Using GlassFish domain templates to easily create several customized domains

It might have happened to you to require some customization the GlassFish behavior after you create the domain in order to make the domain fit the  basic requirements that you have in your organization or for your development purpose. Some of the files that we usually manipulate to customize GlassFish includes, keystore.jks, cacert.jks, default-web.xml, server.policy and domain.xml. These files can be customized through different asadmin commands, or JDK commands like keytool, policytool or manually using a text editor after you created the domain in the config directory of the domain itself.  But repeating the steps for multiple domains is a laborious task which can be prevented by changing the template files that GlassFish domains are created using them. The templates are located atAnd we can simply open them and edit the properties to make them more fit to our needs.

The benefit of modifying the templates rather than copy pasting the config directory of one domain to another is the domain specific behaviors like port numbers which have placeholders in the domain.xml to be filled by asadmin command. An example of a placeholder is %%%JMS_PROVIDER_PORT%%% which will be replaced by JMS provider port by asadmin command.

GlassFish security book contest: Here are the lucky winners

Thank you all who accepted the challenge and took the quiz. Now it is time to see who are the luckier ones winning the prizes which are copies of GlassFish Security book. To give you an statistic about the quiz participants,

GlassFish Security Book

I had 156 participants. though some of them, maybe 20 – 30 are quiz result submitted more than once by some of the participants.

Before we jump to the list of winners, I should explain the questions which I posted in the quiz.  The questions I selected for the quiz are mostly based on chapter 3 of the book which is available for free in packt website.

So the questions, the answers and the explanation about each question are as follow.

1. Which one of the following statements is correct?

A. We can specify which security realm we want our web module to use in the sun-web.xml.
B. We can specify which security realm we want our web module to use in the web.xml.
C. We can use sun-application.xml to specify which security realm we want our enterprise application to use
D. B and C are correct.

We can use both the web.xml and sun-application.xml to specify the security realm. In the web.xml we use the login-conf element as shown below:


And in the sun-application.xml we can specify the application wide security realm as shown in the following snippet.


The realm is an immediate child of the sun-application element.

2. Which one of the following statements shows new security features included in Java EE 6?

A. The programmatic login and logout methods in logout in HttpServletRequest interface.
B. Inclusion of @ServletSecurity Annotation to annotate a Servlet and enforce security.
C. Inclusion of the authenticate method in the HttpServletRequest interface.
D. All of the above.

Yes, all of this new features are included in Java EE 6 to enhance the security APIs and ease their use.

3. Where we should place the login-config element?

A. In web.xml
B. In sun-web.xml
C. In sun-application.xml
D. In A and C

The login-conf element goes to web.xml to specify the security realm and the authentication method. To see an snippet about this look at the explanation of the first question

4. What are j_username and j_password when it come to Java EE security?

A. These are two per-defined filed names which we must use in FORM authentication to pass the username and the password to the container.
B. These are two per-defined filed names which we must use in BASIC authentication type to pass the username and the password to the container.
C. Both of A and B are correct.
D. None of the above items.

To see some snippet about how we can have FORM authentication, you can take a look at the GlassFish security book chapter 3 which is freely available.

5. When we talk about security, which of the following sequences is more accurate?

A. Identification, Authentication, Authorization
B. Authentication, Authorization, Identification
C. Authentication, Identification, Authorization
D. Authorization, Authentication, Identification

‌Before we try to authenticate a credential we should receive a credential showing who the requester is claiming to be. After we received the credentials, we should check the credentials validity and finally after we find that the credentials are valid we can check the access level of the provided credentials.

And now the winners
The paper copy goes to: Bruno Antunes
First ebook copy goes to: Alireza Haghighatkhah
Second ebook copy goes to: Deny Wuysan

I have not received replys from some of the participants about their country of residence so I put them into the second list. I will contact the winners to coordinate the distribution of the copies with them.

I am looking for a way to have more contest about GlassFish security book in the coming month. Specially small 2 question quiz which the winner will receive a e-book copy of the title.

Try your chance for winning a copy of GlassFish Security book by taking a 5 questions quiz.

It is something like 5 months since Packt has published my book, GlassFish Security, which covers Java EE security and GlassFish application server security in great details by including OpenSSO and OpenDS into the mix.

Buy GlassFish Security Book

The book received around 10 reviews and all of these reviews unanimously agree that the book content is very useful and the book is something that every Java EE developer or GlassFish administrator may like to have in the shelve.

