GlassFish security book contest: Here are the lucky winners

Thank you to all who accepted the challenge and took the quiz. Now it is time to see who the lucky ones are who win the prizes, which are copies of the GlassFish Security book. To give you some statistics about the quiz participants: I had 156 participants, though some of these, maybe 20 to 30, were quiz results submitted more than once by the same participants.

Before we jump to the list of winners, I should explain the questions which I posted in the quiz. The questions I selected for the quiz are mostly based on chapter 3 of the book, which is available for free on the Packt website.

So the questions, the answers and the explanation for each question are as follows.

1. Which one of the following statements is correct?

A. We can specify which security realm we want our web module to use in the sun-web.xml.
B. We can specify which security realm we want our web module to use in the web.xml.
C. We can use sun-application.xml to specify which security realm we want our enterprise application to use.
D. B and C are correct.

We can use both the web.xml and sun-application.xml to specify the security realm. In the web.xml we use the login-config element as shown below:


And in the sun-application.xml we can specify the application-wide security realm as shown in the following snippet.


The realm is an immediate child of the sun-application element.

2. Which one of the following statements shows new security features included in Java EE 6?

A. The programmatic login and logout methods in the HttpServletRequest interface.
B. Inclusion of @ServletSecurity Annotation to annotate a Servlet and enforce security.
C. Inclusion of the authenticate method in the HttpServletRequest interface.
D. All of the above.

Yes, all of these new features are included in Java EE 6 to enhance the security APIs and ease their use.

3. Where should we place the login-config element?

A. In web.xml
B. In sun-web.xml
C. In sun-application.xml
D. In A and C

The login-config element goes into web.xml to specify the security realm and the authentication method. To see a snippet of this, look at the explanation of the first question.

4. What are j_username and j_password when it comes to Java EE security?

A. These are two predefined field names which we must use in FORM authentication to pass the username and the password to the container.
B. These are two predefined field names which we must use in the BASIC authentication type to pass the username and the password to the container.
C. Both A and B are correct.
D. None of the above items.

To see a snippet showing how we can set up FORM authentication, you can take a look at chapter 3 of the GlassFish Security book, which is freely available.

5. When we talk about security, which of the following sequences is most accurate?

A. Identification, Authentication, Authorization
B. Authentication, Authorization, Identification
C. Authentication, Identification, Authorization
D. Authorization, Authentication, Identification

Before we try to authenticate a credential we should receive a credential showing who the requester claims to be. After we have received the credentials, we should check their validity, and finally, once we find that the credentials are valid, we can check the access level granted to the provided credentials.

And now the winners
The paper copy goes to: Bruno Antunes
First ebook copy goes to: Alireza Haghighatkhah
Second ebook copy goes to: Deny Wuysan

I have not received replies from some of the participants about their country of residence, so I put them into the second list. I will contact the winners to coordinate the distribution of the copies with them.

I am looking for a way to run more contests about the GlassFish Security book in the coming month, especially small two-question quizzes in which the winner receives an e-book copy of the title.

Try your chance at winning a copy of the GlassFish Security book by taking a five-question quiz.

It is something like 5 months since Packt published my book, GlassFish Security, which covers Java EE security and GlassFish application server security in great detail, bringing OpenSSO and OpenDS into the mix.

Buy GlassFish Security Book

The book received around 10 reviews, and all of these reviews unanimously agree that the book's content is very useful and that it is something every Java EE developer or GlassFish administrator may like to have on the shelf.

Now that a chapter of the book, chapter 3, is available for free on the Packt website, I thought I could run a simple contest on my weblog by including some questions from that chapter and giving away some copies of the book to 3 lucky winners who answer all 5 questions correctly.

We will give away 1 paper copy to someone in the USA or Europe and two e-books to any lucky winner, whether in those two continents or not.

It won't take more than 2-3 minutes to answer the questions, and you will get the chance to receive a copy of the book when I draw the winners on October 10th.

