Line: 1 to 1
Chapter J2EE.3 of the J2EE 1.4 spec http://java.sun.com/products/j2ee/ (includes a simple example)
Chapter 21 of the EJB spec http://java.sun.com/products/ejb/docs.html
Chapter SRV.12 of the servlet spec http://java.sun.com/products/servlet/download.html
Line: 6 to 6
J2EE security can be implemented either declaratively (i.e. entirely in configuration files) or programmatically (i.e. in code, using the Sun APIs). Declarative is recommended.
Changed:
< < Concepts
> > Concepts
Subject - defined by JAAS as "any user of a computing service." Maps roughly onto Martin Fowler's idea of a "party."
Line: 22 to 22
There are two approaches to authorization: capabilities and permissions. Capabilities are user-oriented, i.e. the user can do this or that but not the other. Permissions work the other way, i.e. for this method on this EJB, only these roles can call it.
Changed:
< < -- TobyCabot - 30 Jul 2001
> > Servlet
Servlet security can be declarative (in web.xml) or procedural. For procedural security see HttpServletRequest, especially the getUserPrincipal() and isUserInRole() methods here.

EJB
EJB security can be declarative (in ejb-jar.xml) or procedural. For procedural security see EJBContext, especially the getCallerPrincipal() and isCallerInRole() methods here.
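
An added example (not part of the original wiki page) of the procedural servlet checks named above, used for an instance-level rule that a role-based URL constraint in web.xml cannot express. It assumes the servlet API is on the classpath and that the container performs authentication; `TimesheetServlet`, the `manager` role and the `owner` parameter are hypothetical names.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: the class name, the "manager" role and the "owner"
// parameter are illustration names, not taken from the page or the specs.
public class TimesheetServlet extends HttpServlet {

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // getUserPrincipal() returns null when the container has not
        // authenticated the caller, so check before dereferencing it.
        Principal caller = req.getUserPrincipal();
        if (caller == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        String owner = req.getParameter("owner");
        if (owner == null || owner.length() == 0) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Instance-level rule: callers may read their own timesheet,
        // and only callers in the manager role may read anyone else's.
        // The role name is resolved through the roles declared in web.xml.
        boolean isOwner = owner.equals(caller.getName());
        boolean isManager = req.isUserInRole("manager");
        if (!isOwner && !isManager) {
            // Deny by default and record who was refused.
            log("denied timesheet read: caller=" + caller.getName());
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // The request parameter is deliberately not echoed in the response.
        resp.setContentType("text/plain");
        resp.getWriter().println("access granted");
    }
}
```

The coarse rule (only authenticated users reach this URL at all) still belongs in a declarative constraint in web.xml; the code adds only the per-record decision.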