GlassFish Security

  • Secure your GlassFish installation and J2EE applications
  • Develop secure Java EE applications including Web, EJB, and Application Client modules
  • Secure web services using GlassFish and OpenSSO web service security features
  • Support SSL in GlassFish including Mutual Authentication and Certificate Realm with this practical guide

Book Details

Language : English
Paperback : 296 pages [ 235mm x 191mm ]
Release Date : May 2010
ISBN : 1847199380
ISBN 13 : 9781847199386
Author(s) : Masoud Kalali
Topics and Technologies : All Books, Networking and Servers, Security and Testing, Java, Open Source, Web Services

Table of Contents

  • Chapter 1: Java EE Security Model
    • Overview of Java EE architecture
    • Understanding a typical Java EE application
    • Accessing protected resource inside a Web module
      • Deployment descriptors
      • Understanding Java EE security terms
      • Defining constraints on resources
      • Authenticating and authorizing users
        • Adding authentication to a web application
        • Authorizing using deployment descriptor
      • Managing session information
      • Adding transport security
      • Using programmatic security in web applications
      • Using security annotations
    • Understanding the EJB modules
      • Securing EJB modules using annotations
      • Mapping roles to principals and groups
      • Accessing the security context programmatically
      • Using EJB interceptors for auditing and security purposes
      • Enforcing authentication in EJB modules
    • Understanding the application client module
    • Declaring security roles in Application level
    • Summary
  • Chapter 2: GlassFish Security Realms
    • Security realms
      • Authenticating using security realms
      • Reusing security assets
    • GlassFish security realms
      • Administrating security realms
      • Creating a file realm
      • Creating the JDBC realm
      • Using the LDAP realm to secure web applications
        • Downloading and installing OpenDS 2.2
        • Creating the LDAP realm
      • Creating the certificate realm
        • Public key cryptography
        • Digital signature
        • Key stores and trust stores
        • Managing certificates
      • Creating the Solaris realm
      • Developing custom realms
        • Developing the custom realm
        • Installing and configuring
    • Adding a custom authentication method to GlassFish
    • Summary
  • Chapter 3: Designing and Developing Secure Java EE Applications
    • Understanding the sample application
    • Analyzing sample application business logic
    • Implementing the Business and Persistence layers
      • Implementing the Persistence layer
    • Developing the Presentation layer
      • Implementing the Conversion GUI
        • Implementing the Converter servlet
        • Implementing the authentication frontend
        • Configuring deployment descriptors
        • Specifying the security realm
    • Deploying the application client module in the Application Client Container
      • Configuring Application Client Container security
    • Summary
  • Chapter 4: Securing GlassFish Environment
    • Securing a host operating system
      • Defining security at the OS level
        • Creating the installation directory
        • Creating the GlassFish user
        • Logging in as a GlassFish user
        • Restricting access to the filesystem
        • Restricting access to network interfaces
        • Restricting access to ports
        • Enforcing storage usage limitation
      • Implementing restrictions in the application server level
        • Securing the Java Runtime environment from unprivileged access
        • Implementing the policy manager
        • Securing the GlassFish using security manager
        • Alternative container policy providers
    • Estimating security risks: Auditing
