Chapter 6. Securing web applications


This chapter covers

  • Configuring web security
  • Web authentication
  • Web authorization
  • Encrypted web communication

While working on different projects, we’ve seen project teams spend a lot of time writing custom authentication and authorization code. But this code functions in much the same way as the security model defined by the Java EE specification. In many cases, you don’t have to write custom security code for every new web application you write; the standard web security features of Java EE can eliminate the need to write security code altogether, allowing you to add security to your application entirely through configuration.

In chapter 4, we talked about the fundamentals of JBoss security and showed you how to configure security domains and login modules. In chapter 5, we talked about the basics of web applications and how to package, deploy, and configure them. In this chapter, we bring these two concepts together, and you’ll learn how to configure web security.

First, we explore the configuration files necessary to enable security; then we talk about how to enable authentication and authorization for URLs relative to your application’s context path. We also look at how to enable secure communication for server authentication, mutual authentication, and client-certificate authentication.

6.1. Configuring web security

6.2. Authenticating users

6.3. Authorizing users

6.4. Encrypting web communication

6.5. Enabling client-certificate authentication

6.6. Changing the default security domain

6.7. Summary

6.8. References
