Tutorial: Applying End-to-End Security Across a Java Web Environment Using LDAP and Apache Fortress
This tutorial covers how to apply an end-to-end application security architecture featuring Apache
Fortress and OpenLDAP. It will be divided into four 30 minute segments:
- Install security infrastructure: OpenLDAP and Apache Fortress.
- Deploy a simple Java Web app into Apache Tomcat. Get authentication and coarse-grained authorization enabled to control page access.
- Add fine-grained authorization to Web application controls (buttons, list boxes, …) and database functions (create, read, update, delete).
- Generate keys and certs, enable TLS to HTTP, LDAP and JDBC connections.
The student will leave with understanding to apply proper security techniques to Web apps. A number of relevant standards including Java EE Security, Role-Based Access Controls (ANSI INCITS 359), Transport Level Security (TLS), and X.509 are followed. The sample code uses Java, but the techniques may be applied across many different platforms.
- All steps run on Debian machines running inside an IAAS cloud environment.
- Student should have some experience developing apps in Java and using containers like Apache Tomcat.
- Student should bring a PC or other device that can connect to the internet with a web browser and get to an ssh command prompt.
- Complete Apache Fortress 10 Minute Guide
- Complete Apache Wicket Security Tutorial
- Complete Apache Fortress Demo
- Enable TLS for OpenLDAP, MySQL and Tomcat.
- Run Selenium automated unit tests.
- Run manual tests to verify security policy.
This tutorial is based on a presentation that was given at JavaOne 2014 and ApacheCon North America 2015. The material that will be covered follows:
- Apache Fortress Ten Minute Guide:
- Apache Fortress & Wicket Example
- Apache Fortress End-to-End Tutorial
System Architect at Symas. Member of the OpenLDAP Engineering Team. Apache Directory PMC.