Section 9.1. J2EE Security


9.1. J2EE Security

Security is an important part of J2EE application architecture because the J2EE components and tiers used in a system's architecture determine the choice of security technologies. If an application uses only web-based technologies, then it only needs to restrict access to JSPs, Servlets, and so on. But EJBs are now part of the JAW Motors architecture, so they must be protected as well. The system must create a security context that encompasses the entire J2EE stack from frontend web pages to backend business logic and data. We need a unified security mechanism that propagates the user's credentials to all components in the application.

The two fundamental concepts in J2EE security are:


Authentication

Answers the following questions:

  • Who is attempting to access the system?

  • Is this person allowed to access the system?


Authorization

Determines what an authenticated user can access in an application.

Authentication is an important aspect of a J2EE application's architecture and security strategy, and ensures that only valid users or entities can use the system's resources. Authentication is the front line of defense in protecting sensitive business logic and data from users. Authentication identifies a user in the system, and requires the user to log on just as they would log on to an operating system or database. Users identify themselves to the system by supplying credentials, which could be in the form of passwords, certificates, or keys. If the user enters a valid username and password, the user can access sensitive portions of the web site; otherwise, access is denied.

Although restricting access on internal business functions and web pages to known users of the JAW Motors is a good first step in securing the system, it still isn't enough. We know who the user is, but what can they do in the system? What are they not allowed to do? How can we ensure that users see only what they're allowed to access? Authorization answers these questions and strengthens security by adding the concept of roles to our security realm. Each role represents different types of users, and the JAW Motors application has the following roles:


Manager

A manager is an administrative user who can modify the JAW Motors inventory.


Guest

A guest is a user who can only view the JAW Motors inventory.

Although there is no need to protect public pages and their underlying business logic, we must prevent unauthenticated/unauthorized users from accessing protected web pages and business functions.

Let's start by securing the web tier and working our way down through the architecture.



JBoss at Work. A Practical Guide
JBoss at Work: A Practical Guide
ISBN: 0596007345
EAN: 2147483647
Year: 2004
Pages: 197

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net