remember that once the TLS/SSL has been turned on, the requests will be HTTPS requests; this means that URIs take the form of https://<REST-RESOURCE-URI> (note the https prefix in the address).
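As an added example that is not part of the original text, the following web.xml ties the two halves of this section together: the Users group created in the file realm is referenced as a role, BASIC authentication is bound to the default realm (named file in GlassFish), and a CONFIDENTIAL transport guarantee stops the container from serving the protected resources over plain HTTP, so the Basic credentials never travel unencrypted. The URL pattern /webresources/* is an assumption; use the path your JAX-RS application is mapped to.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         version="3.1">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>REST resources</web-resource-name>
      <!-- Assumed JAX-RS application path; adjust to your deployment -->
      <url-pattern>/webresources/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Must match the Group List value given to the user in the file realm -->
      <role-name>Users</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- NONE (the default) would accept the Basic header over clear-text HTTP;
           CONFIDENTIAL requires TLS, so GlassFish sends callers to its
           HTTPS listener instead of serving the resource over plain HTTP -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <!-- "file" is the name of the default FileRealm in GlassFish -->
    <realm-name>file</realm-name>
  </login-config>

  <security-role>
    <role-name>Users</role-name>
  </security-role>
</web-app>
```

If your domain does not have default principal-to-role mapping enabled, map the role to the group explicitly in glassfish-web.xml with a security-role-mapping element; otherwise authenticated users in the Users group will still be refused with 403.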

For the sake of brevity, we have not covered how to configure TLS/SSL in this book. The GlassFish server administration guide covers this topic in Chapter 14, Administering Internet Connectivity. You can download the administration guide from https://javaee.github.io/glassfish/doc/4.0/administration-guide.pdf.

To learn how to set up the SSL configuration on the Jersey client, take a look at Section 5.9, Securing a Client in the Jersey 2.26 User Guide. The link to the documentation is https://jersey.github.io/documentation/latest/index.html.