Securing Containers
Message-Layer Security
In message-layer security, security information is contained within the SOAP message and/or SOAP message attachment, which allows security information to travel along with the message or attachment. For example, a portion of the message may be signed by a sender and encrypted for a particular receiver. When the message is sent from the initial sender, it may pass through intermediate nodes before reaching its intended receiver. In this scenario, the encrypted portions continue to be opaque to any intermediate nodes and can only be decrypted by the intended receiver. For this reason, message-layer security is also sometimes referred to as end-to-end security.
The advantages of message-layer security include the following:
- Security stays with the message over all hops and after the message arrives at its destination.
- Security can be selectively applied to different portions of a message (and to attachments if using XWSS).
- Message security can be used with intermediaries over multiple hops.
- Message security is independent of the application environment or transport protocol.
The disadvantage of using message-layer security is that it is relatively complex and adds some overhead to processing.

The Application Server supports message security. It uses Web Services Security (WSS) to secure messages. Because this message security is specific to the Application Server and not a part of the Java EE platform, this tutorial does not discuss using WSS to secure messages. See the Sun Java System Application Server 9.1 Administration Guide and Sun Java System Application Server 9.1 Developer's Guide for more information.
Securing Containers
In Java EE, the component containers are responsible for providing application security. A container provides two types of security: declarative and programmatic. The following sections discuss these concepts in more detail.
Using Deployment Descriptors for Declarative Security
Declarative security expresses an application component's security requirements using deployment descriptors. A deployment descriptor is an XML document with an .xml extension that describes the deployment settings of an application, a module, or a component. Because deployment descriptor information is declarative, it can be changed without the need to modify the source code. At runtime, the Java EE server reads the deployment descriptor and acts upon the application, module, or component accordingly.
The Java EE 5 Tutorial · September 2007