Enterprise Computing · Week 7 Lab — Part 1

EJB Security
Server Project

Build a secured EJB Module with role-based access control, deploy to GlassFish, and configure users in the File Realm.

NetBeans IDE GlassFish MySQL EJB Security glassfish-ejb-jar.xml File Realm Users

Note

A complete sample project is on the Week 7 Moodle block. Build your own copy first using these steps, then compare with the sample if you get stuck.

Before You Start — Prerequisites

Services that must be running

✔
MySQL Server — started and accessible on localhost
✔
GlassFish Server — started in NetBeans Services tab
✔
MySQL Workbench — for creating the database

Tip

Check the NetBeans Services tab → expand Servers → GlassFish should show a green arrow. MySQL should show a connected icon under Databases.

What we will build

Figure: Architecture — the client (Part 2) calls the secured EJB over JNDI.

Steps 1 – 2

Create the EJB Module
& Add the GlassFish Descriptor

Set up the project, add the sample entity/bean files, and wire in the security descriptor.

Step 1 — Create the EJB Module Project

If you have forgotten how to create an EJB Module, refer back to Week 5 Lab — Part 2.

1
New Project → Java with Jakarta EE → EJB Module
2
Name the project: W7P1EJBModule
3
Select GlassFish as the server, Jakarta EE 10 as the version.
4
Add the sample source files to your project under au.edu.cqu.week7 package:
- Book.java and CD.java — entity classes (JPA)
- ItemEJB.java — the session bean with security annotations
- ItemLocal.java / ItemRemote.java — local and remote interfaces

Why two interfaces?

ItemLocal is for clients in the same JVM (e.g., another EJB in the same server). ItemRemote is for clients in a different JVM (e.g., a standalone Java client in Part 2). The security rules apply to both.

Step 2 — Add the GlassFish Descriptor

EJB security roles must be mapped to GlassFish groups using a server-specific descriptor file.

1
Right-click W7P1EJBModule → New → Other…
2
In the New File dialog:

Categories: GlassFish → File Types: GlassFish Descriptor
Click Next.
3
The wizard shows the file will be created as:
src/conf/glassfish-ejb-jar.xml
Click Finish.

Common issue — file not visible in Projects tab

After clicking Finish, the file may not appear under "Configuration Files" in the Projects panel. This is a NetBeans display bug. The file has been created — see the next slide for how to find it.

Fix — `glassfish-ejb-jar.xml` Not Visible

This is the same family of issue as when persistence.xml doesn't show in the Projects tab. The file exists on disk — NetBeans just isn't displaying it in that view.

Solution: Use the Files Tab

1
Go to Window → Files (or press Ctrl+2)
2
In the Files tab, expand:
W7P1EJBModule → src → conf
3
You will see glassfish-ejb-jar.xml there. Double-click it to open the editor.

If the file is truly missing

Repeat Step 2 from the previous slide. Make sure you selected GlassFish (not Payara or WebLogic) in the Categories list.

Tip — also try this

Right-click the project → Clean and Build. Sometimes this triggers NetBeans to refresh the project tree and the file becomes visible in the Projects tab too.

Step 2b — Add Security Role Mappings

Open glassfish-ejb-jar.xml and switch to the Security tab in the editor. Add two role mappings:

EJB Security Role	GlassFish Group Name	Who goes in this group?
`student`	`Enterprise`	Users with read-only access (e.g., Mike)
`staff`	`StaffEnterprise`	Users with full/admin access (e.g., Stephen)

Why map roles to groups?

Your Java code uses logical role names like "student" and "staff". GlassFish uses its own group system to hold real users. This XML file is the bridge — it tells GlassFish: "when my code asks for role student, check GlassFish group Enterprise."

Via the GUI (Security tab):

Click Add Security Role Mapping
Security Role Name: staff
Click Add Group → type StaffEnterprise
Repeat for student → group Enterprise

Resulting XML (XML tab):

<glassfish-ejb-jar>
  <security-role-mapping>
    <role-name>student</role-name>
    <group-name>Enterprise</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>staff</role-name>
    <group-name>StaffEnterprise</group-name>
  </security-role-mapping>
</glassfish-ejb-jar>

Steps 3 – 4

Verify the XML
& Build Successfully

Check the descriptor is correct, then compile the project.

