Securing Containers

In Java EE, the component containers are responsible for providing application security. A container provides two types of security: declarative and programmatic. The following sections discuss these concepts in more detail.

Using Deployment Descriptors for Declarative Security

Declarative security expresses an application component’s security requirements using deployment descriptors. A deployment descriptor is an XML document with an .xml extension that describes the deployment settings of an application, a module, or a component. Because deployment descriptor information is declarative, it can be changed without the need to modify the source code. At runtime, the Java EE server reads the deployment descriptor and acts upon the application, module, or component accordingly.

This tutorial does not document how to write the deployment descriptors from scratch, only what configurations each example requires its deployment descriptors to define. For help with writing deployment descriptors, you can view the provided deployment descriptors in a text editor. Each example’s deployment descriptors are stored at the top layer of each example’s directory. Another way to learn how to write deployment descriptors is to read the specification in which the deployment descriptor elements are defined.

Deployment descriptors must provide certain structural information for each component if this information has not been provided in annotations or is not to be defaulted.

Different types of components use different formats, or schema, for their deployment descriptors. The security elements of deployment descriptors which are discussed in this tutorial include the following:

Using Annotations

Annotations enable a declarative style of programming, and so encompass both the declarative and programmatic security concepts. Users can specify information about security within a class file using annotations. When the application is deployed, this information is used by the Application Server. Not all security information can be specified using annotations, however. Some information must be specified in the application deployment descriptors.

Annotations let you avoid writing boilerplate code under many circumstances by enabling tools to generate it from annotations in the source code. This leads to a declarative programming style, where the programmer says what should be done and tools emit the code to do it. It also eliminates the need for maintaining side files that must be kept up to date with changes in source files. Instead the information can be maintained in the source file.

In this tutorial, specific annotations that can be used to specify security information within a class file are described in the following sections:

The following are sources for more information on annotations:
Links to this information are provided in Further Information about Security.

Using Programmatic Security

Programmatic security is embedded in an application and is used to make security decisions. Programmatic security is useful when declarative security alone is not sufficient to express the security model of an application. The API for programmatic security consists of two methods of the EJBContext interface and two methods of the servlet HttpServletRequest interface. These methods allow components to make business logic decisions based on the security role of the caller or remote user.

Programmatic security is discussed in more detail in the following sections:

Copyright © 2010, Oracle and/or its affiliates. All rights reserved.
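
The annotation and programmatic security sections above, combined in one enterprise bean as an added example (not code from the tutorial): @RolesAllowed states the coarse rule declaratively, and the EJBContext methods getCallerPrincipal() and isCallerInRole() enforce a per-record rule that a role list cannot express. The bean, the role names, and the assumption that the caller's principal name equals the employee ID are hypothetical.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical bean and role names, chosen for illustration only.
@Stateless
@DeclareRoles({"employee", "manager"}) // roles referenced by isCallerInRole()
public class PayrollBean {

    // SessionContext extends EJBContext; the container injects it.
    @Resource
    private SessionContext ctx;

    // Declarative check: the container rejects callers that hold neither
    // role before this method body runs.
    @RolesAllowed({"employee", "manager"})
    public String viewSalary(String employeeId) {
        Principal caller = ctx.getCallerPrincipal();

        // Programmatic check: the decision depends on the method argument.
        // Managers may read any record; everyone else only their own.
        // Assumption: the principal name is the caller's employee ID.
        boolean ownRecord = caller.getName().equals(employeeId);
        if (!ownRecord && !ctx.isCallerInRole("manager")) {
            // Fail closed without revealing whether the record exists.
            throw new EJBAccessException("access denied");
        }
        return lookupSalary(employeeId);
    }

    // Stand-in for a persistence lookup (constructed sample data).
    private String lookupSalary(String employeeId) {
        return "salary record for " + employeeId;
    }
}
```

In a servlet, the same pattern uses HttpServletRequest.getRemoteUser() and isUserInRole(String) in place of the EJBContext calls.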