Now that a chapter of the book, chapter 3, is available for free in the Packt website, I thought I can form a simple contest in my weblog by including some questions from that chapter and give away some copies of the book to 3 lucky winners who answered all 5 questions correctly.

We will give away 1 paper copy to someone in USA or Europe and two e-books to any lucky winner either in those two continent or not.

It wont take more than 2-3 minutes to answer the questions and you will get the chance to receive a copy of the book when I draw the winners on October 10th.

And now the fun part, below you can find the 5 question quiz which can bring you a copy of GlassFish security book. Just note that we will only use the first result for each email address and consequent entries will be ignored.

“It seems that the quiz software I am using is not compatible with FireFox, please go with Google Chrome or Apple Safari


Make sure that you press the calculate result button when you are entering your name and email address so your information get stored into the database for the draw.

The contest is over and winners along with answers to these questions are announce at:

GlassFish Security book FAQ 1: Custom Security Realm in GlassFish

I decided to write down the answer for some questions which my book’s readers email me or ask me via twitter in my weblog so everyone can benefit from the answers. Here is the answer to the first question which involves custom security realms.

GlassFish supports 5 types of security realms out of the box which are sd follow:

  1. File Realm: Usefull for development and testing purposes. GlassFish provids a user/ group management interface for this realm. We can add user and groups using the administration console. When using this realm all usernames, passwords and groups are stored in a plain text file.
  2. JDBC Realm: In production environment we store user information including but not limited to username, passwords and groups in an RDBMS and then configure a JDBC realm to authenticate the given credentials againts the information stored in the datase.
  3. LDAP Realm: Sometimes we have all user details stored in an LDAP like Active Directory or Redhat Directory Server, OpenDS or Sun Java System Directory Server Enterprise Edition.
  4. Solaris Realm: This realm is used to authenticate users with a Solaris user directory.
  5. Certificate Realm: The certificate realm allows us to conduct mutual SSL authentication based on the client certificates.

Sometimes our users information is stored in a silo different than all of this mentioned storages and we need to use that source for authentication and access control. For example assume that we have our users information including username, passwords and group membership stored in an Object Database and we need to authenticate our enterprise application’s users with that storage. In such times we should either think about having a synchronized RDMBS keeping update user information and use JDBC realm for authentication and authorization or we should develop  a custom security realm which uses the object database as a source for authentication.

Setting up synchronization between the e.g object database and RDBS can be tricky while developing a custom authentication realm is much easier using GlassFish provided SPIs.

Second chapter of GlassFish security book discusses GlassFish security realms in details and discuss a sample application which uses these realms for authenticating and authorizing users. In the same chapter, developing custom security realms is discussed along with developing a sample realm.

In the same chapter GlassFish support for  JSR-196 (Java Authentication Service Provider Interface for Containers) is discussed to complete the ring of authentication and authorization in Java EE in general and GlassFish application server in particular.

Java EE Security Refcard is now available for download at no cost.

Java EE Security refcard is available for download. This refcard covers Java EE 6 security and discuss how each application server supports the specs. The refcard covers authentication, authorization, and transport security in Web Application, EJB application and web services by introducing the concept and the related annotations and deployment descriptors which help us realize the concept.

GlassFish, Geronimo and JBoss are discussed in the refcard to show how we can use the vendor specific deployent descriptors for implementing the security design of our applications.

Following list shows how what are covered in this.

  • Security in Java EE applications
  • Authentication an Authorization in Java EE
  • Web Applications Security
    • Authentication and Authorization in Web Module
    • Enforcing Transport Security
    • Other Security Elements of Web application deployment descriptors
    • Using Annotations to enforce security in Web modules
    • Programmatic Security in Web Module
  • EJB Applications Security
    • EJB module deployment descriptors
    • Security Annotation of EJB modules in Java EE 6
    • Securing EJB Modules programmatically
  • Application Client Security
    • Security enforcement in Geronimo ACC
    • Security enforcement in JBoss ACC
  • Defining Security in Enterprise application level
  • Securing Web Services in Java EE

  • Web Services Security in Web Modules
  • Web Services Security in EJB Modules
  • Web Services Authentication in GlassFish
  • Web Services Authentication in Geronimo
  • Web Services Authentication in JBoss

The refcard comes with 4 figures showing relation between different element and components in Java EE  along with 7 tables explaning the deployment descriptors elements and security annotations. For most of the above headings you will find sample code included in the refcard showing how we can do implement the discussed functionality according to Java EE and mentioned application Servers.