| Line: 1 to 1 | ||||||||
|---|---|---|---|---|---|---|---|---|
| Chapter J2EE.3 of the j2ee 1.4 spec http://java.sun.com/products/j2ee/ (includes a simple example) Chapter 21 of the EJB spec http://java.sun.com/products/ejb/docs.html Chapter SRV.12 of the servlet spec http://java.sun.com/products/servlet/download.html | ||||||||
| Line: 6 to 6 | ||||||||
| J2ee security can be implemented either as declarative (i.e. entirely in configuration files) or programmatic (i.e. implemented in code, using the Sun API's). Declarative is recommended. | ||||||||
| Changed: | ||||||||
| < < | Concepts | |||||||
| > > | Concepts | |||||||
| Subject - defined by JAAS as "any user of a computing service." Maps roughly onto Martin Fowler's idea of a "party." | ||||||||
| Line: 22 to 22 | ||||||||
| There are two approaches to authorization: capabilities and permissions. Capabilities are user-oriented, i.e. the user can do this or that but not the other. Permissions work the other way. i.e. for this method on this EJB, only these roles can call it. | ||||||||
| Changed: | ||||||||
| < < | -- TobyCabot - 30 Jul 2001 | |||||||
| > > | ServletServlet security can be declarative (in web.xml) or procedural. For procedural security seeHttpServletRequest, especially the getUserPrincipal() and isUserInRole() methods here.
EJBEJB security can be declarative (in ejb-jar.xml) or procedural. For procedural security seeEJBContext, especially the getCallerPrincipal() and isCallerInRole() methods here. | |||||||