Saturday 26 June 2010

GlassFish Security Review

GlassFish is Sun Microsystems open source application server. It is a competitor to Jboss AS and Apache Geronimo in the open source arena, and is my app server of choice.

Packt Publishing requested that I review one of their latest titles on the subject of GlassFish: GlassFish Security by Masoud Kalali, available to buy from Packt's web site.

I first took a look at GlassFish around 2007 whilst investigating EJB 3.0 and container managed persistence using JPA. Since then GlassFish has been my favourite platform for building web applications and web services, backed by EJB and JPA, sometimes taking advantage of GlassFish's load balancing and clustering features and excellent integration with other open source projects.

GlassFish Security has been a worth while read, adding to my awareness and knowledge of Java EE security best practices. I will definitely be applying the information presented in the book to current projects and future system design and development work.

GlassFish Security covers a very wide range of security topics, some of which will be applicable to web applications deployed on any JEE application server, whilst others are GlassFish and even host operating system specific.

The book doesn't just focus on programmatic security, making use of security APIs, annotations and XML configuration, but takes more of a complete systems view. OS and network security constraints, as well as enterprise wide system architecture considerations are explored.

The book is targeted at developers and system administrators, who have a sound footing working with JEE application servers, EJB development and have a working knowledge of Linux. To fully take advantage of this book you should know your way around the latest versions of GlassFish and probably NetBeans, have a Debian or Ubuntu install available, and have a keen interest in designing systems with security built in from the start.

The title of the book could quite easily have been GlassFish Security with OpenDS and OpenSSO, as they feature heavily in the later chapters. If your project has no need to interact with an LDAP server, or your organisation has no strategy for a single sign on solution or identity federation management, then these chapters may not be useful to you.

The book starts out from first principals with an overview of Java EE architecture and application modularisation and deployment. It's a slow start for an audience with experience of developing enterprise Java applications, but it establishes common terminology and is a good starting point to introduce fundamental security topics from.

The pace quickly picks up, security concepts such as authentication and authorisation, programmatic EJB security, XML configuration vs annotations, and roles, principals and groups are explained and demonstrated.

Covered next are the default security realms available to GlassFish and how to implementing custom realms and authentication methods.

A source code download for this and subsequent chapters is provided, although currently the source code for chapter two seems to be a duplicate of chapter three. Also, the book states that the build and deployment system used for the source is Maven, which it isn't. The source comes with standard NetBeans project files which use Ant for build and deployment.

Chapter three is probably the most useful for developers starting out with EJB development and web application security, and where the first real bit of programming starts. The chapter guides us through the end-to-end development and deployment of a JEE web application. The code uses a JPA persistence layer for accessing a MySQL database, a servlet containing some business logic and a simple JSP front end. Security constraints are are applied to the application, with authentication and authorisation done via interaction with a file security realm.

Some Linux administration knowledge is required for the next chapter concerned with locking down security on the host operating system and Java virtual machine. The examples given are intended for Debian based Linux distributions and consist of configuring user, file system, disk quota, network interface and port restrictions. JVM and GlassFish policy file configuration are explored, as well as a discussion on the advantages of enabling default auditing modules.

Naturally following on from the previous chapter, chapter five is concerned with configuring the GlassFish server itself, both from the command line and the admin interface. Restricting the IP addresses authorised to access network listeners and isolating applications using virtual servers are covered.

From chapter six onwards the book takes more of an architectural approach to security considerations.

This chapter describes to us the hierarchical nature of security data, and why it might not be best stored in a relational database, and instead in a directory service. OpenDS, an open source LDAP server is introduced, and its installation, administration, configuration and integration with our applications are explored.

Chapters seven, eight and nine, the remainder of the book, revolve around another open source project OpenSSO. OpenSSO is a single sign on solution which integrates seamlessly with GlassFish. Useful topics from chapter seven include using RESTful calls to the OpenSSO API to authenticate and authorise users.

Chapter eight introduces SSO Agents and filters configured in an applications web.xml to intercept calls and apply security measures. OpenSSO allows for very fine grained access controls which require no changes to application code and can be managed all from one place, very useful stuff that I'd like to take advantage of in future systems.

Finally, chapter nine builds on how to use OpenSSO in conjunction with a Web Services Agent to secure a simple SOAP web service deployed on GlassFish.

Overall this is a good book, covering a much wider range of security aspects than I expected. It gives you a great starting point on a breadth of topics but doesn't get to cover them in great depth.

As a developer I would have liked to see more advanced examples for chapters one to five, really getting to the nitty gritty of some real world examples. Maybe some advice on good practice when faced with tough design choices, how to avoid common pitfalls, security patterns and anti-patterns; the sort off stuff above and beyond what you might get from online GlassFish tutorials and Javadoc.

OpenSSO probably deserves a book in its own right, and although I have no immediate application for the information in the chapters that feature it, I'm glad I read them and now have a basic understanding to build on in the future. GlassFish Security benefits form these inclusions and they help it to be the comprehensive introduction to security that it is.

I was disappointed that source code printed in the book and available for download occasionally contained errors and wasn't supplied with Maven build scripts. These things slightly reduce the quality of an otherwise well written and well structured book.

I will definitely be implementing some of the information presented in this book in future Enterprise Java projects; I'll always consider the pros and cons of using a directory server before storing user credentials in relational tables; and GlassFish Security will be my first reference when considering system security design and implementation.

Downloads From Packt

Source

Here is some of the Packt example code repackaged as Maven projects.

Errata

Here are some errors I found in the printed code and xml configuration. Check the Packt support page for a complete listing.

  • Page 22 - missing closing XML tag </web-resource-name>.
  • Page 32 - missing double quotes and comma for @DeclareRoles annotation parameters.
  • Page 50 - missing single quotes around manager on second sql insert statement.
  • Page 85 - empty, unused method proccessRequest in Converter servlet.
  • Page 237 - stringEcho method annotation should be @WebMethod.