Section 10.3. Declarative Security Versus Programmatic Security

Two basic approaches to implementing security are programmatic security, in which you embed explicit security calls directly into your code, and declarative security, in which you specify security policies in deployment descriptors and configuration files that the container enforces on your behalf.

With programmatic security, you embed enforcement in the application itself: the code checks the policy (typically by asking the container who the caller is and which roles they hold) to decide what the user may do or see, and then reacts accordingly. Programmatic security can be useful, and is sometimes required, particularly where the expressive power of declarative security is insufficient. But it should be used with care. Unless the design deliberately centralizes them, such checks end up scattered throughout the application code, which is hard to maintain because of duplicated code and inconsistent implementation styles. For example, a change to a single business rule might require changing several pieces of code. That is expensive, because there is more code to update and test, and error-prone, because it is hard to be sure you have covered every path when checks are implemented and distributed ad hoc; in security code, one path that forgets the check is an authorization bypass. So with programmatic security, the onus is on you to architect your security code so that it is contained and well encapsulated, ideally behind a small number of policy methods that the rest of the application calls.

Declarative security uses external deployment descriptors and configuration files (web.xml for web components, ejb-jar.xml for EJBs) to describe the authentication and authorization requirements of your application code. The application server or container applies these constraints at runtime, before your code is invoked. Implementing security this way can result in more straightforward and maintainable code, because there is less of it, and the policy can be reviewed and changed in one place without recompiling. However, declarative constraints are coarse-grained: they attach to URL patterns and EJB methods, not to the data those requests touch, so they cannot express rules such as "a user may read only their own records". In many situations, therefore, declarative security is not sufficient on its own and you still need some carefully designed programmatic security to meet all of your application's security requirements.
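As an added example (not from the book), here is how the two layers described above fit together in a J2EE web application. The web.xml fragment reproduced in the leading comment is the declarative layer: the container authenticates the caller and checks roles for the whole /reports/* URL space before any servlet code runs. The servlet then adds the one rule the descriptor cannot express, that an employee may read only their own report while a manager may read any, and keeps that decision in a single policy class rather than inline in each handler. The role names, URL paths, ExpenseReport class, in-memory ReportStore and the servlet mapping are all assumptions made for the example; it compiles against the standard javax.servlet API (Servlet 2.4 or later).

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Declarative layer (assumed to be in WEB-INF/web.xml of this application).
 * No <http-method> is listed on purpose: listing only GET and POST would leave
 * HEAD, PUT, DELETE and any other verb unconstrained.
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>Expense reports</web-resource-name>
 *       <url-pattern>/reports/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint>
 *       <role-name>employee</role-name>
 *       <role-name>manager</role-name>
 *     </auth-constraint>
 *     <user-data-constraint>
 *       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
 *     </user-data-constraint>
 *   </security-constraint>
 *   <login-config>
 *     <auth-method>FORM</auth-method>
 *     <form-login-config>
 *       <form-login-page>/login.jsp</form-login-page>
 *       <form-error-page>/login-error.jsp</form-error-page>
 *     </form-login-config>
 *   </login-config>
 *   <security-role><role-name>employee</role-name></security-role>
 *   <security-role><role-name>manager</role-name></security-role>
 */

/** Minimal stand-in for the application's domain object (assumed for the example). */
final class ExpenseReport {
    private final String id;
    private final String ownerId;
    ExpenseReport(String id, String ownerId) { this.id = id; this.ownerId = ownerId; }
    String id() { return id; }
    String ownerId() { return ownerId; }
}

/** In-memory stand-in for the report store, holding constructed sample data. */
final class ReportStore {
    private static final Map<String, ExpenseReport> REPORTS = new HashMap<String, ExpenseReport>();
    static {
        REPORTS.put("r-100", new ExpenseReport("r-100", "alice"));
        REPORTS.put("r-101", new ExpenseReport("r-101", "bob"));
    }
    static ExpenseReport find(String id) { return id == null ? null : REPORTS.get(id); }
}

/**
 * Programmatic layer. Every authorization decision about reports lives here, so a
 * rule change touches one method instead of every servlet that shows a report.
 * Role names must match the <security-role> entries in web.xml (or be mapped to
 * them with <security-role-ref> in the servlet's declaration).
 */
final class ReportAccessPolicy {
    private static final String ROLE_MANAGER = "manager";

    private ReportAccessPolicy() {}

    static boolean canRead(HttpServletRequest request, ExpenseReport report) {
        String caller = request.getRemoteUser();
        if (caller == null) {
            // Defence in depth: the web.xml constraint should already have forced a
            // login, but a mis-scoped <url-pattern> would let an anonymous request in.
            return false;
        }
        return caller.equals(report.ownerId()) || request.isUserInRole(ROLE_MANAGER);
    }
}

/** Handles GET /reports/view?id=...; its <servlet-mapping> under /reports/* is assumed. */
public class ReportServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        ExpenseReport report = ReportStore.find(req.getParameter("id"));
        // One status for "missing" and "not yours": a 403 would confirm the id exists.
        if (report == null || !ReportAccessPolicy.canRead(req, report)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Report " + report.id() + " owned by " + report.ownerId());
    }
}
```

The division of labour is the point: the container handles authentication, transport protection and coarse role checks from the descriptor, and the only programmatic code is the object-level rule the descriptor cannot state. Because that rule sits in ReportAccessPolicy, adding a second servlet (say, one that downloads the report as a PDF) means one more call to canRead, not a second copy of the logic.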

At this point, having laid this groundwork, let's look at how J2EE security works in both web-based and EJB applications.



Source: Java Enterprise in a Nutshell (O'Reilly, 2004), ISBN 0596101422, 269 pages.