      • Enabling the default auditing module
      • Developing custom auditing modules
    • Summary
  • Chapter 5: Securing GlassFish
    • Administrating GlassFish
      • Using CLI for administration tasks
        • Implementing security in CLI
    • Securing different network listeners
      • Securing HTTP listeners
      • Securing ORB listeners
      • Securing JMX listeners
    • Hosting multiple domains using one IP
    • Sharing security context between different applications using SSO
      • Enabling SSO in virtual server
    • Summary
  • Chapter 6: Introducing OpenDS: Open Source Directory Service
    • Storing hierarchical information: Directory services
      • Connecting directory services to software systems
    • Introducing OpenDS
      • Understanding OpenDS backend and services
    • Installing and administrating OpenDS
      • Installing OpenDS and DSML gateway
        • Understanding the system requirements
        • Downloading and installing OpenDS server
        • Studying the OpenDS directory structure
        • Installing and configuring the DSML gateway
    • Administrating and managing OpenDS
      • Importing and exporting data
        • Importing LDIF files
        • Exporting database content into LDIF file
      • Backing up and restoring data
        • Creating a backup of OpenDS data
        • Restoring server state using backups
      • Enabling JMX Connection Handler
    • Embedding OpenDS
      • Benefits of embedded mode capability of OpenDS
      • Preparing the environment
    • Replicating Directory Information Tree (DIT)
      • OpenDS replication mechanism
      • Setting up an Asynchronous replication infrastructure
    • Summary
  • Chapter 7: OpenSSO, the Single sign-on Solution
    • What is SSO
    • What is OpenSSO
      • OpenSSO functionalities
        • Controlling user access
        • Federation Management
        • Identity Web Services
        • OpenSSO architecture
        • OpenSSO realms
      • Installing OpenSSO in GlassFish
      • Configuring OpenSSO for authentication and authorization
    • Authentication chaining
      • Realm Authentication
      • User Authentication
    • Securing our applications using OpenSSO
      • Authenticating users by the RESTful interface
      • Authorizing using REST
      • SSO using REST
    • Summary
  • Chapter 8: Securing Java EE Applications using OpenSSO
    • Understanding Policy Agents
      • Specifying access privileges by defining policies
      • Protecting diverse types of containers using Policy Agents
      • Working of OpenSSO agents
        • Protecting different types of resources
      • Exploring outstanding features of Policy Agents
        • Managing Centralized Agent Configuration
        • Managing agents in groups
        • Applying agents configuration on-the-fly
        • Having more control over the installation process
    • Installing J2EE Agent 3.0 for GlassFish
      • Placing the sample application under OpenSSO protection
        • Changing sample application descriptor files
        • Configuring the agent to protect the sample application
        • Defining access rules
    • Summary
  • Chapter 9: Securing Web Services by OpenSSO
    • Java EE and Web Services security
      • Securing Web Services in a Web module
      • Web Services security in EJB modules
      • EJB-based Web Services authentication in GlassFish
    • Understanding Web Services security
      • Understanding SOAP message structure
    • Developing secure Web Services
    • Downloading and installing Web Services security agents
      • Creating a Web Service Client profile
      • Creating a Web Service Provider profile
    • Securing the Echo Web Service
      • Developing an Echo Service Consumer
      • Authenticating a service call using WSP
        • Configuring WSP for enforcing authentication
        • Configuring WSC to support authentication
    • Summary

