New Book on Glassfish Security available

Getting involved more into security requirements of real life production setups running Glassfish, I searched  the web for this topic. So far there was no book available focusing on security concerns, this just changed a few days ago..
I just get my hands on the new book by Masoud Kalali, Glassfish Security by Packt Publishing. Find more info here. Just started reviewing it, will update you soon.


Getting started with Glassfish V3 and SSL

UPDATE 2013-03-22: Please check the updated tutorial with GoDaddy and Glassfish V3.1.2 here.

At some stage developing web applications (operating outside you fix lan-wired, “secure” in-house network), your customer will hit you asking “How secure is my data ? Can I access the system via https and get the golden lock ?”. You will quickly answer “No problem ! We use Glassfish” (just because you remember vaguely seeing some https settings in the GF admin tool). It is indeed not that hard to get started but if you are not an security expert and not joggling certificates around, it might take you a while to get your web application running with the golden lock. I will summarize the steps in this tutorial to setup a Glassfish V3 domain running with https.  Please feel free to comment and feedback, I am not an security expert either (…yet).

Used for this tutorial:

  • Glassfish V3
  • Java keytool
  • Free 90 days SSL certificate from Comodo (link)


  • A  server with an IP address and/or domain ( We need to be the owner of the domain (or at least the technical contact, more on that later)
  • Basic knowledge of navigating around the Glassfish admin tool


Continue reading

Getting Started with Netbeans and Shiro – Part 1

Apache Shiro (formerly known as JSecurity and KI) is a security framework that handles authentication, authorization, enterprise session management and cryptography. With the move from sourceforge to Apache the GPL license turned into the Apache license. The current version is still 0.9 (still JSecurity), but you can build yourself a current version until the version is released. Shiro is NOT basd on JAAS.

Pre-Requirements for this tutorial:

  • Netbeans (any newer version 6.5.1 + already installed)
  • Maven (assuming most people dont use it yet)
  • Shiro code base (via svn)
  • Ubuntu (applies only to the installation of maven) Continue reading

JEE5 Security

Any new project or product that is used by more than 1 user and over any kind of network needs the “TripleA” AAA features: Authorization, Authentication, Auditing. That’s a must !

I am reading about the JEE5 Security features to outline a new design, or at least I try to find some comprehensive information about it. It seems one of the most important framework services is still being largely developed handmade according to the needs of specific project requirements and no generic solution is available (I think I need to rephrase this after some more investigation). I could  not find many books or online sources with samples or easy-digestible tutorials, just to share what I found so far. JAAS is part of JRE since version 1.4 and most of the information about is a bit old (2002).

SUN JAVA SE security (link) (link)
SUN JAAS Tutorial (link)

3rd Party Security Framework (based on JAAS)
JGuard on (link)
ESAPI  on OWASP (link)

Free JAAS Book (link)
Software Security Technologies (covering security in Java, C, Perl)

Software Security Technologies