Part I Development Tasks and Tools
1. Setting Up a Development Environment
Part II Developing Applications and Application Components
GlassFish Server Specific Security Features
Roles, Principals, and Principal to Role Mapping
How to Set a Realm for an Application or Module
Changing Permissions for an Application
Enabling and Disabling the Security Manager
Configuring Message Security for Web Services
Message Security Responsibilities
Application Developer Responsibilities
Application Deployer Responsibilities
System Administrator Responsibilities
Application-Specific Message Protection
Using a Signature to Enable Message Protection for All Methods
Configuring Message Protection for a Specific Method Based on Digital Signatures
Understanding and Running the Sample Application
To Set Up the Sample Application
Programmatic Login Precautions
Granting Programmatic Login Permission
User Authentication for Single Sign-on
Adding Authentication Mechanisms to the Servlet Container
The GlassFish Server and JSR 196
Writing a Server Authentication Module
Sample Server Authentication Module
Compiling and Installing a Server Authentication Module
Configuring a Server Authentication Module
Binding a Server Authentication Module to Your Application
6. Using the Java Persistence API
7. Developing Web Applications
8. Using Enterprise JavaBeans Technology
9. Using Container-Managed Persistence
12. Developing Lifecycle Listeners
13. Developing OSGi-enabled Java EE Applications
Part III Using Services and APIs
14. Using the JDBC API for Database Access
15. Using the Transaction Service
16. Using the Java Naming and Directory Interface
Audit modules collect and store information on incoming requests (servlets, EJB components) and outgoing responses. You can create a custom audit module.
The following topics are addressed here:
For additional information about audit modules, see Audit Callbacks.
To configure an audit module, you can perform one of the following tasks:
To specify an audit module using the Administration Console, open the Security component under the relevant configuration, and select the Audit Modules component. For details, click the Help button in the Administration Console.
You can use the asadmin create-audit-module command to configure an audit module. For details, see the Oracle GlassFish Server 3.1-3.1.1 Reference Manual.
You can create a custom audit module by implementing a class that extends com.sun.enterprise.security.audit.AuditModule.
For Javadoc tool pages relevant to audit modules, go to http://glassfish.java.net/nonav/docs/v3/api/ and click on the com.sun.enterprise.security.audit package.
The AuditModule class provides default “no-op” implementations for each of the following methods, which your custom class can override.
public void init(Properties props)
The preceding method is invoked during server startup when the audit module is initially loaded. The props argument contains the properties defined for this module. The module can do any initialization it needs in this method. If the method returns without throwing an exception, the GlassFish Server assumes the module realm is ready to service audit requests. If an exception is thrown, the module is disabled.
public void authentication(String user, String realm, boolean success)
This method is invoked when an authentication request has been processed by a realm for the given user. The success flag indicates whether the authorization was granted or denied.
public void webInvocation(String user, HttpServletRequest req, String type, boolean success)
This method is invoked when a web container call has been processed by authorization. The success flag indicates whether the authorization was granted or denied. The req object is the standard HttpServletRequest object for this request. The type string is one of hasUserDataPermission or hasResourcePermission (see JSR 115).
public void ejbInvocation(String user, String ejb, String method, boolean success)
This method is invoked when an EJB container call has been processed by authorization. The success flag indicates whether the authorization was granted or denied. The ejb and method strings describe the EJB component and its method that is being invoked.
public void webServiceInvocation(String uri, String endpoint, boolean success)
This method is invoked during validation of a web service request in which the endpoint is a servlet. The uri is the URL representation of the web service endpoint. The endpoint is the name of the endpoint representation. The success flag indicates whether the authorization was granted or denied.
public void ejbAsWebServiceInvocation(String endpoint, boolean success)
This method is invoked during validation of a web service request in which the endpoint is a stateless session bean. The endpoint is the name of the endpoint representation. The success flag indicates whether the authorization was granted or denied.