Masoud Kalali

Masoud Kalali has been working on software development projects since 1998, which gives him a broad perspective on software development in general and on the changes in the software development landscape over the past decade and a half. Masoud has experience with a variety of technologies (.NET, J2EE, CORBA, and COM+) on diverse platforms (Solaris, Linux, and Windows). He has a master's degree in Information Systems and a bachelor's degree in Software Engineering. Masoud has authored a fair number of articles and other types of material, including several articles at and Dzone. He is the author of multiple refcardz published by Dzone, including but not limited to the Using XML in Java and Security and GlassFish v3 refcardz. Masoud is one of the founding members of the NetBeans Dream Team and a GlassFish community spotlighted developer. Masoud is the author of GlassFish Security, published in 2010, covering GlassFish v3 security and Java EE 6 security. Masoud's main areas of research and interest include service-oriented architecture and large-scale systems development and deployment. In his spare time he enjoys photography, mountaineering, and climbing. Masoud's Twitter handle is @MasoudKalali if you want to know what he is up to.

Errata


- 5 submitted: last submission 09 Aug 2012

Errata type: Graphics | Page number: 52 | Errata date: 02/02/2012

In the additional properties table, the entry for Digest Algorithm should be the word none instead of being empty.

Errata type: Code | Page number: 50 | Errata date:

insert into groups values('jack',manager);
should be
insert into groups values('jack','manager');


Errata type: Code | Page number: 237 | Errata date: 06/29/2010

Method(operationName = "stringEcho")
should be
Method(operationName = "@WebMethod")


Errata type: Typo | Page number: 22 | Errata date: 07/03/2010

Here is a example snippet to add encryption support for a set of resources:
should be
Here is an example snippet to add encryption support for a set of resources:


Errata type: Technical | Page number: 104 | Errata date: 13 July 10

Install GlassFish in/opt/app-server and revoke all access permissions to this directory from groups who we do not want to allow to access the resource.
should be
Install GlassFish in /opt/app-server and revoke all access permissions to this directory from groups who we do not want to allow to access the resource.



What you will learn from this book

  • Develop secure Java EE applications including Web, EJB, and Application client modules.
  • Reuse the security assets you already have by learning GlassFish security realms in great detail, along with a sample for each realm.
  • Secure GlassFish installation including operating system security and JVM policy configuration.
  • Secure Java EE applications using OpenSSO and set up Single Sign-On (SSO) between multiple applications.
  • Secure web services using Java EE built-in features, OpenSSO and WS-Security.
  • Secure network listeners and passwords using GlassFish provided facilities.
  • Learn to use OpenSSO services, SDKs, and agents to secure Java EE enterprise applications, including Web Services.
  • Learn to use OpenDS both as an administrator and as an LDAP solution developer.
  • All command lines and more than 90% of the book content apply to both GlassFish 3.x and 2.x.

In Detail

Security was, is, and will be one of the most important aspects of Enterprise Applications and one of the most challenging areas for architects, developers, and administrators. It is mandatory for Java EE application developers to secure their enterprise applications using GlassFish security features.

Learn to secure Java EE artifacts (like Servlets and EJB methods), configure and use GlassFish JAAS modules, and establish environment and network security using this practical guide filled with examples. One of the things you will love about this book is that it covers the advantages of protecting application servers and web service providers using OpenSSO.

The book starts by introducing Java EE security in Web, EJB, and Application Client modules. Then it introduces the Security Realms provided in GlassFish, which developers and administrators can use to complete the authentication and authorization setup. In the next step, we develop a completely secure Java EE application with Web, EJB, and Application Client modules.

The next part includes a detailed and practical guide to setting up, configuring, and extending GlassFish security. This part covers everything an administrator needs to know about GlassFish security, starting from installation and operating environment security, listeners and password security, through policy enforcement, to auditing and developing new auditing modules.

Before starting the third major part of the book, we have a chapter on OpenDS discussing how to install and administrate OpenDS. The chapter covers importing and exporting data, setting up replication, backup and recovery, and finally developing LDAP-based solutions using OpenDS and Java.

Finally, the third part starts by introducing OpenSSO and continues by guiding you through OpenSSO features, installation, and configuration, and how you can use it to secure Java EE applications in general and web services in particular. Identity Federation and SSO are discussed in the last chapter of the book, along with a working sample.

Inspired by real development cases, this practical guide shows you how to secure a GlassFish installation and how to develop applications with secure authentication based on GlassFish, Java EE, and OpenSSO capabilities.

Security is driven by requirements and design, and we implement security on the basis of the requirements provided by analysts. In this book, we take a programmatic approach to understanding Java EE and GlassFish security.

You will find plenty of code samples in this book. It is easy to secure your application when you have a demonstration of a complete and working application explained in the book, isn't it? Each chapter starts with the importance and relevance of its topic by introducing a Java EE application requirement, which will encourage you to read further.

Who this book is for

This book is for application designers, developers, and administrators who work with GlassFish and are keen to understand Java EE and GlassFish security.

To take full advantage of this book, you need to be familiar with Java EE and GlassFish application servers. You will love this book if you are looking for a book that covers Java EE security and using GlassFish features to create secure Java EE applications, or securing the GlassFish installation and operating environment and using OpenSSO.
