Difference: JavaJ2eeSecurityNotes (1 vs. 2)

Revision 230 Jul 2001 - TobyCabot

  J2EE Security
->
>
+Chapter 21 of the j2ee spec http://java.sun.com/products/j2ee/

See also JAAS http://java.sun.com/security/jaas/doc/acsac.html
 J2ee security can be implemented either as declarative (i.e. entirely in configuration files) or programmatic (i.e. implemented in code, using the Sun API's).  Declarative is recommended.

Concepts
-<
<
+User - pretty much self-explanatory except that Java users don't map onto operating systems users.
->
>
+Subject - defined by JAAS as "any user of a computing service."  Maps roughly onto an Axia "party."

Principal - an entity that can be authenticated, in fact a name that a Subject uses to interact with a service.  Each user of the system will typically have a set of Principals which they use to interact with the system.  A principal has a Principal Name and Authentication Data.  Maps roughly onto an Axia "alias."

Credentials - data or attributes used to authenticate a Principal.
 Realm - a set of security policies.  Users belong to one realm.  The default realm always exists.

Group - a user can be a part of a J2EE group.  A J2EE group's scope is the entire J2EE environment.
-<
<
+Role - similar to a group, but scope is only within a single application.  Roles are declared in the EJB jar or war file.
->
>
+Security Role - similar to a group, but scope is only within a single application.  Roles are declared in the ear file.  Each Principal is mapped into one or more roles.
 There are two approaches to authorization: capabilities and permissions.  Capabilities are user-oriented, i.e. the user can do this or that but not the other.  Permissions work the other way. i.e. for this method on this EJB, only these roles can call it.

Revision 130 Jul 2001 - TobyCabot

Line: 1 to 1

Line: 1 to 1
Added:
> >	J2EE Security J2ee security can be implemented either as declarative (i.e. entirely in configuration files) or programmatic (i.e. implemented in code, using the Sun API's). Declarative is recommended. Concepts User - pretty much self-explanatory except that Java users don't map onto operating systems users. Realm - a set of security policies. Users belong to one realm. The `default` realm always exists. Group - a user can be a part of a J2EE group. A J2EE group's scope is the entire J2EE environment. Role - similar to a group, but scope is only within a single application. Roles are declared in the EJB jar or war file. There are two approaches to authorization: capabilities and permissions. Capabilities are user-oriented, i.e. the user can do this or that but not the other. Permissions work the other way. i.e. for this method on this EJB, only these roles can call it. -- TobyCabot - 30 Jul 2001

Added:

>
>

J2EE Security

J2ee security can be implemented either as declarative (i.e. entirely in configuration files) or programmatic (i.e. implemented in code, using the Sun API's). Declarative is recommended.

Concepts

User - pretty much self-explanatory except that Java users don't map onto operating systems users.

Realm - a set of security policies. Users belong to one realm. The default realm always exists.

Group - a user can be a part of a J2EE group. A J2EE group's scope is the entire J2EE environment.

Role - similar to a group, but scope is only within a single application. Roles are declared in the EJB jar or war file.

There are two approaches to authorization: capabilities and permissions. Capabilities are user-oriented, i.e. the user can do this or that but not the other. Permissions work the other way. i.e. for this method on this EJB, only these roles can call it.

-- TobyCabot - 30 Jul 2001

View topic | History: r6 < r5 < r4 < r3 | More topic actions...