Information is very valuable these days and access to it should be limited. That is why application security is an important and integral part of many applications. In this post, I will show you how to get a secure web application up and running with minimal configuration overhead.
How, you ask? Payara Micro runs Java EE 7 applications on an embedded Payara Server, and Java EE offers security mechanisms out of the box. When you combine the two, you don't have to worry about server installation and you don't need to come up with your own security implementation or use additional tools.
Step 1 – Configure Java EE web security
Assuming you have a web application, you need to define the security roles and the security constraints of the application in the web.xml file.
In my example application, there are two paths under the application root context, “authenticated” and “vip”. We will restrict access to the pages under the path “authenticated” to users with the roles AUTHENTICATED_USERS and VIP_USERS, and access to the pages under the path “vip” to users with the VIP_USERS role only.
In addition, you also configure the authentication method and the realm name in the web.xml file.
Since I will use a JDBC realm for authentication in my application, we need to create three database tables: one stores the users with their passwords, the second stores the security roles and the third stores the assignments of users to roles.
My SQL script to set up the database tables looks like this:
Once the tables have been created, the roles configured in the application should be saved to the database and, to test the application later, a couple of users should be created and assigned to the roles.
Step 3 – Configure the JDBC realm
On Payara Micro you don't have access to an admin console, which is why you need to add the configuration of the security realm, the JDBC connection pool and the JDBC resource to a domain.xml file manually.
You can just take the domain.xml that comes with Payara Micro and add the highlighted lines with the data according to your database configuration.
If you would rather not write these lines by hand, and risk errors that could later be difficult to troubleshoot, you can start an instance of a full Payara Server and create the configuration there. Afterwards, open the domain.xml of the full server and copy the configuration into the domain.xml of Payara Micro.
To configure the security realm in the admin console you have to go to “Configurations > server-config > Security > Realms > jdbcRealm” and enter the following data.
In addition to the realm, you need to configure the JDBC connection pool, which you find under “JDBC > JDBC Connection Pools”. There you need to enter a name for the pool, select the resource type and enter the datasource class name for your specific database. Under “Additional Properties” you have to enter the information needed to connect to your database.
Once the connection pool has been created, you can create the JDBC resource under “JDBC > JDBC Resources”. Simply enter a JNDI name and select the connection pool you created previously.
Step 4 – Include JDBC driver in your application
Unless you use a Derby database, the driver for your database will not be available out of the box on Payara Micro. In that case, you need to copy the driver to the WEB-INF/lib folder of your application.
Step 5 – Create a file with system properties
As I worked on this blog post I discovered an issue in Payara Micro, which doesn't load the login.conf file. The login modules for all security realms are in this file, and security will not work when it is not loaded. The good news is that there is a very simple workaround. The better news is that the issue has been addressed and the fix should be available starting with version 188.8.131.52.
As for the workaround, you just need to create a system.properties file, which will be referenced in the next step, with this line in it.
Step 6 – Create an uber jar with Payara Micro
An uber jar is basically an executable jar that contains not only the application but also all of its dependencies (in this case, Payara Micro and a couple of configuration files). This means that the uber jar itself has no dependencies and can be executed wherever Java is installed.
Creating an uber jar with Payara Micro is very simple because its CLI offers a command for that. So just run Payara Micro with the following parameters:
--deploy the filename of your compiled war
--domainConfig the name of the domain.xml file you created in step 3
--systemProperties the name of the system.properties file you created in step 5
--outputUberJar the name you want your uber jar to have
The command for my example application looks like this: