Overview of Web Application Security
In the Java EE platform, web components provide the dynamic extension capabilities for a web server. Web components are either Java servlets, JSP pages, JSF pages, or web service endpoints. The interaction between a web client and a web application is illustrated in Figure 30-1.

Web components are supported by the services of a runtime platform called a web container. A web container provides services such as request dispatching, security, concurrency, and life-cycle management.

Certain aspects of web application security can be configured when the application is installed, or deployed, to the web container. Annotations and/or deployment descriptors are used to relay information to the deployer about security and other aspects of the application. Specifying this information in annotations or in the deployment descriptor helps the deployer set up the appropriate security policy for the web application. Any values explicitly specified in the deployment descriptor override any values specified in annotations. This chapter provides more information on configuring security for web applications.

For secure transport, most web applications use the HTTPS protocol. For more information on using the HTTPS protocol, read "Establishing a Secure Connection Using SSL" on page 785.
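As an added example (not from the tutorial), a Servlet 2.5 deployment descriptor for a hypothetical `ReportServlet` that combines the mechanisms described above: a container-enforced security constraint with an HTTPS transport guarantee, and a `<run-as>` element that overrides an assumed `@RunAs("auditor")` annotation on the servlet class. The class name, URL pattern and role names are assumptions.

```xml
<!-- web.xml (Servlet 2.5) for a hypothetical ReportServlet; the class is assumed
     to carry @DeclareRoles({"admin", "auditor"}) and @RunAs("auditor") -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
  <servlet>
    <servlet-name>ReportServlet</servlet-name>
    <servlet-class>example.ReportServlet</servlet-class>
    <!-- Explicit descriptor value: overrides the @RunAs("auditor") annotation,
         so calls this servlet makes to other components run as "report-reader" -->
    <run-as>
      <role-name>report-reader</role-name>
    </run-as>
  </servlet>
  <servlet-mapping>
    <servlet-name>ReportServlet</servlet-name>
    <url-pattern>/reports/*</url-pattern>
  </servlet-mapping>
  <!-- Container-enforced policy for /reports/*: only "admin" may reach it, and only
       over HTTPS. No <http-method> is listed on purpose: naming methods would
       leave every unlisted method (HEAD, PUT, ...) unconstrained. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- CONFIDENTIAL: plain-HTTP requests are not served as-is; containers
           typically redirect them to the HTTPS port -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Reports</realm-name>
  </login-config>
  <!-- Roles used in this descriptor are declared here (the annotation may also
       declare them); the deployer maps them to users or groups at deploy time -->
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>auditor</role-name></security-role>
  <security-role><role-name>report-reader</role-name></security-role>
</web-app>
```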
FIGURE 30-1 Java Web Application Request Handling

[Figure 30-1 shows the Web Client sending an HTTP Request to the Web Server and receiving an HTTP Response; within the server, the HttpServletRequest and HttpServletResponse are handled by Web Components and JavaBeans Components (steps numbered 1 to 6 in the original figure).]
The Java EE 5 Tutorial · September 2007
840