
Securing Java EE Applications

Java EE applications are made up of components that can be deployed into different containers.
These components are used to build multitier enterprise applications. Security services are
provided by the component container and can be implemented using declarative or
programmatic techniques. Java EE security services provide a robust and easily configured
security mechanism for authenticating users and authorizing access to application functions
and associated data. Java EE security services are separate from the security mechanisms of the
operating system.

The ways to implement Java EE security services are discussed in a general way in "Securing
Containers" on page 774. This chapter provides more detail and a few examples that explore
these security services as they relate to Java EE components. Java EE security services can be
implemented in the following ways:

- Metadata annotations (or simply, annotations) enable a declarative style of programming.
  Users can specify information about security within a class file using annotations. When the
  application is deployed, this information can either be used by or overridden by the
  application deployment descriptor.

- Declarative security expresses an application's security structure, including security roles,
  access control, and authentication requirements in a deployment descriptor, which is
  external to the application.

  Any values explicitly specified in the deployment descriptor override any values specified in
  annotations.

- Programmatic security is embedded in an application and is used to make security decisions.
  Programmatic security is useful when declarative security alone is not sufficient to express
  the security model of an application.

Some of the material in this chapter assumes that you have already read Chapter 28,
"Introduction to Security in the Java EE Platform."
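
The three approaches listed above, combined in one enterprise bean, as an added example that is not code from the original chapter. The class name `PayrollBean`, the roles `clerk` and `manager`, and the 10000 limit are assumptions made for illustration.

```java
import java.math.BigDecimal;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

/*
 * Added example; PayrollBean, the role names and CLERK_LIMIT are assumptions.
 *
 * Declarative form, external to the class (ejb-jar.xml). If this element is deployed,
 * it overrides the @RolesAllowed list on adjustSalary, so only "manager" may call it:
 *
 *   <assembly-descriptor>
 *     <method-permission>
 *       <role-name>manager</role-name>
 *       <method>
 *         <ejb-name>PayrollBean</ejb-name>
 *         <method-name>adjustSalary</method-name>
 *       </method>
 *     </method-permission>
 *   </assembly-descriptor>
 */
@Stateless
@DeclareRoles({"clerk", "manager"}) // roles used by the annotations and by isCallerInRole
public class PayrollBean {

    private static final BigDecimal CLERK_LIMIT = new BigDecimal("10000");

    @Resource
    private SessionContext ctx; // injected by the EJB container

    // Annotation: the container rejects callers outside these roles before the body runs.
    @RolesAllowed({"clerk", "manager"})
    public String adjustSalary(String employeeId, BigDecimal newSalary) {
        if (employeeId == null || newSalary == null || newSalary.signum() < 0) {
            throw new IllegalArgumentException("employeeId and a non-negative salary are required");
        }
        // Programmatic: a rule that depends on the argument value cannot be written as a
        // role list, so the bean asks the container about the caller at run time.
        if (newSalary.compareTo(CLERK_LIMIT) > 0 && !ctx.isCallerInRole("manager")) {
            throw new SecurityException("only a manager may set a salary above " + CLERK_LIMIT);
        }
        // Audit record naming the authenticated caller; persistence is out of scope here.
        return ctx.getCallerPrincipal().getName() + " set " + employeeId + " to " + newSalary;
    }
}
```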