http://java.sun.com/javase/6/docs/technotes/guides/security/
Chapter J2EE.3 of the J2EE 1.4 spec: http://java.sun.com/products/j2ee/ (includes a simple example)
Chapter 21 of the EJB spec: http://java.sun.com/products/ejb/docs.html
Chapter SRV.12 of the servlet spec: http://java.sun.com/products/servlet/download.html
See also JAAS: http://java.sun.com/products/jaas/ ; overview whitepaper: http://java.sun.com/security/jaas/doc/acsac.html
J2EE security can be implemented either as declarative (i.e. entirely in configuration files) or programmatic (i.e. implemented in code, using the Sun APIs). Declarative is recommended.
The Sapient J2EE framework called "Carbon" has a security module that looks pretty good. Nice intro page.
Concepts
Subject - defined by JAAS as "any user of a computing service." Maps roughly onto Martin Fowler's idea of a "party."
http://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/Subject.html
Principal - an entity (person or group) that can be authenticated; in effect, a name that a Subject uses to interact with a service. Each user of the system will typically have a set of Principals which they use to interact with the system. A principal has a Principal Name and Authentication Data.
http://java.sun.com/j2se/1.4.2/docs/api/java/security/Principal.html
Credentials - data or attributes used to authenticate a Principal. Sun doesn't define any specific class to represent credentials, coders can use any object they want.
Realm - a set of security policies. Users belong to one realm. The default realm always exists.
Group - a user can be a part of a J2EE group, which is a type of principal. A J2EE group's scope is the entire J2EE environment.
http://java.sun.com/j2se/1.4.2/docs/api/java/security/acl/Group.html
Security Role - similar to a group, but scope is only within a single application. Roles are declared in the ear file. Each Principal is mapped into one or more roles.
There are two approaches to authorization: capabilities and permissions. Capabilities are user-oriented, i.e. the user can do this or that but not the other. Permissions work the other way round, i.e. for this method on this EJB, only these roles can call it.
Servlet
Servlet security can be declarative (in web.xml) or procedural. For procedural security see HttpServletRequest, especially the getUserPrincipal() and isUserInRole() methods.
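An added example (not from the page or the servlet spec) of the procedural side next to its declarative equivalent. ReportServlet, the role name "auditor" and the URL pattern are assumed names; the web.xml fragment in the leading comment is what the container would enforce on its own, and the code shows the same decision made with getUserPrincipal() and isUserInRole(). Deploy the class in a web application that declares the security-role shown.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Declarative equivalent (assumed names) in web.xml. The container enforces this
 * before the servlet is invoked, so doGet() never sees an unauthorized request:
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>reports</web-resource-name>
 *       <url-pattern>/reports/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint><role-name>auditor</role-name></auth-constraint>
 *   </security-constraint>
 *   <login-config><auth-method>BASIC</auth-method><realm-name>reports</realm-name></login-config>
 *   <security-role><role-name>auditor</role-name></security-role>
 */
public class ReportServlet extends HttpServlet {
    // Role name as used in code. A <security-role-ref> in web.xml links it to a declared
    // <security-role>; here the two names are assumed to be identical.
    private static final String ROLE_AUDITOR = "auditor";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Null means the container has not authenticated this request, which happens
        // when no security-constraint covers the URL or login has not taken place.
        Principal user = req.getUserPrincipal();
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // isUserInRole() asks the container whether the authenticated principal is
        // mapped (via the realm's principal-to-role mapping) onto the named role.
        if (!req.isUserInRole(ROLE_AUDITOR)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Confidential report for " + user.getName());
    }
}
```

The programmatic check is worth keeping even with the security-constraint in place: it fails closed if the URL pattern is later changed or the servlet is mapped under a second path that the constraint does not cover.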
EJB
EJB security can be declarative (in ejb-jar.xml) or procedural. For procedural security see EJBContext, especially the getCallerPrincipal() and isCallerInRole() methods.
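The EJB counterpart, again as an added example rather than code from the page or the EJB spec: an EJB 2.1 session bean class (PayrollBean, role "payroll-manager" and the method-permission in the comment are assumed names; the home and component interfaces are omitted) that uses getCallerPrincipal() and isCallerInRole() for a rule the declarative method-permission cannot express, namely that a manager may not approve their own salary.

```java
import java.security.Principal;
import javax.ejb.CreateException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

/*
 * Declarative equivalent (assumed names) in ejb-jar.xml. The container checks the
 * <method-permission> before the method runs; <security-role-ref> would link a role
 * name used in code to the declared role if the two differed:
 *
 *   <assembly-descriptor>
 *     <security-role><role-name>payroll-manager</role-name></security-role>
 *     <method-permission>
 *       <role-name>payroll-manager</role-name>
 *       <method><ejb-name>PayrollBean</ejb-name><method-name>approveSalary</method-name></method>
 *     </method-permission>
 *   </assembly-descriptor>
 */
public class PayrollBean implements SessionBean {
    private static final String ROLE_MANAGER = "payroll-manager";
    private SessionContext ctx;

    // The container hands the bean its EJBContext here; the security methods live on it.
    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }
    public void ejbCreate() throws CreateException { }
    public void ejbRemove() { }
    public void ejbActivate() { }
    public void ejbPassivate() { }

    // Business method. The role check duplicates the method-permission (defence in depth);
    // the self-approval rule depends on the arguments, so only code can enforce it.
    public String approveSalary(String employeeId, double amount) {
        // The EJB spec forbids the container from returning null here; an unauthenticated
        // caller is represented by a container-defined principal instead.
        Principal caller = ctx.getCallerPrincipal();
        if (!ctx.isCallerInRole(ROLE_MANAGER)) {
            throw new SecurityException(caller.getName() + " is not in role " + ROLE_MANAGER);
        }
        if (caller.getName().equals(employeeId)) {
            throw new SecurityException(caller.getName() + " may not approve their own salary");
        }
        // Receipt returned to the caller; a real bean would persist the approval.
        return caller.getName() + " approved " + amount + " for " + employeeId;
    }
}
```

A SecurityException is a system exception to the container: it discards the bean instance and surfaces the failure to the client as a RemoteException (remote view) or EJBException (local view), so the caller never receives a partial result.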
Implementation
http://www.developer.com/java/ejb/article.php/3077421 - how-to using JBoss and LDAP