Summary

In this chapter, we discussed the J2EE architecture's security concepts and applied mechanisms. We took an in-depth look at the different security mechanisms facilitated by the J2EE architecture and how they contribute to the end-to-end security of an overall J2EE application solution. In particular, we saw how the J2EE architecture facilitates end-to-end security mechanisms and how it spans across all logical tiersfrom the presentation tier to the Business tier, and from the Business tier to the Back-end resources. We also looked at how to enforce security mechanisms at the J2EE application level as well as Java and J2ME clients. We studied the different security mechanisms available for the different J2EE components, including JSPs, Servlets, EJBs, J2EE Connectors, JMS, and JDBC. We discussed the security mechanisms for enforcing authentication, authorization, security communication, integrity, confidentiality, and so on, and how they can be applied to the tiers and components during the application development and deployment phases. In particular, we focused on the following:

• J2EE architecture and its logical tiers

• J2EE security infrastructure and mechanisms

• J2EE authentication and authorization

• Users, groups and realms

• J2EE Web-tier security mechanisms

• J2EE Business-tier security mechanisms

• J2EE Integration-tier security mechanisms

• J2EE application deployment and network topologies

• J2EE Web services securityoverview

In general, this chapter provided a J2EE security reference guide that discussed the architectures security details and the available mechanisms for building end-to-end security in a J2EE-based solution. For more information about J2EE security design strategies and best practices, refer to Chapter 9, "Securing the Web Tier: Design Strategies and Best Practices," and Chapter 10, "Securing the Business TierDesign Strategies and Best Practices."

In the next chapter, we will explore Web services security standards and technologies.