Building Secure Enterprise Beans in Java EE 5
Support for the Java EE 5 specification in NetBeans IDE enables
you to take full advantage of the many Java EE 5 features that simplify application development.
A significant development in the Java EE 5 specification was the incorporation of annotations.
Using annotations enables you to eliminate a lot of the boilerplate code used when coding applications
and minimizes the amount of configuration needed when deploying your application.
One area that has become greatly simplified through the use of annotations
is the development and configuration of enterprise beans.
Annotations enable you to specify many configuration properties that were previously specified
in deployment descriptor files, making many of the deployment descriptor files unnecessary.
Though applications may still require some deployment descriptor files (such as web.xml),
the IDE's multi-view deployment descriptor editor makes editing the files much easier.
Using annotations, building secure enterprise beans is now much easier.
Instead of configuring enterprise bean security in the ejb-jar.xml deployment descriptor
you can use security annotations to configure authorization directly in the source code.
Java EE 5 enterprise applications do not require ejb-jar.xml or application.xml.
For an overview of some of the features of the Java EE 5 specification, see Introduction to Java EE 5 Technology.
For more information about annotation specifications, see
JSR 250: Common Annotations for the Java Platform.
This document uses the NetBeans IDE 6.5 Release.
The steps outlined in this document can also be applied if you are using the 6.0 or 6.1 version of the IDE,
but there are some options available in NetBeans IDE 6.5 that are not available in earlier releases.
Expected duration: 30 minutes
To follow this tutorial, you need the following software and resources.
For this tutorial you need to register a local instance of GlassFish/Sun Java System Application Server with the IDE.
If you have installed the "Java" version of the IDE,
the application server should already be installed and registered.
If the application server is not registered in the IDE, choose
Tools > Servers to register the server in the Servers manager.
You cannot deploy enterprise applications to the Tomcat web server.
Prerequisites
This document assumes you have some basic knowledge of, or programming experience with, the following technologies:
- Java Programming
- NetBeans IDE
Creating a Security Group on the Application Server
In this example, you only want users from the group bank_users to access the enterprise
bean. You will create the user manager in the group bank_users in the file
security realm on the application server.
- Start the application server by right-clicking its node in the Services
window and choosing Start.
- Right-click the application server node and choose View Admin Console.
Log into the admin console and select Configuration > Security > Realms
> file in the left navigation bar.
- Click the Manage Users button in the center frame of the admin console.
Under Current Users, click the New button.
- Type manager for the User ID, password for the Password,
and bank_users for the Group List. Click OK.
Creating the Enterprise Application
The enterprise application will consist of a simple session bean and an application client
that attempts to access it.
Creating the Enterprise Application Project
- Choose File > New Project (Ctrl-Shift-N) and select the Enterprise
Application template from the Java EE category. Click Next.
- Type Secure for the Project Name and set the Project Location.
- Deselect the Use Dedicated Folder option, if selected.
(This option is not available if you are using NetBeans IDE 6.0.)
For this tutorial there is little reason to copy project libraries to a dedicated folder because
you will not need to share libraries with other users or projects.
Click Next.
- Set the server to GlassFish and set the Java EE Version to Java EE 5.
- Select Create EJB Module and Create Application Client Module and
deselect Create Web Module. Click Finish.
Securing a Method in a Session Bean
The session bean does not do anything fancy. It just returns a sample balance amount.
You will create a getStatus method and secure it by annotating it with the @RolesAllowed
annotation and specifying the security roles allowed to access the method.
This security role is used by the application and is not the same as the users and groups on the server.
You will map the security role to the users and groups later, when you configure the deployment descriptors.
Security annotations can be applied
individually to each method in a class, or to an entire class.
In this simple exercise you will use the @RolesAllowed annotation to annotate a method, but the Java EE 5 specification
defines other security annotations that can be used in enterprise beans.
- In the Projects window, right-click the EJB module's node (Secure-ejb)
and choose New > Session Bean.
- Type AccountStatus for the bean name, bean for the package,
and set the bean to have a remote interface. Click Finish.
When you click Finish, the IDE creates AccountStatusBean and opens the file in the
source editor. The IDE also creates the AccountStatusRemote remote interface for the bean.
- In the source editor, add the following field declaration (in bold) to AccountStatusBean:
public class AccountStatusBean implements AccountStatusRemote {
private String amount = "250";
- In the source editor, right-click in the class and choose Insert Code (Alt-Insert) and then select Add Business Method
to open the Add Business Method dialog box.
In NetBeans IDE 6.0 and 6.1, right-click in the class and choose EJB Methods > Add Business Method to open the dialog box.
- Type getStatus for the method name and set the return type to String.
The IDE automatically exposes the business method in the remote interface.
- In the source editor, add the following line in bold to the getStatus method.
public String getStatus() {
return "The account contains $" + amount;
}
- Type the following (in bold) to annotate the getStatus method.
@RolesAllowed({"USERS"})
public String getStatus() {
This annotation means that only users in the security role USERS can access the getStatus method.
- Fix the import statements and save your changes.
Make sure that javax.annotation.security.RolesAllowed is added to the file.
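The bean the tutorial builds above has a single method guarded by @RolesAllowed. The following is an added example, not the tutorial's own code, that extends that bean to show the other JSR 250 security annotations side by side: a class-level @RolesAllowed default, a method-level @PermitAll that relaxes it, a method-level @RolesAllowed that tightens it, @DenyAll, @DeclareRoles, and a programmatic check through the injected SessionContext. The ADMINS role and the getBankName, closeAccount and debugDump methods are hypothetical additions for illustration; only USERS and getStatus come from the tutorial.

```java
package bean;

import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Remote business interface. In the tutorial the IDE generates this in its own file;
// it is placed here only so the example compiles as a single unit.
@Remote
interface AccountStatusRemote {
    String getStatus();
    String getBankName();     // hypothetical
    String closeAccount();    // hypothetical
    String debugDump();       // hypothetical
}

@Stateless
// Declares every role name this bean refers to. ADMINS is a hypothetical second role;
// like USERS it must be mapped to a server group in sun-application.xml before it grants anything.
@DeclareRoles({"USERS", "ADMINS"})
// Class-level default: every business method requires the caller to be in USERS
// unless a method carries its own security annotation.
@RolesAllowed({"USERS"})
public class AccountStatusBean implements AccountStatusRemote {

    private String amount = "250";

    // Injected by the container; gives access to the caller's identity for programmatic checks.
    @Resource
    private SessionContext ctx;

    // No annotation here, so the class-level @RolesAllowed({"USERS"}) applies.
    public String getStatus() {
        return "The account contains $" + amount;
    }

    // Method-level annotation overrides the class default: the container applies no role check.
    @PermitAll
    public String getBankName() {
        return "Example Bank";
    }

    // Tightens the class default: only ADMINS may call this. The programmatic call to
    // getCallerPrincipal() records who performed the sensitive operation.
    @RolesAllowed({"ADMINS"})
    public String closeAccount() {
        Principal caller = ctx.getCallerPrincipal();
        System.out.println("closeAccount invoked by " + caller.getName());
        amount = "0";
        return "Account closed by " + caller.getName();
    }

    // No role may invoke this through the container; a call from any client fails
    // with javax.ejb.EJBAccessException. Useful for disabling a method without deleting it.
    @DenyAll
    public String debugDump() {
        return "amount=" + amount + ", caller=" + ctx.getCallerPrincipal().getName();
    }
}
```

The precedence rule shown here is the one the EJB 3.0 specification defines: a method-level security annotation always wins over the class-level one, and a method with no annotation inherits the class default. Because of that, the class-level @RolesAllowed is the safer starting point, since any method you add later is protected unless you explicitly open it with @PermitAll.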
Accessing the Session Bean with an Application Client
The application client only needs a simple method that will access the session bean.
You will call the enterprise bean by using the @EJB annotation.
- In the Projects window, expand
Secure-app-client > Source Packages > secure and double-click Main.java to open the file in the source editor.
- In the source editor, right-click in the class and choose Insert Code (Alt-Insert) and then select Call Enterprise Bean.
In NetBeans IDE 6.0 and 6.1, right-click in the class and choose Enterprise Resources > Call Enterprise Bean.
- In the Call Enterprise Bean dialog box, expand the Secure-ejb node and select AccountStatusBean.
Click OK.
The IDE adds the following to the application client to look up the session bean.
@EJB
private static AccountStatusRemote accountStatusBean;
- Modify the main method to add the following code and save your changes.
public static void main(String[] args) {
    System.out.println(accountStatusBean.getStatus());
}
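The main method above assumes the call succeeds. When the authenticated user is not in a role allowed on getStatus, the EJB 3.0 container rejects the call with javax.ejb.EJBAccessException, which the client must be prepared for. The following is an added example, not the tutorial's own code, of the application client with that failure mode handled and reported through the process exit code, so the same client can be used to verify that a user outside bank_users is in fact denied. The run() helper is a hypothetical name introduced here.

```java
package secure;

import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import bean.AccountStatusRemote;

public class Main {

    // Injected by the application client container after the user has logged in.
    @EJB
    private static AccountStatusRemote accountStatusBean;

    public static void main(String[] args) {
        // Exit 0 when the secured call succeeds, 1 when the caller was denied,
        // so a deployment check can script both the positive and the negative case.
        System.exit(run() ? 0 : 1);
    }

    // Hypothetical helper: performs the secured call and translates the outcome.
    static boolean run() {
        try {
            System.out.println(accountStatusBean.getStatus());
            return true;
        } catch (EJBAccessException e) {
            // The user authenticated, but is not in a role listed in @RolesAllowed on getStatus.
            System.err.println("Access denied: the logged-in user is not in the USERS role ("
                    + e.getMessage() + ")");
            return false;
        }
    }
}
```

Note that EJBAccessException is thrown only after a successful login; a wrong password is rejected earlier by the application client container's login dialog and never reaches this code.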
Configuring the Deployment Descriptors
In Java EE 5, enterprise applications usually do not require deployment descriptor files such as ejb-jar.xml.
If you expand the Configuration Files node under Secure-ejb or the Secure enterprise application,
you can see that there are no deployment descriptors.
You can use annotations to specify many of the properties that were configured in ejb-jar.xml.
In this example you specified the security roles for the EJB methods by
using the @RolesAllowed annotation in the session bean.
However, when configuring security for an application you still have to specify some properties
in the deployment descriptors.
In this example you need to map the security roles used in the enterprise application (USERS)
to the users and groups you configured on the application server.
You created the group bank_users on the application server, and you now need to map this group to
the security role USERS in the enterprise application.
To do this you will edit the sun-application.xml deployment descriptor for the enterprise application.
Because the enterprise application does not need deployment descriptors to run,
the IDE did not create the deployment descriptors by default. So you first need to create
the deployment descriptor and then configure it.
- Choose File > New File from the main menu to open the New File wizard.
Alternatively, you can open the New File wizard by right-clicking the Secure enterprise application project in the Projects window and choosing New > Other from the pop-up menu.
- In the Categories pane of the New File wizard, select GlassFish and then the GlassFish Deployment Descriptor file type. Click Next
and then click Finish in the next panel.
When you click Finish, the IDE creates sun-application.xml and opens the file in the
multi-view deployment descriptor editor. You will use the security tab of the multi-view editor
to configure the security role mappings.
- In the Security tab, click Add Security Role Mapping and type USERS for the Security Role Name.
- Click Add Group, type bank_users for the Group Name and click OK.
- Save your changes.
You can click the XML tab in the multi-view editor to view the deployment descriptor file in XML view.
You can see that the deployment descriptor file now contains the following:
<sun-application>
    <security-role-mapping>
        <role-name>USERS</role-name>
        <group-name>bank_users</group-name>
    </security-role-mapping>
</sun-application>
Running the Application
The application is now ready. When you run the project you will be prompted for a username and password for a user
in the bank_users group.
- Right-click the Secure project node and choose Run project. The IDE builds
the EAR file, starts the application server (if it's not running) and deploys the EAR file to the application
server. A dialog box appears prompting you for a username and password.

- Enter the user name (manager) and password (password)
in the dialog box and click OK. The following will appear in the Output window:
The account contains $250
This very basic example demonstrates how to secure a method in an enterprise bean using Java annotations.
See Also
For more information about using annotations to secure enterprise beans, see the following resources:
For more information about using NetBeans IDE to develop Java EE applications, see the following resources:
To send comments and suggestions, get support, and keep informed on the latest developments on the
NetBeans IDE Java EE development features, join the nbj2ee mailing list.