Line: 1 to 1 | ||||||||
---|---|---|---|---|---|---|---|---|
Added: | ||||||||
> > | http://java.sun.com/javase/6/docs/technotes/guides/security/ | |||||||
Chapter J2EE.3 of the j2ee 1.4 spec http://java.sun.com/products/j2ee/ (includes a simple example) Chapter 21 of the EJB spec http://java.sun.com/products/ejb/docs.html Chapter SRV.12 of the servlet spec http://java.sun.com/products/servlet/download.html |
Line: 1 to 1 | ||||||||
---|---|---|---|---|---|---|---|---|
Chapter J2EE.3 of the j2ee 1.4 spec http://java.sun.com/products/j2ee/ (includes a simple example) Chapter 21 of the EJB spec http://java.sun.com/products/ejb/docs.html Chapter SRV.12 of the servlet spec http://java.sun.com/products/servlet/download.html | ||||||||
Line: 6 to 6 | ||||||||
J2ee security can be implemented either as declarative (i.e. entirely in configuration files) or programmatic (i.e. implemented in code, using the Sun API's). Declarative is recommended. | ||||||||
Added: | ||||||||
> > | The Sapient j2ee framework called "Carbon" has a security module that looks pretty good. Nice intro page. | |||||||
Concepts | ||||||||
Changed: | ||||||||
< < | Subject - defined by JAAS as "any user of a computing service." Maps roughly onto Martin Fowler's idea of a "party." | |||||||
> > | Subject - defined by JAAS as "any user of a computing service." Maps roughly onto Martin Fowler's idea of a "party." http://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/Subject.html | |||||||
Changed: | ||||||||
< < | Principal - an entity that can be authenticated, in fact a name that a Subject uses to interact with a service. Each user of the system will typically have a set of Principals which they use to interact with the system. A principal has a Principal Name and Authentication Data. | |||||||
> > | Principal - an entity (person or group) that can be authenticated, in fact a name that a Subject uses to interact with a service. Each user of the system will typically have a set of Principals which they use to interact with the system. A principal has a Principal Name and Authentication Data. http://java.sun.com/j2se/1.4.2/docs/api/java/security/Principal.html | |||||||
Credentials - data or attributes used to authenticate a Principal. Sun doesn't define any specific class to represent credentials, coders can use any object they want.
Realm - a set of security policies. Users belong to one realm. The default realm always exists. | ||||||||
Changed: | ||||||||
< < | Group - a user can be a part of a J2EE group. A J2EE group's scope is the entire J2EE environment. | |||||||
> > | Group - a user can be a part of a J2EE group, which is a type of principal. A J2EE group's scope is the entire J2EE environment. http://java.sun.com/j2se/1.4.2/docs/api/java/security/acl/Group.html | |||||||
Security Role - similar to a group, but scope is only within a single application. Roles are declared in the ear file. Each Principal is mapped into one or more roles. | ||||||||
Line: 30 to 32 | ||||||||
EJBEJB security can be declarative (in ejb-jar.xml) or procedural. For procedural security seeEJBContext , especially the getCallerPrincipal() and isCallerInRole() methods here. | ||||||||
Added: | ||||||||
> > |
Implementationhttp://www.developer.com/java/ejb/article.php/3077421 - how-to using JBoss and LDAP |
Line: 1 to 1 | ||||||||
---|---|---|---|---|---|---|---|---|
Chapter J2EE.3 of the j2ee 1.4 spec http://java.sun.com/products/j2ee/ (includes a simple example) Chapter 21 of the EJB spec http://java.sun.com/products/ejb/docs.html Chapter SRV.12 of the servlet spec http://java.sun.com/products/servlet/download.html | ||||||||
Line: 6 to 6 | ||||||||
J2ee security can be implemented either as declarative (i.e. entirely in configuration files) or programmatic (i.e. implemented in code, using the Sun API's). Declarative is recommended. | ||||||||
Changed: | ||||||||
< < | Concepts | |||||||
> > | Concepts | |||||||
Subject - defined by JAAS as "any user of a computing service." Maps roughly onto Martin Fowler's idea of a "party." | ||||||||
Line: 22 to 22 | ||||||||
There are two approaches to authorization: capabilities and permissions. Capabilities are user-oriented, i.e. the user can do this or that but not the other. Permissions work the other way. i.e. for this method on this EJB, only these roles can call it. | ||||||||
Changed: | ||||||||
< < | -- TobyCabot - 30 Jul 2001 | |||||||
> > | ServletServlet security can be declarative (in web.xml) or procedural. For procedural security seeHttpServletRequest , especially the getUserPrincipal() and isUserInRole() methods here.
