Chapter 4. Servlet and JSP Security


An enterprise solution is now considered incomplete if the applications it enables cannot be accessed over the Web. Web-enabling enterprise applications brings advantages, but it also exposes the enterprise system to security breaches. Security must therefore be considered from design through deployment and administration. This chapter describes the security policies and features defined for use by J2EE Web modules, which assemble Java servlets and JSP files, as well as static content such as HTML pages, into a single deployable unit (see Section 3.2.2 on page 59).

The sections in this chapter use concrete examples to illustrate how the security policy can be declaratively specified in a Web module's deployment descriptor. The chapter first describes a Web module's deployment descriptor and then explains how it can be used to enforce authentication, authorization, and delegation policies. This chapter also discusses how applications can programmatically enforce security to address any additional enterprise security requirements that are not addressed by the J2EE specification at this time. The chapter concludes by describing future directions of Web application security.



Enterprise Java™ Security: Building Secure J2EE™ Applications
ISBN: 0321118898
EAN: 2147483647
Year: 2004
Pages: 164
