
Re: how to configure and run sentry-1.0-RC24



Sentry is the Java EE policy enforcement component.  It uses Fortress Core APIs to provide authN & authZ inside of Tomcat, Websphere (and sometimes JBoss) server envs.

The quickstart package that you downloaded also installs Sentry automatically for you to Apache Tomcat server.  The enmasse demo that is contained within the quickstart package utilizes JavaEE security (that Tomcat supports).  Java EE security is configured inside the web.xml deployment descriptor (shown below). The policy here is applied to every request which must have an HTTP basic authN header along with a valid userid/password.  In addition the user entity in the basic auth hdr must also be assigned to a role that is named 'role1'.  The developer doesn't make changes to code in order for this kind of security to take place.  It happens automatically by the application server infrastructure itself.  The work here is performed by the deployer who sets this up for each participating app deployed within the container.  Of course in a prod env we'd have turned on the standard SSL support as well.

Pretty simple huh?  That's the idea.  Keep the application logic simple while doing the heavy lift inside the infrastructure.  It's always best there because that way there are fewer overall moving parts to manage (there are fewer Java EE containers than applications).  Enmasse also uses CXF interceptors later on in the transaction for doing role checks based on annotations that are dropped in the service interface classes... but we will talk about that on another day.  ;-)

Here's some more info on how to set up Tomcat (if you ever need to do it manually):
http://www.joshuatreesoftware.us/iamfortress/javadocs/api-sentry/com/jts/fortress/sentry/tomcat/package-summary.html
and also for Websphere:
http://www.joshuatreesoftware.us/iamfortress/javadocs/api-sentry/com/jts/fortress/sentry/websphere/package-summary.html

    <security-constraint>
       <display-name>En Masse Security Constraint</display-name>
       <web-resource-collection>
          <web-resource-name>Protected Area</web-resource-name>
          <!-- Define the context-relative URL(s) to be protected -->
          <url-pattern>/*</url-pattern>
          <!-- If you list http methods, only those methods are protected -->
          <!--http-method>GET</http-method-->
       </web-resource-collection>
       <auth-constraint>
          <!-- Anyone with one of the listed roles may access this area -->
          <role-name>role1</role-name>
       </auth-constraint>
    </security-constraint>

    <!-- Login configuration uses HTTP BASIC authentication -->
    <login-config>
       <auth-method>BASIC</auth-method>
       <realm-name>Java Sentry Realm Authentication Area</realm-name>
    </login-config>

    <!-- Security roles referenced by this web application -->
    <security-role>
       <role-name>role1</role-name>
    </security-role>

Shawn

On 04/17/2013 06:46 AM, suman karki wrote:
After running the command "./b.sh install-enmasse-demo", two new packages were added: sentry-1.0-RC24 and enmasse-1.0-RC24.
I saw some files and folders inside the sentry-1.0-RC24 directory.
And I have changed root.pw, cfg.root.pw, root.dn in the build.properties file.  (They were changed to match the fortress core build.properties file.)

And I want to know what the process is to run sentry.
Also, what is the use of b.sh and m.sh?

Please provide me some information about sentry.




-- 
shawn.mckinney@jts.us is my new email address
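
As an added example (not part of the original message and not Fortress or Sentry code), this Python audit checks a descriptor like the one above for the points the message raises: listed http-methods that leave other verbs unprotected, a missing auth-constraint, roles with no matching security-role, and BASIC/FORM login without a CONFIDENTIAL transport guarantee. The function name, the `<web-app>` wrapper and the namespace-free sample are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the descriptor from the message above, wrapped in a
# <web-app> root so it parses as one document (assumed namespace-free).
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <display-name>En Masse Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>role1</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Java Sentry Realm Authentication Area</realm-name>
  </login-config>
  <security-role>
    <role-name>role1</role-name>
  </security-role>
</web-app>"""


def audit_web_xml(xml_text):
    """Return a sorted list of finding strings for a namespace-free web.xml."""
    root = ET.fromstring(xml_text)
    findings = set()
    declared = {r.text.strip() for r in root.findall("security-role/role-name") if r.text}
    auth_method = (root.findtext("login-config/auth-method") or "").strip().upper()
    for sc in root.findall("security-constraint"):
        name = (sc.findtext("display-name") or "unnamed").strip()
        # Listing methods protects only those; other verbs are not covered.
        methods = [m.text.strip() for m in sc.findall("web-resource-collection/http-method") if m.text]
        if methods:
            findings.add(f"{name}: only {','.join(methods)} protected")
        auth = sc.find("auth-constraint")
        if auth is None:
            findings.add(f"{name}: no auth-constraint, resources are public")
        else:
            for role in auth.findall("role-name"):
                if role.text and role.text.strip() not in declared | {"*"}:
                    findings.add(f"{name}: role '{role.text.strip()}' has no security-role")
        # BASIC and FORM carry the password in recoverable form; require TLS.
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        if auth_method in ("BASIC", "FORM") and guarantee != "CONFIDENTIAL":
            findings.add(f"{name}: {auth_method} auth without CONFIDENTIAL transport")
    return sorted(findings)
```

Run against the demo descriptor as posted, the only finding is the missing transport guarantee, which matches the remark that SSL would be turned on in a production environment.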