Steps 3–4 — Verify XML & Build

Step 3 — Check the XML

Open the XML tab of glassfish-ejb-jar.xml. Confirm it looks exactly like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-ejb-jar PUBLIC
  "-//GlassFish.org//DTD GlassFish
   Application Server 3.1...//EN"
   "...">
<glassfish-ejb-jar>
 <security-role-mapping>
  <role-name>student</role-name>
  <group-name>Enterprise</group-name>
 </security-role-mapping>
 <security-role-mapping>
  <role-name>staff</role-name>
  <group-name>StaffEnterprise</group-name>
 </security-role-mapping>
</glassfish-ejb-jar>

Step 4 — Build the Project

In the Output panel, you should see:

BUILD SUCCESSFUL (total time: X seconds)

Build failed?

Check that your persistence.xml has & not & in the JDBC URL, and that it is inside src/conf/META-INF/.

Steps 5 – 6

Database Setup
& Deploy to GlassFish

Create the MySQL database and JDBC resources, then deploy the built JAR.

Step 5a — Create the MySQL Database

Open MySQL Workbench and run the following:

-- Create the database for this project
CREATE DATABASE w7p1db;
USE w7p1db;
-- (Tables will be created automatically by JPA / GlassFish on first run)

Why do we need a database?

The entity classes Book.java and CD.java are JPA entities. GlassFish will map them to database tables via the JDBC data source. Without the database, deployment will fail.

Reminder from Week 5

If you haven't yet set up MySQL Connector/J in GlassFish, go back to Week 5 Lab Part 2. The connector JAR must be in GlassFish's lib folder for the JDBC pool to work.

Step 5b — JDBC Pool & Data Source in GlassFish

Go to the GlassFish Admin Console at http://localhost:4848

1 — Create the Connection Pool

1
Resources → JDBC → JDBC Connection Pools → New
2
Pool Name: W7P1Pool
3
Resource Type: java.sql.Driver
4
Driver Classname: com.mysql.jdbc.Driver
5
Add properties: url, user, password, DatabaseName=w7p1db
6
Click Ping to verify — should say "Ping Succeeded".

2 — Create the JDBC Resource

1
Resources → JDBC → JDBC Resources → New
2
JNDI Name: jdbc/W7P1DS
3
Pool Name: W7P1Pool (the one just created)
4
Click OK.

Check your persistence.xml

The <jta-data-source> value must exactly match: jdbc/W7P1DS

Step 6 — Deploy the EJB Module to GlassFish

Option A — Deploy from NetBeans

1
Right-click W7P1EJBModule in Projects tab
2
Click Deploy
3
Watch the Output tab — look for BUILD SUCCESSFUL and deploy successful

Option B — Deploy from Admin Console

1
Applications → Deploy
2
Browse for the .jar in dist/ folder
3
Click OK

Verify deployment

In GlassFish Admin Console → Applications, you should see W7P1EJBModule listed with engine type ejb and a green tick under Enabled.

Deployment failed?

Check GlassFish server log (Services tab → GlassFish → View Log Files)
Ensure MySQL is running and the pool Ping succeeds
Check persistence.xml is at src/conf/META-INF/persistence.xml

Steps 7 – 8

Create Security Groups
& Users in GlassFish

Add the real users that GlassFish will authenticate. These users are matched to EJB roles via the group names in glassfish-ejb-jar.xml.

Step 7 — Navigate to the GlassFish File Realm

GlassFish's File Realm stores usernames and passwords in a flat file on the server. We use it in development — real systems use database or LDAP realms.

1
Open GlassFish Admin Console: http://localhost:4848
2
In the left tree, navigate to:
Configurations → server-config → Security → Realms → file
3
Click the file realm to open it, then click Manage Users.

What is a Security Realm?

A realm is a database of users and their credentials. GlassFish ships with three realms: admin-realm (for admin console), certificate (SSL client certs), and file (simple text-file users). We use file for simplicity in development.

