JAAS, Securing J2EE Applications: Securing Web Components
Web applications must be developed with security in mind right from the start. Developers should plan for securing a web application with both the web server and the application server in mind. Securing a J2EE application can seem very complicated, however. This article, the first of two parts, explains how to secure J2EE web components.
JAAS, Securing J2EE Applications: Securing Web Components (Page 1 of 7 )
“Prevention is better than cure”
This age old adage holds true even today, especially in the case of web applications. Site defacement is only one aspect of website attacks. It does not augur well if the security of an application is first considered after an attack. Applications must be developed with their security aspects well defined in advance.
Until a few years ago, security meant securing the web server. But with the advent of server-side programming, security cannot be limited to the resources within the web server, as most of the processing and servicing of the request is done by code executing within the application server. In the case of J2EE, securing a web application can be perplexing; a J2EE application can consist of one or more different components, each providing service to a different layer. So what is the solution? The solution comes in two different packages:
Declarative Security: If one is adopting this approach, then all the security constraints are specified within the web.xml file of the application. The container reads these constraints and performs the access control for that particular application.
Programmatic Security: Under this model, the responsibility for securing the web application belongs solely to the programmer. The logic for authenticatomg and authorizing the user is embedded within the application. It can exist as a service at the boundary of the application or within each module.
Realms based security comes under the former, while Java Authentication and Authorization Services (JAAS) based security comes under the latter. The next obvious question that arises is, which is superior? The answer, often repeated, is that the context determines usage. If codeless security is the context, then declarative security is better. If fine-grained control is the requirement, then programmatic security is the best choice.
Resuming the context of J2EE components, they are divided into Web Components and Business Components. Servlets and JSPs are Web Components whereas Enterprise Java Beans (EJBs) are Business Components. The method for securing Web Components is different from that for securing Business Components. In this tutorial, I will be discussing how to securing Web Components using JAAS. Before implementation is discussed, it is better to get acquainted with the JAAS, its overview and its vocabulary.