Security is an orthogonal concern for an application and we should assess it right from the start by reviewing the analysis we receive from business and functional analysts. Assessing the security requirements results in understanding the functionalities we need to include in our architecture to deliver a secure application covering the necessary requirements.
Security needs can span a wide range of requirements, from simple authentication to several sub-systems. These sub-systems include an identity and access management system and transport security, which can include encrypting data as well.
In this article series, we will develop a secure Java EE application based on Java EE and GlassFish capabilities. In the course of this article, we will cover the following topics:
- Analyzing Java EE application security requirements
- Including security requirements in Java EE application design
- Developing secure Business layer using EJBs
- Developing secure Presentation layer using JSP and Servlets
- Configuring deployment descriptors of Java EE applications
- Specifying security realm for enterprise applications
- Developing secure application client module
- Configuring Application Client Container
Developing Secure Java EE Applications in GlassFish is the second part of this article series.
Understanding the sample application
The sample application that we are going to develop converts different length measurement units into each other. Our application converts meter to centimeter, millimeter, and inch. The application also stores usage statistics for later use cases.
Guest users who prefer not to log in can only use the meter to centimeter conversion. Any company employee can use the meter to centimeter and meter to millimeter conversions. Any of the company's managers can access the meter to inch conversion in addition to the two other conversion functionalities. We should show a custom login page to comply with the site-wide look and feel.
No encryption is required for communication between clients and our application, but we need to make sure that no one can intercept and steal the usernames and passwords provided by members. All members' identification information is stored in the company-wide directory server.
The following diagram shows the high-level functionality of the sample application:
We have a login action and three conversion actions. Users can access some of them after logging in, and some of them can be accessed without logging in.
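The access rules described above for guests, employees, and managers can be expressed with the standard Java EE security annotations on a stateless session bean. This is an added sketch, not code from the article series; the bean name, method names, and the role names `employee` and `manager` are assumptions.

```java
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

// Hypothetical bean, method and role names. The access rules themselves
// come from the requirements stated above.
@Stateless
@DeclareRoles({"employee", "manager"})
public class ConversionBean {

    // Guests who have not logged in may use this conversion,
    // so no role is required.
    @PermitAll
    public double meterToCentimeter(double meters) {
        return meters * 100.0;
    }

    // Java EE roles are flat: "manager" does not imply "employee".
    // Both roles are listed, otherwise a manager who is not also
    // mapped to "employee" would be refused here.
    @RolesAllowed({"employee", "manager"})
    public double meterToMillimeter(double meters) {
        return meters * 1000.0;
    }

    // Managers only. The container rejects any other caller with
    // javax.ejb.EJBAccessException before the method body runs.
    @RolesAllowed("manager")
    public double meterToInch(double meters) {
        return meters / 0.0254; // 1 inch = 0.0254 m
    }
}
```

How these role names map to groups in the directory server is a deployment-time setting and is not shown here.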