Security

Overview

• Declarative : XML or annotation

• Programmatic : as complement

Java SE mechanisms

• Java Authentication and Authorization Service (JAAS) - provide a pluggable and extensible framework

• Java Generic Security Services (Java GSS-API) - token based API to securely exchange messages between applications

• Java Cryptography Extension (JCE) - encryption, key generation, key agreement, message authentication code

• Java Secure Sockets Extension (JSSE) - Java version of SSL/TLS

• Simple Authentication and Security Layer (SASL)

Java EE Security Mechanisms

• Application layer

• Transport layer

• Message layer (SOAP)

Realms, users, groups and roles

Realm

• security policy domain

• contains a collection of users

• controlled by the same authentication policy

• each with own authentication scheme / authorization database

Group

Role

• name for permission to access a particular set of resources

• can be compared to a key to open a lock

Principal - entity can be authenticated (=user?)

Security policy domain - scope over which a common security policy is defined

Security attributes - attributes associated with every principal

Credential - security attributes to authenticate a principal

Setting up

User: server specific

Roles:

• @DeclareRoles({"ROLE1","ROLE2"}) defined before class

• @RolesAllowed()

• for servlet: @ServletSecurity(@HttpConstraint(... rolesAllowed

Mapping Roles to Users and Groups: server specific