The Caboteria
JavaJ2eeSecurityNotes (19 Jun 2008, TobyCabot)
References:
   * Java SE 6 security guides: http://java.sun.com/javase/6/docs/technotes/guides/security/
   * Chapter J2EE.3 of the J2EE 1.4 spec: http://java.sun.com/products/j2ee/ (includes a simple example)
   * Chapter 21 of the EJB spec: http://java.sun.com/products/ejb/docs.html
   * Chapter SRV.12 of the servlet spec: http://java.sun.com/products/servlet/download.html
   * See also JAAS: http://java.sun.com/products/jaas/ and the overview whitepaper: http://java.sun.com/security/jaas/doc/acsac.html

J2EE security can be implemented either as *declarative* (i.e. entirely in the deployment descriptors, =web.xml= and =ejb-jar.xml=) or *programmatic* (i.e. implemented in code, using the Sun APIs). Declarative is recommended: the rules sit in one place, can be audited without reading the code, and are enforced by the container before any application code runs. Programmatic checks are only needed for decisions the container can't express, e.g. "a user may edit only their own records".

The Sapient J2EE framework called "Carbon" has a [[http://carbon.sourceforge.net/modules/security/docs/index.html][security module]] that looks pretty good. Nice intro page.

---+ Concepts

   * *Subject* - defined by JAAS as "any user of a computing service." Maps roughly onto Martin Fowler's idea of a "party." A Subject carries a set of Principals plus its credentials. http://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/Subject.html
   * *Principal* - an entity (person or group) that can be authenticated; in effect a name that a Subject uses to interact with a service. Each user of the system will typically have several Principals (a login name, an employee number, a group membership) which they use to interact with the system. A principal has a _Principal Name_ and _Authentication Data_. http://java.sun.com/j2se/1.4.2/docs/api/java/security/Principal.html
   * *Credentials* - data or attributes used to authenticate a Principal (a password, a certificate, a Kerberos ticket). Sun doesn't define any specific class to represent credentials; coders can use any object they want. JAAS keeps them on the Subject in separate public and private credential sets.
   * *Realm* - a collection of users and groups that are governed by the same authentication policy (how, and against which store, they are authenticated). A user belongs to one realm. The =default= realm always exists.
   * *Group* - a user can be a part of a J2EE group, which is a type of principal. A J2EE group's scope is the entire J2EE environment (the whole server), not one application. http://java.sun.com/j2se/1.4.2/docs/api/java/security/acl/Group.html
   * *Security Role* - similar to a group, but its scope is a single application. Roles are declared in the descriptors packaged in the ear file, and the deployer maps them to real users and groups of the realm at deployment time.
Each Principal (or group) is mapped onto one or more roles at deployment time; descriptors and code only ever refer to roles, never to concrete users. There are two approaches to authorization: *capabilities* and *permissions*. Capabilities are user-oriented, i.e. the user can do this or that but not the other. Permissions work the other way round, i.e. they are attached to the resource: for this method on this EJB, only these roles can call it. J2EE's declarative model (=security-constraint= in =web.xml=, =method-permission= in =ejb-jar.xml=) is permission-style.

---+ Servlet

Servlet security can be declarative (in =web.xml=) or programmatic. Declarative security is a set of =security-constraint= elements tying URL patterns (and optionally HTTP methods) to roles, plus a =login-config= saying how users authenticate (BASIC, FORM, DIGEST or CLIENT-CERT). Two things to check in a =web.xml=:
   * If a =security-constraint= lists =http-method= elements, only those methods are protected; every method not listed is left unconstrained. Leave the =http-method= list out unless you really mean to protect only some methods.
   * A constraint with an empty =auth-constraint= element (=<auth-constraint/>=) denies everyone, while a constraint with no =auth-constraint= at all allows everyone. The two are easily confused.
For programmatic security see =HttpServletRequest=, especially the =getUserPrincipal()= and =isUserInRole()= methods [[http://java.sun.com/j2ee/sdk_1.3/techdocs/api/javax/servlet/http/HttpServletRequest.html][here]]. =getUserPrincipal()= returns =null= when nobody has authenticated, so code that calls it must handle that case. The role name passed to =isUserInRole()= can be mapped to a declared role with a =security-role-ref= element in =web.xml=; if no such reference exists the container checks the name directly against the application's =security-role= declarations.

---+ EJB

EJB security can be declarative (in =ejb-jar.xml=: =method-permission= elements listing which roles may call which methods, plus =security-role= declarations) or programmatic. For programmatic security see =EJBContext=, especially the =getCallerPrincipal()= and =isCallerInRole()= methods [[http://java.sun.com/j2ee/sdk_1.3/techdocs/api/javax/ejb/EJBContext.html][here]]. Unlike the servlet API, =getCallerPrincipal()= never returns =null=: for an unauthenticated caller the container supplies its own "anonymous" principal, so a =null= check is not a usable test for "not logged in". As with servlets, a =security-role-ref= in the descriptor maps the role name used in code to a declared role.

---+ Implementation

http://www.developer.com/java/ejb/article.php/3077421 - how-to using JBoss and LDAP
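The programmatic checks from the Servlet and EJB sections above, as an added example written for these notes (not code from the original page or the linked specs). It assumes the Servlet 2.4 and EJB 3.0 APIs, a =web.xml= that declares the role "administrator" with a =security-role-ref= linking the code name "admins" to it, and an "owner may act on their own account" rule that the container cannot express declaratively. Class and role names are assumptions; the owner look-up is stubbed, everything else is real API. The two classes are shown as separate source files.

```java
// --- file AccountServlet.java (added example, not from the original page) ---
package example;

import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class AccountServlet extends HttpServlet {
    // A security-constraint on this URL in web.xml decides whether the caller
    // is authenticated at all; the checks below add the rule the container
    // cannot express: a user may view only their own account.
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Principal user = req.getUserPrincipal();
        if (user == null) {
            // Only reachable if the URL is not covered by a security-constraint.
            // Never assume the container has authenticated the caller.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String requested = req.getParameter("account");   // account to display
        // "admins" is the security-role-ref name, linked to the declared role
        // "administrator" in web.xml (assumed mapping).
        boolean isAdmin = req.isUserInRole("admins");
        boolean isOwner = user.getName().equals(requested);
        if (!isAdmin && !isOwner) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Plain text, so the echoed parameter cannot be interpreted as HTML.
        resp.setContentType("text/plain");
        resp.getWriter().println("Account " + requested
                + " viewed by " + user.getName());
    }
}

// --- file AccountBean.java (added example, not from the original page) ---
package example;

import java.security.Principal;
import javax.annotation.Resource;
import javax.ejb.EJBAccessException;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Local
interface Account {
    void close(String accountId);
}

@Stateless
public class AccountBean implements Account {
    @Resource
    private SessionContext ctx;   // injected by the container (EJB 3.0)

    public void close(String accountId) {
        // Per the EJB spec this is never null: an unauthenticated caller gets a
        // container-defined anonymous principal, so test roles, not null.
        Principal caller = ctx.getCallerPrincipal();
        boolean isAdmin = ctx.isCallerInRole("administrator");
        boolean isOwner = caller.getName().equals(ownerOf(accountId));
        if (!isAdmin && !isOwner) {
            // Rolls back the transaction and reaches the client as an
            // access-denied failure rather than silently returning.
            throw new EJBAccessException(caller.getName()
                    + " may not close account " + accountId);
        }
        // ... close the account ...
    }

    private String ownerOf(String accountId) {
        // Owner look-up stubbed for the example; a real bean would query it.
        return "alice";
    }
}
```

Both classes follow the same pattern: the container's declarative rules handle "is this caller allowed near this resource at all", and the programmatic calls handle the one relation (caller versus account owner) that only the code can see. A =security-role-ref= in =ejb-jar.xml= can map the string "administrator" used in =AccountBean= to a differently named declared role, exactly as the servlet's "admins" is mapped in =web.xml=.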