background image

Characteristics of Application Security

<< Security Functions | Security Implementation Mechanisms >>
<< Security Functions | Security Implementation Mechanisms >>

Characteristics of Application Security

Ideally, properly implemented security mechanisms will also provide the following
functionality:
Easy to administer
Transparent to system users
Interoperable across application and enterprise boundaries
Characteristics of Application Security
Java EE applications consist of components that can contain both protected and unprotected
resources. Often, you need to protect resources to ensure that only authorized users have access.
Authorization provides controlled access to protected resources. Authorization is based on
identification and authentication. Identification is a process that enables recognition of an entity
by a system, and authentication is a process that verifies the identity of a user, device, or other
entity in a computer system, usually as a prerequisite to allowing access to resources in a system.
Authorization and authentication are not required for an entity to access unprotected
resources. Accessing a resource without authentication is referred to as unauthenticated or
anonymous access.
These and several other well-defined characteristics of application security that, when properly
addressed, help to minimize the security threats faced by an enterprise, include the following:
Authentication
: The means by which communicating entities (for example, client and
server) prove to one another that they are acting on behalf of specific identities that are
authorized for access. This ensures that users are who they say they are.
Authorization
, or Access Control: The means by which interactions with resources are
limited to collections of users or programs for the purpose of enforcing integrity,
confidentiality, or availability constraints. This ensures that users have permission to
perform operations or access data.
Data integrity
: The means used to prove that information has not been modified by a third
party (some entity other than the source of the information). For example, a recipient of
data sent over an open network must be able to detect and discard messages that were
modified after they were sent. This ensures that only authorized users can modify data.
Confidentiality
or Data Privacy: The means used to ensure that information is made
available only to users who are authorized to access it. This ensures that only authorized
users can view sensitive data.
Non-repudiation
: The means used to prove that a user performed some action such that the
user cannot reasonably deny having done so. This ensures that transactions can be proven to
have happened.
Quality of Service (QoS)
: The means used to provide better service to selected network
traffic over various technologies.
Overview of Java EE Security
The Java EE 5 Tutorial · September 2007
770