J2EE Security
Chapter 21 of the J2EE spec
http://java.sun.com/products/j2ee/
See also JAAS
http://java.sun.com/security/jaas/doc/acsac.html
J2EE security can be implemented either as declarative (i.e. entirely in configuration files) or programmatic (i.e. implemented in code, using the Sun APIs). Declarative is recommended.
Concepts
Subject - defined by JAAS as "any user of a computing service." Maps roughly onto an Axia "party."
Principal - an entity that can be authenticated; in effect, a name that a Subject uses to interact with a service. Each user of the system will typically have a set of Principals which they use to interact with the system. A Principal has a Principal Name and Authentication Data. Maps roughly onto an Axia "alias."
Credentials - data or attributes used to authenticate a Principal.
Realm - a set of security policies. Users belong to one realm. The default realm always exists.
Group - a user can be a part of a J2EE group. A J2EE group's scope is the entire J2EE environment.
Security Role - similar to a group, but its scope is only within a single application. Roles are declared in the EAR file. Each Principal is mapped into one or more roles.
There are two approaches to authorization: capabilities and permissions. Capabilities are user-oriented, i.e. the user can do this or that but not the other. Permissions work the other way round, i.e. for this method on this EJB, only these roles can call it.
--
TobyCabot - 30 Jul 2001
Copyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.