| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Added: | ||||||||
| > > | http://java.sun.com/javase/6/docs/technotes/guides/security/ | |||||||
| Chapter J2EE.3 of the j2ee 1.4 spec http://java.sun.com/products/j2ee/ (includes a simple example) Chapter 21 of the EJB spec http://java.sun.com/products/ejb/docs.html Chapter SRV.12 of the servlet spec http://java.sun.com/products/servlet/download.html | ||||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Chapter J2EE.3 of the j2ee 1.4 spec http://java.sun.com/products/j2ee/ (includes a simple example) Chapter 21 of the EJB spec http://java.sun.com/products/ejb/docs.html Chapter SRV.12 of the servlet spec http://java.sun.com/products/servlet/download.html | ||||||||
| Line: 6 to 6 | ||||||||
| J2ee security can be implemented either as declarative (i.e. entirely in configuration files) or programmatic (i.e. implemented in code, using the Sun API's). Declarative is recommended. | ||||||||
| Added: | ||||||||
| > > | The Sapient j2ee framework called "Carbon" has a security module that looks pretty good. Nice intro page. | |||||||
Concepts | ||||||||
| Changed: | ||||||||
| < < | Subject - defined by JAAS as "any user of a computing service." Maps roughly onto Martin Fowler's idea of a "party." | |||||||
| > > | Subject - defined by JAAS as "any user of a computing service." Maps roughly onto Martin Fowler's idea of a "party." http://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/Subject.html | |||||||
| Changed: | ||||||||
| < < | Principal - an entity that can be authenticated, in fact a name that a Subject uses to interact with a service. Each user of the system will typically have a set of Principals which they use to interact with the system. A principal has a Principal Name and Authentication Data. | |||||||
| > > | Principal - an entity (person or group) that can be authenticated, in fact a name that a Subject uses to interact with a service. Each user of the system will typically have a set of Principals which they use to interact with the system. A principal has a Principal Name and Authentication Data. http://java.sun.com/j2se/1.4.2/docs/api/java/security/Principal.html | |||||||
Credentials - data or attributes used to authenticate a Principal. Sun doesn't define any specific class to represent credentials, coders can use any object they want.
Realm - a set of security policies. Users belong to one realm. The default realm always exists. | ||||||||
| Changed: | ||||||||
| < < | Group - a user can be a part of a J2EE group. A J2EE group's scope is the entire J2EE environment. | |||||||
| > > | Group - a user can be a part of a J2EE group, which is a type of principal. A J2EE group's scope is the entire J2EE environment. http://java.sun.com/j2se/1.4.2/docs/api/java/security/acl/Group.html | |||||||
| Security Role - similar to a group, but scope is only within a single application. Roles are declared in the ear file. Each Principal is mapped into one or more roles. | ||||||||
| Line: 30 to 32 | ||||||||
EJBEJB security can be declarative (in ejb-jar.xml) or procedural. For procedural security seeEJBContext, especially the getCallerPrincipal() and isCallerInRole() methods here. | ||||||||
| Added: | ||||||||
| > > |
Implementationhttp://www.developer.com/java/ejb/article.php/3077421 - how-to using JBoss and LDAP | |||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Chapter J2EE.3 of the j2ee 1.4 spec http://java.sun.com/products/j2ee/ (includes a simple example) Chapter 21 of the EJB spec http://java.sun.com/products/ejb/docs.html Chapter SRV.12 of the servlet spec http://java.sun.com/products/servlet/download.html | ||||||||
| Line: 6 to 6 | ||||||||
| J2ee security can be implemented either as declarative (i.e. entirely in configuration files) or programmatic (i.e. implemented in code, using the Sun API's). Declarative is recommended. | ||||||||
| Changed: | ||||||||
| < < | Concepts | |||||||
| > > | Concepts | |||||||
| Subject - defined by JAAS as "any user of a computing service." Maps roughly onto Martin Fowler's idea of a "party." | ||||||||
| Line: 22 to 22 | ||||||||
| There are two approaches to authorization: capabilities and permissions. Capabilities are user-oriented, i.e. the user can do this or that but not the other. Permissions work the other way. i.e. for this method on this EJB, only these roles can call it. | ||||||||
| Changed: | ||||||||
| < < | -- TobyCabot - 30 Jul 2001 | |||||||
| > > | ServletServlet security can be declarative (in web.xml) or procedural. For procedural security seeHttpServletRequest, especially the getUserPrincipal() and isUserInRole() methods here.