Step 8 — Add Users Mike & Stephen

In File Users → click New and fill in each user:

Field	User 1	User 2
User ID	`Mike`	`Stephen`
Group List	`Enterprise`	`StaffEnterprise`
Password	(set any password)	(set any password)

Remember the password!

The client application in Part 2 will need these credentials to call the EJBs. Write them down now.

How the chain works

Mike logs in → GlassFish checks File Realm → Mike is in group Enterprise → glassfish-ejb-jar.xml maps Enterprise → role student → @RolesAllowed("student") methods are accessible.

Verify

After adding both users, the File Users screen should show two entries: Mike (Enterprise) and Stephen (StaffEnterprise). The "User: Stephen" label will appear in the GlassFish page header because you were logged in as Stephen to create that account.

Understanding the Security Code in ItemEJB

Look at how ItemEJB.java uses security annotations. Here is a simplified version:

@Stateless
@RolesAllowed("student")
public class ItemEJB
    implements ItemRemote,
               ItemLocal {

  // Any student or staff can list
  public List<Book> findAllBooks() {
    return em.createQuery(
      "SELECT b FROM Book b",
       Book.class
    ).getResultList();
  }

  // Only staff can create items
  @RolesAllowed("staff")
  public Book createBook(Book b) {
    em.persist(b);
    return b;
  }
}

What does each annotation mean here?

Annotation	Effect
`@RolesAllowed("student")` on the class	Default: all methods are accessible to `student` AND `staff` roles.
`@RolesAllowed("staff")` on a method	Overrides class default — only `staff` can call this specific method.

Wait — staff has student access too?

Not automatically. The staff role would need to be explicitly added to class-level allowed roles, or managed through role inheritance in the deployment descriptor.

Knowledge Check — Lab Part 1

Q1: After adding the GlassFish Descriptor and clicking Finish, the file doesn't appear in the Projects tab. What should you do?

The file is created at src/conf/glassfish-ejb-jar.xml but the Projects tab doesn't always show it. The Files tab always shows the actual filesystem, so you can find and open it there.

Q2: What is the purpose of glassfish-ejb-jar.xml in this project?

The glassfish-ejb-jar.xml is a server-specific deployment descriptor. Its job in this lab is to bridge the gap between the role names used in your Java code (@RolesAllowed("student")) and the group names used in GlassFish's File Realm (Enterprise).

Verification Checklist — Part 1 Complete?

Click each item as you confirm it. All boxes must be ticked before starting Part 2.

EJB Module project W7P1EJBModule created in NetBeans
Sample files added: Book.java, CD.java, ItemEJB.java, ItemLocal.java, ItemRemote.java
GlassFish Descriptor added → src/conf/glassfish-ejb-jar.xml exists (check Files tab)
Security role mappings added: student → Enterprise and staff → StaffEnterprise
Project builds successfully with BUILD SUCCESSFUL
MySQL database w7p1db created
GlassFish JDBC pool W7P1Pool created and Ping succeeds
GlassFish JDBC data source jdbc/W7P1DS created
EJB Module deployed to GlassFish — visible under Applications
GlassFish File Realm user Mike in group Enterprise created
GlassFish File Realm user Stephen in group StaffEnterprise created

What's Next — Part 2

Part 2 Preview

You will build a client application (a standalone Java app) that:

Connects to GlassFish over JNDI
Logs in as Mike (student role) or Stephen (staff role)
Calls methods on ItemEJB remotely
Demonstrates that role restrictions are enforced — if Mike tries to call a @RolesAllowed("staff") method, he will get an EJBAccessException

Part 1 Summary

What you did	Why it matters
Created EJB Module with security annotations	Defines the access rules in code
Added glassfish-ejb-jar.xml	Maps code roles to server groups
Built & deployed to GlassFish	Makes the EJB callable over the network
Created users in File Realm	Gives GlassFish real identities to authenticate

Before starting Part 2

Make sure all 11 checklist items on the previous slide are ticked. Part 2 will fail immediately if the EJB is not deployed or the users don't exist.