EJBEJB security can be declarative (in ejb-jar.xml) or procedural. For procedural security seeEJBContext , especially the getCallerPrincipal() and isCallerInRole() methods here. |
Line: 1 to 1 | ||||||||
---|---|---|---|---|---|---|---|---|
Changed: | ||||||||
< < | J2EE SecurityChapter 21 of the j2ee spec http://java.sun.com/products/j2ee/ See also JAAS http://java.sun.com/security/jaas/doc/acsac.html | |||||||
> > | Chapter J2EE.3 of the j2ee 1.4 spec http://java.sun.com/products/j2ee/ (includes a simple example) Chapter 21 of the EJB spec http://java.sun.com/products/ejb/docs.html Chapter SRV.12 of the servlet spec http://java.sun.com/products/servlet/download.html See also JAAS http://java.sun.com/products/jaas/ , overview whitepaper: http://java.sun.com/security/jaas/doc/acsac.html | |||||||
J2ee security can be implemented either as declarative (i.e. entirely in configuration files) or programmatic (i.e. implemented in code, using the Sun API's). Declarative is recommended. Concepts | ||||||||
Changed: | ||||||||
< < | Subject - defined by JAAS as "any user of a computing service." Maps roughly onto an Axia "party." | |||||||
> > | Subject - defined by JAAS as "any user of a computing service." Maps roughly onto Martin Fowler's idea of a "party." | |||||||
Changed: | ||||||||
< < | Principal - an entity that can be authenticated, in fact a name that a Subject uses to interact with a service. Each user of the system will typically have a set of Principals which they use to interact with the system. A principal has a Principal Name and Authentication Data. Maps roughly onto an Axia "alias." | |||||||
> > | Principal - an entity that can be authenticated, in fact a name that a Subject uses to interact with a service. Each user of the system will typically have a set of Principals which they use to interact with the system. A principal has a Principal Name and Authentication Data. | |||||||
Changed: | ||||||||
< < | Credentials - data or attributes used to authenticate a Principal. | |||||||
> > | Credentials - data or attributes used to authenticate a Principal. Sun doesn't define any specific class to represent credentials, coders can use any object they want. | |||||||
Realm - a set of security policies. Users belong to one realm. The default realm always exists. |
Line: 1 to 1 | ||||||||
---|---|---|---|---|---|---|---|---|
J2EE Security | ||||||||
Added: | ||||||||
> > | Chapter 21 of the j2ee spec http://java.sun.com/products/j2ee/ See also JAAS http://java.sun.com/security/jaas/doc/acsac.html | |||||||
J2ee security can be implemented either as declarative (i.e. entirely in configuration files) or programmatic (i.e. implemented in code, using the Sun API's). Declarative is recommended. Concepts | ||||||||
Changed: | ||||||||
< < | User - pretty much self-explanatory except that Java users don't map onto operating systems users. | |||||||
> > | Subject - defined by JAAS as "any user of a computing service." Maps roughly onto an Axia "party." Principal - an entity that can be authenticated, in fact a name that a Subject uses to interact with a service. Each user of the system will typically have a set of Principals which they use to interact with the system. A principal has a Principal Name and Authentication Data. Maps roughly onto an Axia "alias." Credentials - data or attributes used to authenticate a Principal. | |||||||
Realm - a set of security policies. Users belong to one realm. The default realm always exists.
Group - a user can be a part of a J2EE group. A J2EE group's scope is the entire J2EE environment. | ||||||||
Changed: | ||||||||
< < | Role - similar to a group, but scope is only within a single application. Roles are declared in the EJB jar or war file. | |||||||
> > | Security Role - similar to a group, but scope is only within a single application. Roles are declared in the ear file. Each Principal is mapped into one or more roles. | |||||||
There are two approaches to authorization: capabilities and permissions. Capabilities are user-oriented, i.e. the user can do this or that but not the other. Permissions work the other way. i.e. for this method on this EJB, only these roles can call it. |
Line: 1 to 1 | ||||||||
---|---|---|---|---|---|---|---|---|
Added: | ||||||||
> > | J2EE SecurityJ2ee security can be implemented either as declarative (i.e. entirely in configuration files) or programmatic (i.e. implemented in code, using the Sun API's). Declarative is recommended. Concepts User - pretty much self-explanatory except that Java users don't map onto operating systems users. Realm - a set of security policies. Users belong to one realm. Thedefault realm always exists.
Group - a user can be a part of a J2EE group. A J2EE group's scope is the entire J2EE environment.
Role - similar to a group, but scope is only within a single application. Roles are declared in the EJB jar or war file.
There are two approaches to authorization: capabilities and permissions. Capabilities are user-oriented, i.e. the user can do this or that but not the other. Permissions work the other way. i.e. for this method on this EJB, only these roles can call it.
-- TobyCabot - 30 Jul 2001 |