Comment: Migration of unmigrated content due to installation of a new plugin

...

This article focuses on the features of the Apache Geronimo server related to web application security. The sample application covered in this article is a basic time reporting system that uses Servlets, JSPs and J2EE declarative security with the Geronimo SQLLoginModule and the Derby database.
After reading this article you should be able to configure the Geronimo application server for web applications with declarative security features.

...

NOTE: The sample does not actually add new employees when the manager function is executed. This capability may be added in the future. However, the sample does demonstrate a method of implementing web application security using the pre-defined users.

...

This article is organized into the following sections.

...

Web Applications in Geronimo

...

Below is the main folder hierarchy of the Time Reporting application. It displays both the JSPs and the configuration files used in the application.

...

...

In addition to the above JSPs and configurations, two other servlets are also required to fulfill the business logic of the application.

...

web.xml includes the standard security constraints relating user roles to resources in the web application.

...

...

The Geronimo deployment plan (plan.xml, found after building the project at timereport/timereport-jetty/target/resources/META-INF/plan.xml) contains the Geronimo-specific security configuration, including the security realm configuration and the principal-role mapping that relates the principals from the security realm to the application roles defined above in web.xml. This project uses two roles, manager and employee. There is a business rule that every manager is an employee. This is enforced through the principal-role mapping: both the EmployeeGroup and ManagerGroup imply the app-specific employee role.
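The following check is an added example, not code from the original article or the Geronimo project. It cross-checks the roles constrained in web.xml against the principal-role mapping in the plan and flags any principal that implies manager without also implying employee. Both XML samples are constructed, and the plan layout (role-mappings, role, principal) and the URL patterns are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed samples, not the project's files. The plan layout (role-mappings /
# role / principal) is an assumption; matching ignores namespaces and nesting.
WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection><web-resource-name>time</web-resource-name>
   <url-pattern>/employee/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>employee</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><web-resource-name>admin</web-resource-name>
   <url-pattern>/manager/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>manager</role-name></auth-constraint>
 </security-constraint>
</web-app>"""
PLAN_XML = """<security><role-mappings>
 <role role-name="employee">
  <principal name="EmployeeGroup"/><principal name="ManagerGroup"/>
 </role>
 <role role-name="manager"><principal name="ManagerGroup"/></role>
</role-mappings></security>"""

def local(tag):
    """Strip an XML namespace: '{ns}role' -> 'role'."""
    return tag.rsplit("}", 1)[-1]

def constrained_roles(web_xml):
    """Roles named in any <auth-constraint> of web.xml."""
    root = ET.fromstring(web_xml)
    return {r.text.strip() for ac in root.iter() if local(ac.tag) == "auth-constraint"
            for r in ac.iter() if local(r.tag) == "role-name" and r.text}

def role_principals(plan_xml):
    """Map each application role to the principal names that imply it."""
    out = {}
    for role in ET.fromstring(plan_xml).iter():
        if local(role.tag) == "role" and role.get("role-name"):
            names = {p.get("name") for p in role.iter() if local(p.tag) == "principal"}
            out.setdefault(role.get("role-name"), set()).update(names)
    return out

def audit(web_xml, plan_xml, senior="manager", junior="employee"):
    """Return findings; an empty list means the mapping matches the stated rule."""
    mapping = role_principals(plan_xml)
    findings = [f"role '{r}' is constrained in web.xml but has no principal"
                for r in sorted(constrained_roles(web_xml)) if not mapping.get(r)]
    for p in sorted(mapping.get(senior, set()) - mapping.get(junior, set())):
        findings.append(f"principal '{p}' implies '{senior}' but not '{junior}'")
    return findings

if __name__ == "__main__":
    print(audit(WEB_XML, PLAN_XML) or "mapping is consistent")
```

Run as a build step, a non-empty result means a manager-only principal would be locked out of the employee pages, or a constrained role can never be granted.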

...

...

To restrict access to the Add Employee functionality from the Time Report page, programmatic authentication has been used, as indicated below.

...

...

Testing of the Sample Application

...