EJBEJB security can be declarative (in ejb-jar.xml) or procedural. For procedural security seeEJBContext, especially the getCallerPrincipal() and isCallerInRole() methods here. | |||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Changed: | ||||||||
| < < | J2EE SecurityChapter 21 of the j2ee spec http://java.sun.com/products/j2ee/ See also JAAS http://java.sun.com/security/jaas/doc/acsac.html | |||||||
| > > | Chapter J2EE.3 of the j2ee 1.4 spec http://java.sun.com/products/j2ee/ (includes a simple example) Chapter 21 of the EJB spec http://java.sun.com/products/ejb/docs.html Chapter SRV.12 of the servlet spec http://java.sun.com/products/servlet/download.html See also JAAS http://java.sun.com/products/jaas/ , overview whitepaper: http://java.sun.com/security/jaas/doc/acsac.html | |||||||
| J2ee security can be implemented either as declarative (i.e. entirely in configuration files) or programmatic (i.e. implemented in code, using the Sun API's). Declarative is recommended. Concepts | ||||||||
| Changed: | ||||||||
| < < | Subject - defined by JAAS as "any user of a computing service." Maps roughly onto an Axia "party." | |||||||
| > > | Subject - defined by JAAS as "any user of a computing service." Maps roughly onto Martin Fowler's idea of a "party." | |||||||
| Changed: | ||||||||
| < < | Principal - an entity that can be authenticated, in fact a name that a Subject uses to interact with a service. Each user of the system will typically have a set of Principals which they use to interact with the system. A principal has a Principal Name and Authentication Data. Maps roughly onto an Axia "alias." | |||||||
| > > | Principal - an entity that can be authenticated, in fact a name that a Subject uses to interact with a service. Each user of the system will typically have a set of Principals which they use to interact with the system. A principal has a Principal Name and Authentication Data. | |||||||
| Changed: | ||||||||
| < < | Credentials - data or attributes used to authenticate a Principal. | |||||||
| > > | Credentials - data or attributes used to authenticate a Principal. Sun doesn't define any specific class to represent credentials, coders can use any object they want. | |||||||
Realm - a set of security policies. Users belong to one realm. The default realm always exists. | ||||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
J2EE Security | ||||||||
| Added: | ||||||||
| > > | Chapter 21 of the j2ee spec http://java.sun.com/products/j2ee/ See also JAAS http://java.sun.com/security/jaas/doc/acsac.html | |||||||
| J2ee security can be implemented either as declarative (i.e. entirely in configuration files) or programmatic (i.e. implemented in code, using the Sun API's). Declarative is recommended. Concepts | ||||||||
| Changed: | ||||||||
| < < | User - pretty much self-explanatory except that Java users don't map onto operating systems users. | |||||||
| > > | Subject - defined by JAAS as "any user of a computing service." Maps roughly onto an Axia "party." Principal - an entity that can be authenticated, in fact a name that a Subject uses to interact with a service. Each user of the system will typically have a set of Principals which they use to interact with the system. A principal has a Principal Name and Authentication Data. Maps roughly onto an Axia "alias." Credentials - data or attributes used to authenticate a Principal. | |||||||
Realm - a set of security policies. Users belong to one realm. The default realm always exists.
Group - a user can be a part of a J2EE group. A J2EE group's scope is the entire J2EE environment. | ||||||||
| Changed: | ||||||||
| < < | Role - similar to a group, but scope is only within a single application. Roles are declared in the EJB jar or war file. | |||||||
| > > | Security Role - similar to a group, but scope is only within a single application. Roles are declared in the ear file. Each Principal is mapped into one or more roles. | |||||||
| There are two approaches to authorization: capabilities and permissions. Capabilities are user-oriented, i.e. the user can do this or that but not the other. Permissions work the other way. i.e. for this method on this EJB, only these roles can call it. | ||||||||
| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Added: | ||||||||
| > > | J2EE SecurityJ2ee security can be implemented either as declarative (i.e. entirely in configuration files) or programmatic (i.e. implemented in code, using the Sun API's). Declarative is recommended. Concepts User - pretty much self-explanatory except that Java users don't map onto operating systems users. Realm - a set of security policies. Users belong to one realm. Thedefault realm always exists.
Group - a user can be a part of a J2EE group. A J2EE group's scope is the entire J2EE environment.
Role - similar to a group, but scope is only within a single application. Roles are declared in the EJB jar or war file.
There are two approaches to authorization: capabilities and permissions. Capabilities are user-oriented, i.e. the user can do this or that but not the other. Permissions work the other way. i.e. for this method on this EJB, only these roles can call it.
-- TobyCabot - 30 Jul 2001 | |||||||