J2EE Security

J2EE security can be implemented either declaratively (i.e. entirely in configuration files, the deployment descriptors) or programmatically (i.e. implemented in code, using the Sun APIs). The declarative approach is recommended.

Concepts

User - pretty much self-explanatory, except that J2EE users don't map onto operating system users.

Realm - a set of security policies. Users belong to one realm. The default realm always exists.

Group - a user can be a part of a J2EE group. A J2EE group's scope is the entire J2EE environment.

Role - similar to a group, but its scope is only a single application. Roles are declared in the EJB JAR or WAR file.

There are two approaches to authorization: capabilities and permissions. Capabilities are user-oriented, i.e. the user can do this or that but not the other. Permissions work the other way round, i.e. for this method on this EJB, only these roles can call it.

-- TobyCabot - 30 Jul 2001


Topic revision: r1 - 30 Jul 2001 - TobyCabot