And now the fun part: below you can find the 5-question quiz which can bring you a copy of the GlassFish Security book. Just note that we will only use the first result for each email address, and subsequent entries will be ignored.

It seems that the quiz software I am using is not compatible with Firefox, so please use Google Chrome or Apple Safari.


Make sure that you press the "calculate result" button after entering your name and email address, so your information gets stored in the database for the draw.

The contest is over, and the winners, along with the answers to these questions, are announced at:

I will be speaking at JavaZone 2010 about NIO.2

Well, my abstract for a session at JavaZone 2010 has been accepted and I will be speaking about NIO.2, which you may call "new new IO", "more new IO" or, technically, JSR-203, on the 8th of September in Hall 1. I will be the second speaker on the first day of the conference, so the timing will be something like 10:15 to 11:15. The session will be in English, and I will give the audience an overview of the I/O features in Java 7 and their differences from and improvements over the old I/O framework. I estimate that I will speak for 55 minutes to present around 35 slides, for which I have prepared a sketch.


The majority of the slides will discuss the file system capabilities included in NIO.2; some slides will cover the differences between I/O in Java 7 and I/O in older releases, and others will discuss asynchronous I/O and the other cool features of NIO.2. Almost all slides come with sample code showing the concept in action. I will try to post more about my presentation and slides while I complete the sketch and the first draft.

My weblog is now migrated to its new location,

I have been blogging for the past 4 years in my blog, which is now 301-redirected to its new home at In mid 2006 I joined NetCAT 5.0, the NetBeans quality assurance team for the NetBeans 5.0 release, and it was the starting point for me to get involved with the Java community in a more open way, and it led to filing a request to get a weblog at

The main reason and motive behind starting the blog was sharing my experience with the NetBeans platform and Java development, but over the years the blog grew to a point where I posted 6 chapters of my unpublished GlassFish book there, along with many other long articles discussing Java EE and other topics, including security and software architecture.

In the past 4 years I posted 74 blog entries, and my weblog served around 200,000 page views and 160,000 visits. The majority of visitors were using Linux and Firefox, according to my Google Analytics data, which I have now deleted by mistake. The biggest referral site was itself, where my weblog got promoted to the first page, and Google was the main search engine leading readers to my weblog.

What I will always remember from my blog is the friends I found through it and the friendly community and staff behind and its infrastructure, who were and are working around the clock to keep a professional environment for everyone involved and who uses Even when I was leaving they did not stop taking care of my request and kindly applied 301 redirects to all my current blog entries to send readers to their new location, which in my opinion shows how professionally they act and think.

But the reason behind moving from that exceptional hosting and community to my personal domain is the flexibility I need to keep all my content in the same place, instead of keeping some content on the blog and other content on my personal website.

In the next few weeks I will add more pages to my new website, including a page for my GlassFish Security book, to have a better communication channel with my readers, and a new page for the book I am authoring now. My new website will include my photoblog as another part. I am not a professional photographer, and I will look for comments and advice from friends and readers who are more experienced in photography than I am.

If you are a reader of my weblog, then you can follow me using the new domain and the new feed URL. The new domain will serve readers and visitors in a more interactive and easier-to-find way.

Long live and its professional team.

Java EE Security Refcard is now available for download at no cost.

The Java EE Security refcard is available for download. This refcard covers Java EE 6 security and discusses how each application server supports the specs. The refcard covers authentication, authorization, and transport security in web applications, EJB applications and web services by introducing the concept and the related annotations and deployment descriptors which help us realize it.

GlassFish, Geronimo and JBoss are discussed in the refcard to show how we can use the vendor-specific deployment descriptors to implement the security design of our applications.

The following list shows what is covered in the refcard.

