Overview of Java EE Security
Java EE, web, and web services applications are made up of components that can be deployed into different containers. These components are used to build a multitier enterprise application. Security for components is provided by their containers. A container provides two kinds of security: declarative and programmatic security.

Declarative security expresses an application component's security requirements using deployment descriptors. Deployment descriptors are external to an application, and include information that specifies how security roles and access requirements are mapped into environment-specific security roles, users, and policies. For more information about deployment descriptors, read "Using Deployment Descriptors for Declarative Security" on page 774.

Programmatic security is embedded in an application and is used to make security decisions. Programmatic security is useful when declarative security alone is not sufficient to express the security model of an application. For more information about programmatic security, read "Using Programmatic Security" on page 776.

Annotations (also called metadata) are used to specify information about security within a class file. When the application is deployed, this information can either be used by or overridden by the application deployment descriptor. For more information about annotations, read "Using Annotations" on page 775.
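As an added illustration (not code from the tutorial), the following servlet and session bean show the three mechanisms side by side: a declarative `<security-constraint>` (quoted in the comment) makes the container authenticate every caller of the URL, the `@RolesAllowed` annotation restricts the bean method to one role, and programmatic calls to `getRemoteUser` and `isUserInRole` enforce an ownership rule that no deployment descriptor can express. The role names `user` and `admin`, the `/account/*` URL pattern and the `AccountBean` are assumptions made for the example.

```java
// Added example, not from the tutorial. Assumed: role names "user" and "admin",
// the URL pattern /account/*, and the AccountBean session bean.
import java.io.IOException;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Local;
import javax.ejb.Stateless;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/*
 * Declarative security, a web.xml fragment: the container authenticates every
 * caller of /account/* before the servlet runs, so getRemoteUser() is never
 * null here. Descriptor settings can also override the annotation further down.
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>Account pages</web-resource-name>
 *       <url-pattern>/account/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint>
 *       <role-name>user</role-name><role-name>admin</role-name>
 *     </auth-constraint>
 *   </security-constraint>
 */
public class AccountServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String requested = req.getParameter("user");
        // Programmatic security: "only your own account, unless you are an admin"
        // is not a URL-to-role mapping, so the decision has to be made in code.
        String caller = req.getRemoteUser();   // populated by container authentication
        boolean ownAccount = caller != null && caller.equals(requested);
        if (!ownAccount && !req.isUserInRole("admin")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Account data for " + requested);
    }
}
@Local
interface Account { void closeAccount(String user); }
@Stateless
class AccountBean implements Account {
    // Annotation (metadata) in the class file: the container rejects callers
    // outside the admin role; ejb-jar.xml can override this at deployment.
    @RolesAllowed("admin")
    public void closeAccount(String user) { /* business logic */ }
}
```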
A Simple Security Example

The security behavior of a Java EE environment may be better understood by examining what happens in a simple application with a web client, a JSP user interface, and enterprise bean business logic.

In the following example, which is taken from JSR-244, the Java EE 5 Specification (http://www.jcp.org/en/jsr/detail?id=244), the web client relies on the web server to act as its authentication proxy by collecting user authentication data from the client and using it to establish an authenticated session.

Step 1: Initial Request

In the first step of this example, the web client requests the main application URL. This action is shown in Figure 28-1.
Overview of Java EE Security
The Java EE 5 Tutorial · September 2007
766