  • Security in Java EE applications
  • Authentication and Authorization in Java EE
  • Web Applications Security
    • Authentication and Authorization in Web Module
    • Enforcing Transport Security
    • Other Security Elements of Web application deployment descriptors
    • Using Annotations to enforce security in Web modules
    • Programmatic Security in Web Module
  • EJB Applications Security
    • EJB module deployment descriptors
    • Security Annotation of EJB modules in Java EE 6
    • Securing EJB Modules programmatically
  • Application Client Security
    • Security enforcement in Geronimo ACC
    • Security enforcement in JBoss ACC
  • Defining Security in Enterprise application level
  • Securing Web Services in Java EE
    • Web Services Security in Web Modules
    • Web Services Security in EJB Modules
    • Web Services Authentication in GlassFish
    • Web Services Authentication in Geronimo
    • Web Services Authentication in JBoss

The refcard comes with 4 figures showing the relation between different elements and components in Java EE, along with 7 tables explaining the deployment descriptor elements and security annotations. For most of the above headings you will find sample code included in the refcard showing how we can implement the discussed functionality according to Java EE and the mentioned application servers.

GlassFish Security Book, which covers GlassFish v3 security, Java EE 6 security, and OpenSSO, has just been published.

The book in detail:

Security was, is, and will be one of the most important aspects of enterprise applications and one of the most challenging areas for architects, developers, and administrators. It is mandatory for Java EE application developers to secure their enterprise applications using GlassFish security features.

Learn to secure Java EE artifacts (like Servlets and EJB methods), configure and use GlassFish JAAS modules, and establish environment and network security using this practical guide filled with examples. One of the things you will love about this book is that it covers the advantages of protecting application servers and web service providers using OpenSSO.

The book starts by introducing Java EE security in Web, EJB, and Application Client modules. Then it introduces the Security Realms provided in GlassFish, which developers and administrators can use to complete the authentication and authorization setup. In the next step, we develop a completely secure Java EE application with Web, EJB, and Application Client modules.

The next part includes a detailed and practical guide to setting up, configuring, and extending GlassFish security. This part covers everything an administrator needs to know about GlassFish security, starting from installation and operating environment security, listeners and password security, through policy enforcement, to auditing and developing new auditing modules.

Before starting the third major part of the book, we have a chapter on OpenDS discussing how to install and administer OpenDS. The chapter covers importing and exporting data, setting up replication, backup and recovery, and finally developing LDAP-based solutions using OpenDS and Java.

Finally, the third part starts by introducing OpenSSO and continues by guiding you through OpenSSO features, installation and configuration, and how you can use it to secure Java EE applications in general and web services in particular.

Inspired by real development cases, this practical guide shows you how to secure a GlassFish installation and how to develop applications with secure authentication based on GlassFish, Java EE, and OpenSSO capabilities.

What you will learn from this book:

  • Develop secure Java EE applications including Web, EJB, and Application client modules.
  • Reuse the security assets you have by learning GlassFish security realms in great detail, along with a sample for each realm.
  • Secure the GlassFish installation, including operating system security and JVM policy configuration.
  • Secure Java EE applications using OpenSSO and set up Single Sign-On (SSO) between multiple applications.
  • Secure web services using Java EE built-in features, OpenSSO and WS-Security.
  • Secure network listeners and passwords using GlassFish-provided facilities.
  • Learn to use OpenSSO services, SDKs, and agents to secure Java EE enterprise applications, including web services.
  • Learn to use OpenDS both as an administrator and as an LDAP solution developer.
  • All command lines and more than 90% of the book content apply to both GlassFish 3.x and 2.x.

Security is driven by requirements and design, and we implement security on the basis of the requirements provided by analysts. In this book, we take a programmatic approach to understanding Java EE and GlassFish security.

You will find plenty of code samples in this book. It is easy to secure your application when you have a demonstration of a complete and working application explained in the book, isn't it? Each chapter starts with the importance and relevance of the topic by introducing some Java EE application requirements, which will encourage you to read further.

Who this book is written for

This book is for application designers, developers and administrators who work with GlassFish and are keen to understand Java EE and GlassFish security.

To take full advantage of this book, you need to be familiar with Java EE and the GlassFish application server. You will love this book if you are looking for one that covers Java EE security and using GlassFish features to create secure Java EE applications, or securing the GlassFish installation and operating environment and using OpenSSO.